Security Experts:

China's APT1 Changing Tactics, Rebuilding: Mandiant

It appears the Chinese cyber-espionage crew behind attacks on as many as 100 businesses is cutting back on some of its attacks and looking for alternative tools, Mandiant said.

Back in February, Mandiant released a 74-page report with loads of information on the group, dubbed APT1, including its attack methods, operational methodology, and organizations it had previously infiltrated. The report accused APT1 of retrieving hundreds of terabytes of stolen data. Even if APT1 wasn't an official entity within the Chinese government, the report made a strong case that the government was at least aware of its operations.

APT1 Hacking

Since the publication of the report, the group may have had to change some of its methods, Mandiant said in a follow-up report this week. The original report included more than 3,000 APT1 indicators used by APT1, including domain names, 832 IP addresses, 13 digital certificates used to encrypt data, and MD5 hashes of over malware. Recent analysis indicates they are still active, but they are changing their methods.

"APT1 is still active using a well-coordinated and well-defined attack methodology against a wide set of industries -- with a discernible post-report shift towards new tools and infrastructure," wrote Dan Mcwhorter, Mandiant's managing director for threat intelligence.

The report was the first time a private sector company had laid out evidence to link the China to cyber-espionage campaigns against businesses and government entities around the world.

APT1 relied on social engineering methods, remote access tools, and more than 40 malware families to carry out their operations, the original report said. The report's goal was to make it harder to the group to carry out their attacks and slow them down, since organizations now knew what to look for in their logs and network traffic. It appears to have had some effect, as the information "hindered APT1's operations," Mcwhorter wrote.

"APT1 has stopped using the vast majority of the infrastructure that was disclosed with the release of the indicators," Mcwhorter wrote.

The group has not been knocked out yet, as it probably still has access to an extensive infrastructure of computers around the world. While there was speculation that Mandiant's publication of APT1 indicators would have resulted in the group dismantling itself, the follow-up reports indicates that is not the case.

Mandiant noted that APT1 is only one of more than 20 Advanced Persistent Threat groups operating out of China that the company is aware of. Mandiant's report disrupted only APT1, not the others.

"Mandiant has observed no significant changes in their operations," the follow-up report said. 

Related Reading: Lessons from Mandiant's APT1

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.