The PLA and the 8:00am-5:00pm Work Day: FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity

Yesterday, the U.S. Department of Justice (DOJ) announced the indictment of five members of the Second Bureau of the People’s Liberation Army (PLA) General Staff Department’s Third Department, also known as PLA Unit 61398. This is the same unit that Mandiant publicly unmasked last year in the APT1 report. At the time it was originally released, China denounced the report, saying that it lacked sufficient evidence. Following the DOJ’s indictment, however, China’s usual response changed from “you lack sufficient evidence” to “you have fabricated the evidence”, calling on the U.S. to “correct the error immediately.” This is a significant evolution in China’s messaging; if the evidence is real, it overwhelmingly demonstrates China’s unilateral attempts to leapfrog years of industrial development — by using cyber intrusions to access and steal intellectual property.

The evidence provided in the indictment includes Exhibit F (pages 54-56), which shows three charts based on Dynamic DNS data. These charts indicate that the named defendants (Unit 61398 members) were re-pointing their domain names at a Dynamic DNS provider during Chinese business hours from 2008 to 2013. The Chinese work day, particularly for government offices, is very predictable, as noted on this travel site:

“Government offices, institutions and schools begin at 8:00 or 8:30, and end at 17:00 or 17:30 with two-hour noon break, from Monday to Friday. They usually close on Saturday, Sunday and public holidays.”

What Exhibit F shows is a spike of activity on Monday through Friday around 8am in Shanghai (China Standard Time), a roughly 2-hour lull at lunchtime, and then another spike of activity from about 2pm to 6pm. The charts also show that there were very few changes in Dynamic DNS resolution on weekends.

At Mandiant (now a FireEye company), we can corroborate the DOJ’s data by releasing additional evidence that we did not include in the APT1 report. In the APT1 report, we specified the following:

  • Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors logging into their hop infrastructure from 832 different IP addresses with Remote Desktop.

  • Of the 832 IP addresses, 817 (98.2%) were Chinese and belong predominantly to four large net blocks in Shanghai which we will refer to as APT1’s home networks.

  • In order to make a user’s experience as seamless as possible, the Remote Desktop protocol requires client applications to forward several important details to the server, including their client hostname and the client keyboard layout. In 1,849 of the 1,905 (97%) APT1 Remote Desktop sessions we observed in the past two years, the keyboard layout setting was “Chinese (Simplified) — US Keyboard.”

One thing we did not originally provide was an analysis of the time of day and day of week that these 1,905 Remote Desktop (RDP) connections occurred. However, when we look at these connections in bar chart format, obvious patterns appear:

Figure 1: APT1 Remote Desktop login times distributed by hour of day (China Standard Time)

Figure 2: APT1 Remote Desktop login times distributed by day of week (China Standard Time)

Essentially, APT1 conducted almost all of the 1,905 RDP connections from 2011 to 2013:

  • on weekdays (Monday through Friday),
  • between 8am and noon, 2pm and 6pm, and 7pm and 10pm CST.

On some occasions, APT1 personnel appear to have worked on weekends, but these are minor exceptions to the norm. Consider the following evidence together for the 1,905 RDP connections:

  • 98.2% of IP addresses used to log in to hop points (which help mask the real point of origin to victim organizations) were from Shanghai networks
  • 97% of the connections were from computers using the Simplified Chinese language setting
  • 97.5% of the connections occurred on weekdays, China Standard Time
  • 98.8% of the connections occurred between 7am and midnight China Standard Time
    • 75% occurred between 8am to noon or between 2pm to 6pm
    • 15% occurred between 7pm and 10pm
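The analysis behind these figures is straightforward once the session records are in hand: convert each login timestamp to China Standard Time, bucket it by local hour and weekday, and check the client attributes the RDP handshake exposes (source IP and keyboard layout, as described for the 1,905 sessions above). The following is an added example, not Mandiant's tooling or data. It runs over a handful of constructed login records; the "home network" blocks are RFC 5737 documentation ranges standing in for the Shanghai netblocks, and the keyboard layout identifiers are the standard Windows values (0x0804 for "Chinese (Simplified) - US Keyboard", 0x0409 for US English) that an RDP client sends in its core data.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# China Standard Time is UTC+8 year-round (no daylight saving), so a fixed offset is exact.
CST = timezone(timedelta(hours=8), name="CST")

# Windows keyboard layout identifiers as carried in the RDP client core data.
KEYBOARD_LAYOUTS = {0x0804: "Chinese (Simplified) - US Keyboard", 0x0409: "US"}
ZH_CN_US_KEYBOARD = 0x0804

# Hypothetical "home network" blocks: RFC 5737 documentation ranges, NOT real APT1 netblocks.
HOME_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class RdpLogin:
    when_utc: datetime      # connection time as logged at the hop point (UTC)
    source_ip: str          # client IP address that opened the RDP session
    keyboard_layout: int    # RDP client keyboard layout identifier


def utc(stamp):
    """Parse an ISO-8601 timestamp with an explicit UTC offset."""
    return datetime.fromisoformat(stamp)


# Constructed sample: eight logins spanning a working week plus one Saturday morning
# and one session whose UTC date differs from its CST date (crosses local midnight).
SAMPLE_LOGINS = [
    RdpLogin(utc("2012-03-05T01:30:00+00:00"), "203.0.113.10", 0x0804),  # Mon 09:30 CST
    RdpLogin(utc("2012-03-06T03:15:00+00:00"), "203.0.113.11", 0x0804),  # Tue 11:15 CST
    RdpLogin(utc("2012-03-06T05:00:00+00:00"), "192.0.2.5",    0x0409),  # Tue 13:00 CST (lunch)
    RdpLogin(utc("2012-03-07T07:45:00+00:00"), "203.0.113.12", 0x0804),  # Wed 15:45 CST
    RdpLogin(utc("2012-03-08T09:30:00+00:00"), "203.0.113.13", 0x0804),  # Thu 17:30 CST
    RdpLogin(utc("2012-03-09T12:00:00+00:00"), "203.0.113.14", 0x0804),  # Fri 20:00 CST
    RdpLogin(utc("2012-03-10T02:00:00+00:00"), "203.0.113.15", 0x0804),  # Sat 10:00 CST
    RdpLogin(utc("2012-03-09T17:30:00+00:00"), "203.0.113.16", 0x0804),  # Sat 01:30 CST
]


def in_window(hour, start, end):
    """True when start <= hour < end; e.g. 8am-noon is in_window(hour, 8, 12)."""
    return start <= hour < end


def summarize(logins):
    """Bucket logins by CST hour and weekday and compute the shares the post reports."""
    total = len(logins)
    by_hour, by_weekday = Counter(), Counter()
    weekday = awake = core = evening = home_ip = zh_layout = 0
    for login in logins:
        local = login.when_utc.astimezone(CST)   # convert BEFORE reading hour/weekday
        by_hour[local.hour] += 1
        by_weekday[local.strftime("%A")] += 1
        if local.weekday() < 5:                    # Monday (0) through Friday (4)
            weekday += 1
        if in_window(local.hour, 7, 24):           # 7am to midnight
            awake += 1
        if in_window(local.hour, 8, 12) or in_window(local.hour, 14, 18):
            core += 1                              # 8am-noon or 2pm-6pm
        if in_window(local.hour, 19, 22):          # 7pm-10pm
            evening += 1
        addr = ipaddress.ip_address(login.source_ip)
        if any(addr in net for net in HOME_NETWORKS):
            home_ip += 1
        if login.keyboard_layout == ZH_CN_US_KEYBOARD:
            zh_layout += 1

    def pct(n):
        return round(100.0 * n / total, 1)

    return {
        "total": total,
        "weekday_pct": pct(weekday),
        "7am_to_midnight_pct": pct(awake),
        "core_hours_pct": pct(core),
        "evening_pct": pct(evening),
        "home_network_pct": pct(home_ip),
        "zh_cn_layout_pct": pct(zh_layout),
        "by_hour": dict(sorted(by_hour.items())),
        "by_weekday": dict(by_weekday),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGINS).items():
        print(f"{key}: {value}")
```

The timezone conversion is the step most often skipped: a Friday 17:30 UTC login is a Saturday 01:30 CST login, and only after conversion does the weekday and hour-of-day distribution say anything about where the operator's working day falls. The same loop generalizes to any candidate time zone; run it once per hypothesis and compare which zone produces the cleanest business-hours shape.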

The simplest conclusion based on these facts is that APT1 is operating in China, and most likely in Shanghai. Although one could attempt to explain every piece of evidence away, at some point the evidence becomes overwhelming when it is all pointing in one direction. Our timestamp data, derived from active RDP logins over a two-year period, matches the DOJ’s timestamp data, derived from a different source: active Dynamic DNS re-pointing over a five-year period. These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like it is.

The data used to produce the charts above are archived in raw format and we are confident that any computer networking expert would certify them as genuine and non-fabricated in a court of law. But, that isn’t really the issue. The real issue is: will this activity continue and for how long? Regardless, FireEye remains focused on how these threats evolve over time, in order to reduce the time from “detect” to “fix”, as these and other actors continue targeting potential victims.

NGOs: Fighting Human Rights Violations and, Now, Cyber Threat Groups

With so many non-government organizations (NGOs) in operation today around the world, we asked ourselves a question here at FireEye Labs. Who would think about targeting NGOs? Steal from a nonprofit? It would seem unthinkable to most people. But, as we can see from a few recent examples below, this is a clear reality.

As more NGOs reach out to us, it is clear that the situation for them is not a pretty one. Based on the breaches we have observed in this space, it appears there are more than 15 distinct advanced threat groups active in NGO networks. The sheer volume and variety of threat groups active in NGO environments struck us as unusually high for a single industry and indicates the incredibly difficult threat landscape NGOs face.

Hamstrung by limited budgets to establish strong network defenses and few personnel that understand how and why these threats are materializing, NGOs make a relatively easy target. Even if they aren’t profitable, NGOs use credit cards for donations, transact with cash, store personally identifiable information (PII) and, in some cases, even house intellectual property. Many NGOs also work on political issues—an inviting target for opponents who want to monitor their communications and activities. Weak defenses and a target-rich environment make NGOs an enticing victim to maliciously motivated threat actors.

Cyber Operations at NGOs: An Intelligence Collection Pursuit?

NGOs — particularly those based in the U.S. — have long been perceived as instruments of U.S. government policy. Regimes with a less-than-favorable view of the U.S. frequently consider NGOs’ work as a rallying point for domestic unrest and political opposition. Three nations that fit this description — China, Russia and Iran — are all rumored or known to have existing and growing cyber operations to support their governments’ political agendas. Data acquired from NGOs via network compromises has the potential to grant these nation-states valuable, predictive insights on key policy topics and NGO programming, as well as intelligence on personnel and their contacts.

Over the last few years, we have observed China-based advanced persistent threat (APT) groups frequently target U.S.-based NGOs. Unsurprisingly, they were organizations with programs that touched on Chinese human rights, democratic reforms, and social issues. In these instances, data theft was not just limited to documents about NGO programming, but also included documents on grants, legal proceedings, research programs, and even employee communications. The threat actors and recipients of the stolen data were likely able to gain significant insights into the NGOs’ operations, issues, and personnel. Not only were the threat actors better positioned to understand the NGOs’ values and plans, but, more importantly, they could potentially identify in-country contacts for the NGOs. These domestic contacts could face repercussions for their collaboration with the NGO.


Figure 1: A sample breakout of the types of documents stolen from an NGO

Sought-After Financial Data Goldmine

Because NGOs are often dependent on donations from large donors and dedicated supporters, they maintain or process financial data of potentially great value to cybercriminals who seek to steal PII. This financial information could be used to perpetrate identity theft and other types of criminal exploitation, including the theft of credit card numbers, bank account information, and other PII of wealthy individuals. There are any number of cases of nonprofits that were either breached via network compromise or experienced the physical theft of devices that gave perpetrators access to databases filled with valuable information such as names, addresses and social security numbers. In one instance, a simple website misconfiguration exposed one nonprofit’s database of donors and their personal information.

The acknowledged wealth of many NGO donors likely contributes to the motivations financial threat groups would have in targeting NGOs. FireEye tracks a number of criminal threat groups who conduct network intrusions to obtain data similar to the kind NGOs manage in large quantities. These threat actors may seek financial gain from cyber operations through direct theft of funds or the resale of data they have stolen. Because NGOs maintain valuable financial data, and perhaps other data they perceive to be valuable, criminal threat actors may target these networks with the intent to profit.

Perception of Weak Defenses

When criminals are looking for an easy target, NGOs’ networks may be perceived to be easy pickings. Just as the common thief would rather steal items of value from a house without an alarm than one with, the same is true with advanced threat actors and cybercriminals. NGOs possess information of value that a variety of threat actors desire, and their networks can sometimes be far easier targets than government institutions or large commercial organizations, due to their typically limited resources when it comes to network security and defense.

Although NGOs face a unique landscape when it comes to advanced threats, in terms of both the sheer number of threat groups targeting them and the widely varying possible impacts of a breach, their operations and needs share many similarities with those of our small- and medium-sized business (SMB) customers. To that end, FireEye Labs recommends reviewing our latest SMB-focused white paper for more insight into what the broader threat landscape looks like for NGO-like organizations. A copy of the paper can be found here: https://www.fireeyesolution.com/smb_five_reasons_wp.html.

Live from RSA USA 2014: Talking Threat Analytics with David Bianco and Mike Reeves

During the recent RSA USA 2014 conference, FireEye Chief Security Strategist Richard Bejtlich sat down with David Bianco and Mike Reeves, two members of the FireEye threat analytics platform team. The trio discussed the Threat Analytics Platform (TAP), a new service from FireEye that blends real-time threat intelligence with data from existing SIEM and log-collection tools. By better leveraging the security alerts and event data they are already generating, TAP subscribers can identify threats and speed up incident response.

Whereas most intelligent analysis tools take months — if not years — to provide value, David Bianco notes that TAP can provide “extra context for events. You can find an entire story of an attack inside your systems instantly.”

Listen to the full podcast live from RSA USA 2014 here and check back soon for our next featured interview:
Richard Bejtlich Interviews David Bianco and Mike Reeves on TAP