
Exploring the science and magic of Identity and Access Management
Tuesday, July 23, 2024

Mandiant Report: APT1 – Exposing One of China’s Cyber Espionage Units

Information Security
Author: Mark Dixon
Monday, March 11, 2013
12:39 pm


Mandiant, an American cyber security firm, recently released a 74-page report documenting evidence of cyber attacks by the People’s Liberation Army of the Republic of China:

Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the “Advanced Persistent Threat” (APT). … this report is focused on the most prolific of these groups. We refer to this group as “APT1” and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. …

APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously. APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property. Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.

This detailed report includes a map showing observed APT1 activity …



… and a timeline of observed compromises by industry sector:



The report includes a detailed analysis of the APT attack lifecycle and methods for compromising the systems in the targets they attacked:


Detailed background about the infrastructure used in the attacks, and about some of the people involved in this work, is also included.

The report concludes:

In a State that rigorously monitors Internet use, it is highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai. The detection and awareness of APT1 is made even more probable by the sheer scale and sustainment of attacks that we have observed and documented in this report. Therefore the most probable conclusion is that APT1 is able to wage such a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government. Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1.

Perhaps this statement from Sun Tzu, in his book, The Art of War, is particularly appropriate in this case:

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.


Report: Mitigating Insider Threats

Information Security
Author: Mark Dixon
Friday, December 14, 2012
1:42 pm

A colleague referred me today to a long, but very useful technical report, “Common Sense Guide to Mitigating Insider Threats, 4th Edition,” published in December 2012 by the CERT® Program at Carnegie Mellon University. The report abstract states:

This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most current recommendations of the CERT® Program (part of Carnegie Mellon University’s Software Engineering Institute), based on an expanded database of more than 700 insider threat cases and continued research and analysis. It introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, and outlines current patterns and trends. The guide then describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so.

It was interesting to read how the patterns and trends that the team observed indicated four classes of malicious insider activity:

  1. IT sabotage—an insider’s use of IT to direct specific harm at an organization or an individual
  2. theft of IP—an insider’s use of IT to steal IP from the organization. This category includes industrial espionage involving outsiders.
  3. fraud—an insider’s use of IT for the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain, or theft of information that leads to an identity crime (e.g., identity theft or credit card fraud)
  4. miscellaneous—cases in which the insider’s activity was not for IP theft, fraud, or IT sabotage

The following chart shows the top six infrastructure sectors for the three most important classes: Fraud, Sabotage, and Theft of IP:

The nineteen practices included in the report are:

  1. Consider threats from insiders and business partners in enterprise-wide risk assessments.
  2. Clearly document and consistently enforce policies and controls.
  3. Incorporate insider threat awareness into periodic security training for all employees.
  4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
  5. Anticipate and manage negative issues in the work environment.
  6. Know your assets.
  7. Implement strict password and account management policies and practices.
  8. Enforce separation of duties and least privilege.
  9. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
  10. Institute stringent access controls and monitoring policies on privileged users.
  11. Institutionalize system change controls.
  12. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
  13. Monitor and control remote access from all end points, including mobile devices.
  14. Develop a comprehensive employee termination procedure.
  15. Implement secure backup and recovery processes.
  16. Develop a formalized insider threat program.
  17. Establish a baseline of normal network device behavior.
  18. Be especially vigilant regarding social media.
  19. Close the doors to unauthorized data exfiltration.

All in all, it is a very insightful and helpful report.


Kiplinger: 8 Things to Never Keep in Your Wallet

Information Security
Author: Mark Dixon
Thursday, September 13, 2012
5:05 am

Do you know what is in your wallet? Do you have a treasure trove of PII in there? What if you lose it or someone steals it?

Kiplinger.com has a short, informative online slide show with good advice for us all.



Convenience Always Wins

Information Security
Author: Mark Dixon
Wednesday, September 12, 2012
9:14 pm

A great quote from America the Vulnerable:

When convenience butts heads with security, convenience wins. This is true even among security professionals. If these people won’t follow their own rules, others won’t follow them either. In short, if security is not built into our systems, our systems won’t be secure.

In short, our systems must be both easy and secure … a big challenge.


The Cloud Can be a Secure Place

Cloud Computing, Information Security
Author: Mark Dixon
Tuesday, September 11, 2012
4:47 am

When I was in 7th grade, I played the trombone in the Gooding, Idaho, Jr. High band – or at least tried to play it. Once, we participated in a music festival where I played a solo rendition of the soaring anthem, “Jerusalem,” in front of a judge. When I finished the piece, she remarked, “the trombone can be a beautiful instrument.” I was devastated of course, and was somewhat relieved to hang up my trombone, so to speak, when we moved to a tiny town without a band the next year.

I was reminded of that incident this morning when I read a Mashable article, “Top 5 Misconceptions about the Cloud,” sponsored by Western Digital. The fifth “misconception” was “You Can’t Beef Up Security on the Cloud.” In my mind’s eye, I could almost see my trombone judge saying, “The cloud can be a secure place.”

So what’s the problem? Much like a 7th grader’s ill-conceived belief that he could impress a judge with little practice and poor technique, the article’s overly simplistic recommendation for bolstering cloud security was “You can use behavior-based key management servers and encryption key management to give your files an extra layer of protection.”

Cloud security entails much, much more than that.

I can accept that cloud-based solutions can be well secured, but we must not be complacent or expect great results with little effort.


All Credit Card PIN Codes in the World Leaked

Humor, Information Security
Author: Mark Dixon
Monday, September 10, 2012
5:18 am

Pastebin reported this morning that a repository of all credit card PIN codes had been leaked. Here is a small sample of the leaked data.

The big question is, “To change, or not to change my PIN?”



Huawei Denies Security Threat Allegations

Information Security
Author: Mark Dixon
Sunday, September 9, 2012
9:12 pm

On August 28th, I blogged that CNET reported on a congressional committee that wanted to know whether Huawei was a national security threat.

According to an article this week in ThreatPost, Huawei issued a position paper addressing the allegations. John Suffolk, Huawei’s global cyber security officer, stated:

“We have never damaged any nation or had the intent to steal any national intelligence, enterprise secrets or breach personal privacy and we will never support or tolerate such activities, nor will we support any entity from any country who may wish us to undertake an activity that would be deemed illegal in any country.

“Huawei does not, and would not, support, condone or conduct activities intended to acquire sensitive information related to any country, company or individual, nor do we knowingly allow our technology to be used for illegal purposes.”

Whether or not Huawei is culpable has yet to be proven or disproven conclusively, but the current tenuous conditions in the cybersecurity field have many people on edge. The ThreatPost article quoted Shawn Henry, a former FBI official:

“It’s hard to explain the threat to some organizations. Some people get it, but many don’t. The entire threat out there is kind of like an iceberg. The part that most people hear about is the part above the water line, the unclassified threats. People don’t hear about what’s below the water line, which is everything that’s happening in the classified environments. It doesn’t get a lot of attention outside of the classified environment, but I can tell you that it’s deep and broad and extensive.”

It is indeed a challenging world we live in. Let’s be careful out there!



Your Autobiographical Trail

Information Security
Author: Mark Dixon
Thursday, September 6, 2012
8:38 pm

An interesting observation from Joel Brenner’s book, “America the Vulnerable”:

The overlapping and ever-expanding appetite of government and commerce to keep tabs on us— and our own appetite for keeping tabs on one another— means that it’s virtually impossible to elude our own autobiographical trail of purchasing habits, property ownership, employment history, credit scores, educational records, and in my case, a security clearance record a mile long.

What have you added to your trail today? Are you sure you wanted to do that?


Data Breaches and Data Werewolves

Humor, Information Security
Author: Mark Dixon
Wednesday, September 5, 2012
8:46 pm

Finally, a solution to big data breaches …



America the Vulnerable

Information Security
Author: Mark Dixon
Thursday, August 30, 2012
2:37 am

I am beginning to read a compelling book, “America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare,” by Joel Brenner, former senior counsel at the National Security Agency.

My favorite line in the introduction:

Our world is becoming a collection of glass houses that provide only the illusion of shelter.

More to come soon.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.