FireEye-Mandiant data confirms DOJ’s Findings on APT1

Pierluigi Paganini May 25, 2014

Experts at Mandiant have corroborated the DOJ’s data by releasing additional evidence not included in the original APT1 report.

One of the most important news items shared on the internet this week is the indictment announced by the US Department of Justice (DOJ) against five members of PLA Unit 61398.

One year ago Mandiant experts analyzed in depth the activities of the Chinese cyber unit in the APT1 report; the study aroused great indignation on the part of the government in Beijing.

In this case too, China accused the US of having fabricated the evidence, asking the American authorities to “correct the error immediately.”

If the facts are confirmed, China can be considered responsible for years of cyber espionage aimed at stealing industrial secrets and intellectual property from US companies.

In a blog post, experts at FireEye analyzed the content of the indictment, highlighting that the evidence provided includes Exhibit F (pages 54-56), which shows three charts based on Dynamic DNS data.

The charts indicate Unit 61398 operators were re-pointing their domain names at a Dynamic DNS provider during Chinese business hours in the period from 2008 to 2013.

“Government offices, institutions and schools begin at 8:00 or 8:30, and end at 17:00 or 17:30 with two-hour noon break, from Monday to Friday. They usually close on Saturday, Sunday and public holidays.”

“What Exhibit F shows is a spike of activity on Monday through Friday around 8am in Shanghai (China Standard Time), a roughly 2-hour lull at lunchtime, and then another spike of activity from about 2pm to 6pm. The charts also show that there were very few changes in Dynamic DNS resolution on weekends.” states FireEye.

Mandiant/FireEye experts are corroborating the evidence by releasing additional data not included in the APT1 report. That report had already stated the following:

  • Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors logging into their hop infrastructure from 832 different IP addresses with Remote Desktop.
  • Of the 832 IP addresses, 817 (98.2%) were Chinese and belong predominantly to four large net blocks in Shanghai which we will refer to as APT1’s home networks.
  • In order to make a user’s experience as seamless as possible, the Remote Desktop protocol requires client applications to forward several important details to the server, including their client hostname and the client keyboard layout. In 1,849 of the 1,905 (97%) APT1 Remote Desktop sessions we observed in the past two years, the keyboard layout setting was “Chinese (Simplified) — US Keyboard.”

The APT1 report did not originally include an analysis of the time of day and day of the week at which these 1,905 Remote Desktop (RDP) connections occurred. The following charts make it evident that activities were conducted during Chinese business hours; in some isolated cases, APT1 members worked during weekends.

[Charts: APT1 Report additional data (1 and 2)]

  • 98.2% of IP addresses used to log in to hop points (which help mask the real point of origin to victim organizations) were from Shanghai networks
  • 97% of the connections were from computers using the Simplified Chinese language setting
  • 97.5% of the connections occurred on weekdays, China Standard Time
  • 98.8% of the connections occurred between 7am and midnight China Standard Time
    • 75% occurred between 8am to noon or between 2pm to 6pm
    • 15% occurred between 7pm and 10pm

The timestamp data used for the above analysis derive from active RDP logins over a two-year period, and they match exactly the DOJ’s timestamp data, which were derived from a different source.
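Both the Dynamic DNS chart analysis in Exhibit F and the RDP login breakdown above are the same kind of "pattern of life" analytic: convert every event timestamp to China Standard Time, then bucket it by weekday and by the business-hour windows the article names. The script below is an added example that is not code from the article, FireEye or Mandiant; it works on a small constructed set of UTC login timestamps (hypothetical values, not data from the report) and reports the same percentages the article lists, so a defender can run it over their own VPN, RDP or DNS-change logs.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# China Standard Time is UTC+8 with no daylight saving, so a fixed offset is enough
# and avoids depending on the system tz database.
CST = timezone(timedelta(hours=8), name="CST")

# Constructed sample of RDP login timestamps in UTC (hypothetical; not from the APT1 report).
SAMPLE_LOGINS_UTC = [
    "2012-03-05T01:15:00Z",  # Mon 09:15 CST, morning block
    "2012-03-05T03:40:00Z",  # Mon 11:40 CST, morning block
    "2012-03-05T05:10:00Z",  # Mon 13:10 CST, lunch lull
    "2012-03-05T07:30:00Z",  # Mon 15:30 CST, afternoon block
    "2012-03-06T09:55:00Z",  # Tue 17:55 CST, afternoon block
    "2012-03-07T12:20:00Z",  # Wed 20:20 CST, evening block
    "2012-03-08T14:45:00Z",  # Thu 22:45 CST, late evening
    "2012-03-09T18:30:00Z",  # Sat 02:30 CST, weekend night
    "2012-03-10T02:00:00Z",  # Sat 10:00 CST, weekend
    "2012-03-09T00:05:00Z",  # Fri 08:05 CST, morning block
]


def to_cst(ts_iso: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp (trailing 'Z' accepted) and convert it to CST."""
    return datetime.fromisoformat(ts_iso.replace("Z", "+00:00")).astimezone(CST)


def classify(local: datetime) -> str:
    """Assign a CST timestamp to exactly one of the windows used in the article's breakdown."""
    h = local.hour + local.minute / 60
    if local.weekday() >= 5:            # Saturday or Sunday
        return "weekend"
    if 8 <= h < 12 or 14 <= h < 18:     # 8am-noon or 2pm-6pm
        return "core business hours"
    if 19 <= h < 22:                    # 7pm-10pm
        return "evening"
    if 7 <= h < 24:                     # rest of 7am-midnight (lunch lull, late evening)
        return "other daytime"
    return "night"


def summarize(timestamps_utc):
    """Headline percentages (each over all logins) plus a mutually exclusive bucket count."""
    local = [to_cst(t) for t in timestamps_utc]
    n = len(local)
    weekday = sum(1 for d in local if d.weekday() < 5)
    daytime = sum(1 for d in local if 7 <= d.hour < 24)
    core = sum(1 for d in local if 8 <= d.hour < 12 or 14 <= d.hour < 18)
    evening = sum(1 for d in local if 19 <= d.hour < 22)
    return {
        "total": n,
        "weekday_pct": round(100 * weekday / n, 1),
        "daytime_pct": round(100 * daytime / n, 1),
        "core_hours_pct": round(100 * core / n, 1),
        "evening_pct": round(100 * evening / n, 1),
        "by_bucket": Counter(classify(d) for d in local),
    }


def hour_histogram(timestamps_utc):
    """Count logins per CST hour; plotted, this is the shape of the Exhibit F charts."""
    return Counter(to_cst(t).hour for t in timestamps_utc)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGINS_UTC)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Time-of-day clustering is one attribution signal among several; the article's own
    # caveat applies: a well-resourced actor can schedule activity to mimic any time zone.
    for hour, count in sorted(hour_histogram(SAMPLE_LOGINS_UTC).items()):
        print(f"{hour:02d}:00 CST {'#' * count}")
```

The headline percentages are computed as independent filters over all logins, which is how the article phrases them ("X% of the connections occurred ..."), while `classify` gives each login exactly one bucket so the counts add up to the total. Swapping `CST` for another fixed offset lets the same script test whether a competing time zone fits the data better, which is the comparison an analyst needs before leaning on this signal.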

“These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are.”

The “attribution” of responsibility for a cyber attack is very difficult, and this latest collection of data is not sufficient to exclude that a third government has used the same means and methods typically associated with China-based hackers. The fact that the hackers worked during Chinese business hours is further evidence, but the intelligence service of any other government could easily have used this as a diversionary strategy.

Given this, it is clear that all the evidence collected so far leaves no doubt about the nature of the attacks.

(Security Affairs – FireEye, APT1)
