What connections has Mandiant identified between the Chinese government and APT1?
Mandiant proposes that APT1 is, in fact, a unit of the Chinese military: the People's Liberation Army (PLA) Unit 61398. According to Mandiant, APT1 and Unit 61398 are similar in their mission, capabilities, and resources. What's more, Unit 61398 "is also located in precisely the same area from which APT1 activity appears to originate." Specifically, Mandiant said it has traced APT1's activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based.
Additionally, Mandiant found that China Telecom provides dedicated fiber-optic communications infrastructure for Unit 61398.
Finally, Mandiant points out that "in a State that rigorously monitors Internet use, it is highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai. The detection and awareness of APT1 is made even more probable by the sheer scale and sustainment of attacks that we have observed. Therefore the most probable conclusion is that APT1 is able to wage such a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government."
Who has APT1 targeted?
The group targets organizations in predominantly English-speaking countries: Of the 141 APT1 victims Mandiant has identified, 87 percent are headquartered in countries where English is the native language. This includes 115 victims in the United States and seven in Canada and the United Kingdom.
In terms of industries, Mandiant reports that the highest percentage of attacks targeted IT companies, followed by aerospace companies. However, the full list spans 20 industries, ranging from energy and transportation to chemicals and financial services.
What sort of data does APT1 steal?
The group steals a broad range of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations' leadership, according to Mandiant.
Mandiant observed APT1 stealing as much as 6.5 terabytes of compressed data from a single organization over a 10-month period, and estimates that the group has likely stolen hundreds of terabytes from its victims in total.
How is that stolen data used?
Mandiant concedes that it does not have any direct evidence as to who receives data stolen by APT1 or how all that data is processed. However, the company believes that this stolen information can be used to "obvious advantage by the PRC and Chinese state-owned enterprises."
As an example, Mandiant points to a data heist in 2008, targeting a company in the wholesale industry. "Over the following 2.5 years, APT1 stole an unknown number of files from the victim and repeatedly accessed the email accounts of several executives, including the CEO and General Counsel. During this same time period, major news organizations reported that China had successfully negotiated a double-digit decrease in price per unit with the victim organization for one of its major commodities.
"This may be coincidental; however, it would be surprising if APT1 could continue perpetrating such a broad mandate of cyber espionage and data theft if the results of the group's efforts were not finding their way into the hands of entities able to capitalize on them," according to Mandiant.