How extensive is APT1's infrastructure?
According to Mandiant, APT1 controls thousands of systems in support of their computer intrusion activities. In the past two years, the company observed APT1 establish at least 937 command-and-control servers hosted on 849 distinct IP addresses in 13 countries: 709 were registered to organizations in China, and 109 were registered in the United States.
Between January 2011 and January of this year, Mandiant has confirmed 1,905 instances of APT1 actors logging into their attack infrastructure from 832 different IP addresses with Remote Desktop, which provides a remote user with access to a system.
Further, in the past several years, Mandiant has confirmed 2,551 FQDNs (fully qualified domain names) attributed to APT1.
How many people work for APT1?
Mandiant estimates that APT1 has at least dozens, if not hundreds, of human operators. "Given the volume, duration, and type of attack activity we have observed, APT1 operators would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors," according to Mandiant. "APT1 would also need a sizable IT staff dedicated to acquiring and maintaining computer equipment, people who handle finances, facility management, and logistics (e.g., shipping)."
How does APT1 breach a target network?
APT1 has honed its attack methodology over the years to steal massive quantities of intellectual property. The group begins with aggressive spear phishing, proceeds to deploy custom digital weapons, and ends by exporting compressed bundles of files to China. One of APT1's strengths is that its operators have a sufficiently strong grasp of the English language -- a useful skill for duping end-users with socially engineered emails. What's more, APT1 has worked on developing its digital weapons for more than seven years, so the organization rolls out software upgrades on a continual basis. "Their ability to adapt to their environment and spread across systems makes them effective in enterprise environments with trust relationships," according to Mandiant.
For example, after duping a user into launching a malware-infected PDF, an APT1 attacker will install a backdoor, which is fairly typical for an APT attack. However, while APT1 intruders occasionally use publicly available backdoors, such as Poison Ivy and Gh0st RAT, the vast majority of the time they use what appear to be their own custom backdoors. Mandiant has documented 42 families of backdoors used by APT1 that are not publicly available.
How does APT1 maintain its presence on a victim's network for so long?
According to Mandiant, APT1 employs three primary techniques to remain entrenched in a victim's network. One approach is to install new backdoors on multiple systems as they claim more machines. That way, if one backdoor is detected and removed, attackers will still have access. "We usually detect multiple families of APT1 backdoors scattered around a victim network when APT1 has been present for more than a few weeks," according to Mandiant.
A second approach is to use valid VPN credentials to impersonate legitimate users. Mandiant has observed attackers using stolen usernames and passwords to log into victim networks' VPNs when the VPNs are only protected by single-factor authentication.
The third approach is to log in to Web portals, using stolen credentials. This includes not only restricted websites, but also Web-based email systems, such as Outlook Web Access.
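The second and third techniques above both rest on stolen credentials being accepted by single-factor VPNs and Web portals, which makes the authentication log the natural place to look for them. The following is an added example, not code from Mandiant or InfoWorld: it parses a constructed VPN/OWA authentication log (the key=value line format, the field names and the sample entries are all assumptions) and flags two patterns a defender would want surfaced, an account whose successful logins come from several distinct source addresses inside a short window, and successful logins without multi-factor authentication from outside the organization's own address space.

```python
"""Hypothetical credential-misuse detection over constructed authentication logs.

Surfaces the two patterns described in the text: one account authenticating
from many distinct source IPs, and single-factor (no MFA) logins accepted from
outside the corporate allowlist. Log format and field names are assumptions,
not any vendor's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real data). Assumed format:
# <ISO timestamp> service=<vpn|owa> user=<name> src=<ip> result=<ok|fail> mfa=<yes|no>
SAMPLE_LOG = """\
2013-02-18T02:11:05Z service=vpn user=jdoe src=203.0.113.10 result=ok mfa=no
2013-02-18T02:40:19Z service=vpn user=jdoe src=198.51.100.7 result=ok mfa=no
2013-02-18T03:05:42Z service=owa user=jdoe src=192.0.2.77 result=ok mfa=no
2013-02-18T08:30:00Z service=vpn user=asmith src=10.20.30.40 result=ok mfa=yes
2013-02-18T09:15:00Z service=vpn user=asmith src=10.20.30.40 result=ok mfa=yes
2013-02-18T22:45:13Z service=owa user=jdoe src=203.0.113.55 result=fail mfa=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+) mfa=(?P<mfa>yes|no)$"
)


def parse_log(text):
    """Parse the assumed key=value format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "service": d["service"],
            "user": d["user"],
            "src": d["src"],
            "ok": d["result"] == "ok",
            "mfa": d["mfa"] == "yes",
        })
    return events


def multi_source_accounts(events, window=timedelta(hours=24), threshold=3):
    """Accounts whose successful logins span >= threshold distinct source IPs within any window.

    Returns {user: sorted list of source IPs} for each flagged account.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Distinct sources among logins inside [start, start + window].
            ips = {e["src"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ips) >= threshold:
                flagged[user] = sorted(ips)
                break
    return flagged


def single_factor_external(events, allowlist):
    """Successful logins without MFA whose source is outside the allowlisted networks."""
    nets = [ip_network(n) for n in allowlist]
    hits = []
    for e in events:
        if not e["ok"] or e["mfa"]:
            continue
        addr = ip_address(e["src"])
        if not any(addr in n for n in nets):
            hits.append(e)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ips in multi_source_accounts(evs).items():
        print(f"[multi-source] {user}: {', '.join(ips)}")
    for e in single_factor_external(evs, ["10.0.0.0/8"]):
        print(f"[no-mfa external] {e['ts'].isoformat()} {e['service']} {e['user']} from {e['src']}")
```

On the constructed sample, jdoe is reported under both rules (three successful logins from three distinct external addresses, none with MFA), while asmith, whose MFA-backed logins all come from one internal address, produces nothing. The window and threshold are deliberately parameters: a sales team on hotel Wi-Fi will legitimately trip a low threshold, so the values should be tuned against the organization's own baseline before the rule is promoted to an alert.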
This story, "The top 10 questions about the People's Liberation Army's cyber attacks," was originally published at InfoWorld.com.