APT1, Unit 61398, and are state sponsored attacks real?
The label of "state sponsored attacks" or "advanced persistent threat" has been used and abused frequently in the last few years. Hardly ever have we seen any "hard evidence" of how these attacks happen and who is behind them. The report by Mandiant that made the news this week is probably the best public summary of these attacks, listing conclusive evidence linking them to the Chinese government.
Attributing cyber attacks is always very difficult. IP addresses alone don't mean much, as attackers frequently use chains of compromised machines to reach the ultimate target. The Mandiant report uses additional evidence and does a very good and thorough job of tracing the attacks.
But what does it mean to you?
First of all: Read the report (the original, not the press releases and commentaries): http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf . Direct management to the video that Mandiant made.
The report also includes lots of IP addresses and other indicators that you can use to check your own networks for similar compromises.
The attacks follow a very tried and true pattern:
- Send an e-mail to the victim.
- The victim clicks on a link or opens an attachment.
- An exploit is used to compromise the user's system.
- Additional software is then used to establish a foothold and exfiltrate data.
What can you do about this?
At each step, try to see how you could possibly intercept the attack. For example, conduct your own phishing exercises. With permission, register a hotmail/gmail/yahoo mail account using an executive's name. Send an e-mail to all employees using this "from" address and see how many people click. Direct them to a nice but educational page telling them how they may have been "hacked" this way, and what to look for.
This way, you gain a bit of awareness, but you also gain hard numbers on how many people in your organization would have clicked on the link. This is critical to demonstrate the size of the issue to management in order to obtain resources to defend against this threat.
Next, try to prevent the infection of the system. Patching still helps; not all attackers use 0-day exploits. But more importantly, reduce the attack surface by removing unneeded software (Java, Flash, Office...). Office may be a hard one to remove, but limit it to the pieces of the package that are actually needed. It will save you on licensing fees too.
Consider whitelisting. While not perfect, if done right it is a lot better than anti-virus.
And finally, in this very brief list: Don't forget some kind of exfiltration or data leakage protection. Look for anomalies more than for signatures. The better you know what is normal on your network, the better your chances to detect "bad stuff".
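One way to put "know what is normal" into practice, as an added example that is not part of this diary: build a per-host baseline of outbound traffic from a quiet period, then flag later days where a host contacts a destination it never used before or sends far more than its usual daily volume. The flow records, host names and destinations below are constructed sample data.

```python
# Added example: per-host outbound baseline vs. later days. FLOWS are constructed
# sample records (day, host, destination, bytes_out), not real traffic.
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = 5          # days 1-5 define "normal" for each host
FLOWS = [
    (1, "ws-17", "mail.example.net", 1_200_000), (1, "ws-17", "cdn.example.com", 8_000_000),
    (2, "ws-17", "mail.example.net", 1_100_000), (2, "ws-17", "cdn.example.com", 7_500_000),
    (3, "ws-17", "mail.example.net", 1_300_000), (3, "ws-17", "cdn.example.com", 8_200_000),
    (4, "ws-17", "mail.example.net", 1_000_000), (4, "ws-17", "cdn.example.com", 7_900_000),
    (5, "ws-17", "mail.example.net", 1_250_000), (5, "ws-17", "cdn.example.com", 8_100_000),
    # Day 6: a never-before-seen destination receiving a large upload
    (6, "ws-17", "mail.example.net", 1_150_000), (6, "ws-17", "203.0.113.45", 95_000_000),
]


def build_baseline(flows, baseline_days=BASELINE_DAYS):
    """Per host: the set of destinations seen and the list of daily byte totals."""
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))    # host -> day -> bytes
    for day, host, dst, nbytes in flows:
        if day <= baseline_days:
            dests[host].add(dst)
            daily[host][day] += nbytes
    return {h: {"dests": dests[h], "daily": list(daily[h].values())} for h in dests}


def find_anomalies(flows, baseline_days=BASELINE_DAYS, sigma=3.0):
    """Return (day, host, reason, detail) tuples for days after the baseline."""
    base = build_baseline(flows, baseline_days)
    findings, totals = [], defaultdict(int)          # totals: (day, host) -> bytes
    for day, host, dst, nbytes in flows:
        if day <= baseline_days:
            continue
        if host not in base:                          # no baseline at all: cannot judge "normal"
            findings.append((day, host, "unknown_host", dst))
            continue
        if dst not in base[host]["dests"]:
            findings.append((day, host, "new_destination", dst))
        totals[(day, host)] += nbytes
    for (day, host), total in totals.items():
        vals = base[host]["daily"]
        avg = mean(vals)
        spread = max(pstdev(vals), 0.1 * avg)         # floor so a constant-traffic host still gets a band
        limit = avg + sigma * spread
        if total > limit:
            findings.append((day, host, "volume", f"{total} bytes exceeds {int(limit)}"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(FLOWS):
        print(finding)
```

The same structure works over real proxy or NetFlow exports once a loader fills FLOWS; the baseline window and sigma are the knobs to tune against your own false-positive rate.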
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
Think differently. Think about using virtualization and moving email and web browsing to highly protected enclaves. Is it really enough to keep adding expensive products and still know you can't protect the Enterprise?
QubesOS can protect a desktop, but how do you expand that model out to a network? There are ways, and nearly every virtualization technology can support them.
fordpref
Feb 20th 2013
What I like about whitelisting is that it answers one important question: What is supposed to be on the systems? Even experienced sysadmins usually don't know.
jullrich@sans.edu
Feb 20th 2013
A Californian hacker with madirish in their email address used exactly the same methods to drop a nasty payload onto my development PC in 2004. This was via an email containing a forwarded email from an employee, with an attached image that carried a payload with a keylogger and a remote access component that was pretty sophisticated at the time. Sorry, this MO is too similar to be funny. I had detected the employee who forwarded me the email attempting to gain access to our FTP site, which contained PDF files that the employee did not have access to on our main server. Six weeks later the employee's website was found and he was trying to sell the downloaded documents.
I have read the PDF and 'may' is not a very strong word when you consider the criminality of the MO.
Laurie
Feb 20th 2013
For instance, an email enclave would not be able to initiate any connections to the internal enclave. Clients opening the app on their desktop don't really know that they are opening a virtual app. That system connects to the app server in the enclave and they read through their email. The catch would be that in order to open an attachment, they have to save it to a specific directory and then open it on their desktop. An internal file share server polls the file server in the enclave to look for new files and then pulls them down. The client/user doesn't see this. Attachments also must be put into a specific directory that gets pushed to the enclave.
There is a lot more to it, and it is complicated and expensive, but you can create enclaves for trusted and untrusted browsing too.
There are many ways to accomplish this, and whitelists still become a part of the solution. Only now you have taken the two biggest attack vectors and moved them into highly controlled enclaves. You have significantly reduced the traffic radiating from the internal hosts, making it much easier to find infections and intrusions.
It isn't that it is a solution, just an example of how we can start re-thinking security and network architecture to address issues instead of always trying to find a better detection/security tool.
fordpref
Feb 20th 2013