Mandiant found that China Telecom had installed a special fiber optic network for Unit 61398 for national defense purposes. Like most APTs, APT1 starts most of its targeted attacks with a convincing-looking spearphishing email that includes an infected attachment.
The company today released more than 3,000 telltale indicators of APT1 infections—domain names, IP addresses, and MD5 hashes of malware, as well as sample indicators of compromise that include more than 40 malware families, 13 encryption certificates used by the group, and videos showing some real attacks by the group.
Mandiant also revealed details on three members of APT1, including one who writes malware for the unit and appears to be a big Harry Potter fan based on his authentication security questions, and another who goes by "Ugly Gorilla" and has a penchant for signing his malware with his trademark hacker handle. Another hacker who goes by "SuperHard" revealed his physical location was the Pudong New Area of Shanghai.

Given China's heavy monitoring of Internet use, it's "highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai," the Mandiant report says. "Therefore the most probable conclusion is that APT1 is able to wage such a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government. Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1."
The "APT1: Exposing One of China's Cyber Espionage Units" report is available for download.