Corporate Security and Chinese Hacking

Lessons from the Mandiant Report on Chinese Espionage

by Jim L

Last year a report was published that shines a light on sophisticated hacker techniques and how they have been successfully used in the real world.

I'm referring to the Mandiant report called "APT1: Exposing One of China's Cyber Espionage Units."

It can be found at intelreport.mandiant.com/Mandiant_APT1_Report.pdf.  It's a great report that shows how a foreign government used common and advanced techniques to pillage corporate databases.  Given that corporate espionage costs billions of dollars every year, this report got my attention.  When a threat is as well funded, planned, and executed as this one was, it gets labeled as an "Advanced Persistent Threat" (APT).  This report looks at one particularly aggressive group affiliated with the Chinese military that it calls "APT1."  Even when one excludes the political and diplomatic implications of such a sensitive topic, the report is still a great read for its detailed examination of how all the dirty work gets done.  I think hackers and curious minds everywhere should read it over and see what can be learned from it.  In this article, I'll summarize the findings of the report and offer some suggestions companies (and individuals too) can take to improve their security.

First, a little overview of how Chinese hacking has impacted U.S. companies, particularly those in the defense industry.  In the age of the Internet, cyber spying stands out as a gold mine of information acquisition, and this report shows why.  The volume of attacks attributed to China has reached such a level that the U.S. government considers it a threat to economic competitiveness.  Industries hacked include energy, finance, aerospace, information technology, and automobiles.  Intellectual property theft targets a variety of technological areas, including defense and military technology.  In 2011, Chinese hackers are believed to have stolen SecurID token seed data from the security company RSA, and that data was later used in an attack on Lockheed Martin's network.  Lockheed Martin may also have lost information related to the newest stealth fighter, which could jeopardize lives and cost millions of dollars.

One defense contractor, QinetiQ, was reportedly infiltrated and took little action to stop it even after repeated warnings from NASA and the NCIS.  The network was compromised at every level for almost a year.  As a result, investigators said that terabytes of data, including classified information relating to military robotics, drones, and the Army's helicopter fleet, including PIN codes that could now be used to identify helicopters' deployment and combat-readiness, were stolen.  (Schwartz, 2013)

It is more than a little disturbing that the national security of the United States could be at risk from such security breaches.  Many of the security breaches are downplayed by companies worried about their public image.  However, the more such security breaches are kept hidden, the harder it will be to force companies to take security more seriously.  Due to the persistent nature and broad scope of such attacks, one former Bush administration official feared we could find that some of America's most critical and expensive weapons technologies will fail to perform in a military conflict with China.  While the Chinese government denies engaging in computer hacking, evidence to the contrary is mounting.  The report by Mandiant stands out as one of the most well documented reports to date linking economic cyber espionage directly to the Chinese military.  While the amount of public information related to IP theft and hacking could literally fill volumes of books, the Mandiant report deserves special attention because it consolidates the hacking problem into one coherent and well documented report.

The actor known as APT1 is believed to be the 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department, commonly known by its Military Unit Cover Designator, Unit 61398.  This unit recruits people with the background necessary to conduct hacking operations against English speaking targets.  In addition to English language proficiency, recruits are skilled in highly technical areas of information technology, including computer security.  China Telecom built special fiber optic communications infrastructure for the unit in the name of national defense.  The data stolen by this unit since 2006 is measured in terabytes, and at least 141 organizations across 20 major industries are known to have been targeted.  The attacks are continuous and widespread.  Once a target was compromised, the unit maintained a presence on the network for 356 days on average, and in one case for nearly five years.  The information targeted is highly technical and confidential: system designs, test results, business plans, manufacturing procedures, management emails, network architecture information, and user credentials.  (Mandiant, 2013)

Anatomy of an Attack

This kind of cyber espionage requires the exploitation of vulnerabilities in existing computer systems and networks.  Vulnerabilities range from unpatched software to zero day exploits to social engineering.  Not surprisingly, people appear to be the weak link that APT1 exploits the most.  Spear phishing is APT1's most commonly used technique.  Why spear phish?  Because spear phishing works!  The methods used to carry out these attacks are a textbook lesson in computer security and hacking.  Unlike many spear phishing emails, theirs use proper English to the point that they can fool well-educated targets.  They even incorporate American slang to an extent.

The emails originate from free webmail accounts and contain malicious attachments or hyperlinks to malicious sites.  When someone opens the attachment or follows the link, malware is loaded onto their computer.  Many of the malicious attachments used by APT1 have been ZIP files, which shows the importance of not casually opening files from unknown sources.  Once the ZIP file is opened, the user may see what appears to be an Adobe PDF file.  The file is actually an executable dressed up with an Adobe PDF icon.  Because Windows hides known file extensions by default, a file named, say, report.pdf.exe is displayed as report.pdf, and most users won't look closely enough to notice the .EXE at the end.
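Here is a small check, written for this article rather than taken from the Mandiant report, that a mail gateway or an analyst could run against a ZIP attachment to catch the trick just described.  The sample archive it builds is constructed for illustration; the file names and contents are not real APT1 samples.

```python
import io
import zipfile

# File types Windows runs directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Unicode right-to-left override: makes "report" + RLO + "fdp.exe" render as "reportexe.pdf".
RLO = "\u202e"
# Leading bytes of the document formats a lure usually claims to be.
MAGIC = {".pdf": b"%PDF", ".doc": b"\xd0\xcf\x11\xe0", ".docx": b"PK\x03\x04"}
PE_MAGIC = b"MZ"  # every Windows executable starts with the DOS header "MZ"


def inspect_zip(data: bytes) -> list:
    """Return (member name, reason) findings for every suspicious member of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            with zf.open(info) as member:
                head = member.read(8)  # only the header is needed to identify the real type
            ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
            if RLO in name:
                findings.append((name, "right-to-left override character in name"))
            if ext in EXECUTABLE_EXTENSIONS:
                reason = "executable extension"
                if lower.count(".") >= 2:
                    reason += " behind a document-looking name"
                findings.append((name, reason))
            elif head.startswith(PE_MAGIC):
                findings.append((name, f"PE executable with {ext or 'no'} extension"))
            expected = MAGIC.get(ext)
            if expected and not head.startswith(expected):
                findings.append((name, f"content does not match the {ext} header"))
    return findings


def build_sample() -> bytes:
    """Construct a sample attachment (illustrative only, not a real phishing sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quarterly_Report.pdf.exe", PE_MAGIC + b"\x00" * 62)  # the PDF-icon trick
        zf.writestr("Agenda.pdf", b"%PDF-1.4\n%constructed sample\n")  # benign
        zf.writestr("Invoice.docx", PE_MAGIC + b"\x00" * 30)  # executable renamed to .docx
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample()):
        print(f"{member}: {reason}")
```

Run on its own, it reports the two disguised executables and says nothing about Agenda.pdf.  The header check is the one that matters: a member named Invoice.docx whose first two bytes are MZ is an executable no matter what its name or icon says, which is exactly the property the PDF-icon trick relies on users not checking.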

Once the malware runs, it installs a backdoor on the victim's machine.  The backdoor is useful to the attacker because it initiates an outbound connection to the malware's Command and Control (C2) server.  Outbound connections on common ports are allowed through most corporate firewalls, whereas an inbound connection to a workstation would normally be blocked.  Over this channel the malware can send data back to the C2 server or download additional malware.  Multiple kinds of malware were used in the APT1 attacks; in fact, Appendix C of the Mandiant report, which details the malware used, is 153 pages long.  Another indicator of the sophistication of the attacks (and likely government involvement) is that most of the malware was custom made for these cyber-exploitation campaigns.

Mandiant describes the intrusions as a lifecycle: initial reconnaissance, initial compromise, establishing a foothold, escalating privileges, internal reconnaissance, moving laterally, maintaining presence, and completing the mission.  It also divides APT1's backdoors into two families, beachhead backdoors and standard backdoors.  A beachhead backdoor establishes a presence on the compromised system, gathers system information, and lays the groundwork for additional malware.

For example, it might open a Windows command shell, download and execute a file, and then sleep until it is time to be used again.  This type of backdoor is typically delivered by one of the initial spear phishing emails sent to a target.  Once an attacker is in the system, other backdoors will be created and kept hidden, ready to be used if the first ones are found and removed.  This is what makes the network compromise persistent.

One family of beachhead backdoor, which Mandiant calls WEBC2, downloads an ordinary looking HTML page from a C2 server and looks for commands hidden between special HTML tags, often inside HTML comments.  After the foothold is established, the standard backdoors do most of the cyber espionage.  Their capabilities include uploading and downloading files, taking screen shots of the victim's computer, logging keystrokes, creating or modifying programs, altering the registry, stealing passwords, identifying users, and even establishing remote desktop sessions.  (Mandiant, 2013)
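To make the WEBC2 idea concrete, here is a small added example (mine, not code from the report) that scans a captured web page for command-like text hidden in HTML comments.  The comment-plus-base64 format is an assumption chosen for illustration; the real WEBC2 variants each have their own encoding, so treat this as a triage heuristic for a page that a suspect host keeps fetching, not as a signature.  The sample page is constructed.

```python
import base64
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")  # base64 alphabet with optional padding


def extract_hidden_commands(html: str) -> list:
    """Return decoded comment bodies that look like tasking rather than markup."""
    hits = []
    for comment in COMMENT_RE.findall(html):
        body = comment.strip()
        # Ordinary developer comments contain spaces and punctuation; skip them.
        if len(body) < 8 or B64_RE.fullmatch(body) is None:
            continue
        try:
            decoded = base64.b64decode(body, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or it decodes to binary junk
        if decoded.isprintable():
            hits.append(decoded)
    return hits


def build_sample_page(command: str) -> str:
    """Construct a page that looks like a company news site with one hidden instruction."""
    hidden = base64.b64encode(command.encode()).decode()
    return f"""<html><head><title>Company News</title></head>
<body>
<!-- main content starts here -->
<p>Welcome to our site.</p>
<!-- ABCDEFGHIJKL -->
<!-- {hidden} -->
<p>Copyright 2013</p>
</body></html>"""


if __name__ == "__main__":
    page = build_sample_page("cmd: download http://c2.example.net/update.exe")
    print(extract_hidden_commands(page))
```

The "ABCDEFGHIJKL" comment is there on purpose: it passes the alphabet check but decodes to non-ASCII bytes, so the decode step discards it.  For a network defender the stronger signal is usually the traffic pattern rather than the page content: one workstation fetching the same obscure page every few minutes, with the page differing only in a comment, is not how people browse.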

These backdoors try to mimic routine network traffic in order to avoid detection.  Mandiant's names for some of these families reflect what they imitate: the MACROMAIL backdoor mimics MSN Messenger traffic, and the CALENDAR backdoor uses Google Calendar to receive commands and send data.

As part of a standard hacking methodology, the APT1 attackers employ privilege escalation to gain access to sensitive files and directories.  They dump password hashes (and, with mimikatz, sometimes cleartext passwords from memory) using publicly available tools such as cachedump, fgdump, mimikatz, the Pass-the-Hash Toolkit, and pwdump7.  Once they have the hashes, they can crack them offline, or skip cracking altogether and authenticate with the hash itself (pass the hash), which works no matter how strong the password is.  With working credentials, they can log on as privileged users and access even more data.  As the attackers gain greater access rights, they run basic Windows commands to explore the target systems, either typed by hand or bundled into batch files: commands such as ipconfig /all, net view, net user, net group "domain admins" /domain, net localgroup administrators, net start, and tasklist /v.  These yield information about who is logged in, network configuration, domain information, which accounts exist on the network, which accounts have administrator privileges, and currently running services.  At this point, the attackers can move laterally through the environment, gathering and stealing information.

They also install multiple backdoors so that if one is discovered and removed, another is waiting.  Once the attackers have a user's account name and password, they can impersonate that user over the company's VPN or webmail, which needs no malware at all.  The group also steals email using two of its own utilities, GETMAIL and MAPIGET, which pull messages from Outlook PST archives and directly from Microsoft Exchange servers.  As they mine the data, APT1 packs it into archives in the proprietary RAR format, typically password protected and split into volumes of manageable size (around 200 MB), and uploads them to its infrastructure.  Because the archives are encrypted, a victim examining network captures cannot see what was taken; the archives themselves, if they are still on disk, and the staging directories they were built from are often the only record of what was stolen.
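The sequence described in the last two paragraphs is one of the most detectable moments of the whole intrusion, because normal users do not run net group "domain admins" /domain, a credential dumper, and rar with header encryption in the same afternoon.  The following detector, written for this article rather than taken from the report, runs over constructed Windows process-creation events (the kind of data Security event 4688 or Sysmon provides), reduced here to a pipe-delimited line per event, and flags the reconnaissance burst, the credential-dumping tools named above, and the encrypted RAR staging.  All host names, users, paths and commands are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Internal reconnaissance commands typical of a freshly compromised host.
RECON_PATTERNS = [
    r"\bipconfig\s+/all",
    r"\bnet\s+view\b",
    r"\bnet\s+user\b",
    r'\bnet\s+group\s+"?domain\s+admins"?',
    r"\bnet\s+localgroup\s+administrators\b",
    r"\bnet\s+start\b",
    r"\btasklist\b",
    r"\bwhoami\b",
]
CRED_DUMP_TOOLS = {"pwdump7.exe", "fgdump.exe", "cachedump.exe", "mimikatz.exe", "gsecdump.exe"}
RAR_HEADER_ENCRYPT = re.compile(r"(^|\s)-hp\S*")  # rar -hp<pw>: encrypt contents and file names
RECON_WINDOW = timedelta(minutes=10)
RECON_THRESHOLD = 4  # distinct recon commands from one host inside the window

# Constructed events: timestamp|host|user|image path|command line
SAMPLE_LOG = [
    "2013-02-18 09:00:00|WS-042|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe|cmd.exe /c ipconfig /all",
    "2013-02-18 09:00:05|WS-042|CORP\\jsmith|C:\\Windows\\System32\\net.exe|net view /domain",
    '2013-02-18 09:00:11|WS-042|CORP\\jsmith|C:\\Windows\\System32\\net.exe|net group "domain admins" /domain',
    "2013-02-18 09:00:20|WS-042|CORP\\jsmith|C:\\Windows\\System32\\net.exe|net localgroup administrators",
    "2013-02-18 09:00:31|WS-042|CORP\\jsmith|C:\\Windows\\System32\\tasklist.exe|tasklist /v",
    "2013-02-18 09:05:00|WS-042|CORP\\jsmith|C:\\Windows\\Temp\\pwdump7.exe|pwdump7.exe",
    '2013-02-18 11:30:00|WS-042|CORP\\jsmith|C:\\Program Files\\WinRAR\\rar.exe|rar a -hpSecret -m5 -v200m -r C:\\Windows\\Temp\\1.rar "C:\\Users\\jsmith\\Documents\\Designs"',
    "2013-02-18 13:00:00|WS-007|CORP\\admin|C:\\Windows\\System32\\cmd.exe|cmd.exe /c ipconfig /all",
    "2013-02-18 17:45:00|WS-007|CORP\\admin|C:\\Windows\\System32\\net.exe|net view",
]


def parse(line: str) -> dict:
    ts, host, user, image, cmd = line.split("|", 4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "host": host,
        "user": user,
        "image": image.lower().rsplit("\\", 1)[-1],  # keep only the file name
        "cmd": cmd.strip(),
    }


def detect(lines: list) -> list:
    """Return (alert type, host, detail) tuples for the three behaviours described above."""
    alerts = []
    recon = defaultdict(list)  # host -> [(timestamp, matched pattern)]
    for line in lines:
        ev = parse(line)
        if ev["image"] in CRED_DUMP_TOOLS:
            alerts.append(("credential_dump_tool", ev["host"], ev["cmd"]))
        if ev["image"] in ("rar.exe", "winrar.exe") and RAR_HEADER_ENCRYPT.search(ev["cmd"]):
            alerts.append(("encrypted_rar_staging", ev["host"], ev["cmd"]))
        for pattern in RECON_PATTERNS:
            if re.search(pattern, ev["cmd"], re.IGNORECASE):
                recon[ev["host"]].append((ev["ts"], pattern))
                break
    # A burst of distinct recon commands in a short window is the signal;
    # a single "ipconfig /all" from a help-desk technician is not.
    for host, events in recon.items():
        events.sort(key=lambda e: e[0])
        for start, _ in events:
            seen = {p for t, p in events if start <= t <= start + RECON_WINDOW}
            if len(seen) >= RECON_THRESHOLD:
                alerts.append(("recon_burst", host, f"{len(seen)} distinct recon commands within {RECON_WINDOW}"))
                break
    return alerts


if __name__ == "__main__":
    for kind, host, detail in detect(SAMPLE_LOG):
        print(f"{kind:24} {host:8} {detail}")
```

WS-042 trips all three rules; WS-007, whose two reconnaissance commands are hours apart, trips none.  The rar rule keys on -hp rather than -p because -hp also encrypts the file names inside the archive, which is what leaves the victim unable to tell what was taken.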

How can one be certain these attacks really originated in China?  Fortunately, Mandiant also documents the worldwide Internet infrastructure used by APT1.  Mandiant could observe APT1 activity after it reached victim servers in the U.S. and trace it back through the intermediate systems it passed through.  Although APT1 routed its activity through servers in countries all over the world, the attacks were traced back to four large network blocks in Shanghai.  These intermediate "hop points" make the attacks appear to originate in countries other than China.  APT1 creates hop points by compromising networks in various countries and then using them as launch pads for attacks against its real targets.  Remarkably, Mandiant was able to observe APT1 logging into some of its compromised hop points: it recorded 1,905 such logins from 832 different IP addresses, 98.2 percent of which were registered in China.  (Mandiant, 2013)

The IP address ranges from which these logins originated were mostly registered to China Unicom Shanghai Network, and the registration records even included contact details.  Because APT1 used Remote Desktop Protocol (RDP) to operate its hop points, the operators inadvertently disclosed details about themselves: the keyboard layout observed in the RDP sessions was "Chinese (Simplified) - U.S. Keyboard."  Neither a source address nor a keyboard layout is conclusive on its own, but together with the rest of the evidence they are a strong indication that the attacks were conducted from China by Chinese speakers.

APT1 also relied on C2 servers and DNS to run the espionage.  Of the C2 servers Mandiant examined, 709 were in China and 109 were in the U.S.  These servers used several protocols: FTP for file transfer, HTTP, RDP for remote control of a system, and HTran for proxying connections between hop points.  DNS allowed APT1 to use Fully Qualified Domain Names (FQDNs) in its malware instead of hard coded IP addresses.  An IP address can be blocked or shut down, but by pointing an FQDN at a new address APT1 could keep its connections to compromised networks alive, so a defender who blocks only the IP address accomplishes little.  Some of the domain registration records were fraudulent; other domains had been hijacked.  In either case, APT1 built a cyber espionage architecture on ordinary Internet infrastructure that is vast and persistent.
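The practical consequence of the FQDN trick is that the domain, not the address, is the durable indicator, and that the domain's resolution history tells you which addresses to go looking for in old logs.  The following added example (not from the report) builds that pivot from a constructed passive-DNS history and then checks constructed proxy logs for any internal host that ever talked to the resulting infrastructure.  Every domain and address here is made up, using documentation address ranges.

```python
from collections import defaultdict

# Constructed passive-DNS history: (first seen, FQDN, resolved IP). Not real APT1 data.
PASSIVE_DNS = [
    ("2012-11-01", "update.example-news.net", "192.0.2.10"),
    ("2012-12-15", "update.example-news.net", "198.51.100.7"),   # re-pointed after a block
    ("2013-01-20", "update.example-news.net", "203.0.113.55"),   # re-pointed again
    ("2012-12-15", "cdn.example-mail.org", "198.51.100.7"),      # shares a hop point
    ("2013-02-01", "www.example.com", "203.0.113.9"),            # unrelated
]

# Constructed outbound proxy log: (timestamp, internal host, destination IP, Host header).
PROXY_LOG = [
    ("2012-11-03 08:12:00", "WS-042", "192.0.2.10", "update.example-news.net"),
    ("2013-01-22 09:30:00", "WS-042", "203.0.113.55", "update.example-news.net"),
    ("2013-01-05 10:00:00", "WS-017", "198.51.100.7", "cdn.example-mail.org"),
    ("2013-02-02 11:00:00", "WS-099", "203.0.113.9", "www.example.com"),
]


def pivot(seed_fqdn: str, pdns: list, max_depth: int = 2):
    """Expand one known-bad FQDN into every IP it resolved to and every other FQDN that shared those IPs."""
    name_to_ips, ip_to_names = defaultdict(set), defaultdict(set)
    for _, name, ip in pdns:
        name_to_ips[name].add(ip)
        ip_to_names[ip].add(name)
    names, ips = {seed_fqdn}, set()
    for _ in range(max_depth):  # bounded, so shared hosting cannot drag in the whole Internet
        ips |= set().union(*(name_to_ips[n] for n in names))
        names |= set().union(*(ip_to_names[i] for i in ips))
    return names, ips


def find_contacts(proxy_log: list, names: set, ips: set) -> list:
    """Every proxy record that touched the infrastructure, by address or by name."""
    return [rec for rec in proxy_log if rec[2] in ips or rec[3] in names]


if __name__ == "__main__":
    names, ips = pivot("update.example-news.net", PASSIVE_DNS)
    print("sinkhole these names:", sorted(names))
    print("hunt for these addresses:", sorted(ips))
    for rec in find_contacts(PROXY_LOG, names, ips):
        print("contact:", rec)
```

Starting from one domain, the pivot recovers all three addresses it has pointed at, picks up a second domain that shared a hop point, and finds a contact from WS-042 dating from before the domain was re-pointed, which an address-only block list would have missed.  Pivoting on shared addresses also pulls in unrelated domains on shared hosting, so review each hop before blocking it.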

Common Sense Security

A strong corporate security policy cannot prevent all attacks, but it can make them much more difficult to conduct.  In fact, common sense security policies that are already standard practice in the IT community today could have prevented much of the theft that has occurred.  There is simply no reason for a business entity not to address the methods employed by APT1 when developing a security policy.

Business and government entities (especially those working on sensitive technologies) should conduct periodic reviews of their security landscape with an eye toward spotting vulnerabilities and unsecured access points.  These reviews should also look at employee training programs, current backup and disaster recovery procedures, change management policies, network architecture, firewall policies and rules, wireless access points, use of encryption, remote access, and other areas of vulnerability.  These reviews will help develop and maintain a comprehensive security policy that is implemented through strict corporate procedures.

The case of APT1 shows that poor decisions by employees can open the door to a cyber intrusion.  One of the simplest things a company can do to protect itself is to train employees in the basics of information security.  If you work in corporate security, train your employees not to click on unverified hyperlinks, to be suspicious of emails from outside the company, and not to open attachments they are not expecting or that come from people they do not know.  They need to understand that sender addresses can be spoofed and that attachments can be dangerous.  Had employees been more careful about opening email and clicking links, many of APT1's attempts to gain network access would have failed.  It is also simple and inexpensive for a company to adopt a strong password policy.  The stronger the password, the longer it takes to crack from a stolen hash.  Keep in mind, though, that a stolen hash can be replayed directly with pass-the-hash without ever being cracked, so restricting where privileged accounts log on (and therefore where their hashes end up) matters as much as password length.  Forcing employees to change passwords every 90 days and preventing the reuse of old ones means an attacker relying on a stolen password loses access once it expires, although it does nothing against a backdoor that is already installed.  Make sure employees know whom to contact if they notice suspicious activity.  That way, security has a chance to stop an attack before it succeeds.

Strong email and spam filtering should be in place to stop phishing emails from arriving in the first place.  It would also make sense to adopt policies that prevent employees from sending company files and data through private email accounts, especially free webmail accounts.  Corporate data should stay on the corporate network.  With good training, an employee should immediately be suspicious if a manager sends attachments or links from a non-work email account.  Companies and government entities should also implement multi-factor authentication using security tokens.  A token generates a short code derived from a secret seed shared with the authentication server and the current time, so the server can compute the same value; the code changes at a fixed interval (typically every 30 or 60 seconds).

When the employee attempts to log on, they type the token's current code into the logon screen.  If it matches what the server computes for that moment, access is granted.  In addition to the token code, the employee should also have to provide a PIN that only the employee knows.  That way, someone who steals the token still cannot log in, even knowing the user ID and password.  To log on remotely, the employee needs a user ID, a password, a PIN, and the token's current code.  This type of multi-factor authentication should be required for remote VPN access as well as webmail access.

Other standard precautions all companies and individuals should take include maintaining an up to date and effective patch management policy.  Assume that every known software vulnerability will eventually be exploited, so apply patches for both operating systems and applications promptly.  Anti-virus definitions should be current and scans should be run regularly on the network and against all files downloaded from the Internet, bearing in mind that custom malware like APT1's often evades signature-based anti-virus, so it is a baseline rather than a defense against this kind of adversary.  Firms should use intrusion detection and prevention systems (IDS/IPS) both on the network and on individual hosts.  They should develop and enforce strong authentication for VPNs and remote access.  To limit data loss from lost or stolen machines, laptops should use full-disk encryption.  Companies should practice good wireless security by scanning for and shutting down rogue access points.  The current wireless security protocol, WPA2, should be mandatory, and the most sensitive parts of the network should be unreachable from Wi-Fi.  Finally, they should conduct frequent penetration tests against the network to surface vulnerabilities before an adversary does.

I learned a lot about hacking and security from this report.  It should be of interest to hackers, security professionals, and anyone else interested in keeping information safe in a cyber-world.

Bibliography

Return to $2600 Index