schemas.v1.1.1.samples.APT1.Mandiant_APT1_Report.xml Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of stix Show documentation
Show all versions of stix Show documentation
The Java bindings for STIX v.1.2.0.2
<?xml version="1.0" encoding="UTF-8"?> <!-- APT1: Exposing One of China's Cyber Espionage Units (the "APT1 Report") is copyright 2013 by Mandiant Corporation and can be downloaded at intelreport.mandiant.com. This XML file using the STIX standard was created by The MITRE Corporation using the content of the APT1 Report with Mandiant's permission. Mandiant is not responsible for the content of this file. The following content represents a partial extraction of information from the Mandiant APT1 Report published 2/19/13. While not all content was converted into structured STIX format, the content here represents illustrative examples of how various threat related information (e.g. ThreatActors, TTP, Infrastructure, Tools, VictimTargeting, Malware, Indicators, etc.) can be structurally represented using STIX. In aligning the report with the STIX architecture, the report was divided into the following major constructs: - STIX Header: Describes the report Executive Summary, handling, information source, etc. - TTPs: Several TTPs (Tactics, Techniques, and Procedures) were created to describe: - The overall characterization of adversary behavior, intent and capability - Brief prose descriptions of malware used - Victim targeting - Individual kill chain phases - Leveraged infrastructure - Leveraged tools - Kill Chain Description: A short description of the Mandiant Attack Lifecycle as contained in the report - Threat Actor Characterization: Characterization of the APT1 threat actor and associated actors This extraction and conversion was done by hand. As such it may contain errors and is intended for illustrative purposes only. --> <stix:STIX_Package id="mandiant:package-e33ffe07-2f4c-48d8-b0af-ee2619d765cf" timestamp="2014-05-08T09:00:00.000000Z" version="1.1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:marking="http://data-marking.mitre.org/Marking-1" xmlns:terms="http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2" xmlns:AddressObject="http://cybox.mitre.org/objects#AddressObject-2" xmlns:URIObject="http://cybox.mitre.org/objects#URIObject-2" xmlns:LinkObject="http://cybox.mitre.org/objects#LinkObject-1" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:campaign="http://stix.mitre.org/Campaign-1" xmlns:threat-actor="http://stix.mitre.org/ThreatActor-1" xmlns:stix-ciq="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1" xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xmlns:xal="urn:oasis:names:tc:ciq:xal:3" xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3" xmlns:lmco="lockheedmartin.com" xmlns:mandiant="http://www.mandiant.com" xmlns:mitre="http://www.mitre.org" xsi:schemaLocation=" http://cybox.mitre.org/objects#AddressObject-2 ../../cybox/objects/Address_Object.xsd http://cybox.mitre.org/objects#URIObject-2 ../../cybox/objects/URI_Object.xsd http://cybox.mitre.org/objects#LinkObject-1 ../../cybox/objects/Link_Object.xsd http://stix.mitre.org/Indicator-2 ../../indicator.xsd http://stix.mitre.org/Campaign-1 ../../campaign.xsd http://stix.mitre.org/ThreatActor-1 ../../threat_actor.xsd http://stix.mitre.org/TTP-1 ../../ttp.xsd http://stix.mitre.org/default_vocabularies-1 ../../stix_default_vocabularies.xsd http://cybox.mitre.org/default_vocabularies-2 ../../cybox/cybox_default_vocabularies.xsd http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 ../../extensions/identity/ciq_3.0_identity.xsd http://stix.mitre.org/stix-1 ../../stix_core.xsd http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1 ../../extensions/marking/terms_of_use_marking.xsd"> <stix:STIX_Header> <stix:Title>APT1: Exposing One of China's Cyber Espionage Units</stix:Title> <stix:Package_Intent>Threat Actor Report</stix:Package_Intent> <stix:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the "Advanced Persistent Threat" (APT). We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that "The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement." Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them. </P> <p> Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as "APT1" and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1’s operations compelled us to write this report. </P> <p> The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others. </P> <p> Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate. </P> </body> </html>]]> </stix:Description> <stix:Handling> <marking:Marking> <marking:Controlled_Structure>//node()</marking:Controlled_Structure> <!-- Apply following marking to entire document --> <marking:Marking_Structure xsi:type="terms:TermsOfUseMarkingStructureType"> <terms:Terms_Of_Use>APT1: Exposing One of China's Cyber Espionage Units (the "APT1 Report") is copyright 2013 by Mandiant Corporation and can be downloaded at intelreport.mandiant.com. This XML file using the STIX standard was created by The MITRE Corporation using the content of the APT1 Report with Mandiant's permission. Mandiant is not responsible for the content of this file.</terms:Terms_Of_Use> </marking:Marking_Structure> </marking:Marking> </stix:Handling> <stix:Information_Source> <stixCommon:Identity> <stixCommon:Name>MITRE</stixCommon:Name> </stixCommon:Identity> <stixCommon:Role xsi:type="stixVocabs:InformationSourceRoleVocab-1.0">Transformer/Translator</stixCommon:Role> <stixCommon:Contributing_Sources> <stixCommon:Source> <stixCommon:Identity> <stixCommon:Name>Mandiant</stixCommon:Name> </stixCommon:Identity> <stixCommon:Role xsi:type="stixVocabs:InformationSourceRoleVocab-1.0">Initial Author</stixCommon:Role> <stixCommon:Time> <cyboxCommon:Produced_Time precision="day">2013-02-19T00:00:00Z</cyboxCommon:Produced_Time> </stixCommon:Time> </stixCommon:Source> </stixCommon:Contributing_Sources> <stixCommon:Time> <cyboxCommon:Produced_Time precision="day">2014-01-16T00:00:00Z</cyboxCommon:Produced_Time> </stixCommon:Time> <stixCommon:References> <stixCommon:Reference>http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf</stixCommon:Reference> </stixCommon:References> </stix:Information_Source> </stix:STIX_Header> <!-- Top-level APT1 TTP --> <stix:TTPs> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8" xsi:type="ttp:TTPType"> <ttp:Title>APT1 Tactics, Techniques and Procedures</ttp:Title> <ttp:Intended_Effect> <stixCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p> Our evidence indicates that APT1 has been stealing hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006. Remarkably, we have witnessed APT1 target dozens of organizations simultaneously. Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organizations’ leadership. We believe that the extensive activity we have directly observed represents only a small fraction of the cyber espionage that APT1 has committed. </P> </body></html>]]> </stixCommon:Description> </ttp:Intended_Effect> <ttp:Intended_Effect> <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Economic</stixCommon:Value> </ttp:Intended_Effect> <ttp:Intended_Effect> <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Intellectual Property</stixCommon:Value> </ttp:Intended_Effect> <ttp:Intended_Effect> <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Competitive Advantage</stixCommon:Value> </ttp:Intended_Effect> <ttp:Intended_Effect> <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value> </ttp:Intended_Effect> <ttp:Intended_Effect> <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value> </ttp:Intended_Effect> <ttp:Victim_Targeting> <ttp:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:FreeTextLines> <xpil:FreeTextLine> The group does not target industries systematically but more likely steals from an enormous range of industries on a continuous basis. </xpil:FreeTextLine> <xpil:FreeTextLine> Organizations in all industries related to China’s strategic priorities are potential targets of APT1’s comprehensive cyber espionage campaign. </xpil:FreeTextLine> </xpil:FreeTextLines> <xpil:Addresses> <xpil:Address> <xal:Country> <xal:NameElement>United States</xal:NameElement> <xal:NameElement>Canada</xal:NameElement> <xal:NameElement>United Kingdom</xal:NameElement> <xal:NameElement>Norway</xal:NameElement> <xal:NameElement>France</xal:NameElement> <xal:NameElement>Belgium</xal:NameElement> <xal:NameElement>Luxembourg</xal:NameElement> <xal:NameElement>Switzerland</xal:NameElement> <xal:NameElement>Israel</xal:NameElement> <xal:NameElement>UAE</xal:NameElement> <xal:NameElement>South Africa</xal:NameElement> <xal:NameElement>India</xal:NameElement> <xal:NameElement>Japan</xal:NameElement> <xal:NameElement>Taiwan</xal:NameElement> <xal:NameElement>Singapore</xal:NameElement> </xal:Country> </xpil:Address> </xpil:Addresses> <xpil:Languages> <xpil:Language>English</xpil:Language> </xpil:Languages> </stix-ciq:Specification> </ttp:Identity> </ttp:Victim_Targeting> <ttp:Related_TTPs> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Malware C2 (WEBC2)--> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-33159b98-3264-4e10-a968-d67975b6272f"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Malware C2 (HTRAN)--> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-a35bc05a-247d-49a9-b954-c5c7344c55cc"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Infrastructure --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-36fa6965-c7b9-4ca4-bc3c-6f9c40bc29c4"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Infrastructure --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-1d04a399-dd12-49f8-aac9-fa781eb4beef"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Infrastructure --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-5c446bed-3bf6-4344-a4d2-5560d550fc82"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Infrastructure --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-3756130b-9a5f-47d4-8ed4-4350c9921696"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Infrastructure --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-3098c57b-d623-4c11-92f4-5905da66658b"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-1e2c4237-d469-4144-9c0b-9e5c0c513c49"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-e13f3e6d-4f9c-4265-b1cf-f997a1bf7827"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-5728f45b-2eca-4942-a7f6-bc4267c1ab8d"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-0bea2358-c244-4905-a664-a5cdce7bb767"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-7151c6d0-7e97-47ce-9290-087315ea3db7"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-0781fe70-4c94-4300-8865-4b08b98611b4"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> </ttp:Related_TTPs> </stix:TTP> <!-- Only two of the APT1 malware families (WEBC2 & HTRAN) were expressed minimally here in STIX to show how they can fit into the overall picture. All of the other malware families could be similarly expressed and in greater detail. --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411" xsi:type="ttp:TTPType"> <ttp:Title>WEBC2 Backdoor</ttp:Title> <ttp:Behavior> <ttp:Malware> <ttp:Malware_Instance> <ttp:Type>Backdoor</ttp:Type> <ttp:Name>WEBC2</ttp:Name> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p> WEBC2 backdoor variants download and interpret data stored between tags in HTML pages as commands. They usually download HTML pages from a system within APT1’s hop infrastructure. We have observed APT1 intruders logging in to WEBC2 servers and manually editing the HTML pages that backdoors will download. Because the commands are usually encoded and difficult to spell from memory, APT1 intruders typically do not type these strings, but instead copy and paste them into the HTML files. They likely generate the encoded commands on their own systems before pasting them in to an HTML file hosted by the hop point. For example, we observed an APT attacker pasting the string "czo1NA==" into an HTML page. That string is the base64- encoded version of "s:54", meaning "sleep for 54 minutes" (or hours, depending on the particular backdoor). In lieu of manually editing an HTML file on a hop point, we have also observed APT1 intruders uploading new (already-edited) HTML files. </P> </body></html>]]> </ttp:Description> <!-- NOTE: A structured extension could be used for the Malware_Instance element to provide a much more detailed and structured technical description of Malware instance behavior utilizing the MAEC language --> </ttp:Malware_Instance> </ttp:Malware> </ttp:Behavior> <ttp:Kill_Chain_Phases> <!-- Establishing a Foothold --> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-6df42755-0721-436a-a211-2844cc9c583d" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-33159b98-3264-4e10-a968-d67975b6272f" xsi:type="ttp:TTPType"> <ttp:Title>HTRAN Malware C2</ttp:Title> <ttp:Behavior> <ttp:Malware> <ttp:Malware_Instance> <ttp:Type>Relay</ttp:Type> <ttp:Name>HUC Packet Transmit Tool (HTRAN)</ttp:Name> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> When APT1 attackers are not using WEBC2, they require a "command and control" (C2) user interface so they can issue commands to the backdoor. This interface sometimes runs on their personal attack system, which is typically in Shanghai. In these instances, when a victim backdoor makes contact with a hop, the communications need to be forwarded from the hop to the intruder’s Shanghai system so the backdoor can talk to the C2 server software. We have observed 767 separate instances in which APT1 intruders used the publicly available "HUC Packet Transmit Tool" or HTRAN on a hop. As always, keep in mind that these uses are confirmed uses, and likely represent only a small fraction of APT1’s total activity. </P> <p> The HTRAN utility is merely a middle-man, facilitating connections between the victim and the attacker who is using the hop point. </P> <p> Typical use of HTRAN is fairly simple: the attacker must specify the originating IP address (of his or her workstation in Shanghai), and a port on which to accept connections. </P> <p> In the 767 observed uses of HTRAN, APT1 intruders supplied 614 distinct routable IP addresses. In other words, they used their hops to function as middlemen between victim systems and 614 different addresses. Of these addresses, 613 of 614 are part of APT1’s home networks. </P> </body> </html>]]> </ttp:Description> <!-- NOTE: A structured extension could be used for the Malware_Instance element to provide a much more detailed and structured technical description of Malware instance behavior utilizing the MAEC language --> </ttp:Malware_Instance> </ttp:Malware> </ttp:Behavior> <ttp:Resources><ttp:Infrastructure> <ttp:Type>Leveraged IP Blocks</ttp:Type> <ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1"> <cybox:Observable> <cybox:Object id="mandiant:object-031778a4-057f-48e6-9db9-c8d72b81ccd5"> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">143.89.0.0##comma##143.89.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object idref="mandiant:object-031778a4-057f-48e6-9db9-c8d72b81ccd5"/> <!-- 223.166.0.0 - 23.167.255.255 --> </cybox:Observable> <cybox:Observable> <cybox:Object idref="mandiant:object-da1d061b-2bc9-467a-b16f-8d14f468e1f0"/> <!-- 58.246.0.0 - 58.247.255.255 --> </cybox:Observable> <cybox:Observable> <cybox:Object idref="mandiant:object-2173d108-5714-42fd-8213-4f3790259fda"/> <!-- 112.64.0.0 - 112.65.255.255 --> </cybox:Observable> <cybox:Observable> <cybox:Object idref="mandiant:object-8ce03314-dfea-4498-ac9b-136e41ab00e4"/> <!-- 139.226.0.0 - 139.227.255.255 --> </cybox:Observable> </ttp:Observable_Characterization> </ttp:Infrastructure></ttp:Resources> <ttp:Kill_Chain_Phases> <!-- Establishing a Foothold --> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-6df42755-0721-436a-a211-2844cc9c583d" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Net blocks corresponding to IP addresses that APT1 used to access their hop points --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-a35bc05a-247d-49a9-b954-c5c7344c55cc" xsi:type="ttp:TTPType"> <ttp:Resources><ttp:Infrastructure> <ttp:Type>Hop Point Accessors</ttp:Type> <ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1"> <cybox:Observable> <cybox:Object id="mandiant:object-232deffc-063f-4e83-9027-1b930af4a09f"> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">223.166.0.0##comma##23.167.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object id="mandiant:object-da1d061b-2bc9-467a-b16f-8d14f468e1f0"> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">58.246.0.0##comma##58.247.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object id="mandiant:object-2173d108-5714-42fd-8213-4f3790259fda"> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">112.64.0.0##comma##112.65.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object id="mandiant:object-8ce03314-dfea-4498-ac9b-136e41ab00e4"> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">139.226.0.0##comma##139.227.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">114.80.0.0##comma##114.95.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">101.80.0.0##comma##101.95.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> </ttp:Observable_Characterization> </ttp:Infrastructure></ttp:Resources> </stix:TTP> <!-- APT1 Servers infrastructure --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-36fa6965-c7b9-4ca4-bc3c-6f9c40bc29c4" xsi:type="ttp:TTPType"> <ttp:Title>APT1 C2 Servers Infrstructure</ttp:Title> <ttp:Resources><ttp:Infrastructure> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> In the last two years alone, we have confirmed 937 APT1 C2 servers — that is, actively listening or communicating programs — running on 849 distinct IP addresses. However, we have evidence to suggest that APT1 is running hundreds, and likely thousands, of other servers (see the Domains section below). The programs acting as APT1 servers have mainly been: (1) FTP, for transferring files; (2) web, primarily for WEBC2; (3) RDP, for remote graphical control of a system; (4) HTRAN, for proxying; and (5) C2 servers associated with various backdoor families (covered in <a href="http://intelreport.mandiant.com">Appendix C: The Malware Arsenal</a>). </P> </body> </html>]]> </ttp:Description> </ttp:Infrastructure></ttp:Resources> </stix:TTP> <!-- APT1 Domain names infrastructure --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-1d04a399-dd12-49f8-aac9-fa781eb4beef" xsi:type="ttp:TTPType"> <ttp:Title>Domain Names Infrastructure</ttp:Title> <ttp:Resources><ttp:Infrastructure> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> APT1’s infrastructure includes FQDNs in addition to the IP addresses discussed above. The FQDNs play an important role in their intrusion campaigns because APT1 embeds FQDNs as C2 addresses within their backdoors. In the last several years we have confirmed 2,551 FQDNs attributed to APT1. Of these, we have redacted FQDNs that implicated victims by name and provided 2,046 in <a href="http://intelreport.mandiant.com">Appendix D</a>. By using FQDNs rather than hardcoded IP addresses as C2 addresses, attackers may dynamically decide where to direct C2 connections from a given backdoor. That is, if they lose control of a specific hop point (IP address) they can "point" the C2 FQDN address to a different IP address and resume their control over victim backdoors. This flexibility allows the attacker to direct victim systems to myriad C2 servers and avoid being blocked. </p> <p> APT1 FQDNs can be grouped into three categories: (1) registered zones, (2) third-party zones, and (3) hijacked domains. </p> </body> </html>]]> </ttp:Description> <!-- The specific FQDNs could easily be referenced here using an ObservableCharacterization element that references the CybOX-defined FQDNs as specified in the associated fqdns.xml file --> </ttp:Infrastructure></ttp:Resources> <ttp:Related_TTPs> <ttp:Related_TTP> <stixCommon:Relationship>Leverages</stixCommon:Relationship> <stixCommon:TTP idref="mandiant:ttp-a6fa7315-04ff-4234-ad22-6c210ffe0f2b"/> <!-- Registered DNS Zones infrastructure --> </ttp:Related_TTP> <ttp:Related_TTP> <stixCommon:Relationship>Leverages</stixCommon:Relationship> <stixCommon:TTP idref="mandiant:ttp-5c446bed-3bf6-4344-a4d2-5560d550fc82"/> <!-- APT1 Third party services infrastructure --> </ttp:Related_TTP> <ttp:Related_TTP> <stixCommon:Relationship>Leverages</stixCommon:Relationship> <stixCommon:TTP idref="mandiant:ttp-3756130b-9a5f-47d4-8ed4-4350c9921696"/> <!-- APT1 Hijacked FQDNs infrastructure --> </ttp:Related_TTP> </ttp:Related_TTPs> </stix:TTP> <!-- Registered DNS Zones infrastructure --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-a6fa7315-04ff-4234-ad22-6c210ffe0f2b" xsi:type="ttp:TTPType"> <ttp:Title>Registered DNS Zones infrastructure</ttp:Title> <ttp:Resources><ttp:Infrastructure> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> A DNS zone represents a collection of FQDNs that end with the same name, and which are usually registered through a domain registration company and controlled by a single owner. For example, “hugesoft.org” is an FQDN but also represents a zone. The FQDNs “ug-co.hugesoft.org” and “7cback.hugesoft.org” are part of the “hugesoft. org” zone and are called “subdomains” of the zone. The person who registered “hugesoft.org” may add as many subdomains as they wish and controls the IP resolutions of these FQDNs. APT1 has registered at least 107 zones since 2004. Within these zones, we know of thousands of FQDNs that have resolved to hundreds of IP addresses (which we suspect are hops) and in some instances to APT1’s source IP addresses in Shanghai. </P> <p> The first zone we became aware of was “hugesoft. org”, which was registered through eNom, Inc. in October 2004. The registrant supplied “[email protected]” as an email address. The supplied registration information, which is still visible in public “whois” data as of February 3, 2013, includes the following: </P> <code> Domain Name:HUGESOFT.ORG Created On:25-Oct-2004 09:46:18 UTC Registrant Name:huge soft Registrant Organization:hugesoft Registrant Street1:shanghai Registrant City:shanghai Registrant State/Province:S Registrant Postal Code:200001 Registrant Country:CN Registrant Phone:+86.21000021 Registrant Email:[email protected] </code> <p> The supplied registrant information does not need to be accurate for the zone to be registered successfully. For example, “shanghai” is not a street name. Nevertheless, it is noteworthy that Shanghai appeared in the first known APT1 domain registration, along with a phone number that begins with China’s “+86” international code. In fact, Shanghai was listed as the registrant’s city in at least 24 of the 107 (22%) registrations. </P> <p> Some of the supplied registration information is obviously false. For example, consider the registration information supplied for the zone “uszzcs.com” in 2005: </p> <code> Victor [email protected] +86.8005439436 Michael Murphy 795 Livermore St. Yellow Spring,Ohio,UNITED STATES 45387 </code> <p> Here, a phone number with a Chinese prefix (“+86”) accompanied an address in the United States. Since the United States uses the prefix “+1”, it is highly unlikely that a person living in Ohio would provide a phone number beginning with “+86”. Additionally, the city name is spelled incorrectly, as it should be “Yellow Springs” instead of “Yellow Spring”. This could have been attributed to a one-time spelling mistake, except the registrant spelled the city name incorrectly multiple times, both for the zones “uszzcs.com” and “attnpower.com”. This suggests that the registrant really thought “Yellow Spring” was the correct spelling and that he or she did not, in fact, live or work in Yellow Springs, Ohio. </p> <p> Overall, the combination of a relatively high number of “Shanghai” registrations with obviously false registration examples in other registrations suggests a partially uncoordinated domain registration campaign from 2004 until present, in which some registrants tried to fabricate non-Shanghai locations but others did not. This is supported by contextual information on the Internet for the email address “[email protected],” which was supplied in the registration information for seven of the 107 zones. On the site “www.china-one.org,” the email address “[email protected]” appears as the contact for the Shanghai Kai Optical Information Technology Co., Ltd., a website production company located in a part of Shanghai that is across the river from PLA Unit 61398. </p> <h1>naming themes</h1> <p> About half of APT1’s known zones were named according to three themes: news, technology and business. These themes cause APT1 command and control addresses to appear benign at first glance. However, we believe that the hundreds of FQDNs within these zones were created for the purpose of APT1 intrusions. (Note: these themes are not unique to APT1 or even APT in general.) </p> <p> The news-themed zones include the names of well-known news media outlets such as CNN, Yahoo and Reuters. However, they also include names referencing English-speaking countries, such as “aunewsonline.com” (Australia), “canadatvsite.com” (Canada), and “todayusa.org” (U.S.). Below is a list of zones registered by APT1 that are news- themed: </p> <p> <div <div> aoldaily.com<br> aunewsonline.com<br> canadatvsite.com<br> canoedaily.com<br> cnndaily.com<br> cnndaily.net<br> cnnnewsdaily.com<br> defenceonline.net<br> freshreaders.net<br> giftnews.org<br> </div> <div> issnbgkit.net<br> mediaxsds.net<br> myyahoonews.com<br> newsesport.com<br> newsonet.net<br> newsonlinesite.com<br> newspappers.org<br> nytimesnews.net<br> oplaymagzine.comv phoenixtvus.com<br> </div> <div> purpledaily.com<br> reutersnewsonline.com<br> rssadvanced.org<br> saltlakenews.org<br> sportreadok.net<br> todayusa.org<br> usapappers.com<br> usnewssite.com<br> yahoodaily.com<br> </div> </div> </p> <p> The technology-themed zones reference well-known technology companies (AOL, Apple, Google, Microsoft), antivirus vendors (McAfee, Symantec), and products (Blackberry, Bluecoat). APT1 also used more generic names referencing topics like software: </p> <p> <div aolon1ine.com<br> applesoftupdate.com<br> blackberrycluter.com<br> bluecoate.com<br> comrepair.net<br> dnsweb.org<br> downloadsite.me<br> firefoxupdata.com<br> </div> <div> globalowa.com<br> gmailboxes.com<br> hugesoft.org<br> idirectech.com<br> ifexcel.com<br> infosupports.com<br> livemymsn.com<br> mcafeepaying.com<br> </div> <div microsoft-update-info.com<br> micyuisyahooapis.com<br> msnhome.org<br> pcclubddk.net<br> progammerli.com<br> softsolutionbox.net<br> symanteconline.net<br> webservicesupdate.com<br> </div> </p> <p> Finally, some zones used by APT1 reflect a business theme. The names suggest websites that professionals might visit: </p> <p> <div advanbusiness.com<br> businessconsults.net<br> businessformars.com<br> </div> <div companyinfosite.com<br> conferencesinfo.com<br> copporationnews.com<br> </div> <div infobusinessus.org<br> jobsadvanced.com<br> </div> </p> <p> Not every zone stays within APT1’s control forever. Over a campaign lasting for so many years, APT1 has not always renewed every zone in their attack infrastructure. Additionally, while some have simply been allowed to expire, others have been transferred to the organizations that the domain names attempted to imitate. For example, in September 2011, Yahoo filed a complaint against “zheng youjun” of “Arizona, USA”, who registered the APT1 zone “myyahoonews.com”. Yahoo alleged the “<myyahoonews.com> domain name was confusingly similar to Complainant’s YAHOO! mark” and that “[zheng youjun] registered and used the <myyahoonews.com> domain name in bad faith.” In response, the National Arbitration Forum found that the site “myyahoonews.com” at the time resolved to “a phishing web page, substantially similar to the actual WorldSID website...in an effort to collect login credentials under false pretenses.” Not surprisingly, “zheng youjun” did not respond. Subsequently, control of “myyahoonews.com” was transferred from APT1 to Yahoo. </p> </body> </html>]]> </ttp:Description> </ttp:Infrastructure></ttp:Resources> </stix:TTP> <!-- APT1 Third party services infrastructure --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-5c446bed-3bf6-4344-a4d2-5560d550fc82" xsi:type="ttp:TTPType"> <ttp:Title>Third-party Services Infrastructure</ttp:Title> <ttp:Resources><ttp:Infrastructure> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> The third-party service that APT1 has used the most is known as "dynamic DNS." This is a service that allows people to register subdomains under zones that other people have registered and provided to the service. Over the years, APT1 has registered hundreds of FQDNs in this manner. When they need to change the IP resolution of an FQDN, they simply log in to these services and update the IP resolution of their FQDN via a web-based interface. </P> <p> In addition to dynamic DNS, recently we have observed that APT1 has been creating FQDNs that end with "appspot.com", suggesting that they are using Google’s App Engine service. </P> </body> </html>]]> </ttp:Description> </ttp:Infrastructure></ttp:Resources> </stix:TTP> <!-- APT1 Hijacked FQDNs infrastructure --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-3756130b-9a5f-47d4-8ed4-4350c9921696" xsi:type="ttp:TTPType"> <ttp:Title>Hijacked FQDN Infrastructure</ttp:Title> <ttp:Resources><ttp:Infrastructure> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> APT1 intruders often use the FQDNs that are associated with legitimate websites hosted by their hop points. We consider these domains to be "hijacked" because they were registered by someone for a legitimate reason, but have been leveraged by APT1 for malicious purposes. APT1 uses hijacked FQDNs for two main purposes. First, they place malware (usually in ZIP files) on the legitimate websites hosted on the hop point and then send spear phishing emails with a link that includes the legitimate FQDN. Second, they embed hijacked FQDNs as C2 addresses in their backdoors. </P> </body> </html>]]> </ttp:Description> </ttp:Infrastructure></ttp:Resources> </stix:TTP> <!-- Killchain phase - The Initial Compromise --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-3098c57b-d623-4c11-92f4-5905da66658b" xsi:type="ttp:TTPType"> <ttp:Title>The Initial Compromise</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>The Initial Compromise represents the methods intruders use to first penetrate a target organization’s network.</stixCommon:Description></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> As with most other APT groups, spear phishing is APT1’s most commonly used technique. The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples' names — names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel — and uses these accounts to send the emails. As a real-world example, this is an email that APT1 sent to Mandiant employees: </P> <code> Date: Wed, 18 Apr 2012 06:31:41 -0700 From: Kevin Mandia <[email protected]> Subject: Internal Discussion on the Press Release Hello, Shall we schedule a time to meet next week? We need to finalize the press release. Details click here. Kevin Mandia </code> <p> At first glance, the email appeared to be from Mandiant’s CEO, Kevin Mandia. However, further scrutiny shows that the email was not sent from a Mandiant email account, but from "[email protected]". Rocketmail is a free webmail service. The account "[email protected]" does not belong to Mr. Mandia. Rather, an APT1 actor likely signed up for the account specifically for this spear phishing event. If anyone had clicked on the link that day (which no one did, thankfully), their computer would have downloaded a malicious ZIP file named "Internal_ Discussion_Press_Release_In_Next_Week8.zip". This file contained a malicious executable that installs a custom APT1 backdoor that we call WEBC2-TABLE. </P> <p> Although the files that APT1 actors attach or link to spear phishing emails are not always in ZIP format, this is the predominant trend we have observed in the last several years. </P> </body> </html>]]> </ttp:Description> </ttp:Attack_Pattern> <ttp:Attack_Pattern capec_id="CAPEC-163"/> <!-- Spear Phishing --> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-3356c179-d467-4530-a66a-7bb6b23ad946" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Establishing a Foothold --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-1e2c4237-d469-4144-9c0b-9e5c0c513c49" xsi:type="ttp:TTPType"> <ttp:Title>Establishing a Foothold</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>Establishing a foothold involves actions that ensure control of the target network’s systems from outside the network.</stixCommon:Description></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body>\ <p> APT1 establishes a foothold once email recipients open a malicious file and a backdoor is subsequently installed. A backdoor is software that allows an intruder to send commands to the system remotely. In almost every case, APT backdoors initiate outbound connections to the intruder’s "command and control" (C2) server. APT intruders employ this tactic because while network firewalls are generally adept at keeping malware outside the network from initiating communication with systems inside the network, they are less reliable at keeping malware that is already inside the network from communicating to systems outside. </p> <p> While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT, the vast majority of the time they use what appear to be their own custom backdoors. We have documented 42 families of backdoors in <a href="http://intelreport.mandiant.com">Appendix C: The Malware Arsenal"</a> that APT1 uses that we believe are not publicly available. In addition we have provided 1,007 MD5 hashes associated with APT1 malware in <a href="http://intelreport.mandiant.com">Appendix E</a>. We will describe APT1’s backdoors in two categories: "Beachhead Backdoors" and "Standard Backdoors." </p> <h2>Beachhead Backdoors</h2> <p> Beachhead backdoors are typically minimally featured. They offer the attacker a toe-hold to perform simple tasks like retrieve files, gather basic system information and trigger the execution of other more significant capabilities such as a standard backdoor. </p> <p> APT1’s beachhead backdoors are usually what we call WEBC2 backdoors. WEBC2 backdoors are probably the most well-known kind of APT1 backdoor, and are the reason why some security companies refer to APT1 as the “Comment Crew.” A WEBC2 backdoor is designed to retrieve a webpage from a C2 server. It expects the webpage to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Older versions of WEBC2 read data between HTML comments, though over time WEBC2 variants have evolved to read data contained within other types of tags. From direct observation, we can confirm that APT1 was using WEBC2 backdoors as early as July 2006. However, the first compile time35 we have for WEBC2-KT3 is 2004-01-23, suggesting that APT1 has been crafting WEBC2 backdoors since early 2004. Based on the 400+ samples of WEBC2 variants that we have accumulated, it appears that APT1 has direct access to developers who have continually released new WEBC2 variants for over six years. </p> <p> For example, these two build paths, which were discovered inside WEBC2-TABLE samples, help to illustrate how APT1 has been steadily building new WEBC2 variants as part of a continuous development process: </p> <code> <h3>Sample A</h3> MD5: d7aa32b7465f55c368230bb52d52d885 Compile date: 2012-02-23 \work\code\2008-7-8muma\mywork\winInet_winApplication2009-8-7\mywork\aaaaaaa2012-2-23\Release\aaaaaaa.pdb </code> <code> <h3>Sample B</h3> MD5: c1393e77773a48b1eea117a302138554 Compile date: 2009-08-07 D:\work\code\2008-7-8muma\mywork\winInet_winApplication2009-8-7\mywork\aaaaaaa\Release\aaaaaaa.pdb </code> <p> A “build path” discloses the directory from which the programmer built and compiled his source code. These samples, compiled 2.5 years apart, were compiled within a folder named “work\code\...\mywork”. The instances of “work” suggest that working on WEBC2 is someone’s day job and not a side project or hobby. Furthermore, the Sample A build string includes “2012-2-23” — which matches Sample A’s compile date. The Sample B build string lacks “2012-2-23” but includes “2009-8-7” — which also matches Sample B’s compile date. This suggests that the code used to compile Sample A was modified from code that was used to compile Sample B 2.5 years previously. The existence of “2008-7-8” suggests that the code for both samples was modified from a version that existed in July 2008, a year before Sample B was created. This series of dates indicates that developing and modifying the WEBC2 backdoor is an iterative and long-term process. </p> <p> WEBC2 backdoors typically give APT1 attackers a short and rudimentary set of commands to issue to victim systems, including: »» Open an interactive command shell (usually Windows’ cmd.exe) »» Download and execute a file »» Sleep (i.e. remain inactive) for a specified amount of time </p> <p> WEBC2 backdoors are often packaged with spear phishing emails. Once installed, APT1 intruders have the option to tell victim systems to download and execute additional malicious software of their choice. WEBC2 backdoors work for their intended purpose, but they generally have fewer features than the “Standard Backdoors” described below. </p> <h2>Standard Backdoors</h2> <p> The standard, non-WEBC2 APT1 backdoor typically communicates using the HTTP protocol (to blend in with legitimate web traffic) or a custom protocol that the malware authors designed themselves. These backdoors give APT intruders a laundry list of ways to control victim systems, including: »» Create/modify/delete/execute programs »» Upload/download files »» Create/delete directories »» List/start/stop processes »» Modify the system registry »» Take screenshots of the user’s desktop »» Capture keystrokes »» Capture mouse movement »» Start an interactive command shell »» Create a Remote desktop (i.e. graphical) interface »» Harvest passwords »» Enumerate users »» Enumerate other systems on the network »» Sleep (i.e. go inactive) for a specified amount of time »» Log off the current user »» Shut down the system </p> </body> </html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Related_TTPs> <ttp:Related_TTP> <stixCommon:Relationship>Leverages</stixCommon:Relationship> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> <!-- WEBC2 --> </ttp:Related_TTP> <ttp:Related_TTP> <stixCommon:Relationship>Leverages</stixCommon:Relationship> <stixCommon:TTP idref="mandiant:ttp-33159b98-3264-4e10-a968-d67975b6272f"/> <!-- HTRAN --> </ttp:Related_TTP> </ttp:Related_TTPs> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-6df42755-0721-436a-a211-2844cc9c583d" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Privilege Escalation --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-e13f3e6d-4f9c-4265-b1cf-f997a1bf7827" xsi:type="ttp:TTPType"> <ttp:Title>Privilege Escalation</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>Escalating privileges involves acquiring items (most often usernames and passwords) that will allow access to more resources within the network. </stixCommon:Description></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> In this and the next two stages, APT1 does not differ significantly from other APT intruders (or intruders, generally). APT1 predominantly uses publicly available tools to dump password hashes from victim systems in order to obtain legitimate user credentials. </P> </body> </html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Resources><ttp:Tools> <ttp:Tool> <cyboxCommon:Name>cachedump</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>This program extracts cached password hashes from a system's registry.</P> <p>Currently packaged with fgdump</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>fgdump</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Windows password hash dumper.</P> <p>http://www.foofus.net/fizzgig/fgdump/</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>gsecdump</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Obtains password hashes from the Windows registry, inlcuding the SAM file, cached domain credentials, and LSA secrets.</P> <p>http://truesec.se</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>lslsass</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Dump active logon session password hashes from the lsass process.</P> <p>http://truesec.se</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>mimikatz</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>A utility primarily used for dumping password hashes.</P> <p>http://blog.gentilkiwi.com/mimikatz</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>pass-the-hash toolkit</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Allows an intruder to "pass" a password hash (without knowing the original password) to log in to systems.</P> <p>http://oss.coresecurity.com/projects/pshtoolkit.htm</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>pwdump7</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Dumps password hashes from the Windows registry.</P> <p>http://www.tarasco.org/security/pwdump_7/</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>pwdumpX</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Dumps password hashes from the Windows Registry.</P> <p>The tool claims its origin as http://reedarvin.thearvins.com but the site is not offering this software as of the date of this report.</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> </ttp:Tools></ttp:Resources> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-bcde91d7-a3f9-4403-8550-87954d21f174" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Internal Reconnaisance --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-5728f45b-2eca-4942-a7f6-bc4267c1ab8d" xsi:type="ttp:TTPType"> <ttp:Title>Internal Reconnaisance</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>In the Internal Reconnaissance stage, the intruder collects information about the victim environment.</stixCommon:Description></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> Like most APT (and non-APT) intruders, APT1 primarily uses built-in operating system commands to explore a compromised system and its networked environment. Although they usually simply type these commands into a command shell, sometimes intruders may use batch scripts to speed up the process. Figure 18 below shows the contents of a batch script that APT1 used on at least four victim networks. </P> <code> @echo off ipconfig /all>>”C:\WINNT\Debug\1.txt” net start>>”C:\WINNT\Debug\1.txt” tasklist /v>>”C:\WINNT\Debug\1.txt” net user >>”C:\WINNT\Debug\1.txt” net localgroup administrators>>”C:\WINNT\Debug\1.txt” netstat -ano>>”C:\WINNT\Debug\1.txt” net use>>”C:\WINNT\Debug\1.txt” net view>>”C:\WINNT\Debug\1.txt” net view /domain>>”C:\WINNT\Debug\1.txt” net group /domain>>”C:\WINNT\Debug\1.txt” net group “domain users” /domain>>”C:\WINNT\Debug\1.txt” net group “domain admins” /domain>>”C:\WINNT\Debug\1.txt” net group “domain controllers” /domain>>”C:\WINNT\Debug\1.txt” net group “exchange domain servers” /domain>>”C:\WINNT\Debug\1.txt” net group “exchange servers” /domain>>”C:\WINNT\Debug\1.txt” net group “domain computers” /domain>>”C:\WINNT\Debug\1.txt” </code> <p> This script performs the following functions and saves the results to a text file: »» Display the victim’s network configuration information »» List the services that have started on the victim system »» List currently running processes »» List accounts on the system »» List accounts with administrator privileges »» List current network connections »» List currently connected network shares »» List other systems on the network »» List network computers and accounts according to group (“domain controllers,” “domain users,” “domain admins,” etc.) </P> </body> </html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-5692e7a4-5325-4237-a867-0bcc0ebbf2e0" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Lateral Movement --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-0bea2358-c244-4905-a664-a5cdce7bb767" xsi:type="ttp:TTPType"> <ttp:Title>Lateral Movement</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>Expand foothold and access through lateral movement within the target environment.</stixCommon:Description></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p> Once an APT intruder has a foothold inside the network and a set of legitimate credentials, it is simple for the intruder to move around the network undetected. </P> <p> They can connect to shared resources on other systems. </P> <p> They can execute commands on other systems using the publicly available "psexec" tool from Microsoft Sysinternals or the built-in Windows Task Scheduler ("at.exe"). </P> <p> These actions are hard to detect because legitimate system administrators also use these techniques to perform actions around the network. </P> </body></html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-48368014-7636-496e-a047-1d8b70027836" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Maintain Presence --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-7151c6d0-7e97-47ce-9290-087315ea3db7" xsi:type="ttp:TTPType"> <ttp:Title>Maintain Presence</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>In this stage, the intruder takes actions to ensure continued, long-term control over key systems in the network environment from outside of the network. </stixCommon:Description></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p> The APT does this (maintains presence) in three ways: </p> <ol> <li>Install new backdoors on multiple systems <p> Throughout their stay in the network (which could be years), APT1 usually installs new backdoors as they claim more systems in the environment. Then, if one backdoor is discovered and deleted, they still have other backdoors they can use. We usually detect multiple families of APT1 backdoors scattered around a victim network when APT1 has been present for more than a few weeks. </P> </li>Use legitimate VPN credentials <li> <p> APT actors and hackers in general are always looking for valid credentials in order to impersonate a legitimate user. We have observed APT1 using stolen usernames and passwords to log into victim networks’ VPNs when the VPNs are only protected by single-factor authentication. From there they are able to access whatever the impersonated users are allowed to access within the network. </P> </li> <li>Log in to web portals <p> Once armed with stolen credentials, APT1 intruders also attempt to log into web portals that the network offers. This includes not only restricted websites, but also web-based email systems such as Outlook Web Access. </P> </li> </ol> </body></html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-0d4b08b0-31c0-439a-a6a5-76e210d9b7b9" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Completing the Mission --> <stix:TTP timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:ttp-0781fe70-4c94-4300-8865-4b08b98611b4" xsi:type="ttp:TTPType"> <ttp:Title>Completing the Mission</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>Exfiltration information relevant to the mission.</stixCommon:Description></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Theft of Proprietary Information</stixCommon:Value></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Intellectual Property</stixCommon:Value></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> Similar to other APT groups we track, once APT1 finds files of interest they pack them into archive files before stealing them. APT intruders most commonly use the RAR archiving utility for this task and ensure that the archives are password protected. Sometimes APT1 intruders use batch scripts to assist them in the process, as depicted in Figure 19. (The instances of "XXXXXXXX" obfuscate the text that was in the actual batch script.) </P> <code> @echo off cd /d c:\windows\tasks rar.log a XXXXXXXX.rar -v200m "C:\Documents and Settings\Place\My Documents\XXXXXXXX" -hpsmy123!@# del *.vbs del %0 </code> <p> After creating files compressed via RAR, the APT1 attackers will transfer files out of the network in ways that are consistent with other APT groups, including using the File Transfer Protocol (FTP) or their existing backdoors. Many times their RAR files are so large that the attacker splits them into chunks before transferring them. Figure 19 above shows a RAR command with the option "-v200m", which means that the RAR file should be split up into 200MB portions. </P> <p> Unlike most other APT groups we track, APT1 uses two email-stealing utilities that we believe are unique to APT1. The first, GETMAIL, was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive ("PST") files. </P> <p> Microsoft Outlook archives can be large, often storing years’ worth of emails. They may be too large to transfer out of a network quickly, and the intruder may not be concerned about stealing every email. The GETMAIL utility allows APT1 intruders the flexibility to take only the emails between dates of their choice. In one case, we observed an APT1 intruder return to a compromised system once a week for four weeks in a row to steal only the past week’s emails. </P> <p> Whereas GETMAIL steals email in Outlook archive files, the second utility, MAPIGET, was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server. In order to operate successfully, MAPIGET requires username/password combinations that the Exchange server will accept. MAPIGET extracts email from specified accounts into text files (for the email body) and separate attachments, if there are any. </P> </body> </html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Resources><ttp:Tools> <ttp:Tool> <cyboxCommon:Name>GETMAIL</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>GETMAIL was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive ("PST") files.</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>MAPIGET</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>MAPIGET was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server.</P> </body></html>]]>> </cyboxCommon:Description> </ttp:Tool> </ttp:Tools></ttp:Resources> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-aab09f58-b67b-43b0-9343-cefc967c88a0" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Kill Chain definition for Mandiant APT1 Attack Lifecycle Model --> <stix:Kill_Chains> <stixCommon:Kill_Chain id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17" name="APT1 Attack Lifecycle Model" definer="Mandiant" number_of_phases="8"> <stixCommon:Kill_Chain_Phase name="Initial Recon" ordinality="1" phase_id="mandiant:kill-chain-phase-15c4123e-b21c-4eb0-8871-e302c68d952a"/> <stixCommon:Kill_Chain_Phase name="Initial Compromise" ordinality="2" phase_id="mandiant:kill-chain-phase-3356c179-d467-4530-a66a-7bb6b23ad946"/> <stixCommon:Kill_Chain_Phase name="Establish Foothold" ordinality="3" phase_id="mandiant:kill-chain-phase-6df42755-0721-436a-a211-2844cc9c583d"/> <stixCommon:Kill_Chain_Phase name="Escalate Privileges" ordinality="4" phase_id="mandiant:kill-chain-phase-bcde91d7-a3f9-4403-8550-87954d21f174"/> <stixCommon:Kill_Chain_Phase name="Internal Recon" ordinality="5" phase_id="mandiant:kill-chain-phase-5692e7a4-5325-4237-a867-0bcc0ebbf2e0"/> <stixCommon:Kill_Chain_Phase name="Move Laterally" ordinality="6" phase_id="mandiant:kill-chain-phase-48368014-7636-496e-a047-1d8b70027836"/> <stixCommon:Kill_Chain_Phase name="Maintain Presence" ordinality="7" phase_id="mandiant:kill-chain-phase-0d4b08b0-31c0-439a-a6a5-76e210d9b7b9"/> <stixCommon:Kill_Chain_Phase name="Complete Mission" ordinality="8" phase_id="mandiant:kill-chain-phase-aab09f58-b67b-43b0-9343-cefc967c88a0"/> </stixCommon:Kill_Chain> </stix:Kill_Chains> </stix:TTPs> <stix:Threat_Actors> <!-- ThreatActor characterization for APT1 --> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-8dff0344-0c82-4079-8d04-6f3e4d9bd1df" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stixCommon:Related_Identities> <stixCommon:Related_Identity> <stixCommon:Relationship>Recruits From</stixCommon:Relationship> <stixCommon:Identity><stixCommon:Name>Harbin Institute of Technology (哈尔滨工业大学)</stixCommon:Name></stixCommon:Identity> </stixCommon:Related_Identity> <stixCommon:Related_Identity> <stixCommon:Relationship>Recruits From</stixCommon:Relationship> <stixCommon:Identity><stixCommon:Name>Zhejiang University School of Computer Science and Technology (浙江大学计算机学院)</stixCommon:Name></stixCommon:Identity> </stixCommon:Related_Identity> </stixCommon:Related_Identities> <stix-ciq:Specification> <xpil:PartyName> <xnl:OrganisationName> <xnl:NameElement>People's Liberation Army</xnl:NameElement> <xnl:SubDivisionName>Unit 61398</xnl:SubDivisionName> </xnl:OrganisationName> <xnl:OrganisationName xnl:Type="UnofficialName"> <xnl:NameElement>APT1</xnl:NameElement> </xnl:OrganisationName> </xpil:PartyName> <xpil:Addresses> <xpil:Address> <xal:Country> <xal:NameElement>China</xal:NameElement> </xal:Country> <xal:AdministrativeArea> <xal:NameElement>Pudong New Area</xal:NameElement> <xal:SubAdministrativeArea> <xal:NameElement>Gaoqiaozhen</xal:NameElement> </xal:SubAdministrativeArea> </xal:AdministrativeArea> <xal:Locality> <xal:NameElement>Shanghai</xal:NameElement> </xal:Locality> <xal:Thoroughfare> <xal:NameElement>Datong Road</xal:NameElement> <xal:Number>208</xal:Number> </xal:Thoroughfare> <xal:Premises> <xal:NameElement>12 stories, 130,663 sq ft, 2000 people</xal:NameElement> </xal:Premises> </xpil:Address> </xpil:Addresses> <xpil:Relationships> <xpil:Relationship xpil:RelationshipWithOrganisation="componentOf"> <xnl:OrganisationName> <xnl:NameElement>GSD 3rd Department SIGINT/CNO</xnl:NameElement> </xnl:OrganisationName> </xpil:Relationship> <xpil:Relationship xpil:RelationshipWithOrganisation="componentOf"> <xnl:OrganisationName> <xnl:NameElement>PLA General Staff Department</xnl:NameElement> </xnl:OrganisationName> </xpil:Relationship> <xpil:Relationship xpil:RelationshipWithOrganisation="componentOf"> <xnl:OrganisationName> <xnl:NameElement>Communist Party of China</xnl:NameElement> </xnl:OrganisationName> </xpil:Relationship> </xpil:Relationships> <xpil:OrganisationInfo xpil:NumberOfEmployees="100 < X > 1000"/> <xpil:Languages> <xpil:Language>Chinese</xpil:Language> <xpil:Language>English</xpil:Language> </xpil:Languages> <xpil:Nationalities> <xpil:Country> <xal:NameElement>Chinese</xal:NameElement> </xpil:Country> </xpil:Nationalities> <xpil:Qualifications> <xpil:Qualification> <xpil:QualificationElement>Covert Communications</xpil:QualificationElement> </xpil:Qualification> <xpil:Qualification> <xpil:QualificationElement>English Linguistics</xpil:QualificationElement> </xpil:Qualification> <xpil:Qualification> <xpil:QualificationElement>Operating System Internals</xpil:QualificationElement> </xpil:Qualification> <xpil:Qualification> <xpil:QualificationElement>Digital Signal Processing</xpil:QualificationElement> </xpil:Qualification> <xpil:Qualification> <xpil:QualificationElement>Network Security</xpil:QualificationElement> </xpil:Qualification> <xpil:Qualification> <xpil:QualificationElement>Profession Code: 080902 — Circuits and Systems</xpil:QualificationElement> </xpil:Qualification> <xpil:Qualification> <xpil:QualificationElement>Profession Code: 081000 — Information and Communications Engineering</xpil:QualificationElement> </xpil:Qualification> </xpil:Qualifications> </stix-ciq:Specification> <stix-ciq:Role>Nation-State</stix-ciq:Role> <stix-ciq:Role>Military</stix-ciq:Role> </threat-actor:Identity> <threat-actor:Observed_TTPs> <threat-actor:Observed_TTP> <!-- Primary APT1 TTP entry --> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </threat-actor:Observed_TTP> </threat-actor:Observed_TTPs> <threat-actor:Associated_Actors> <!-- GSD 3rd Department / 2nd Bureau --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Asserted Alias</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-94624865-2709-443f-9b4c-2891985fd69b"/> </threat-actor:Associated_Actor> <!-- Comment Crew --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Asserted Alias</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-f1ce5a9e-0fb7-465b-acb9-e7f75098eee9"/> </threat-actor:Associated_Actor> <!-- Comment Group --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Asserted Alias</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-5abb4d96-e3f2-4a1a-b025-c5b63ec6eb0b"/> </threat-actor:Associated_Actor> <!-- Shady Rat --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">POSSIBLE</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Asserted Alias</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-d9619c21-9d4f-414e-9471-36bb8fc42bbe"/> </threat-actor:Associated_Actor> <!-- UglyGorilla --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Member</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-6d179234-61fc-40c4-ae86-3d53308d8e65"/> </threat-actor:Associated_Actor> <!-- DOTA --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Member</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-d84cf283-93be-4ca7-890d-76c63eff3636"/> </threat-actor:Associated_Actor> <!-- SuperHard --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Member</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-02e7c48f-0301-4c23-b3e4-02e5a0114c21"/> </threat-actor:Associated_Actor> <!-- China Telecom --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> <stixCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html lang="en"><body> <h1>Written memo confirming relationship.</h1> <p> Market Department Examining Control Affairs Division Report </P> <p> Requesting Concurrence Concerning the General Staff Department 3rd Department 2nd Bureau Request to Use Our Company’s Communication Channel </P> <p> Division Leader Wu: </P> <p> The Chinese People’s Liberation Army Unit 61398 (General Staff Department 3rd Department 2nd Bureau) wrote to us a few days ago saying that, in accordance with their central command “8508” on war strategy construction [or infrastructure] need, the General Staff Department 3rd Department 2nd Bureau (Gaoqiao Base) needs to communicate with Shanghai City 005 Center (Shanghai Intercommunication Network Control Center within East Gate Bureau) regarding intercommunication affairs. This bureau already placed fiber-optic cable at the East Gate front entrance [road pole]. They need to use two ports to enter our company’s East Gate communication channel. The length is about 30m. At the same time, the second stage construction (in Gaoqiao Base) needs to enter into our company’s Shanghai Nanhui Communication Park 005 Center (special-use bureau). This military fiber-optic cable has already been placed at the Shanghai Nanhui Communication Park entrance. They need to use 4 of our company ports inside the Nanhui Communication Park to enter. The length is 600m. Upon our division’s negotiation with the 3rd Department 2nd Bureau’s communication branch, the military has promised to pay at most 40,000 Yuan for each port. They also hope Shanghai Telecom will smoothly accomplish this task for the military based on the principle that national defense construction is important. After checking the above areas’ channels, our company has a relatively abundant inventory to satisfy the military’s request. </P> <p> This is our suggestion: because this is concerning defense construction, and also the 3rd Department 2nd Bureau is a very important communication control department, we agree to provide the requested channels according to the military’s suggested price. Because this is a one-time payment, and it is difficult to use the normal renting method, we suggest our company accept one-time payment using the reason of “Military Co-Construction [with China Telecom] of Communication Channels” and provide from our inventory. The military’s co-building does not interfere with our proprietary rights. If something breaks, the military is responsible to repair it and pay for the expenses. After you agree with our suggestion, we will sign an agreement with the communication branch of 61398 and implement it. </P> <p> Please provide a statement about whether the above suggestion is appropriate or not. </P> <p> [Handwritten Note]Agree with the Market Department Examining Control Affairs Division suggestion; inside the agreement clearly [...define? (illegible) ...] both party’s responsibilities. </P> </body></html>]]> </stixCommon:Description> </stixCommon:Confidence> <stixCommon:Relationship>Infrastructure Provided By</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-76dd3859-31a6-43c5-9f3e-9c6ac745b61b"/> </threat-actor:Associated_Actor> </threat-actor:Associated_Actors> </stix:Threat_Actor> <!-- ThreatActor characterization for UglyGorilla --> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-6d179234-61fc-40c4-ae86-3d53308d8e65" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:PartyName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>Ugly Gorilla</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>Wang Dong</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>JackWang</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="NickName"> <xnl:NameElement>Greenfield” (绿野)</xnl:NameElement> </xnl:PersonName> </xpil:PartyName> <xpil:Accounts> <xpil:Account xpil:Type="Online Forum"><xpil:Organisation><xnl:NameElement>PLA Daily’s (解放军报) China Military Online (中国军网)</xnl:NameElement></xpil:Organisation></xpil:Account> </xpil:Accounts> <xpil:ElectronicAddressIdentifiers> <xpil:ElectronicAddressIdentifier xpil:Type="EMAIL">[email protected]</xpil:ElectronicAddressIdentifier> </xpil:ElectronicAddressIdentifiers> <xpil:Nationalities> <xpil:Country> <xal:NameElement>China</xal:NameElement> </xpil:Country> </xpil:Nationalities> </stix-ciq:Specification> </threat-actor:Identity> <threat-actor:Observed_TTPs> <threat-actor:Observed_TTP> <!-- This is simply two examples of many such entries that could be harvested (and in far more detail) from the APT1 report in regards to specific observed TTP for individual threat actors. --> <stixCommon:TTP xsi:type="ttp:TTPType"> <ttp:Resources><ttp:Infrastructure> <ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="0" cybox_update_version="1"> <cybox:Observable> <cybox:Object> <cybox:Properties xsi:type="URIObject:URIObjectType" type="Domain Name"> <URIObject:Value>hugesoft.org</URIObject:Value> </cybox:Properties> </cybox:Object> </cybox:Observable> </ttp:Observable_Characterization> </ttp:Infrastructure></ttp:Resources> </stixCommon:TTP> </threat-actor:Observed_TTP> <threat-actor:Observed_TTP> <stixCommon:Relationship>Authored</stixCommon:Relationship> <stixCommon:TTP xsi:type="ttp:TTPType"> <ttp:Behavior><ttp:Malware> <ttp:Malware_Instance><ttp:Name>MANITSME</ttp:Name></ttp:Malware_Instance> </ttp:Malware></ttp:Behavior> </stixCommon:TTP> </threat-actor:Observed_TTP> </threat-actor:Observed_TTPs> </stix:Threat_Actor> <!-- ThreatActor characterization for DOTA --> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-d84cf283-93be-4ca7-890d-76c63eff3636" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:PartyName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>dota</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>DOTA</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="Alias"> <xnl:NameElement>Rodney</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="Alias"> <xnl:NameElement>Raith</xnl:NameElement> </xnl:PersonName> </xpil:PartyName> <xpil:ElectronicAddressIdentifiers> <xpil:ElectronicAddressIdentifier xpil:Type="EMAIL" >[email protected]</xpil:ElectronicAddressIdentifier> <xpil:ElectronicAddressIdentifier xpil:Type="EMAIL" >[email protected]</xpil:ElectronicAddressIdentifier> </xpil:ElectronicAddressIdentifiers> <xpil:Nationalities> <xpil:Country> <xal:NameElement>China</xal:NameElement> </xpil:Country> </xpil:Nationalities> </stix-ciq:Specification> </threat-actor:Identity> </stix:Threat_Actor> <!-- ThreatActor characterization for SuperHard --> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-02e7c48f-0301-4c23-b3e4-02e5a0114c21" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:PartyName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>SuperHard</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>Mei Qiang</xnl:NameElement> </xnl:PersonName> </xpil:PartyName> <xpil:Nationalities> <xpil:Country> <xal:NameElement>China</xal:NameElement> </xpil:Country> </xpil:Nationalities> </stix-ciq:Specification> <stix-ciq:Role>Research and Development</stix-ciq:Role> </threat-actor:Identity> <threat-actor:Observed_TTPs> <threat-actor:Observed_TTP> <stixCommon:Relationship>Authored/Contributed_To</stixCommon:Relationship> <stixCommon:TTP xsi:type="ttp:TTPType"> <ttp:Behavior><ttp:Malware> <ttp:Malware_Instance><ttp:Name>AURIGA</ttp:Name></ttp:Malware_Instance> </ttp:Malware></ttp:Behavior> </stixCommon:TTP> </threat-actor:Observed_TTP> <threat-actor:Observed_TTP> <stixCommon:Relationship>Authored/Contributed_To</stixCommon:Relationship> <stixCommon:TTP xsi:type="ttp:TTPType"> <ttp:Behavior><ttp:Malware> <ttp:Malware_Instance><ttp:Name>BANGAT</ttp:Name></ttp:Malware_Instance> </ttp:Malware></ttp:Behavior> </stixCommon:TTP> </threat-actor:Observed_TTP> </threat-actor:Observed_TTPs> </stix:Threat_Actor> <!-- ThreatActor characterization for Comment Crew --> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-f1ce5a9e-0fb7-465b-acb9-e7f75098eee9" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>Comment Crew</stixCommon:Name> </threat-actor:Identity> </stix:Threat_Actor> <!-- ThreatActor characterization for Comment Group --> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-5abb4d96-e3f2-4a1a-b025-c5b63ec6eb0b" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>Comment Group</stixCommon:Name> </threat-actor:Identity> </stix:Threat_Actor> <!-- ThreatActor characterization for Shady Rat --> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-d9619c21-9d4f-414e-9471-36bb8fc42bbe" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>Shady Rat</stixCommon:Name> </threat-actor:Identity> </stix:Threat_Actor> <!-- ThreatActor characterization for GSD 3rd Department / 2nd Bureau --> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-94624865-2709-443f-9b4c-2891985fd69b" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>GSD 3rd Department / 2nd Bureau</stixCommon:Name> </threat-actor:Identity> <threat-actor:Associated_Actors> <threat-actor:Associated_Actor> <stixCommon:Relationship>Component_Of</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-b5d1d28c-d824-49c0-80b6-9179202e297b"/> </threat-actor:Associated_Actor> </threat-actor:Associated_Actors> </stix:Threat_Actor> <!-- ThreatActor characterization for GSD 3rd Department --> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-b5d1d28c-d824-49c0-80b6-9179202e297b" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>GSD 3rd Department</stixCommon:Name> </threat-actor:Identity> <threat-actor:Associated_Actors> <threat-actor:Associated_Actor> <stixCommon:Relationship>Component_Of</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-5ac0fd8e-5804-4849-a170-4ec0d15a5e8b"/> </threat-actor:Associated_Actor> </threat-actor:Associated_Actors> </stix:Threat_Actor> <!-- ThreatActor characterization for PLA General Staff --> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-5ac0fd8e-5804-4849-a170-4ec0d15a5e8b" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>PLA General Staff</stixCommon:Name> </threat-actor:Identity> <threat-actor:Associated_Actors> <threat-actor:Associated_Actor> <stixCommon:Relationship>Component_Of</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-d5b62b58-df7c-46b1-a435-4d01945fe21d"/> </threat-actor:Associated_Actor> </threat-actor:Associated_Actors> </stix:Threat_Actor> <!-- ThreatActor characterization for Communist Party of China --> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-d5b62b58-df7c-46b1-a435-4d01945fe21d" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:PartyName> <xnl:OrganisationName> <xnl:NameElement>Communist Part of China</xnl:NameElement> </xnl:OrganisationName> </xpil:PartyName> <xpil:Addresses> <xpil:Address> <xal:Country> <xal:NameElement>China</xal:NameElement> </xal:Country> </xpil:Address> </xpil:Addresses> <xpil:Languages> <xpil:Language>Chinese</xpil:Language> </xpil:Languages> </stix-ciq:Specification> <stix-ciq:Role>Nation-State</stix-ciq:Role> </threat-actor:Identity> </stix:Threat_Actor> <!-- ThreatActor characterization for China Telecom--> <stix:Threat_Actor timestamp="2014-05-08T09:00:00.000000Z" id="mandiant:threat-actor-76dd3859-31a6-43c5-9f3e-9c6ac745b61b" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:PartyName> <xnl:OrganisationName> <xnl:NameElement>China Telecom</xnl:NameElement> </xnl:OrganisationName> </xpil:PartyName> <xpil:Addresses> <xpil:Address> <xal:Country> <xal:NameElement>China</xal:NameElement> </xal:Country> </xpil:Address> </xpil:Addresses> <xpil:Languages> <xpil:Language>Chinese</xpil:Language> </xpil:Languages> </stix-ciq:Specification> <stix-ciq:Role>State-influenced Commercial Entity</stix-ciq:Role> </threat-actor:Identity> </stix:Threat_Actor> </stix:Threat_Actors> </stix:STIX_Package>