schemas.v1.2.0.samples.APT1.Mandiant_APT1_Report.xml
<?xml version="1.0" encoding="UTF-8"?> <!-- APT1: Exposing One of China's Cyber Espionage Units (the "APT1 Report") is copyright 2013 by Mandiant Corporation and can be downloaded at intelreport.mandiant.com. This XML file using the STIX standard was created by The MITRE Corporation using the content of the APT1 Report with Mandiant's permission. Mandiant is not responsible for the content of this file. The following content represents a partial extraction of information from the Mandiant APT1 Report published 2/19/13. While not all content was converted into structured STIX format, the content here represents illustrative examples of how various threat related information (e.g. ThreatActors, TTP, Infrastructure, Tools, VictimTargeting, Malware, Indicators, etc.) can be structurally represented using STIX. In aligning the report with the STIX architecture, the report was divided into the following major constructs: - STIX Header: Describes the report Executive Summary, handling, information source, etc. - TTPs: Several TTPs (Tactics, Techniques, and Procedures) were created to describe: - The overall characterization of adversary behavior, intent and capability - Brief prose descriptions of malware used - Victim targeting - Individual kill chain phases - Leveraged infrastructure - Leveraged tools - Kill Chain Description: A short description of the Mandiant Attack Lifecycle as contained in the report - Threat Actor Characterization: Characterization of the APT1 threat actor and associated actors This extraction and conversion was done by hand. As such it may contain errors and is intended for illustrative purposes only. 
--> <stix:STIX_Package id="mandiant:package-e33ffe07-2f4c-48d8-b0af-ee2619d765cf" version="1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:marking="http://data-marking.mitre.org/Marking-1" xmlns:terms="http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2" xmlns:AddressObject="http://cybox.mitre.org/objects#AddressObject-2" xmlns:URIObject="http://cybox.mitre.org/objects#URIObject-2" xmlns:LinkObject="http://cybox.mitre.org/objects#LinkObject-1" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:report="http://stix.mitre.org/Report-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:campaign="http://stix.mitre.org/Campaign-1" xmlns:threat-actor="http://stix.mitre.org/ThreatActor-1" xmlns:stix-ciq="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1" xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xmlns:xal="urn:oasis:names:tc:ciq:xal:3" xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3" xmlns:lmco="lockheedmartin.com" xmlns:mandiant="http://www.mandiant.com" xmlns:mitre="http://www.mitre.org" xsi:schemaLocation=" http://cybox.mitre.org/objects#AddressObject-2 ../../cybox/objects/Address_Object.xsd http://cybox.mitre.org/objects#URIObject-2 ../../cybox/objects/URI_Object.xsd http://cybox.mitre.org/objects#LinkObject-1 ../../cybox/objects/Link_Object.xsd http://stix.mitre.org/Indicator-2 ../../indicator.xsd http://stix.mitre.org/Campaign-1 ../../campaign.xsd http://stix.mitre.org/ThreatActor-1 ../../threat_actor.xsd http://stix.mitre.org/TTP-1 ../../ttp.xsd http://stix.mitre.org/default_vocabularies-1 ../../stix_default_vocabularies.xsd http://cybox.mitre.org/default_vocabularies-2 
../../cybox/cybox_default_vocabularies.xsd http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 ../../extensions/identity/ciq_3.0_identity.xsd http://stix.mitre.org/stix-1 ../../stix_core.xsd http://stix.mitre.org/Report-1 ../../report.xsd http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1 ../../extensions/marking/terms_of_use_marking.xsd"> <stix:STIX_Header> <stix:Handling> <marking:Marking> <marking:Controlled_Structure>//node() | //@*</marking:Controlled_Structure> <!-- Apply following marking to entire document --> <marking:Marking_Structure xsi:type="terms:TermsOfUseMarkingStructureType"> <terms:Terms_Of_Use>APT1: Exposing One of China's Cyber Espionage Units (the "APT1 Report") is copyright 2013 by Mandiant Corporation and can be downloaded at intelreport.mandiant.com. This XML file using the STIX standard was created by The MITRE Corporation using the content of the APT1 Report with Mandiant's permission. Mandiant is not responsible for the content of this file.</terms:Terms_Of_Use> </marking:Marking_Structure> </marking:Marking> </stix:Handling> <stix:Information_Source> <stixCommon:Identity> <stixCommon:Name>MITRE</stixCommon:Name> </stixCommon:Identity> <stixCommon:Role xsi:type="stixVocabs:InformationSourceRoleVocab-1.0">Transformer/Translator</stixCommon:Role> <stixCommon:Contributing_Sources> <stixCommon:Source> <stixCommon:Identity> <stixCommon:Name>Mandiant</stixCommon:Name> </stixCommon:Identity> <stixCommon:Role xsi:type="stixVocabs:InformationSourceRoleVocab-1.0">Initial Author</stixCommon:Role> <stixCommon:Time> <cyboxCommon:Produced_Time precision="day">2013-02-19T00:00:00Z</cyboxCommon:Produced_Time> </stixCommon:Time> </stixCommon:Source> </stixCommon:Contributing_Sources> <stixCommon:Time> <cyboxCommon:Produced_Time precision="day">2014-01-16T00:00:00Z</cyboxCommon:Produced_Time> </stixCommon:Time> <stixCommon:References> 
<stixCommon:Reference>http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf</stixCommon:Reference> </stixCommon:References> </stix:Information_Source> </stix:STIX_Header> <!-- Top-level APT1 TTP --> <stix:TTPs> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8" xsi:type="ttp:TTPType"> <ttp:Title>APT1 Tactics, Techniques and Procedures</ttp:Title> <ttp:Intended_Effect> <stixCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p> Our evidence indicates that APT1 has been stealing hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006. Remarkably, we have witnessed APT1 target dozens of organizations simultaneously. Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organizations’ leadership. We believe that the extensive activity we have directly observed represents only a small fraction of the cyber espionage that APT1 has committed. 
</P> </body></html>]]> </stixCommon:Description> </ttp:Intended_Effect> <ttp:Intended_Effect> <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Economic</stixCommon:Value> </ttp:Intended_Effect> <ttp:Intended_Effect> <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Intellectual Property</stixCommon:Value> </ttp:Intended_Effect> <ttp:Intended_Effect> <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Competitive Advantage</stixCommon:Value> </ttp:Intended_Effect> <ttp:Intended_Effect> <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value> </ttp:Intended_Effect> <ttp:Intended_Effect> <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value> </ttp:Intended_Effect> <ttp:Victim_Targeting> <ttp:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:FreeTextLines> <xpil:FreeTextLine> The group does not target industries systematically but more likely steals from an enormous range of industries on a continuous basis. </xpil:FreeTextLine> <xpil:FreeTextLine> Organizations in all industries related to China’s strategic priorities are potential targets of APT1’s comprehensive cyber espionage campaign. 
</xpil:FreeTextLine> </xpil:FreeTextLines> <xpil:Addresses> <xpil:Address> <xal:Country> <xal:NameElement>United States</xal:NameElement> <xal:NameElement>Canada</xal:NameElement> <xal:NameElement>United Kingdom</xal:NameElement> <xal:NameElement>Norway</xal:NameElement> <xal:NameElement>France</xal:NameElement> <xal:NameElement>Belgium</xal:NameElement> <xal:NameElement>Luxembourg</xal:NameElement> <xal:NameElement>Switzerland</xal:NameElement> <xal:NameElement>Israel</xal:NameElement> <xal:NameElement>UAE</xal:NameElement> <xal:NameElement>South Africa</xal:NameElement> <xal:NameElement>India</xal:NameElement> <xal:NameElement>Japan</xal:NameElement> <xal:NameElement>Taiwan</xal:NameElement> <xal:NameElement>Singapore</xal:NameElement> </xal:Country> </xpil:Address> </xpil:Addresses> <xpil:Languages> <xpil:Language>English</xpil:Language> </xpil:Languages> </stix-ciq:Specification> </ttp:Identity> </ttp:Victim_Targeting> <ttp:Related_TTPs> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Malware C2 (WEBC2)--> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-33159b98-3264-4e10-a968-d67975b6272f"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Malware C2 (HTRAN)--> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-a35bc05a-247d-49a9-b954-c5c7344c55cc"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Infrastructure --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-36fa6965-c7b9-4ca4-bc3c-6f9c40bc29c4"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Infrastructure --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-1d04a399-dd12-49f8-aac9-fa781eb4beef"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Infrastructure --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-5c446bed-3bf6-4344-a4d2-5560d550fc82"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Infrastructure --> <ttp:Related_TTP><stixCommon:TTP 
idref="mandiant:ttp-3756130b-9a5f-47d4-8ed4-4350c9921696"></stixCommon:TTP></ttp:Related_TTP> <!-- Leveraged Infrastructure --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-3098c57b-d623-4c11-92f4-5905da66658b"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-1e2c4237-d469-4144-9c0b-9e5c0c513c49"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-e13f3e6d-4f9c-4265-b1cf-f997a1bf7827"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-5728f45b-2eca-4942-a7f6-bc4267c1ab8d"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-0bea2358-c244-4905-a664-a5cdce7bb767"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-7151c6d0-7e97-47ce-9290-087315ea3db7"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> <ttp:Related_TTP><stixCommon:TTP idref="mandiant:ttp-0781fe70-4c94-4300-8865-4b08b98611b4"></stixCommon:TTP></ttp:Related_TTP> <!-- Killchain phase behavior --> </ttp:Related_TTPs> </stix:TTP> <!-- Only two of the APT1 malware families (WEBC2 & HTRAN) were expressed minimally here in STIX to show how they can fit into the overall picture. All of the other malware families could be similarly expressed and in greater detail. --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411" xsi:type="ttp:TTPType"> <ttp:Title>WEBC2 Backdoor</ttp:Title> <ttp:Behavior> <ttp:Malware> <ttp:Malware_Instance> <ttp:Type>Backdoor</ttp:Type> <ttp:Name>WEBC2</ttp:Name> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p> WEBC2 backdoor variants download and interpret data stored between tags in HTML pages as commands. 
They usually download HTML pages from a system within APT1’s hop infrastructure. We have observed APT1 intruders logging in to WEBC2 servers and manually editing the HTML pages that backdoors will download. Because the commands are usually encoded and difficult to spell from memory, APT1 intruders typically do not type these strings, but instead copy and paste them into the HTML files. They likely generate the encoded commands on their own systems before pasting them in to an HTML file hosted by the hop point. For example, we observed an APT attacker pasting the string "czo1NA==" into an HTML page. That string is the base64- encoded version of "s:54", meaning "sleep for 54 minutes" (or hours, depending on the particular backdoor). In lieu of manually editing an HTML file on a hop point, we have also observed APT1 intruders uploading new (already-edited) HTML files. </P> </body></html>]]> </ttp:Description> <!-- NOTE: A structured extension could be used for the Malware_Instance element to provide a much more detailed and structured technical description of Malware instance behavior utilizing the MAEC language --> </ttp:Malware_Instance> </ttp:Malware> </ttp:Behavior> <ttp:Kill_Chain_Phases> <!-- Establishing a Foothold --> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-6df42755-0721-436a-a211-2844cc9c583d" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-33159b98-3264-4e10-a968-d67975b6272f" xsi:type="ttp:TTPType"> <ttp:Title>HTRAN Malware C2</ttp:Title> <ttp:Behavior> <ttp:Malware> <ttp:Malware_Instance> <ttp:Type>Relay</ttp:Type> <ttp:Name>HUC Packet Transmit Tool (HTRAN)</ttp:Name> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> When APT1 attackers are not using WEBC2, they require a "command and control" (C2) user interface so they can issue commands to the backdoor. 
This interface sometimes runs on their personal attack system, which is typically in Shanghai. In these instances, when a victim backdoor makes contact with a hop, the communications need to be forwarded from the hop to the intruder’s Shanghai system so the backdoor can talk to the C2 server software. We have observed 767 separate instances in which APT1 intruders used the publicly available "HUC Packet Transmit Tool" or HTRAN on a hop. As always, keep in mind that these uses are confirmed uses, and likely represent only a small fraction of APT1’s total activity. </P> <p> The HTRAN utility is merely a middle-man, facilitating connections between the victim and the attacker who is using the hop point. </P> <p> Typical use of HTRAN is fairly simple: the attacker must specify the originating IP address (of his or her workstation in Shanghai), and a port on which to accept connections. </P> <p> In the 767 observed uses of HTRAN, APT1 intruders supplied 614 distinct routable IP addresses. In other words, they used their hops to function as middlemen between victim systems and 614 different addresses. Of these addresses, 613 of 614 are part of APT1’s home networks. 
</P> </body> </html>]]> </ttp:Description> <!-- NOTE: A structured extension could be used for the Malware_Instance element to provide a much more detailed and structured technical description of Malware instance behavior utilizing the MAEC language --> </ttp:Malware_Instance> </ttp:Malware> </ttp:Behavior> <ttp:Resources><ttp:Infrastructure> <ttp:Type>Leveraged IP Blocks</ttp:Type> <ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1"> <cybox:Observable> <cybox:Object id="mandiant:object-031778a4-057f-48e6-9db9-c8d72b81ccd5"> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">143.89.0.0##comma##143.89.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object idref="mandiant:object-031778a4-057f-48e6-9db9-c8d72b81ccd5"/> <!-- 223.166.0.0 - 23.167.255.255 --> </cybox:Observable> <cybox:Observable> <cybox:Object idref="mandiant:object-da1d061b-2bc9-467a-b16f-8d14f468e1f0"/> <!-- 58.246.0.0 - 58.247.255.255 --> </cybox:Observable> <cybox:Observable> <cybox:Object idref="mandiant:object-2173d108-5714-42fd-8213-4f3790259fda"/> <!-- 112.64.0.0 - 112.65.255.255 --> </cybox:Observable> <cybox:Observable> <cybox:Object idref="mandiant:object-8ce03314-dfea-4498-ac9b-136e41ab00e4"/> <!-- 139.226.0.0 - 139.227.255.255 --> </cybox:Observable> </ttp:Observable_Characterization> </ttp:Infrastructure></ttp:Resources> <ttp:Kill_Chain_Phases> <!-- Establishing a Foothold --> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-6df42755-0721-436a-a211-2844cc9c583d" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Net blocks corresponding to IP addresses that APT1 used to access their hop points --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-a35bc05a-247d-49a9-b954-c5c7344c55cc" 
xsi:type="ttp:TTPType"> <ttp:Resources><ttp:Infrastructure> <ttp:Type>Hop Point Accessors</ttp:Type> <ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1"> <cybox:Observable> <cybox:Object id="mandiant:object-232deffc-063f-4e83-9027-1b930af4a09f"> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">223.166.0.0##comma##23.167.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object id="mandiant:object-da1d061b-2bc9-467a-b16f-8d14f468e1f0"> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">58.246.0.0##comma##58.247.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object id="mandiant:object-2173d108-5714-42fd-8213-4f3790259fda"> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">112.64.0.0##comma##112.65.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object id="mandiant:object-8ce03314-dfea-4498-ac9b-136e41ab00e4"> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">139.226.0.0##comma##139.227.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object> <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">114.80.0.0##comma##114.95.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable> <cybox:Object> <cybox:Properties xsi:type="AddressObject:AddressObjectType" 
category="ipv4-addr"> <AddressObject:Address_Value condition="InclusiveBetween">101.80.0.0##comma##101.95.255.255</AddressObject:Address_Value> </cybox:Properties> </cybox:Object> </cybox:Observable> </ttp:Observable_Characterization> </ttp:Infrastructure></ttp:Resources> </stix:TTP> <!-- APT1 Servers infrastructure --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-36fa6965-c7b9-4ca4-bc3c-6f9c40bc29c4" xsi:type="ttp:TTPType"> <ttp:Title>APT1 C2 Servers Infrastructure</ttp:Title> <ttp:Resources><ttp:Infrastructure> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> In the last two years alone, we have confirmed 937 APT1 C2 servers — that is, actively listening or communicating programs — running on 849 distinct IP addresses. However, we have evidence to suggest that APT1 is running hundreds, and likely thousands, of other servers (see the Domains section below). The programs acting as APT1 servers have mainly been: (1) FTP, for transferring files; (2) web, primarily for WEBC2; (3) RDP, for remote graphical control of a system; (4) HTRAN, for proxying; and (5) C2 servers associated with various backdoor families (covered in <a href="http://intelreport.mandiant.com">Appendix C: The Malware Arsenal</a>). </P> </body> </html>]]> </ttp:Description> </ttp:Infrastructure></ttp:Resources> </stix:TTP> <!-- APT1 Domain names infrastructure --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-1d04a399-dd12-49f8-aac9-fa781eb4beef" xsi:type="ttp:TTPType"> <ttp:Title>Domain Names Infrastructure</ttp:Title> <ttp:Resources><ttp:Infrastructure> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> APT1’s infrastructure includes FQDNs in addition to the IP addresses discussed above. The FQDNs play an important role in their intrusion campaigns because APT1 embeds FQDNs as C2 addresses within their backdoors. 
In the last several years we have confirmed 2,551 FQDNs attributed to APT1. Of these, we have redacted FQDNs that implicated victims by name and provided 2,046 in <a href="http://intelreport.mandiant.com">Appendix D</a>. By using FQDNs rather than hardcoded IP addresses as C2 addresses, attackers may dynamically decide where to direct C2 connections from a given backdoor. That is, if they lose control of a specific hop point (IP address) they can "point" the C2 FQDN address to a different IP address and resume their control over victim backdoors. This flexibility allows the attacker to direct victim systems to myriad C2 servers and avoid being blocked. </p> <p> APT1 FQDNs can be grouped into three categories: (1) registered zones, (2) third-party zones, and (3) hijacked domains. </p> </body> </html>]]> </ttp:Description> <!-- The specific FQDNs could easily be referenced here using an ObservableCharacterization element that references the CybOX-defined FQDNs as specified in the associated fqdns.xml file --> </ttp:Infrastructure></ttp:Resources> <ttp:Related_TTPs> <ttp:Related_TTP> <stixCommon:Relationship>Leverages</stixCommon:Relationship> <stixCommon:TTP idref="mandiant:ttp-a6fa7315-04ff-4234-ad22-6c210ffe0f2b"/> <!-- Registered DNS Zones infrastructure --> </ttp:Related_TTP> <ttp:Related_TTP> <stixCommon:Relationship>Leverages</stixCommon:Relationship> <stixCommon:TTP idref="mandiant:ttp-5c446bed-3bf6-4344-a4d2-5560d550fc82"/> <!-- APT1 Third party services infrastructure --> </ttp:Related_TTP> <ttp:Related_TTP> <stixCommon:Relationship>Leverages</stixCommon:Relationship> <stixCommon:TTP idref="mandiant:ttp-3756130b-9a5f-47d4-8ed4-4350c9921696"/> <!-- APT1 Hijacked FQDNs infrastructure --> </ttp:Related_TTP> </ttp:Related_TTPs> </stix:TTP> <!-- Registered DNS Zones infrastructure --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-a6fa7315-04ff-4234-ad22-6c210ffe0f2b" xsi:type="ttp:TTPType"> <ttp:Title>Registered DNS Zones 
infrastructure</ttp:Title> <ttp:Resources><ttp:Infrastructure> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> A DNS zone represents a collection of FQDNs that end with the same name, and which are usually registered through a domain registration company and controlled by a single owner. For example, “hugesoft.org” is an FQDN but also represents a zone. The FQDNs “ug-co.hugesoft.org” and “7cback.hugesoft.org” are part of the “hugesoft. org” zone and are called “subdomains” of the zone. The person who registered “hugesoft.org” may add as many subdomains as they wish and controls the IP resolutions of these FQDNs. APT1 has registered at least 107 zones since 2004. Within these zones, we know of thousands of FQDNs that have resolved to hundreds of IP addresses (which we suspect are hops) and in some instances to APT1’s source IP addresses in Shanghai. </P> <p> The first zone we became aware of was “hugesoft. org”, which was registered through eNom, Inc. in October 2004. The registrant supplied “[email protected]” as an email address. The supplied registration information, which is still visible in public “whois” data as of February 3, 2013, includes the following: </P> <code> Domain Name:HUGESOFT.ORG Created On:25-Oct-2004 09:46:18 UTC Registrant Name:huge soft Registrant Organization:hugesoft Registrant Street1:shanghai Registrant City:shanghai Registrant State/Province:S Registrant Postal Code:200001 Registrant Country:CN Registrant Phone:+86.21000021 Registrant Email:[email protected] </code> <p> The supplied registrant information does not need to be accurate for the zone to be registered successfully. For example, “shanghai” is not a street name. Nevertheless, it is noteworthy that Shanghai appeared in the first known APT1 domain registration, along with a phone number that begins with China’s “+86” international code. In fact, Shanghai was listed as the registrant’s city in at least 24 of the 107 (22%) registrations. 
</P> <p> Some of the supplied registration information is obviously false. For example, consider the registration information supplied for the zone “uszzcs.com” in 2005: </p> <code> Victor [email protected] +86.8005439436 Michael Murphy 795 Livermore St. Yellow Spring,Ohio,UNITED STATES 45387 </code> <p> Here, a phone number with a Chinese prefix (“+86”) accompanied an address in the United States. Since the United States uses the prefix “+1”, it is highly unlikely that a person living in Ohio would provide a phone number beginning with “+86”. Additionally, the city name is spelled incorrectly, as it should be “Yellow Springs” instead of “Yellow Spring”. This could have been attributed to a one-time spelling mistake, except the registrant spelled the city name incorrectly multiple times, both for the zones “uszzcs.com” and “attnpower.com”. This suggests that the registrant really thought “Yellow Spring” was the correct spelling and that he or she did not, in fact, live or work in Yellow Springs, Ohio. </p> <p> Overall, the combination of a relatively high number of “Shanghai” registrations with obviously false registration examples in other registrations suggests a partially uncoordinated domain registration campaign from 2004 until present, in which some registrants tried to fabricate non-Shanghai locations but others did not. This is supported by contextual information on the Internet for the email address “[email protected],” which was supplied in the registration information for seven of the 107 zones. On the site “www.china-one.org,” the email address “[email protected]” appears as the contact for the Shanghai Kai Optical Information Technology Co., Ltd., a website production company located in a part of Shanghai that is across the river from PLA Unit 61398. </p> <h1>naming themes</h1> <p> About half of APT1’s known zones were named according to three themes: news, technology and business. 
These themes cause APT1 command and control addresses to appear benign at first glance. However, we believe that the hundreds of FQDNs within these zones were created for the purpose of APT1 intrusions. (Note: these themes are not unique to APT1 or even APT in general.) </p> <p> The news-themed zones include the names of well-known news media outlets such as CNN, Yahoo and Reuters. However, they also include names referencing English-speaking countries, such as “aunewsonline.com” (Australia), “canadatvsite.com” (Canada), and “todayusa.org” (U.S.). Below is a list of zones registered by APT1 that are news-themed: </p> <p> <div> <div> aoldaily.com<br> aunewsonline.com<br> canadatvsite.com<br> canoedaily.com<br> cnndaily.com<br> cnndaily.net<br> cnnnewsdaily.com<br> defenceonline.net<br> freshreaders.net<br> giftnews.org<br> </div> <div> issnbgkit.net<br> mediaxsds.net<br> myyahoonews.com<br> newsesport.com<br> newsonet.net<br> newsonlinesite.com<br> newspappers.org<br> nytimesnews.net<br> oplaymagzine.comv phoenixtvus.com<br> </div> <div> purpledaily.com<br> reutersnewsonline.com<br> rssadvanced.org<br> saltlakenews.org<br> sportreadok.net<br> todayusa.org<br> usapappers.com<br> usnewssite.com<br> yahoodaily.com<br> </div> </div> </p> <p> The technology-themed zones reference well-known technology companies (AOL, Apple, Google, Microsoft), antivirus vendors (McAfee, Symantec), and products (Blackberry, Bluecoat). 
APT1 also used more generic names referencing topics like software: </p> <p> <div> aolon1ine.com<br> applesoftupdate.com<br> blackberrycluter.com<br> bluecoate.com<br> comrepair.net<br> dnsweb.org<br> downloadsite.me<br> firefoxupdata.com<br> </div> <div> globalowa.com<br> gmailboxes.com<br> hugesoft.org<br> idirectech.com<br> ifexcel.com<br> infosupports.com<br> livemymsn.com<br> mcafeepaying.com<br> </div> <div> microsoft-update-info.com<br> micyuisyahooapis.com<br> msnhome.org<br> pcclubddk.net<br> progammerli.com<br> softsolutionbox.net<br> symanteconline.net<br> webservicesupdate.com<br> </div> </p> <p> Finally, some zones used by APT1 reflect a business theme. The names suggest websites that professionals might visit: </p> <p> <div> advanbusiness.com<br> businessconsults.net<br> businessformars.com<br> </div> <div> companyinfosite.com<br> conferencesinfo.com<br> copporationnews.com<br> </div> <div> infobusinessus.org<br> jobsadvanced.com<br> </div> </p> <p> Not every zone stays within APT1’s control forever. Over a campaign lasting for so many years, APT1 has not always renewed every zone in their attack infrastructure. Additionally, while some have simply been allowed to expire, others have been transferred to the organizations that the domain names attempted to imitate. For example, in September 2011, Yahoo filed a complaint against “zheng youjun” of “Arizona, USA”, who registered the APT1 zone “myyahoonews.com”. Yahoo alleged the “<myyahoonews.com> domain name was confusingly similar to Complainant’s YAHOO! mark” and that “[zheng youjun] registered and used the <myyahoonews.com> domain name in bad faith.” In response, the National Arbitration Forum found that the site “myyahoonews.com” at the time resolved to “a phishing web page, substantially similar to the actual WorldSID website...in an effort to collect login credentials under false pretenses.” Not surprisingly, “zheng youjun” did not respond. 
Subsequently, control of “myyahoonews.com” was transferred from APT1 to Yahoo. </p> </body> </html>]]> </ttp:Description> </ttp:Infrastructure></ttp:Resources> </stix:TTP> <!-- APT1 Third party services infrastructure --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-5c446bed-3bf6-4344-a4d2-5560d550fc82" xsi:type="ttp:TTPType"> <ttp:Title>Third-party Services Infrastructure</ttp:Title> <ttp:Resources><ttp:Infrastructure> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> The third-party service that APT1 has used the most is known as "dynamic DNS." This is a service that allows people to register subdomains under zones that other people have registered and provided to the service. Over the years, APT1 has registered hundreds of FQDNs in this manner. When they need to change the IP resolution of an FQDN, they simply log in to these services and update the IP resolution of their FQDN via a web-based interface. </P> <p> In addition to dynamic DNS, recently we have observed that APT1 has been creating FQDNs that end with "appspot.com", suggesting that they are using Google’s App Engine service. </P> </body> </html>]]> </ttp:Description> </ttp:Infrastructure></ttp:Resources> </stix:TTP> <!-- APT1 Hijacked FQDNs infrastructure --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-3756130b-9a5f-47d4-8ed4-4350c9921696" xsi:type="ttp:TTPType"> <ttp:Title>Hijacked FQDN Infrastructure</ttp:Title> <ttp:Resources><ttp:Infrastructure> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> APT1 intruders often use the FQDNs that are associated with legitimate websites hosted by their hop points. We consider these domains to be "hijacked" because they were registered by someone for a legitimate reason, but have been leveraged by APT1 for malicious purposes. APT1 uses hijacked FQDNs for two main purposes. 
First, they place malware (usually in ZIP files) on the legitimate websites hosted on the hop point and then send spear phishing emails with a link that includes the legitimate FQDN. Second, they embed hijacked FQDNs as C2 addresses in their backdoors. </P> </body> </html>]]> </ttp:Description> </ttp:Infrastructure></ttp:Resources> </stix:TTP> <!-- Killchain phase - The Initial Compromise --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-3098c57b-d623-4c11-92f4-5905da66658b" xsi:type="ttp:TTPType"> <ttp:Title>The Initial Compromise</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>The Initial Compromise represents the methods intruders use to first penetrate a target organization’s network.</stixCommon:Description></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> As with most other APT groups, spear phishing is APT1’s most commonly used technique. The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples' names — names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel — and uses these accounts to send the emails. As a real-world example, this is an email that APT1 sent to Mandiant employees: </P> <code> Date: Wed, 18 Apr 2012 06:31:41 -0700 From: Kevin Mandia &lt;kevin.mandia@rocketmail.com&gt; Subject: Internal Discussion on the Press Release Hello, Shall we schedule a time to meet next week? We need to finalize the press release. Details click here. Kevin Mandia </code> <p> At first glance, the email appeared to be from Mandiant’s CEO, Kevin Mandia. However, further scrutiny shows that the email was not sent from a Mandiant email account, but from "kevin.mandia@rocketmail.com". 
Rocketmail is a free webmail service. The account "kevin.mandia@rocketmail.com" does not belong to Mr. Mandia. Rather, an APT1 actor likely signed up for the account specifically for this spear phishing event. If anyone had clicked on the link that day (which no one did, thankfully), their computer would have downloaded a malicious ZIP file named "Internal_Discussion_Press_Release_In_Next_Week8.zip". This file contained a malicious executable that installs a custom APT1 backdoor that we call WEBC2-TABLE. </P> <p> Although the files that APT1 actors attach or link to spear phishing emails are not always in ZIP format, this is the predominant trend we have observed in the last several years. </P> </body> </html>]]> </ttp:Description> </ttp:Attack_Pattern> <ttp:Attack_Pattern capec_id="CAPEC-163"/> <!-- Spear Phishing --> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-3356c179-d467-4530-a66a-7bb6b23ad946" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Establishing a Foothold --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-1e2c4237-d469-4144-9c0b-9e5c0c513c49" xsi:type="ttp:TTPType"> <ttp:Title>Establishing a Foothold</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>Establishing a foothold involves actions that ensure control of the target network’s systems from outside the network.</stixCommon:Description></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> APT1 establishes a foothold once email recipients open a malicious file and a backdoor is subsequently installed. A backdoor is software that allows an intruder to send commands to the system remotely. 
In almost every case, APT backdoors initiate outbound connections to the intruder’s "command and control" (C2) server. APT intruders employ this tactic because while network firewalls are generally adept at keeping malware outside the network from initiating communication with systems inside the network, they are less reliable at keeping malware that is already inside the network from communicating to systems outside. </p> <p> While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT, the vast majority of the time they use what appear to be their own custom backdoors. We have documented 42 families of backdoors in <a href="http://intelreport.mandiant.com">"Appendix C: The Malware Arsenal"</a> that APT1 uses that we believe are not publicly available. In addition we have provided 1,007 MD5 hashes associated with APT1 malware in <a href="http://intelreport.mandiant.com">Appendix E</a>. We will describe APT1’s backdoors in two categories: "Beachhead Backdoors" and "Standard Backdoors." </p> <h2>Beachhead Backdoors</h2> <p> Beachhead backdoors are typically minimally featured. They offer the attacker a toe-hold to perform simple tasks like retrieve files, gather basic system information and trigger the execution of other more significant capabilities such as a standard backdoor. </p> <p> APT1’s beachhead backdoors are usually what we call WEBC2 backdoors. WEBC2 backdoors are probably the most well-known kind of APT1 backdoor, and are the reason why some security companies refer to APT1 as the “Comment Crew.” A WEBC2 backdoor is designed to retrieve a webpage from a C2 server. It expects the webpage to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Older versions of WEBC2 read data between HTML comments, though over time WEBC2 variants have evolved to read data contained within other types of tags. 
From direct observation, we can confirm that APT1 was using WEBC2 backdoors as early as July 2006. However, the first compile time we have for WEBC2-KT3 is 2004-01-23, suggesting that APT1 has been crafting WEBC2 backdoors since early 2004. Based on the 400+ samples of WEBC2 variants that we have accumulated, it appears that APT1 has direct access to developers who have continually released new WEBC2 variants for over six years. </p> <p> For example, these two build paths, which were discovered inside WEBC2-TABLE samples, help to illustrate how APT1 has been steadily building new WEBC2 variants as part of a continuous development process: </p> <code> <h3>Sample A</h3> MD5: d7aa32b7465f55c368230bb52d52d885 Compile date: 2012-02-23 \work\code\2008-7-8muma\mywork\winInet_winApplication2009-8-7\mywork\aaaaaaa2012-2-23\Release\aaaaaaa.pdb </code> <code> <h3>Sample B</h3> MD5: c1393e77773a48b1eea117a302138554 Compile date: 2009-08-07 D:\work\code\2008-7-8muma\mywork\winInet_winApplication2009-8-7\mywork\aaaaaaa\Release\aaaaaaa.pdb </code> <p> A “build path” discloses the directory from which the programmer built and compiled his source code. These samples, compiled 2.5 years apart, were compiled within a folder named “work\code\...\mywork”. The instances of “work” suggest that working on WEBC2 is someone’s day job and not a side project or hobby. Furthermore, the Sample A build string includes “2012-2-23” — which matches Sample A’s compile date. The Sample B build string lacks “2012-2-23” but includes “2009-8-7” — which also matches Sample B’s compile date. This suggests that the code used to compile Sample A was modified from code that was used to compile Sample B 2.5 years previously. The existence of “2008-7-8” suggests that the code for both samples was modified from a version that existed in July 2008, a year before Sample B was created. This series of dates indicates that developing and modifying the WEBC2 backdoor is an iterative and long-term process. 
</p> <p> WEBC2 backdoors typically give APT1 attackers a short and rudimentary set of commands to issue to victim systems, including: »» Open an interactive command shell (usually Windows’ cmd.exe) »» Download and execute a file »» Sleep (i.e. remain inactive) for a specified amount of time </p> <p> WEBC2 backdoors are often packaged with spear phishing emails. Once installed, APT1 intruders have the option to tell victim systems to download and execute additional malicious software of their choice. WEBC2 backdoors work for their intended purpose, but they generally have fewer features than the “Standard Backdoors” described below. </p> <h2>Standard Backdoors</h2> <p> The standard, non-WEBC2 APT1 backdoor typically communicates using the HTTP protocol (to blend in with legitimate web traffic) or a custom protocol that the malware authors designed themselves. These backdoors give APT intruders a laundry list of ways to control victim systems, including: »» Create/modify/delete/execute programs »» Upload/download files »» Create/delete directories »» List/start/stop processes »» Modify the system registry »» Take screenshots of the user’s desktop »» Capture keystrokes »» Capture mouse movement »» Start an interactive command shell »» Create a Remote desktop (i.e. graphical) interface »» Harvest passwords »» Enumerate users »» Enumerate other systems on the network »» Sleep (i.e. 
go inactive) for a specified amount of time »» Log off the current user »» Shut down the system </p> </body> </html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Related_TTPs> <ttp:Related_TTP> <stixCommon:Relationship>Leverages</stixCommon:Relationship> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> <!-- WEBC2 --> </ttp:Related_TTP> <ttp:Related_TTP> <stixCommon:Relationship>Leverages</stixCommon:Relationship> <stixCommon:TTP idref="mandiant:ttp-33159b98-3264-4e10-a968-d67975b6272f"/> <!-- HTRAN --> </ttp:Related_TTP> </ttp:Related_TTPs> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-6df42755-0721-436a-a211-2844cc9c583d" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Privilege Escalation --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-e13f3e6d-4f9c-4265-b1cf-f997a1bf7827" xsi:type="ttp:TTPType"> <ttp:Title>Privilege Escalation</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>Escalating privileges involves acquiring items (most often usernames and passwords) that will allow access to more resources within the network. </stixCommon:Description></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> In this and the next two stages, APT1 does not differ significantly from other APT intruders (or intruders, generally). APT1 predominantly uses publicly available tools to dump password hashes from victim systems in order to obtain legitimate user credentials. 
</P> </body> </html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Resources><ttp:Tools> <ttp:Tool> <cyboxCommon:Name>cachedump</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>This program extracts cached password hashes from a system's registry.</P> <p>Currently packaged with fgdump</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>fgdump</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Windows password hash dumper.</P> <p>http://www.foofus.net/fizzgig/fgdump/</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>gsecdump</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Obtains password hashes from the Windows registry, including the SAM file, cached domain credentials, and LSA secrets.</P> <p>http://truesec.se</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>lslsass</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Dump active logon session password hashes from the lsass process.</P> <p>http://truesec.se</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>mimikatz</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>A utility primarily used for dumping password hashes; it can also recover cleartext credentials from LSASS process memory.</P> <p>http://blog.gentilkiwi.com/mimikatz</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>pass-the-hash toolkit</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Allows an intruder to "pass" a password hash (without knowing the original password) to log in to systems.</P> 
<p>http://oss.coresecurity.com/projects/pshtoolkit.htm</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>pwdump7</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Dumps password hashes from the Windows registry.</P> <p>http://www.tarasco.org/security/pwdump_7/</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>pwdumpX</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>Dumps password hashes from the Windows Registry.</P> <p>The tool claims its origin as http://reedarvin.thearvins.com but the site is not offering this software as of the date of this report.</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> </ttp:Tools></ttp:Resources> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-bcde91d7-a3f9-4403-8550-87954d21f174" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Internal Reconnaissance --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-5728f45b-2eca-4942-a7f6-bc4267c1ab8d" xsi:type="ttp:TTPType"> <ttp:Title>Internal Reconnaissance</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>In the Internal Reconnaissance stage, the intruder collects information about the victim environment.</stixCommon:Description></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> Like most APT (and non-APT) intruders, APT1 
primarily uses built-in operating system commands to explore a compromised system and its networked environment. Although they usually simply type these commands into a command shell, sometimes intruders may use batch scripts to speed up the process. Figure 18 below shows the contents of a batch script that APT1 used on at least four victim networks. </P> <code> @echo off ipconfig /all>>"C:\WINNT\Debug\1.txt" net start>>"C:\WINNT\Debug\1.txt" tasklist /v>>"C:\WINNT\Debug\1.txt" net user >>"C:\WINNT\Debug\1.txt" net localgroup administrators>>"C:\WINNT\Debug\1.txt" netstat -ano>>"C:\WINNT\Debug\1.txt" net use>>"C:\WINNT\Debug\1.txt" net view>>"C:\WINNT\Debug\1.txt" net view /domain>>"C:\WINNT\Debug\1.txt" net group /domain>>"C:\WINNT\Debug\1.txt" net group "domain users" /domain>>"C:\WINNT\Debug\1.txt" net group "domain admins" /domain>>"C:\WINNT\Debug\1.txt" net group "domain controllers" /domain>>"C:\WINNT\Debug\1.txt" net group "exchange domain servers" /domain>>"C:\WINNT\Debug\1.txt" net group "exchange servers" /domain>>"C:\WINNT\Debug\1.txt" net group "domain computers" /domain>>"C:\WINNT\Debug\1.txt" </code> <p> This script performs the following functions and saves the results to a text file: »» Display the victim’s network configuration information »» List the services that have started on the victim system »» List currently running processes »» List accounts on the system »» List accounts with administrator privileges »» List current network connections »» List currently connected network shares »» List other systems on the network »» List network computers and accounts according to group (“domain controllers,” “domain users,” “domain admins,” etc.) 
</P> </body> </html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-5692e7a4-5325-4237-a867-0bcc0ebbf2e0" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Lateral Movement --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-0bea2358-c244-4905-a664-a5cdce7bb767" xsi:type="ttp:TTPType"> <ttp:Title>Lateral Movement</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>Expand foothold and access through lateral movement within the target environment.</stixCommon:Description></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p> Once an APT intruder has a foothold inside the network and a set of legitimate credentials, it is simple for the intruder to move around the network undetected. </P> <p> They can connect to shared resources on other systems. </P> <p> They can execute commands on other systems using the publicly available "psexec" tool from Microsoft Sysinternals or the built-in Windows Task Scheduler ("at.exe"). </P> <p> These actions are hard to detect because legitimate system administrators also use these techniques to perform actions around the network. 
</P> </body></html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-48368014-7636-496e-a047-1d8b70027836" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Maintain Presence --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-7151c6d0-7e97-47ce-9290-087315ea3db7" xsi:type="ttp:TTPType"> <ttp:Title>Maintain Presence</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>In this stage, the intruder takes actions to ensure continued, long-term control over key systems in the network environment from outside of the network. </stixCommon:Description></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p> The APT does this (maintains presence) in three ways: </p> <ol> <li>Install new backdoors on multiple systems <p> Throughout their stay in the network (which could be years), APT1 usually installs new backdoors as they claim more systems in the environment. Then, if one backdoor is discovered and deleted, they still have other backdoors they can use. We usually detect multiple families of APT1 backdoors scattered around a victim network when APT1 has been present for more than a few weeks. </P> </li> <li>Use legitimate VPN credentials <p> APT actors and hackers in general are always looking for valid credentials in order to impersonate a legitimate user. We have observed APT1 using stolen usernames and passwords to log into victim networks’ VPNs when the VPNs are only protected by single-factor authentication. From there they are able to access whatever the impersonated users are allowed to access within the network. 
</P> </li> <li>Log in to web portals <p> Once armed with stolen credentials, APT1 intruders also attempt to log into web portals that the network offers. This includes not only restricted websites, but also web-based email systems such as Outlook Web Access. </P> </li> </ol> </body></html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-0d4b08b0-31c0-439a-a6a5-76e210d9b7b9" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Killchain phase - Completing the Mission --> <stix:TTP timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:ttp-0781fe70-4c94-4300-8865-4b08b98611b4" xsi:type="ttp:TTPType"> <ttp:Title>Completing the Mission</ttp:Title> <ttp:Intended_Effect><stixCommon:Description>Exfiltrate information relevant to the mission.</stixCommon:Description></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Theft of Proprietary Information</stixCommon:Value></ttp:Intended_Effect> <ttp:Intended_Effect><stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Intellectual Property</stixCommon:Value></ttp:Intended_Effect> <ttp:Behavior><ttp:Attack_Patterns> <ttp:Attack_Pattern> <ttp:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> Similar to other APT groups we track, once APT1 finds files of interest they pack them into archive files before stealing them. APT intruders most commonly use the RAR archiving utility for this task and ensure that the archives are password protected. Sometimes APT1 intruders use batch scripts to assist them in the process, as depicted in Figure 19. (The instances of "XXXXXXXX" obfuscate the text that was in the actual batch script.) 
</P> <code> @echo off cd /d c:\windows\tasks rar.log a XXXXXXXX.rar -v200m "C:\Documents and Settings\Place\My Documents\XXXXXXXX" -hpsmy123!@# del *.vbs del %0 </code> <p> After creating files compressed via RAR, the APT1 attackers will transfer files out of the network in ways that are consistent with other APT groups, including using the File Transfer Protocol (FTP) or their existing backdoors. Many times their RAR files are so large that the attacker splits them into chunks before transferring them. Figure 19 above shows a RAR command with the option "-v200m", which means that the RAR file should be split up into 200MB portions. </P> <p> Unlike most other APT groups we track, APT1 uses two email-stealing utilities that we believe are unique to APT1. The first, GETMAIL, was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive ("PST") files. </P> <p> Microsoft Outlook archives can be large, often storing years’ worth of emails. They may be too large to transfer out of a network quickly, and the intruder may not be concerned about stealing every email. The GETMAIL utility allows APT1 intruders the flexibility to take only the emails between dates of their choice. In one case, we observed an APT1 intruder return to a compromised system once a week for four weeks in a row to steal only the past week’s emails. </P> <p> Whereas GETMAIL steals email in Outlook archive files, the second utility, MAPIGET, was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server. In order to operate successfully, MAPIGET requires username/password combinations that the Exchange server will accept. MAPIGET extracts email from specified accounts into text files (for the email body) and separate attachments, if there are any. 
</P> </body> </html>]]> </ttp:Description> </ttp:Attack_Pattern> </ttp:Attack_Patterns></ttp:Behavior> <ttp:Resources><ttp:Tools> <ttp:Tool> <cyboxCommon:Name>GETMAIL</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>GETMAIL was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive ("PST") files.</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> <ttp:Tool> <cyboxCommon:Name>MAPIGET</cyboxCommon:Name> <cyboxCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html><body> <p>MAPIGET was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server.</P> </body></html>]]> </cyboxCommon:Description> </ttp:Tool> </ttp:Tools></ttp:Resources> <ttp:Kill_Chain_Phases> <stixCommon:Kill_Chain_Phase phase_id="mandiant:kill-chain-phase-aab09f58-b67b-43b0-9343-cefc967c88a0" kill_chain_id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17"/> </ttp:Kill_Chain_Phases> </stix:TTP> <!-- Kill Chain definition for Mandiant APT1 Attack Lifecycle Model --> <stix:Kill_Chains> <stixCommon:Kill_Chain id="mandiant:kill-chain-e9dfa013-41e2-4c71-83db-279d41a13e17" name="APT1 Attack Lifecycle Model" definer="Mandiant" number_of_phases="8"> <stixCommon:Kill_Chain_Phase name="Initial Recon" ordinality="1" phase_id="mandiant:kill-chain-phase-15c4123e-b21c-4eb0-8871-e302c68d952a"/> <stixCommon:Kill_Chain_Phase name="Initial Compromise" ordinality="2" phase_id="mandiant:kill-chain-phase-3356c179-d467-4530-a66a-7bb6b23ad946"/> <stixCommon:Kill_Chain_Phase name="Establish Foothold" ordinality="3" phase_id="mandiant:kill-chain-phase-6df42755-0721-436a-a211-2844cc9c583d"/> <stixCommon:Kill_Chain_Phase name="Escalate Privileges" ordinality="4" phase_id="mandiant:kill-chain-phase-bcde91d7-a3f9-4403-8550-87954d21f174"/> <stixCommon:Kill_Chain_Phase name="Internal Recon" ordinality="5" 
phase_id="mandiant:kill-chain-phase-5692e7a4-5325-4237-a867-0bcc0ebbf2e0"/> <stixCommon:Kill_Chain_Phase name="Move Laterally" ordinality="6" phase_id="mandiant:kill-chain-phase-48368014-7636-496e-a047-1d8b70027836"/> <stixCommon:Kill_Chain_Phase name="Maintain Presence" ordinality="7" phase_id="mandiant:kill-chain-phase-0d4b08b0-31c0-439a-a6a5-76e210d9b7b9"/> <stixCommon:Kill_Chain_Phase name="Complete Mission" ordinality="8" phase_id="mandiant:kill-chain-phase-aab09f58-b67b-43b0-9343-cefc967c88a0"/> </stixCommon:Kill_Chain> </stix:Kill_Chains> </stix:TTPs> <stix:Threat_Actors> <!-- ThreatActor characterization for APT1 --> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-8dff0344-0c82-4079-8d04-6f3e4d9bd1df" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stixCommon:Related_Identities> <stixCommon:Related_Identity> <stixCommon:Relationship>Recruits From</stixCommon:Relationship> <stixCommon:Identity><stixCommon:Name>Harbin Institute of Technology (哈尔滨工业大学)</stixCommon:Name></stixCommon:Identity> </stixCommon:Related_Identity> <stixCommon:Related_Identity> <stixCommon:Relationship>Recruits From</stixCommon:Relationship> <stixCommon:Identity><stixCommon:Name>Zhejiang University School of Computer Science and Technology (浙江大学计算机学院)</stixCommon:Name></stixCommon:Identity> </stixCommon:Related_Identity> </stixCommon:Related_Identities> <stix-ciq:Specification> <xpil:PartyName> <xnl:OrganisationName> <xnl:NameElement>People's Liberation Army</xnl:NameElement> <xnl:SubDivisionName>Unit 61398</xnl:SubDivisionName> </xnl:OrganisationName> <xnl:OrganisationName xnl:Type="UnofficialName"> <xnl:NameElement>APT1</xnl:NameElement> </xnl:OrganisationName> </xpil:PartyName> <xpil:Addresses> <xpil:Address> <xal:Country> <xal:NameElement>China</xal:NameElement> </xal:Country> <xal:AdministrativeArea> <xal:NameElement>Pudong New Area</xal:NameElement> <xal:SubAdministrativeArea> 
<xal:NameElement>Gaoqiaozhen</xal:NameElement> </xal:SubAdministrativeArea> </xal:AdministrativeArea> <xal:Locality> <xal:NameElement>Shanghai</xal:NameElement> </xal:Locality> <xal:Thoroughfare> <xal:NameElement>Datong Road</xal:NameElement> <xal:Number>208</xal:Number> </xal:Thoroughfare> <xal:Premises> <xal:NameElement>12 stories, 130,663 sq ft, 2000 people</xal:NameElement> </xal:Premises> </xpil:Address> </xpil:Addresses> <xpil:Relationships> <xpil:Relationship xpil:RelationshipWithOrganisation="componentOf"> <xnl:OrganisationName> <xnl:NameElement>GSD 3rd Department SIGINT/CNO</xnl:NameElement> </xnl:OrganisationName> </xpil:Relationship> <xpil:Relationship xpil:RelationshipWithOrganisation="componentOf"> <xnl:OrganisationName> <xnl:NameElement>PLA General Staff Department</xnl:NameElement> </xnl:OrganisationName> </xpil:Relationship> <xpil:Relationship xpil:RelationshipWithOrganisation="componentOf"> <xnl:OrganisationName> <xnl:NameElement>Communist Party of China</xnl:NameElement> </xnl:OrganisationName> </xpil:Relationship> </xpil:Relationships> <xpil:OrganisationInfo xpil:NumberOfEmployees="100 &lt; X &gt; 1000"/> <xpil:Languages> <xpil:Language>Chinese</xpil:Language> <xpil:Language>English</xpil:Language> </xpil:Languages> <xpil:Nationalities> <xpil:Country> <xal:NameElement>Chinese</xal:NameElement> </xpil:Country> </xpil:Nationalities> <xpil:Qualifications> <xpil:Qualification> <xpil:QualificationElement>Covert Communications</xpil:QualificationElement> </xpil:Qualification> <xpil:Qualification> <xpil:QualificationElement>English Linguistics</xpil:QualificationElement> </xpil:Qualification> <xpil:Qualification> <xpil:QualificationElement>Operating System Internals</xpil:QualificationElement> </xpil:Qualification> <xpil:Qualification> <xpil:QualificationElement>Digital Signal Processing</xpil:QualificationElement> </xpil:Qualification> <xpil:Qualification> <xpil:QualificationElement>Network Security</xpil:QualificationElement> </xpil:Qualification> 
<xpil:Qualification> <xpil:QualificationElement>Profession Code: 080902 — Circuits and Systems</xpil:QualificationElement> </xpil:Qualification> <xpil:Qualification> <xpil:QualificationElement>Profession Code: 081000 — Information and Communications Engineering</xpil:QualificationElement> </xpil:Qualification> </xpil:Qualifications> </stix-ciq:Specification> <stix-ciq:Role>Nation-State</stix-ciq:Role> <stix-ciq:Role>Military</stix-ciq:Role> </threat-actor:Identity> <threat-actor:Observed_TTPs> <threat-actor:Observed_TTP> <!-- Primary APT1 TTP entry --> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </threat-actor:Observed_TTP> </threat-actor:Observed_TTPs> <threat-actor:Associated_Actors> <!-- GSD 3rd Department / 2nd Bureau --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Asserted Alias</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-94624865-2709-443f-9b4c-2891985fd69b"/> </threat-actor:Associated_Actor> <!-- Comment Crew --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Asserted Alias</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-f1ce5a9e-0fb7-465b-acb9-e7f75098eee9"/> </threat-actor:Associated_Actor> <!-- Comment Group --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Asserted Alias</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-5abb4d96-e3f2-4a1a-b025-c5b63ec6eb0b"/> </threat-actor:Associated_Actor> <!-- Shady Rat --> <threat-actor:Associated_Actor> 
<stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">POSSIBLE</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Asserted Alias</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-d9619c21-9d4f-414e-9471-36bb8fc42bbe"/> </threat-actor:Associated_Actor> <!-- UglyGorilla --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Member</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-6d179234-61fc-40c4-ae86-3d53308d8e65"/> </threat-actor:Associated_Actor> <!-- DOTA --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Member</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-d84cf283-93be-4ca7-890d-76c63eff3636"/> </threat-actor:Associated_Actor> <!-- SuperHard --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> </stixCommon:Confidence> <stixCommon:Relationship>Member</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-02e7c48f-0301-4c23-b3e4-02e5a0114c21"/> </threat-actor:Associated_Actor> <!-- China Telecom --> <threat-actor:Associated_Actor> <stixCommon:Confidence> <stixCommon:Value vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED">CONFIRMED</stixCommon:Value> <stixCommon:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html lang="en"><body> <h1>Written memo confirming relationship.</h1> <p> Market Department Examining Control Affairs Division Report </P> <p> Requesting Concurrence Concerning the General Staff Department 3rd Department 2nd Bureau Request to Use Our Company’s 
Communication Channel </p> <p> Division Leader Wu: </p> <p> The Chinese People’s Liberation Army Unit 61398 (General Staff Department 3rd Department 2nd Bureau) wrote to us a few days ago saying that, in accordance with their central command “8508” on war strategy construction [or infrastructure] need, the General Staff Department 3rd Department 2nd Bureau (Gaoqiao Base) needs to communicate with Shanghai City 005 Center (Shanghai Intercommunication Network Control Center within East Gate Bureau) regarding intercommunication affairs. This bureau already placed fiber-optic cable at the East Gate front entrance [road pole]. They need to use two ports to enter our company’s East Gate communication channel. The length is about 30m. At the same time, the second stage construction (in Gaoqiao Base) needs to enter into our company’s Shanghai Nanhui Communication Park 005 Center (special-use bureau). This military fiber-optic cable has already been placed at the Shanghai Nanhui Communication Park entrance. They need to use 4 of our company ports inside the Nanhui Communication Park to enter. The length is 600m. Upon our division’s negotiation with the 3rd Department 2nd Bureau’s communication branch, the military has promised to pay at most 40,000 Yuan for each port. They also hope Shanghai Telecom will smoothly accomplish this task for the military based on the principle that national defense construction is important. After checking the above areas’ channels, our company has a relatively abundant inventory to satisfy the military’s request. </p> <p> This is our suggestion: because this is concerning defense construction, and also the 3rd Department 2nd Bureau is a very important communication control department, we agree to provide the requested channels according to the military’s suggested price. 
Because this is a one-time payment, and it is difficult to use the normal renting method, we suggest our company accept one-time payment using the reason of “Military Co-Construction [with China Telecom] of Communication Channels” and provide from our inventory. The military’s co-building does not interfere with our proprietary rights. If something breaks, the military is responsible to repair it and pay for the expenses. After you agree with our suggestion, we will sign an agreement with the communication branch of 61398 and implement it. </p> <p> Please provide a statement about whether the above suggestion is appropriate or not. </p> <p> [Handwritten Note] Agree with the Market Department Examining Control Affairs Division suggestion; inside the agreement clearly [...define? (illegible) ...] both party’s responsibilities. </p> </body></html>]]> </stixCommon:Description> </stixCommon:Confidence> <stixCommon:Relationship>Infrastructure Provided By</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-76dd3859-31a6-43c5-9f3e-9c6ac745b61b"/> </threat-actor:Associated_Actor> </threat-actor:Associated_Actors> </stix:Threat_Actor> <!-- ThreatActor characterization for UglyGorilla --> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-6d179234-61fc-40c4-ae86-3d53308d8e65" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:PartyName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>Ugly Gorilla</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>Wang Dong</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>JackWang</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="NickName"> <xnl:NameElement>Greenfield (绿野)</xnl:NameElement> </xnl:PersonName> </xpil:PartyName> <xpil:Accounts> <xpil:Account xpil:Type="Online 
Forum"><xpil:Organisation><xnl:NameElement>PLA Daily’s (解放军报) China Military Online (中国军网)</xnl:NameElement></xpil:Organisation></xpil:Account> </xpil:Accounts> <xpil:ElectronicAddressIdentifiers> <xpil:ElectronicAddressIdentifier xpil:Type="EMAIL">[email protected]</xpil:ElectronicAddressIdentifier> </xpil:ElectronicAddressIdentifiers> <xpil:Nationalities> <xpil:Country> <xal:NameElement>China</xal:NameElement> </xpil:Country> </xpil:Nationalities> </stix-ciq:Specification> </threat-actor:Identity> <threat-actor:Observed_TTPs> <threat-actor:Observed_TTP> <!-- These are just two examples of the many such entries that could be harvested (in far more detail) from the APT1 report regarding the specific TTPs observed for individual threat actors. The domain and malware names here are 2013-era values reproduced for illustration; do not treat them as current indicators without re-validation. --> <stixCommon:TTP xsi:type="ttp:TTPType"> <ttp:Resources><ttp:Infrastructure> <ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="0" cybox_update_version="1"> <cybox:Observable> <cybox:Object> <cybox:Properties xsi:type="URIObject:URIObjectType" type="Domain Name"> <URIObject:Value>hugesoft.org</URIObject:Value> </cybox:Properties> </cybox:Object> </cybox:Observable> </ttp:Observable_Characterization> </ttp:Infrastructure></ttp:Resources> </stixCommon:TTP> </threat-actor:Observed_TTP> <threat-actor:Observed_TTP> <stixCommon:Relationship>Authored</stixCommon:Relationship> <stixCommon:TTP xsi:type="ttp:TTPType"> <ttp:Behavior><ttp:Malware> <ttp:Malware_Instance><ttp:Name>MANITSME</ttp:Name></ttp:Malware_Instance> </ttp:Malware></ttp:Behavior> </stixCommon:TTP> </threat-actor:Observed_TTP> </threat-actor:Observed_TTPs> </stix:Threat_Actor> <!-- ThreatActor characterization for DOTA --> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-d84cf283-93be-4ca7-890d-76c63eff3636" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:PartyName> <xnl:PersonName xnl:Type="KnownAs"> 
<xnl:NameElement>dota</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>DOTA</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="Alias"> <xnl:NameElement>Rodney</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="Alias"> <xnl:NameElement>Raith</xnl:NameElement> </xnl:PersonName> </xpil:PartyName> <xpil:ElectronicAddressIdentifiers> <xpil:ElectronicAddressIdentifier xpil:Type="EMAIL" >[email protected]</xpil:ElectronicAddressIdentifier> <xpil:ElectronicAddressIdentifier xpil:Type="EMAIL" >[email protected]</xpil:ElectronicAddressIdentifier> </xpil:ElectronicAddressIdentifiers> <xpil:Nationalities> <xpil:Country> <xal:NameElement>China</xal:NameElement> </xpil:Country> </xpil:Nationalities> </stix-ciq:Specification> </threat-actor:Identity> </stix:Threat_Actor> <!-- ThreatActor characterization for SuperHard --> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-02e7c48f-0301-4c23-b3e4-02e5a0114c21" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:PartyName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>SuperHard</xnl:NameElement> </xnl:PersonName> <xnl:PersonName xnl:Type="KnownAs"> <xnl:NameElement>Mei Qiang</xnl:NameElement> </xnl:PersonName> </xpil:PartyName> <xpil:Nationalities> <xpil:Country> <xal:NameElement>China</xal:NameElement> </xpil:Country> </xpil:Nationalities> </stix-ciq:Specification> <stix-ciq:Role>Research and Development</stix-ciq:Role> </threat-actor:Identity> <threat-actor:Observed_TTPs> <threat-actor:Observed_TTP> <stixCommon:Relationship>Authored/Contributed_To</stixCommon:Relationship> <stixCommon:TTP xsi:type="ttp:TTPType"> <ttp:Behavior><ttp:Malware> <ttp:Malware_Instance><ttp:Name>AURIGA</ttp:Name></ttp:Malware_Instance> </ttp:Malware></ttp:Behavior> </stixCommon:TTP> </threat-actor:Observed_TTP> <threat-actor:Observed_TTP> 
<stixCommon:Relationship>Authored/Contributed_To</stixCommon:Relationship> <stixCommon:TTP xsi:type="ttp:TTPType"> <ttp:Behavior><ttp:Malware> <ttp:Malware_Instance><ttp:Name>BANGAT</ttp:Name></ttp:Malware_Instance> </ttp:Malware></ttp:Behavior> </stixCommon:TTP> </threat-actor:Observed_TTP> </threat-actor:Observed_TTPs> </stix:Threat_Actor> <!-- ThreatActor characterization for Comment Crew --> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-f1ce5a9e-0fb7-465b-acb9-e7f75098eee9" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>Comment Crew</stixCommon:Name> </threat-actor:Identity> </stix:Threat_Actor> <!-- ThreatActor characterization for Comment Group --> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-5abb4d96-e3f2-4a1a-b025-c5b63ec6eb0b" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>Comment Group</stixCommon:Name> </threat-actor:Identity> </stix:Threat_Actor> <!-- ThreatActor characterization for Shady Rat --> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-d9619c21-9d4f-414e-9471-36bb8fc42bbe" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>Shady Rat</stixCommon:Name> </threat-actor:Identity> </stix:Threat_Actor> <!-- ThreatActor characterization for GSD 3rd Department / 2nd Bureau --> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-94624865-2709-443f-9b4c-2891985fd69b" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>GSD 3rd Department / 2nd Bureau</stixCommon:Name> </threat-actor:Identity> <threat-actor:Associated_Actors> <threat-actor:Associated_Actor> <stixCommon:Relationship>Component_Of</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-b5d1d28c-d824-49c0-80b6-9179202e297b"/> </threat-actor:Associated_Actor> </threat-actor:Associated_Actors> 
</stix:Threat_Actor> <!-- ThreatActor characterization for GSD 3rd Department --> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-b5d1d28c-d824-49c0-80b6-9179202e297b" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>GSD 3rd Department</stixCommon:Name> </threat-actor:Identity> <threat-actor:Associated_Actors> <threat-actor:Associated_Actor> <stixCommon:Relationship>Component_Of</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-5ac0fd8e-5804-4849-a170-4ec0d15a5e8b"/> </threat-actor:Associated_Actor> </threat-actor:Associated_Actors> </stix:Threat_Actor> <!-- ThreatActor characterization for PLA General Staff --> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-5ac0fd8e-5804-4849-a170-4ec0d15a5e8b" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity> <stixCommon:Name>PLA General Staff</stixCommon:Name> </threat-actor:Identity> <threat-actor:Associated_Actors> <threat-actor:Associated_Actor> <stixCommon:Relationship>Component_Of</stixCommon:Relationship> <stixCommon:Threat_Actor idref="mandiant:threat-actor-d5b62b58-df7c-46b1-a435-4d01945fe21d"/> </threat-actor:Associated_Actor> </threat-actor:Associated_Actors> </stix:Threat_Actor> <!-- ThreatActor characterization for Communist Party of China --> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-d5b62b58-df7c-46b1-a435-4d01945fe21d" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:PartyName> <xnl:OrganisationName> <xnl:NameElement>Communist Party of China</xnl:NameElement> </xnl:OrganisationName> </xpil:PartyName> <xpil:Addresses> <xpil:Address> <xal:Country> <xal:NameElement>China</xal:NameElement> </xal:Country> </xpil:Address> </xpil:Addresses> <xpil:Languages> <xpil:Language>Chinese</xpil:Language> </xpil:Languages> 
</stix-ciq:Specification> <stix-ciq:Role>Nation-State</stix-ciq:Role> </threat-actor:Identity> </stix:Threat_Actor> <!-- ThreatActor characterization for China Telecom--> <stix:Threat_Actor timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:threat-actor-76dd3859-31a6-43c5-9f3e-9c6ac745b61b" xsi:type="threat-actor:ThreatActorType"> <threat-actor:Identity xsi:type="stix-ciq:CIQIdentity3.0InstanceType"> <stix-ciq:Specification> <xpil:PartyName> <xnl:OrganisationName> <xnl:NameElement>China Telecom</xnl:NameElement> </xnl:OrganisationName> </xpil:PartyName> <xpil:Addresses> <xpil:Address> <xal:Country> <xal:NameElement>China</xal:NameElement> </xal:Country> </xpil:Address> </xpil:Addresses> <xpil:Languages> <xpil:Language>Chinese</xpil:Language> </xpil:Languages> </stix-ciq:Specification> <stix-ciq:Role>State-influenced Commercial Entity</stix-ciq:Role> </threat-actor:Identity> </stix:Threat_Actor> </stix:Threat_Actors> <stix:Reports> <stix:Report timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:Report-e33ffe07-2f4c-48d8-b0af-ee2619d765cf" xsi:type="report:ReportType"> <report:Header> <report:Title>APT1: Exposing One of China's Cyber Espionage Units</report:Title> <report:Intent>Threat Actor Report</report:Intent> <report:Description structuring_format="HTML5"><![CDATA[<!DOCTYPE html> <html> <body> <p> Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the "Advanced Persistent Threat" (APT). We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that "The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement." Now, three years later, we have the evidence required to change our assessment. 
The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them. </P> <p> Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as "APT1" and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1’s operations compelled us to write this report. </P> <p> The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others. </P> <p> Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. 
In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate. </P> </body> </html>]]> </report:Description> </report:Header> <report:TTPs> <report:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-33159b98-3264-4e10-a968-d67975b6272f" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-a35bc05a-247d-49a9-b954-c5c7344c55cc" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-36fa6965-c7b9-4ca4-bc3c-6f9c40bc29c4" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-1d04a399-dd12-49f8-aac9-fa781eb4beef" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-a6fa7315-04ff-4234-ad22-6c210ffe0f2b" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-5c446bed-3bf6-4344-a4d2-5560d550fc82" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-3756130b-9a5f-47d4-8ed4-4350c9921696" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-3098c57b-d623-4c11-92f4-5905da66658b" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-1e2c4237-d469-4144-9c0b-9e5c0c513c49" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-e13f3e6d-4f9c-4265-b1cf-f997a1bf7827" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-5728f45b-2eca-4942-a7f6-bc4267c1ab8d" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-0bea2358-c244-4905-a664-a5cdce7bb767" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP 
idref="mandiant:ttp-7151c6d0-7e97-47ce-9290-087315ea3db7" timestamp="2015-05-15T09:00:00.000000Z"/> <report:TTP idref="mandiant:ttp-0781fe70-4c94-4300-8865-4b08b98611b4" timestamp="2015-05-15T09:00:00.000000Z"/> </report:TTPs> <report:Threat_Actors> <report:Threat_Actor idref="mandiant:threat-actor-8dff0344-0c82-4079-8d04-6f3e4d9bd1df" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Threat_Actor idref="mandiant:threat-actor-6d179234-61fc-40c4-ae86-3d53308d8e65" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Threat_Actor idref="mandiant:threat-actor-d84cf283-93be-4ca7-890d-76c63eff3636" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Threat_Actor idref="mandiant:threat-actor-02e7c48f-0301-4c23-b3e4-02e5a0114c21" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Threat_Actor idref="mandiant:threat-actor-f1ce5a9e-0fb7-465b-acb9-e7f75098eee9" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Threat_Actor idref="mandiant:threat-actor-5abb4d96-e3f2-4a1a-b025-c5b63ec6eb0b" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Threat_Actor idref="mandiant:threat-actor-d9619c21-9d4f-414e-9471-36bb8fc42bbe" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Threat_Actor idref="mandiant:threat-actor-94624865-2709-443f-9b4c-2891985fd69b" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Threat_Actor idref="mandiant:threat-actor-b5d1d28c-d824-49c0-80b6-9179202e297b" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Threat_Actor idref="mandiant:threat-actor-5ac0fd8e-5804-4849-a170-4ec0d15a5e8b" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Threat_Actor idref="mandiant:threat-actor-d5b62b58-df7c-46b1-a435-4d01945fe21d" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Threat_Actor idref="mandiant:threat-actor-76dd3859-31a6-43c5-9f3e-9c6ac745b61b" timestamp="2015-05-15T09:00:00.000000Z"/> </report:Threat_Actors> <report:Related_Reports> <report:Related_Report> <stixCommon:Relationship>Appendix D</stixCommon:Relationship> <stixCommon:Report 
idref="mandiant:Report-190593d6-1861-4cfe-b212-c016fce1e242" timestamp="2015-05-15T09:00:00.000000Z"/> </report:Related_Report> <report:Related_Report> <stixCommon:Relationship>Appendix E</stixCommon:Relationship> <stixCommon:Report idref="mandiant:Report-190593d6-1861-4cfe-b212-c016fce1e241" timestamp="2015-05-15T09:00:00.000000Z"/> </report:Related_Report> <report:Related_Report> <stixCommon:Relationship>Appendix F</stixCommon:Relationship> <stixCommon:Report idref="mandiant:Report-190593d6-1861-4cfe-b212-c016fce1e249" timestamp="2015-05-15T09:00:00.000000Z"/> </report:Related_Report> <report:Related_Report> <stixCommon:Relationship>Appendix G</stixCommon:Relationship> <stixCommon:Report idref="mandiant:Report-190593d6-1861-4cfe-b212-c016fce1e248" timestamp="2015-05-15T09:00:00.000000Z"/> </report:Related_Report> </report:Related_Reports> </stix:Report> </stix:Reports> </stix:STIX_Package>