Amien Harisen - APT1 Attack

Advanced Persistent Threat: Be Aware or Be Conquered

Upload: indonesia-honeynet-chapter

Post on 26-Jun-2015


TRANSCRIPT

Page 1: Amien Harisen - APT1 Attack

Advanced Persistent Threat: Be Aware or Be Conquered

Page 2: Amien Harisen - APT1 Attack

Introduction

Amien H. Rosyandino

/Green

ID-SIRTII (2009-2012)

Spentera (2013 – Now)

InfoSec Enthusiast

Research:

• Honeypot

• Attack Pattern / APT Analysis

• Malware Analysis

• Computer Forensics

Page 3: Amien Harisen - APT1 Attack

Fire Sale (is it a myth?)

• Take Out Transportation

• Take Out Financial Base & Telecoms

• Take Out the Utilities & Power

Three Step Systematic Attack

Page 4: Amien Harisen - APT1 Attack

Definition

• The term originally referred to nation-states engaging in cyber espionage.

• What distinguishes an APT from other threats is that it is targeted, persistent, evasive and advanced.

• APTs target specific organizations with the purpose of stealing specific data or causing specific damage.

Page 5: Amien Harisen - APT1 Attack

Stuxnet

• It is the first discovered malware that spies on and subverts industrial systems.

• Discovered in June 2010; it is believed to have been created by the United States and Israel to attack Iran's nuclear facilities.

• The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes.

• On 1 June 2012, an article in The New York Times said that Stuxnet is part of a U.S. and Israeli intelligence operation called "Operation Olympic Games", started under President George W. Bush and expanded under President Barack Obama.

Page 6: Amien Harisen - APT1 Attack

Introducing APT1

• The world's next publicly available comprehensive report on Advanced Persistent Threats

• Provided by Mandiant (www.mandiant.com)

• "APT1" is a nickname for a group believed to be government-sponsored, carrying out specific attacks for specific purposes

• China is the suspected government that sponsored the group

Page 7: Amien Harisen - APT1 Attack

APT1 Group Structure

• APT1 is believed to be the 2nd Bureau of the PLA General Staff Department (GSD) 3rd Department, known by its Military Unit Cover Designator (MUCD) as Unit 61398

• Unit 61398 is estimated to be staffed by hundreds, and perhaps thousands, of people, based on the size of its physical infrastructure

• Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007.

• Unit 61398 requires its personnel to be trained in computer security and computer network operations, and also requires them to be proficient in the English language.

Page 8: Amien Harisen - APT1 Attack

APT1 Group Structure

Page 9: Amien Harisen - APT1 Attack

APT1 Group Structure

Page 10: Amien Harisen - APT1 Attack

APT1 Data Breach Summary

• APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.

• Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.

• The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.

• Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.

Page 11: Amien Harisen - APT1 Attack

APT1 Data Theft

• Product development and use, including information on test results, system designs, product manuals, parts lists, and simulation technologies;

• manufacturing procedures, such as descriptions of proprietary processes, standards, and waste management processes;

• business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures, and acquisitions;

• policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high ranking personnel; emails of high-ranking employees; and user credentials and network architecture information.

Page 12: Amien Harisen - APT1 Attack

Example

Page 13: Amien Harisen - APT1 Attack

APT1 Target Summary

• Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries.

• APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.

• Of the 141 APT1 victims, 87% of them are headquartered in countries where English is the native language.

• The industries APT1 targets match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan.

Page 14: Amien Harisen - APT1 Attack

APT1 Target Summary

Page 15: Amien Harisen - APT1 Attack

APT1 Target Summary

Page 16: Amien Harisen - APT1 Attack

APT1 Attack Lifecycle

Page 17: Amien Harisen - APT1 Attack

Attack Lifecycle Differences

Page 18: Amien Harisen - APT1 Attack

APT1 Attack Method

Same attack vectors, but with a targeted purpose

Page 19: Amien Harisen - APT1 Attack

Some Real-World Cases

Estonia Cyber Attack

Russian cyber attack against Georgia

Blowing up oil refineries

KRTV Hijacked for Zombie Attack

Page 20: Amien Harisen - APT1 Attack

Where do we stand?

Page 21: Amien Harisen - APT1 Attack

Where do we stand?

Page 22: Amien Harisen - APT1 Attack

Where do we stand?

Page 23: Amien Harisen - APT1 Attack

Team Cymru Statistics

Page 24: Amien Harisen - APT1 Attack

Team Cymru Statistics

Page 25: Amien Harisen - APT1 Attack

So?

Are there any reasons not to be concerned?