Investigating APT1, presented at FloCon 2014

by Angela Horneman and Deana Shick

Summary: In February 2013 Mandiant uncovered Advanced Persistent Threat 1 (APT1), one of China's alleged cyber espionage groups, and provided a detailed report of APT1 operations along with 3,000 indicators of the group's activity since 2006. This report analyzes unclassified, freely available data sets in an attempt to understand APT1's middle infrastructure: the system of hops (distribution points or relays) and C2 servers that sit between APT1's victims and the main C2 servers located overseas. To build that infrastructure, APT1 chose and exploited particular organizations to obfuscate its communications while remaining in plain sight.
This analysis, based on IP addresses known to be associated with APT1 and on domain names provided by Mandiant, was conducted using a combination of the System for Internet-Level Knowledge (SiLK) tools, Microsoft Excel, and custom Python scripts. The study detailed in this report can be replicated easily using available sources and tools. By combining key unclassified information, the authors describe a large malicious network used to steal important information.
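The abstract does not include the authors' scripts. The Python below is an added illustration, not code from the report, of the kind of pivot such a study involves: flow records are matched against a list of known-bad addresses, and external hosts that both receive traffic from internal victims and exchange traffic with indicator addresses are ranked as candidate hops between victim and C2. The flow lines are constructed in the pipe-delimited layout that SiLK's rwcut can emit with --delimited; the indicator addresses are RFC 5737 documentation ranges, not actual APT1 indicators; and the internal range 10.0.0.0/8 and the field order are assumptions.

```python
"""Rank candidate relay hosts by pivoting on IP indicators in flow records.

Added example only (not the authors' scripts). All addresses below are
constructed: indicators come from RFC 5737 documentation ranges and the
victim side is an assumed 10.0.0.0/8 internal network.
"""
import ipaddress
from collections import defaultdict

# Constructed indicator list: a single host and a whole block, as an
# indicator feed might mix them. NOT real APT1 infrastructure.
INDICATORS = ["203.0.113.7", "198.51.100.0/24"]

# Constructed flow records in an rwcut-style pipe-delimited layout:
# sIP|dIP|sPort|dPort|pro|packets|bytes|sTime  (field order is assumed)
FLOW_LINES = """\
sIP|dIP|sPort|dPort|pro|packets|bytes|sTime
10.0.0.5|192.0.2.10|49152|443|6|12|2400|2013/02/18T10:01:02.000
192.0.2.10|203.0.113.7|51000|443|6|30|9000|2013/02/18T10:01:05.000
192.0.2.10|198.51.100.23|51001|443|6|25|7100|2013/02/18T10:02:05.000
10.0.0.9|192.0.2.10|49153|443|6|8|1200|2013/02/18T10:03:00.000
10.0.0.5|192.0.2.44|49154|80|6|5|600|2013/02/18T10:04:00.000
192.0.2.44|198.51.100.90|51002|80|6|3|300|2013/02/18T10:04:10.000
10.0.0.5|192.0.2.200|49155|80|6|4|500|2013/02/18T10:05:00.000
"""


def parse_indicators(entries):
    """Turn host addresses and CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_indicator(ip_str, nets):
    """True if the address falls inside any indicator host or block."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in nets)


def parse_flows(text):
    """Parse pipe-delimited flow lines; skips blank lines and a title row."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("sIP"):
            continue
        fields = [f.strip() for f in line.split("|")]
        sip, dip, sport, dport, proto, packets, nbytes, stime = fields[:8]
        records.append({
            "sip": sip, "dip": dip, "sport": int(sport), "dport": int(dport),
            "proto": int(proto), "packets": int(packets), "bytes": int(nbytes),
            "stime": stime,
        })
    return records


def indicator_hits(flows, nets):
    """Flows in which either endpoint is a known indicator address."""
    return [f for f in flows
            if is_indicator(f["sip"], nets) or is_indicator(f["dip"], nets)]


def rank_relay_candidates(flows, nets, internal_net="10.0.0.0/8"):
    """Score external, non-indicator hosts that sit 'in the middle'.

    A host qualifies when it both exchanged flows with at least one
    indicator address and received flows from at least one internal host.
    Returns (host, distinct_indicators, distinct_internal_peers) tuples,
    highest indicator fan-out first.
    """
    internal = ipaddress.ip_network(internal_net)
    to_indicators = defaultdict(set)
    from_internal = defaultdict(set)
    for f in flows:
        pair = (f["sip"], f["dip"])
        # Look at each endpoint in turn as the possible relay.
        for host, peer in (pair, pair[::-1]):
            if ipaddress.ip_address(host) in internal or is_indicator(host, nets):
                continue  # victims and indicators are not relay candidates
            if is_indicator(peer, nets):
                to_indicators[host].add(peer)
            elif ipaddress.ip_address(peer) in internal:
                from_internal[host].add(peer)
    candidates = [
        (host, len(to_indicators[host]), len(from_internal[host]))
        for host in set(to_indicators) & set(from_internal)
    ]
    candidates.sort(key=lambda c: (c[1], c[2]), reverse=True)
    return candidates


if __name__ == "__main__":
    nets = parse_indicators(INDICATORS)
    flows = parse_flows(FLOW_LINES)
    print(f"{len(indicator_hits(flows, nets))} flows touch an indicator")
    for host, n_ind, n_int in rank_relay_candidates(flows, nets):
        print(f"{host}: {n_ind} indicator peer(s), {n_int} internal peer(s)")
```

On real data the same two sets would be built from SiLK output (for example rwfilter with an IP set of indicators, then rwcut) over far more records; the ranking step is where Excel or a script earns its keep, since a host contacted by many victims and by several indicator addresses is a far stronger relay candidate than one seen in a single flow.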