APT1 and learning from their OPSEC failures

This topic will be a trip down memory lane for some of us – those who remember how, during the early years of the last decade, hackers from the Chinese People’s Liberation Army’s infamous Unit 61398 hacked over 100 targets in the US, unleashed new types of malware and put the “Persistent” in APT.

For those not familiar with the term, APT stands for Advanced Persistent Threat.

This phrase is usually used to describe a severe cyber-security threat posed by professional, well-resourced and often state-sponsored hacker groups: the kind of groups that subject their targets to a prolonged, determined barrage of cyber attacks until they get what they’re after.

A lot has been written about APT1, their origins, operating methods, malware samples and scale of activities.

I do not wish to replicate these records or turn this post into a historical analysis of this group.

If you wish to read a comprehensive report that covers the APT1 story pretty much from A to Z, check out the phenomenal report by Mandiant (FireEye) titled:

APT1 – Exposing One of China’s Cyber Espionage Units

These state-sponsored military hackers introduced a new and notorious modus operandi into the realm of cyber threats and cyber security.

It was therefore no surprise when, in May 2014, US federal prosecutors charged five APT1 members in absentia with offences relating to various data breaches at several US companies.

The APT1 story also became synonymous with very poor OPSEC practices on the part of the Chinese cyber operatives.

OPSEC probably matters little when you work for the Chinese government, operate with impunity and don’t intend to travel to any country that has an extradition agreement with the United States.

Nevertheless, there are some lessons to be learned here, especially when you are an OSINT investigator or a digital privacy enthusiast.

APT1 - Examples of bad OPSEC

  • Inclusion of nicknames and dates in the malware code, as well as attribution clues in URLs used for malicious activity – one member of APT1, Ugly Gorilla, used to leave personal signatures in the source code: “Writed by UglyGorilla, 06/29/2007”. Out of vanity he would also include his initials in domain names, for example:

     ug-opm.hugesoft.org
     ug-rj.arrowservice.net
     ug-hst.msnhome.org

  • Usage of an email address that is clearly attributable to an individual already linked with other activities – uglygorilla@163.com. This email address was used to create accounts on a number of Internet forums, one of which suffered a data breach that leaked the IP address used to create Ugly Gorilla’s account – 58.246.255.28. This discovery, among other variables, led to unravelling the IP address range used by APT1.
  • Poor separation of private life and the online persona – some accounts created on software development forums as early as 2006 contained real life user data, including real names and surnames. These accounts were created prior to any known APT1 activities and their purpose was not nefarious at the time. The avoidable mistake was the continuous use of these accounts and, in the case of Ugly Gorilla, re-using the “uglygorilla” nickname that already had a notable digital footprint.
  • Predictability of the naming convention when creating accounts – another member of APT1, nicknamed “Dota”, created a substantial number of email accounts that were later used for APT1 operational purposes. He was, however, not very creative and adopted a predictable pattern for naming his accounts, which included:

     d0ta010@hotmail.com
     dota.sb005@gmail.com
     dota.d013@gmail.com – the Gmail accounts actually numbered over a dozen, from dota.d001 through to dota.d015
     a Facebook account – do.ta.5011

  • Usage of keyboard-pattern passwords like “qwerty” or “1qaz2wsx”, or highly memorable ones, like “rootkit” as the password for accounts on the information security research site rootkit.com.

This practice is bad enough when creating personal accounts, the main risk there being passwords that are weak and easily guessed. For operational accounts, where somebody breaking into them is a rarer risk, the potential ramifications are of a different nature.

Let’s imagine that a website where you created a number of separate operational accounts gets breached and a file containing the credential dump lands on Pastebin. If a dozen or more of these seemingly unrelated accounts share the exact same password, it is easy to link them together and safely assume they are controlled by the same individual.

  • Adherence to the local time zone and working-time patterns – security researchers who investigated APT1 mapped out their activities and discovered that most of them occurred during business hours in Beijing’s time zone.

On top of that, it was inferred from the activity patterns that the hackers were taking weekends off, which led to the suggestion that APT1 was a unit of professionals as opposed to hacktivists or hacking enthusiasts with no work / life balance.
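The pattern-of-life analysis described above can be reproduced on any set of attacker timestamps (C2 beacons, login times, compile times). The script below is an added example, not code from the original post or from the Mandiant report; it shifts UTC timestamps through candidate time zones and picks the one under which the most activity lands in weekday business hours. The timestamps are constructed sample data, not real APT1 telemetry.

```python
"""Added example: infer an operator's working time zone and weekday pattern from
UTC event timestamps. SAMPLE_EVENTS_UTC is constructed data built to mimic a
09:00-18:00 UTC+8 weekday schedule, not real telemetry."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: beacon times in UTC. An operator working 09:00-18:00 in
# UTC+8 produces UTC times between 01:00 and 10:00. One Saturday outlier.
SAMPLE_EVENTS_UTC = [
    "2013-01-07T01:12:00", "2013-01-07T03:40:00", "2013-01-07T09:15:00",  # Mon
    "2013-01-08T02:05:00", "2013-01-08T06:30:00",                          # Tue
    "2013-01-09T01:50:00", "2013-01-09T08:20:00", "2013-01-09T09:55:00",  # Wed
    "2013-01-10T04:10:00", "2013-01-10T07:45:00",                          # Thu
    "2013-01-11T02:30:00", "2013-01-11T05:00:00", "2013-01-11T09:40:00",  # Fri
    "2013-01-12T03:00:00",                                                  # Sat
]

def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def business_hours_score(events, offset_hours, start=9, end=18):
    """Fraction of events landing in local weekday hours [start, end)
    once UTC is shifted by offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for ev in events
               if (loc := ev.astimezone(tz)).weekday() < 5 and start <= loc.hour < end)
    return hits / len(events)

def weekend_fraction(events, offset_hours):
    """Share of events falling on Saturday or Sunday in the candidate zone."""
    tz = timezone(timedelta(hours=offset_hours))
    return sum(ev.astimezone(tz).weekday() >= 5 for ev in events) / len(events)

def infer_offset(events, candidates=range(-12, 15)):
    """Pick the UTC offset (hours) under which the largest share of events falls
    in weekday business hours; ties go to the offset nearest UTC."""
    best = max(candidates, key=lambda off: (business_hours_score(events, off), -abs(off)))
    return best, business_hours_score(events, best)

def local_hour_histogram(events, offset_hours):
    """Local hour-of-day counts, to eyeball the shape of the 'working day'."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ev.astimezone(tz).hour for ev in events)

if __name__ == "__main__":
    events = [parse_utc(t) for t in SAMPLE_EVENTS_UTC]
    off, score = infer_offset(events)
    print(f"best fit: UTC{off:+d}, {score:.0%} of events in weekday business hours")
    print(f"weekend share at that offset: {weekend_fraction(events, off):.0%}")
    print(sorted(local_hour_histogram(events, off).items()))
```

On a real dataset the single best offset is only as strong as the sample size; a flat histogram or several candidate offsets with near-identical scores means the data does not support a confident time-zone claim.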

“It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.”
— Chinese Defense Ministry, January 2013

Thank you for reading.

Stay tuned for some very interesting interviews, coming soon.
