Fascinating video tracks a real Chinese hacker in action

February 19, 2013

The American cyber security firm Mandiant, which worked with the New York Times to expose and counter a China-based hacking campaign, has released an extensive report that it says ties years of cyber attacks on U.S. corporations back to the Chinese military.

Mandiant says it can even narrow down the hackers to a specific military unit in the Chinese army, Unit 61398, and a specific location in Shanghai.

As part of its report, Mandiant released a video that purports to show one of the Chinese hackers in the act of attacking real, unsuspecting "English language" targets. The video says it tracks "actual attacker sessions and intrusion activities conducted by one specific Advanced Persistent Threat (APT) group, which Mandiant has named APT1." In other words, APT1 is their name for the Chinese hackers.

The video, embedded above, moves quickly and is highly technical. It includes comments along the lines of "Here an APT1 actor uses a WEBC2 (web command and control) server" and "now the APT1 actor is verifying that stolen credentials will work on a Microsoft Exchange email server." Still, it's hard to miss the big picture: the hacker behind that keyboard is trying a lot of tricks, both sophisticated and simple, to break into other people's computers.

One of the simpler tools is something called "spear-phishing": sending people e-mails with innocent-sounding attachments that, once opened, install a backdoor that lets the hacker into the victim's computer and quietly sends private information back. Our hacker here is sending attachments called "SalaryAdministrationPolicy.zip" and "SecurityReform.pdf." You have to wonder who came up with those names.

At one point, the Mandiant employee narrating the video makes a very telling comment about the hacker: "He has used this account for spear-phishing messages ... most of which seem to be focused on military exercises in the Philippines." The company doesn't disclose whom the hacker is targeting, but this comment gives you some hints.

The hacker also uses some specialized software such as HTran, which was first publicly tied to China-based hackers in 2011. HTran does not run on the victim's computer; it runs on intermediate "hop" machines the hackers control, relaying their traffic so that the victim only ever sees the hop's address, never the hacker's. Here's TechWeekEurope explaining how it works:

HTran is a connection bouncer, a kind of proxy server. A "listener" program is hacked stealthily onto an unsuspecting host anywhere on the Internet. When it receives signals from the actual target system, it redirects them to the hacker's server.

The code was developed by “lion”, a Chinese hacker who is often credited as being the founder of the Honker Union of China (HUC). This group is patriotic to the People’s Republic of China and may be tied to the government – or at least in sympathy with it. The name of the connection bouncer is derived from HUC Packet Transmit Tool, HTran’s official name.
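To make the "connection bouncer" idea concrete, here is a minimal HTran-style relay written for this article. It is an added example, not HTran's own code or anything from Mandiant's report: a listener accepts a connection from the "target", opens a second connection to the "hacker's server", and pumps bytes in both directions. The `demo()` function stands up all three roles on localhost (the attacker-side echo server, the bouncer, and a victim that sends a constructed `b"beacon"` message) and records which address the attacker-side server actually saw. All names (`Bouncer`, `demo`, `_pump`) and the sample message are the example's own choices.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Bouncer:
    """HTran-style connection bouncer (example code, not HTran itself).

    Listens on one socket and forwards every accepted connection to
    (target_host, target_port). The far end sees only the bouncer's address.
    """

    def __init__(self, target_host, target_port, listen_host="127.0.0.1", listen_port=0):
        self.target = (target_host, target_port)
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind((listen_host, listen_port))  # port 0: let the OS pick one
        self.srv.listen(5)
        self.addr = self.srv.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()
            return
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
        client.close()
        upstream.close()

    def close(self):
        self.srv.close()


def _attacker_server(srv, result):
    """Stand-in for the hacker's C2 server: note who connected, echo what arrived."""
    conn, peer = srv.accept()
    result["seen_by_attacker"] = peer
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    conn.sendall(b"".join(chunks))
    conn.close()


def demo():
    """Victim -> bouncer -> attacker on localhost; returns what each side saw."""
    result = {}
    attacker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    attacker.bind(("127.0.0.1", 0))
    attacker.listen(1)
    t = threading.Thread(target=_attacker_server, args=(attacker, result), daemon=True)
    t.start()

    hop = Bouncer(*attacker.getsockname())  # hop point pointing at the attacker
    victim = socket.create_connection(hop.addr, timeout=5)
    result["victim_addr"] = victim.getsockname()  # the victim's real source address
    victim.sendall(b"beacon")  # constructed sample "beacon" from an implant
    victim.shutdown(socket.SHUT_WR)
    chunks = []
    while True:
        data = victim.recv(4096)
        if not data:
            break
        chunks.append(data)
    result["echo"] = b"".join(chunks)
    victim.close()
    t.join(5)
    hop.close()
    attacker.close()
    result["hop_addr"] = hop.addr
    return result
```

Running `demo()` shows the point of the bounce: the attacker-side server receives the victim's bytes intact, but the peer address it logs is the bouncer's outbound socket, not the victim's. In the real arrangement the roles are reversed in direction of interest: the victim's implant talks to the hop, so a defender looking at the victim's network logs sees only the hop's IP, while the hacker's real server stays hidden behind it.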

The hacker also uses something called GetMail, which appears to let him or her pull individual messages out of a victim's archived Outlook e-mail file once it has been stolen.

Read William Wan's story from Beijing for more on the report and its implications. We leave you with Mandiant's "highlights" from its report, which make clear that the security firm seems to consider the Chinese hacking to be significant in scope and scale as well as explicitly linked to the Chinese military:

• APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.

• APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations.

• APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.

• APT1 maintains an extensive infrastructure of computer systems around the world.

• In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.

• The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.

• In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.

• Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.

More on Chinese cyber espionage:

Chinese hackers outed themselves by logging into their personal Facebook accounts

Eric Schmidt warns that the Internet, in part under Chinese pressure, could fracture into pieces

New Sinocentrism: The ideology that may drive China to hack foreigners

Max Fisher · February 19, 2013