038 - Comment Panda [APT 1]
What the Shell? | December 04, 2024
Episode 38 | 00:32:30 | 44.65 MB

Let's revisit another APT. This time, we're moving over to China to talk APT1.

Discord: https://discord.gg/bJauPBBhHn 
Website: https://whattheshellpod.com 
Instagram: https://instagram.com/shell_pod 
Bluesky: https://bsky.app/profile/shellpod.bsky.social 

[00:00:00] Happy December, everybody. It's that time of year where people are wrapping up their 2024 bucket lists, thinking about what next year has in store for them, and generally, either stressed beyond belief about family commitments or isolating themselves for some good old-fashioned seasonal depression. So I thought to myself, let's cheer everyone up with an episode on APT number one. We've done North Korean APTs, we've done Russian APTs, let's throw China into the mix this time.

[00:00:30] Honestly, I think maybe I'll move to US groups soon and cover the Equation Group or something like that to even it out. Feels like the Eastern Hemisphere has dominated my topics at the moment.

[00:00:42] The group that we're going to be talking about today centers in Shanghai, and they go by a couple different names. Remember that APTs are not static in their naming conventions.

[00:00:52] So, I'm John Kordis, and today, we're going to be peeling back the curtain on the Comment Crew. Or, is it the Comment Group? Or maybe it's the Comment Panda? This episode, they're the number one on the APT list and in our hearts. So, let's talk about what the shell they did to gain access to companies like Coca-Cola and the New York Times. Then, we'll close out on how one report kind of led to them all but falling apart.

[00:01:19] All right. To start, a brief refresher for you to get you in a mindset for this episode.

[00:01:28] APT stands for Advanced Persistent Threat.

[00:01:32] The United States government technically defines an APT as an adversary with sophisticated levels of expertise and significant resources.

[00:01:41] Going on to say that they don't typically go for one-off hacks, they'll prefer to take a more long-term approach.

[00:01:47] And we'll really see that today.

[00:01:49] Some of the identifying ways they characterize them are that they establish a foothold in a network and then will pivot where they can, trying to take any information they can get along the way.

[00:02:00] Sometimes, they'll aim to impede critical aspects of a program, company, or even a mission that they can get in the way of, as long as it benefits them and their goals.

[00:02:10] Other times, however, they just sit and wait.

[00:02:13] They'll make sure that at the precise time and situation, they launch their attack in a way that the U.S. government defines as, quote,

[00:02:33] Okay, that was a bit of a mouthful, so let's just say that basically, they're groups of hackers with advanced tools and tactics far above what that guy you follow on TikTok who claims he can hack anything can do.

[00:02:46] They'll spend millions of dollars on the dark web to buy exploits and use them before anyone else even knows they exist.

[00:02:54] That's not even including the groups that hire people to build those exploits themselves.

[00:03:00] So how do we differentiate them?

[00:03:02] Think of every bad TV show you've ever seen with a serial killer.

[00:03:07] The killers might have a calling card, a signature style, or even a fingerprint.

[00:03:13] You know, there's a difference between Dexter and the guys from the Boondock Saints, right?

[00:03:19] These same concepts can be applied to what are called TTPs.

[00:03:24] Tactics, Techniques, and Procedures.

[00:03:27] Each hack can be broken down into the tactics, which might be how the APT would behave at the top level.

[00:03:35] Like, how do they do their recon and their initial access methods?

[00:03:39] Then, you would add in the technique.

[00:03:41] This is where they start to really go in deeper and apply some technology to those tactics.

[00:03:46] You've started to use your specific tools and scanners to scan the environment that you're trying to infiltrate, maybe.

[00:03:52] Or maybe you're starting to try and phish the people that you've identified as the best targets.

[00:03:58] Then, there's the procedure.

[00:04:00] How the final product is accomplished.

[00:04:03] This is where things would get really technical.

[00:04:06] Did they use some stolen account credentials to start making fake transactions in the event of compromising something like a bank?

[00:04:13] Do they use it to create a method to obtain persistent access so they don't ever have to worry about losing the connection to the network?

[00:04:21] All of those TTPs can be thought of as pieces of a fingerprint or a signature of a threat.

[00:04:28] Since it takes a lot of work to organize major hacks of companies and groups like this, things tend to get reused a bit, whether it's software or infrastructure or exploits.

[00:04:38] It gives the attacker a bit of a playbook that they can run through, but it also allows us, as defenders, to recognize these patterns and act accordingly.

[00:04:47] The MITRE, that's M-I-T-R-E, ATT&CK framework offers a very comprehensive list of how TTPs can be mapped to certain groups and how they can be used in conjunction to get deeper into your network.

[00:05:01] I highly suggest that if you're a practitioner and early on in your career, you take a look at this and start to kind of familiarize yourself with it because it's an incredibly valuable resource.

[00:05:12] And in terms of calling cards, well, sometimes they just straight up tell you who they are in the process of a hack, especially if they're trying to extort you for money.

[00:05:21] The more they can scare you with a name that's reputable, the more it means that you might actually comply and pay them.

[00:05:27] With those names comes a certain amount of power.

[00:05:31] Some parts of the industry establish these names based on their own findings, and you'll often see stuff where maybe one particular APT has multiple names.

[00:05:40] At the top of the show, we mentioned it.

[00:05:43] This APT is known by Comment Group, Comment Crew, Comment Panda, or just APT1.

[00:05:50] That's just because a couple different countries or organizations might have different designations for them.

[00:05:56] I think that's a good enough primer on the group, so let's talk about who they are and why we even really care.

[00:06:03] I'm going to be pulling a lot of the information today from a 76-page report published by Mandiant Security.

[00:06:09] Mandiant, as of today, is owned by Google, but at the time of this report, they were still their own entity.

[00:06:15] I want to start by rewinding to the start of this known timeline.

[00:06:19] The intelligence about APT1 suggests that they were active as early as 2006, and primarily active until around 2014 or so.

[00:06:28] Think about where you were in that time period.

[00:06:30] Because that's almost 10 years of activity, right?

[00:06:34] At the start of their foray into cyber espionage, they would have been dealing with George W. Bush as the President of the United States, ending in Barack Obama's second term.

[00:06:44] They would have started before Iron Man 1 came out.

[00:06:47] In fact, at this point, if you're a comic book movie fan, you're probably excited to catch Brandon Routh as Superman in Superman Returns, or see Hugh Jackman in his third outing as Logan for X-Men: The Last Stand.

[00:06:59] Maybe you're a gamer and you're enjoying your new Xbox 360, PS3, or Nintendo Wii, all of which came out between late 2005 and early 2006.

[00:07:10] You know, where this time period starts.

[00:07:13] Myself, well, I was still in high school at the time and probably just figuring out my first dive into C++ or Java.

[00:07:20] Little did I know that across the world, one of the most prolific and daunting threat actors was making it their mission to find and steal copious amounts of data across the internet.

[00:07:30] Let's start by talking about who this group actually is.

[00:07:34] We'll start at the top with a little bit of a precursor on Chinese government structure.

[00:07:38] At the top of this chart, you've got the CPC and the PLA.

[00:07:43] You're going to get a lot of acronyms today, so it's important to remember that the CPC is the Communist Party of China, its governing arm, and the PLA is the Chinese People's Liberation Army, its military arm.

[00:07:56] The way that cyber command and operations tend to work here is that the cyber arm of defense is fully situated within the CPC, making it able to draw on an insane amount of resources within the government and private sectors.

[00:08:10] You may remember that I talked about the Great Firewall of China in the past and some of the restrictions that they have on security vendors and vulnerability disclosures there.

[00:08:21] All of these might be at the disposal of an institution like this.

[00:08:25] This is because the PLA reports to the CPC's military commission.

[00:08:30] Mandiant asserts that it's therefore reasonable to assume that any cyber espionage campaign that's happening within the PLA is happening at the direction of senior members of the CPC.

[00:08:42] So we've got the PLA operating at the behest of the CPC.

[00:08:46] Let's dive one layer down now and look within the PLA to see where exactly cyber command is located.

[00:08:53] Much like the United States military branches, there are many functions and areas broken down into departments to determine things like missions, capabilities, and funding.

[00:09:02] The highest prioritized department in the PLA is the general staff department, which we're going to refer to as GSD.

[00:09:12] That department employs over 130,000 people across 12 different bureaus, multiple research institutes, and smaller regional bureaus on top of that.

[00:09:24] So at the end of the line, we have APT1, our Comment Panda, which is part of the GSD's Third Department, Second Bureau.

[00:09:32] It might seem like we're pretty deep in the nooks and crannies, but we're really not that far down from the top when you think about it.

[00:09:39] I've included a diagram of where they sit according to Mandiant's research paper on my website, whattheshellpod.com.

[00:09:46] You can find it in the episode transcript for this episode.

[00:09:49] You'll see on the graph that it lists the second bureau as unit 61398.

[00:09:55] It's a number you're going to find often tied to this because that is the Chinese military unit cover designator, or MUCD.

[00:10:02] In the same way that a squadron might report up to a group, into a wing, into a section of the Air Force, the unit would in this case be the nomenclature used for that area.

[00:10:12] So this is unit 61398.

[00:10:15] This group in particular is housed in the Pudong New Area of Shanghai.

[00:10:19] And if you look at the pictures supplied in the original report, it's a seemingly run-of-the-mill office building with some security gates.

[00:10:27] I'll put those pictures in the transcript as well.

[00:10:29] But I think I've met a lot of people who are kind of disillusioned into thinking that all this hacking and espionage stuff happens at the coolest, most elite locations in the world.

[00:10:41] These pictures really do help kind of reinforce the idea that it's not about that, it's about what goes on inside.

[00:10:46] Anyone who works in government can tell you that a lot of those buildings are probably 30 to 50 years old.

[00:10:53] It's cheaper just to maintain them than it is to build one of those new state-of-the-art infrastructures.

[00:10:59] The stretch of road that this organization occupies in Shanghai likely houses this unit in addition to a myriad of other kinds of support.

[00:11:09] Think about any normal company.

[00:11:11] You don't have just one type of job there.

[00:11:13] You'll need tech support for the infrastructure there, employee support, server support, in this case, linguists and engineers.

[00:11:20] All in all, it was estimated that APT1 had hundreds, maybe even thousands of employees operating out of this hub.

[00:11:27] And I would imagine not all of them knew exactly what they were doing or what they were supporting.

[00:11:32] In fact, many of them might have been compartmentalized to the point where they thought they were just working a tech support job with a security clearance.

[00:11:41] But for the overall mission, they tended to recruit talented people out of school and from the military to join the cause.

[00:11:47] Specifically, if you look at the kind of proficiencies that they're looking for, it can tell you a lot about the team.

[00:11:56] In leaked memos about job receptions, they look for people who have specialties in topics such as politics, English, mathematics, and signal and digital circuits.

[00:12:08] So you can kind of take all that and infer that what they're going to be doing is going to be kind of complicated, foreign-languaged, and likely focus on the Western Hemisphere.

[00:12:19] And to support that work, let's talk a little bit about the infrastructure that they have to work with.

[00:12:24] We know that they have a special communication line courtesy of China Telecom.

[00:12:29] That's the state-owned enterprise that serves as their ISP.

[00:12:32] We know they have this special physical infrastructure.

[00:12:36] It was leaked in a memo that detailed the kind of internet speeds and connection requirements that they would have.

[00:12:42] And it's another interesting read that I'll post on the website.

[00:12:45] But what kind of tech do they have to back it up?

[00:12:48] Well, what if I told you that a conservative estimate put it at around 1,000 different servers spread across the world with varying functions?

[00:12:55] And that's not even including machines that they've compromised and used to pivot into other networks.

[00:13:01] These would be things like servers that host exploits, malicious domains, phishing scams, command and control servers, everything that you need from start to finish for a hack.

[00:13:10] These command and control servers, those are where popped machines or accounts might communicate back to and allow the APT to have persistent access.

[00:13:18] Think of it like a control panel for everyone that you've hacked, all in one place and easy to access.

[00:13:25] Now, what's their mission, right?

[00:13:27] In the past, we've talked about how APTs can be used to generate income through tactics like ransomware.

[00:13:33] In fact, we saw that pretty heavily featured in our episodes on Lazarus Group and Fancy Bear.

[00:13:38] But APT1 seemed a bit more broad-scoped in being used for the general forward progression of China.

[00:13:45] What I mean by that is a lot of what they did was information stealing and slow burn style attacks as opposed to availability-based attacks that would take a service offline.

[00:13:55] Overall, they would steal items that involved interesting or important intellectual property that they could use.

[00:14:02] Things like blueprints, proprietary technology, business plans, personal data for marketing.

[00:14:07] The list goes on and on.

[00:14:09] When it was broken down by ATT&CK, it was even found that over the course of 10 months, they stole almost 7 terabytes of data at one point.

[00:14:18] Most of those targets, and by most I mean nearly 90%, were organizations whose native language is English.

[00:14:24] And many of the industries that they belonged to match up pretty directly with areas that China had, at the time, prioritized for their economic growth plans.

[00:14:33] So when you put that together, the idea seemed to be similar to that meme about copying homework.

[00:14:39] Their goal was to get access to as much information or homework from successful industries as possible.

[00:14:47] From competing nations.

[00:14:49] And then they would take those blueprints that led to their success and repurpose it for Chinese growth, both homegrown and internationally.

[00:14:59] I want to go into some specifics now.

[00:15:01] Who did they hack?

[00:15:02] What kind of trade secrets were they after?

[00:15:05] Well, even though they go as far back as 2006, I want to cover some more interesting stories.

[00:15:11] So we're going to start in 2009 and pivot over to Coca-Cola.

[00:15:15] That's right, the biggest soda company to many people, and proprietor of many American products and beverages.

[00:15:22] One of the many tactics that tend to get used by APTs is spear phishing.

[00:15:27] This is highly targeted phishing that is more well-scoped than your normal random "USPS package awaiting" fraudulent email, right?

[00:15:35] So in 2009, when some workers, including the deputy president of Coke's Pacific Group, received an email,

[00:15:43] well, you know, I think nowadays you've probably received enough phishing training to realize what's wrong with it and report that email right away.

[00:15:50] But at this point, even their VPs fell victim.

[00:15:55] It has to start with someone falling victim for you to be trained on it.

[00:15:59] Unfortunately, all of your training really is built on the failures of others.

[00:16:03] Failures like this, where unfortunately someone opened it.

[00:16:07] Well, the attackers, APT1 in this case, used this spear phishing email to install malware on that exec's computer.

[00:16:15] The malware included a keystroke logger that would report all the typed keys back up to the C2 server.

[00:16:22] Imagine the kind of information that you're getting from a key logger from a person like this.

[00:16:26] Possible usernames and passwords to let you right in.

[00:16:29] Inadvertent recon on the organization.

[00:16:32] Trade secrets.

[00:16:33] Those are all at your disposal.

[00:16:35] Not to mention, we all know no one would ever do personal business on a work computer, right?

[00:16:40] So there's surely no risk of any personal data being on there.

[00:16:44] But what did China specifically want for this?

[00:16:47] Well, think about the tactics that Coke might be using to get their sales up to make their product.

[00:16:52] It's really a staple in the American economy.

[00:16:55] And at this point, Coke had recently even tried to acquire China's Huiyuan Juice Group.

[00:17:00] So China knew that there was interest in the market.

[00:17:03] And frankly, I think they saw an opportunity to use the tools that Coke had perfected over in their own backyard.

[00:17:09] They even rejected a $2.3 billion offer from Coke, presumably to make that money on their own and reduce external dependencies.

[00:17:18] Now, if you look at some of the articles from the time, it does say that there were some monopoly concerns and there was some kind of shady dealings going on.

[00:17:26] But it's really hard to see how this wasn't just a direct benefit for their economy by keeping it in-house.

[00:17:33] Now let's move on to the RSA security breach of 2011.

[00:17:37] A significant attack on a leading security company.

[00:17:41] In March of 2011, RSA Security, which is a division of EMC, fell victim to an attack believed to be orchestrated by APT1.

[00:17:51] For people who aren't aware, RSA is primarily known for their identity and access management products.

[00:17:57] These are things like multi-factor tokens, password solutions, and general authentication and account security.

[00:18:03] You're probably most familiar with them and their little key fob tokens that were used before MFA apps became as widespread as they are.

[00:18:12] The attackers, once again, used spear phishing emails with the subject line "2011 Recruitment Plan," targeting a small group of employees.

[00:18:22] Those emails contained an Excel file that was embedded with a zero-day exploit.

[00:18:27] It exploited a previously unknown vulnerability in Adobe Flash, which is hopefully long gone from everyone's systems by now, but at this point was readily exploitable.

[00:18:38] According to RSA themselves, the attacker in this case sent two different phishing emails over a two-day period.

[00:18:45] The two emails were sent to two small groups of employees that you wouldn't consider particularly high-profile or high-value targets.

[00:18:53] The email subject line read, "2011 Recruitment Plan."

[00:18:57] The email was crafted well enough to trick one of the employees into retrieving it from their junk mail folder and opening the attached Excel file.

[00:19:06] It was a spreadsheet titled "2011 Recruitment Plan.xls".

[00:19:10] So let's look at that again because I'm still having some trouble thinking about this.

[00:19:15] Not only was it a phishing attempt, a successful phishing attempt, but it was good enough that someone pulled it directly out of their junk folder to open it.

[00:19:25] That is a critical success.

[00:19:27] Once the exploit was activated, the attackers installed a backdoor, and that granted them access into RSA's network.

[00:19:34] Once that was secure, they would use stolen credentials and elevation of privilege vulnerabilities to increase the privileges that they had.

[00:19:42] So to go from a regular user to gaining something a little higher level like a local or a domain administrator.

[00:19:48] And that's where we really start to chain all of our episodes together, because some of these were stolen credentials.

[00:19:54] And that's a constant theme in hacks.

[00:19:57] It's such a low barrier to entry when people just don't bother rotating already compromised accounts.

[00:20:02] It makes it so much easier on the attackers that they can just add these into their own little word lists.

[00:20:09] APT1 then moved sensitive data related to RSA's SecurID two-factor authentication products to staging servers before they would extract it out into their own networks.

[00:20:19] And while it was there, they would zip it and encrypt it so that someone that was accidentally coming into those servers wouldn't be able to tell what that was.

[00:20:27] And that's another thing that I think we've kind of touched on every now and then, but I wanted to highlight.

[00:20:32] Many times, attackers don't need to stand up new infrastructure when they can just use yours.

[00:20:37] In this case, they were using legitimate servers to house the data for exfiltration here.

[00:20:43] And this breach is thought to have compromised RSA's SecurID product.

[00:20:48] It would have affected thousands of customers and necessitated a significant overhaul of both their and their customers' security protocols.

[00:20:58] The RSA security breach particularly highlighted the vulnerabilities that even security companies face when exposed to advanced cyber attacks.

[00:21:07] While RSA was able to stop them mid-attack, they still made away with data that could potentially have impacted many organizations.

[00:21:17] Next up, we're going to go into the New York Times hack of 2012, an attack on one of the world's leading news sources.

[00:21:26] In late 2012, the New York Times was added to APT1's list of victims.

[00:21:31] It was interesting to many when on January 20th, 2013, Times writer Nicole Perlroth started an article with, quote,

[00:21:52] It took some time, but the cyber team at NYT was able to locate and expunge APT1, but not after quite a long time of them being able to set up shop inside their own home.

[00:22:02] What's interesting here is the timing of the attacks.

[00:22:06] According to Perlroth, the attacks were timed closely to an article that was published on October 25th.

[00:22:13] They believe that around this time, the email accounts of the New York Times Shanghai Bureau Chief David Barboza were broken into given his ties to reports that found relatives of Wen Jiabao had been receiving large-sum fortunes under the Prime Minister's organization.

[00:22:30] The attackers would attempt to establish at least three backdoors and install 45 pieces of malware, but only one of them was detected by the Symantec security software.

[00:22:42] That kind of security software is the same as CrowdStrike, which we talked about a few weeks ago.

[00:22:47] After two weeks, the attackers were able to find the domain controller that contained all the staff passwords.

[00:22:53] And while they were encrypted, that itself was probably a potential treasure to them.

[00:22:59] Imagine being able to get access to the accounts that had details on sources that were private.

[00:23:04] I know it may not have been a payday for them, but there would have been some real interesting ransoms that could have been had here.

[00:23:10] Times executive editor Jill Abramson maintained through all this that there was "no evidence that sensitive emails or files were accessed."

[00:23:19] Yet, the investigation found that the attackers, quote, "created custom software that allowed them to search for and grab Mr. Barboza's and Mr. Yardley's emails and documents."

[00:23:31] So it seems like the attackers exfiltrated sensitive information, including emails and documents of reporters and staff.

[00:23:38] This breach compromised the confidentiality of sensitive information and raised awareness of the vulnerability of media organizations to cyber attacks.

[00:23:47] The New York Times hack really helped drive home the ongoing threat of cyber espionage to news organizations.

[00:23:54] And honestly, it's similar in scope to attacks and hacks that utilize things like the Pegasus malware, where they're targeting media and it's really insane to see the repercussions that come out of it.

[00:24:05] Lastly, I want to dive into Operation Shady RAT, a long-term espionage campaign.

[00:24:12] Spanning from mid-2006 all the way up to August 2011, Operation Shady RAT was conducted by PLA Unit 61398, our APT1.

[00:24:22] The campaign targeted over 71 organizations, including defense contractors, government agencies, the United Nations, and the International Olympic Committee, because smack dab in the middle of this is the 2008 Olympics.

[00:24:37] Dmitry Alperovitch, the VP of research at McAfee, published a white paper on this, and in it he said, quote, "With the goal of raising the level of public awareness today, we are publishing the most comprehensive analysis ever revealed of victim profiles from a five-year targeted operation by one specific actor, Operation Shady RAT."

[00:25:00] RAT is a common acronym in the industry, and that stands for Remote Access Tool.

[00:25:06] Dmitry published a chart of industries hit, and it's insane to really see it all in one place, because 71 on its own sounds like a big number, but when you really spread it out, when you see that federal governments, state governments, IT companies, media, real estate, solar, there really seemed to be no delimiter here.

[00:25:25] They were just going after and getting whatever they could.

[00:25:28] The attackers followed their TTPs, and starting at the left of that MITRE ATT&CK framework, for their initial access, they sent phishing emails again, with malicious attachments, again, to specific individuals within these organizations.

[00:25:43] Once the link was clicked, just as with other tactics here, we established that Remote Access Tools were installed on the victim's computer, granting the attackers a level of access that made it a lot easier to persist.

[00:25:57] It allowed them to move laterally as well, using these computers as pivot points into other parts of the compromised networks.

[00:26:04] In this case, the attack lasted an incredibly long amount of time.

[00:26:09] But what did they get?

[00:26:11] Well, over the course of the five years, the attackers stole intellectual property, including patents, state secrets, and confidential information.

[00:26:18] This sustained and coordinated effort from the campaign was revealed by McAfee in August of 2011, and it highlighted the widespread nature of their attempts at cyber espionage.

[00:26:30] They really wanted to raise the awareness about the threat posed by state-sponsored actors.

[00:26:35] And I do remember when this came out, and how it was a high-level news item, especially for me, given I was still in the military at the time, and relatively new in the field.

[00:26:46] Operation Shady RAT, at least in my opinion, really kind of served as a wake-up call for many organizations.

[00:26:52] And it showed that there is a critical threat that can happen to you, even if you're not maybe at the top of the security list or top of the popular networks.

[00:27:02] Ultimately, over seven years of activity resulted in some kind of interesting stats about APT1.

[00:27:10] So I want to share those.

[00:27:11] Like the fact that, all in all, there were over 150 different known victim groups or organizations.

[00:27:18] I say known here because it's truly difficult to know the exact number.

[00:27:23] We don't know what we don't know.

[00:27:25] I would imagine that based on the numbers I've seen, they've probably managed to exfiltrate nearly a petabyte of trade secrets and data from the organizations that they've popped in total.

[00:27:35] Some of the major industry players we know lost upwards of double-digit terabytes of data.

[00:27:41] And if we scale that up, times 150, it's going to be an issue.

[00:27:45] What was more interesting to me too

[00:27:47] is partially how they played

[00:27:50] their long game.

[00:27:51] According to Mandiant,

[00:27:52] once APT had established access,

[00:27:54] they periodically revisited

[00:27:56] the victim's network

[00:27:57] over several months or years

[00:27:59] and attempted to re-steal

[00:28:01] broad categories of IP,

[00:28:03] including those tech blueprints,

[00:28:05] manufacturing processes,

[00:28:07] test results,

[00:28:07] business plans,

[00:28:09] pricing documents,

[00:28:10] partnership agreements,

[00:28:11] emails,

[00:28:11] the list goes on and on,

[00:28:12] all from these victim organizations'

[00:28:14] leadership.

[00:28:15] It kind of sounds to me

[00:28:17] like a toxic ex

[00:28:18] checking in on you

[00:28:19] just to ruin your day.

[00:28:20] In terms of overall access, well, it averaged out that the victim's mean time of, well, being victimized was just about a year long. So if I was compromised in 2009, then they might have been expunged or stopped in 2010.

[00:28:35] But what's the point? This is some interesting stuff and the group is largely out of the game right now. But APT1 to me truly demonstrates how big of an economic powerhouse cybercrime can be. A government entity with the goal of stealing and repurposing economic secrets and tactics from its competing economic powers managed to change the course of history. And I don't think that's an exaggeration. They likely brought technologies to China that, sure, probably would have gotten there eventually, but almost certainly came a bit early or provided inspiration for their own advances. And I won't act like we don't do the same thing. That's the game, right? That's what everyone does.

[00:29:16] But one of the things that you may have noticed is how much I am using the past tense here. With the publishing of the findings like the Mandiant report and the McAfee white papers, a lot of the TTPs of this group were made available to the public. Mandiant could have kept that information hidden and kept developing proprietary protections and intel documents on the organization, but they chose to make it public. They wanted the information that they had to be shared because they believed it would help the industry as a whole. In their report, they disclosed hundreds of thousands of indicators of compromise, or IOCs, that could be used to write protections and blocks for organizations. This effectively shined a major light on APT1 and let anyone see, hey, has this been going on in my environment and I wasn't aware? And that happened to the point where the group as we know it no longer exists. That's not to say that the people involved aren't still hacking for China; they've likely just been repurposed onto some of the newer APTs with different infrastructure and tools. The cycle has to continue, right?

[00:30:21] I'm John Cordes and I hope this was an interesting glimpse into one of the bigger adversaries that the digital community has ever faced. Before you go, there are a couple of interesting things I wanted to let you know about.

[00:30:33] First, at the end of the year, I've got a little piece of bonus content that I'm going to be putting out. It's going to be audio and video, but this year, I kept my own personal kind of bingo card of goals and I kept track of all the new media that I watched, read, or listened to. I thought it would be a fun little offshoot to take that and do a small dive into the kinds of things that I got up to this year and maybe spread some recommendations your way. But if that's not your cup of tea, then you can just ignore it.

[00:31:01] In terms of the show, well, we're on Bluesky now too. As I've said before, Discord is the primary method that I use for communicating with the show and the invite is in the description if you want to click in and join us over there. But I saw an avenue for expanding the show in Bluesky and I was getting kind of tired of Twitter. A lot of the settings that I had already cultivated are now gone under the new administration there. So, if you want to find me on Bluesky, you can find me there at ShellPod. One word.

[00:31:31] And as we close up the year, I just want to say thanks. Thanks to all the people that came back to the show. This year wasn't an easy year for the show. I only got a few episodes out and we dealt with, honestly, what I thought was a show-ending issue. But I think 2025 is going to be great. We've got two more 2024 episodes to get you through, so it's not done yet, but if you can, I would really appreciate it if you shared your favorite episode on whatever social that you do use and tag me there. I'd love to talk to you about it and see what works for you and what doesn't work. And if you don't mind, if you have a podcast platform that accepts reviews, maybe leave a review or a five-star rating. It'll help get me some of that audience back. All right, I think that's enough pandering to the audience for now. I'll see you all in two weeks.