The computer hacking group accused last week of being part of a specific unit of the Chinese military is apparently unfazed by the public attention triggered by a detailed report on its activities published by the security firm Mandiant. Another researcher tracking the group says that most of the infrastructure it used to carry out attacks is still in place.
“They shut down some of the infrastructure, but not much,” says Jaime Blasco, director of labs at security company AlienVault, who had been tracking the same group for several years. Blasco says that many of the group’s command-and-control servers—computers that act as relays between an attacker and the software placed inside a victim company—are still in place, and apparently active. “The group will not change much, because it works—they have been using the same infrastructure for years,” he says.
A spokesperson for Mandiant turned down a request to speak about the company’s latest information on the activity of the group (which is known as Advanced Persistent Threat 1, or APT1), saying only that some command-and-control servers had been seen to go offline.
Mandiant’s 60-page report was the most detailed public allegation yet that the Chinese military infiltrates companies in the U.S. and elsewhere. Other companies have made similar claims, but Mandiant, based in Washington, D.C., identified a specific army unit and even a specific office building in Shanghai’s suburbs as the origins of numerous attacks. Senator Dianne Feinstein, chair of the Senate Intelligence Committee, told MSNBC that the report was “essentially correct.”
Chinese officials have denied any link to what Mandiant and others have uncovered about the group, and all previous accusations of similar activity, such as those made by Google after it was breached by attackers looking for the e-mail accounts of Chinese dissidents (see “Google Reveals China Espionage Efforts”).
Aviv Raff, chief technology officer of Israeli security company Seculert, says that it wouldn’t be surprising for the group Mandiant calls APT1 to continue as usual despite the headlines about it. Some of its attacks and techniques had already been described publicly, he says. “I think this specific group doesn’t really care; we heard about these attacks for a long time,” says Raff.
A brazen response by attackers to the public discovery and detection of their technology and tactics is not unheard of. An attack known as Mahdi, discovered by researchers at Seculert and elsewhere last August (see “Bungling Cyber Spy Stalks Iran”), remains active, says Raff.
However, more sophisticated—if less prolific—groups believed to be backed by nation-states have been seen to change tactics after being exposed. “Red October went down quickly after it became public knowledge,” says Raff, referring to a large and apparently long-running campaign uncovered by Russian security firm Kaspersky in January and tracked by Seculert.
Sykipot, a campaign even more sophisticated than APT1 that targeted the U.S. defense sector and is also believed to originate in China, has since gone quiet, says Blasco, who tracked it closely. “It has been out for three to four years, and they have been adding new features and command and control infrastructure,” he says. “I lost the trail six months ago, and most of the command-and-control servers we knew are down.”