Single Objective


China’s APT Attack Against the New York Times
Danielle Lambert

Advanced Persistent Threat Attacks
• Advanced: attackers have a full spectrum of intelligence-gathering tools available
• Persistent: continuous monitoring and interaction for a very specific task
• Threat: human actions

Anatomy of an APT Attack

What started the hack?
• The New York Times investigation of the Chinese Prime Minister
• Chinese government officials sent warnings that the investigation would have consequences
• Article published Oct. 25th, 2012

Target: U.S. Media & Reporters
Hackers in China attacked the NY Times for 4 straight months
• Stole passwords and gained access to the personal computers of 53 employees

Intelligence Gathering
• Single objective: anticipate stories that might damage the reputation of Chinese leaders

Chinese Facilities
• China denies involvement, but the attack methods resemble past attacks from the Chinese military going back to 2004

Unit 61398 Personnel Requirements
Personnel require high technical computer skills. The group also appears to have a frequent requirement for strong English proficiency.

Point of Entry
• Social engineering
• Spear phishing email
• Zero-day viruses
• Planting malware on a website that the victim employees will be likely to visit

Spear Phishing
Malicious ZIP files:
• Employee-Benefit-and-Overhead-AdjustmentKeys.zip
• Negative_Reports_Of_Turkey.zip
• New_Technology_For_FPGA_And_Its_Developing_Trend.zip
• Oil-Field-Services-Analysis-And-Outlook.zip
• Proactive_Investors_One2One_Energy_Investor_Forum.zip
• Social-Security-Reform.zip
• Telephonics_Supplier_Manual_v3.zip
• The_Latest_Syria_Security_Assessment_Report.zip
• Updated_Office_Contact_v1.zip
• Welfare_Reform_and_Benefits_Development_Plan.zip
Fake email from Mandiant’s CEO

Establish a Foothold
• Set up at least 3 back doors and identified the domain controller after 2 weeks

Escalate Privileges
Backdoors
• BISCUIT Backdoor
• Backdoors mimic communication protocols

Data Discovery
• Display network configuration
• List the services started on the victim system
• List currently running processes
• List accounts on the system
• List admin accounts
• List current network connections
• List currently connected network shares
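The seven discovery steps listed on the Data Discovery slide are the kind of host reconnaissance a defender can look for in process-creation logs. The script below is an added detection example, not code from the slide deck or from the report it summarises: it maps each step to an assumed Windows built-in command, then flags any (host, user) pair that runs commands covering several distinct steps within a short window. The event layout and the sample events are constructed for this example.

```python
"""Flag a burst of host-reconnaissance commands in process-creation logs.

Added detection example: not code from the slide deck or from the
report it summarises. The seven categories mirror the Data Discovery
slide; the command names mapped to them, the event layout and the
sample events are assumed/constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Leading tokens of a command -> the discovery step on the slide.
# Assumed mapping to common Windows built-ins.
RECON_COMMANDS = {
    ("ipconfig",): "network configuration",
    ("net", "start"): "started services",
    ("tasklist",): "running processes",
    ("net", "user"): "accounts on the system",
    ("net", "localgroup", "administrators"): "admin accounts",
    ("netstat",): "network connections",
    ("net", "use"): "connected network shares",
}
# Longest patterns first so "net localgroup administrators" is not
# shadowed by a shorter "net ..." pattern.
_PATTERNS = sorted(RECON_COMMANDS, key=len, reverse=True)


def classify(cmdline):
    """Return the discovery category of a command line, or None."""
    tokens = cmdline.lower().split()
    if not tokens:
        return None
    # Strip any path and .exe suffix from the image name.
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1]
    if image.endswith(".exe"):
        image = image[:-4]
    tokens[0] = image
    for pattern in _PATTERNS:
        if tuple(tokens[:len(pattern)]) == pattern:
            return RECON_COMMANDS[pattern]
    return None


def find_recon_bursts(events, window=timedelta(minutes=10), min_categories=4):
    """One alert per (host, user) whose recon commands cover at least
    `min_categories` distinct discovery steps inside any `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        category = classify(ev["cmd"])
        if category is not None:
            by_actor[(ev["host"], ev["user"])].append((ev["time"], category, ev["cmd"]))

    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            categories = {h[1] for h in in_window}
            if len(categories) >= min_categories:
                alerts.append({
                    "host": host, "user": user, "start": start,
                    "categories": sorted(categories),
                    "commands": [h[2] for h in in_window],
                })
                break  # report each actor once
    return alerts


# Constructed sample events (not real log data).
T0 = datetime(2013, 1, 30, 9, 0, 0)
SAMPLE_EVENTS = [
    # One workstation runs all seven discovery steps in four minutes.
    {"time": T0, "host": "WS-07", "user": "jdoe", "cmd": r"C:\Windows\System32\ipconfig.exe /all"},
    {"time": T0 + timedelta(seconds=20), "host": "WS-07", "user": "jdoe", "cmd": "net start"},
    {"time": T0 + timedelta(seconds=45), "host": "WS-07", "user": "jdoe", "cmd": "tasklist /v"},
    {"time": T0 + timedelta(minutes=1), "host": "WS-07", "user": "jdoe", "cmd": "net user"},
    {"time": T0 + timedelta(minutes=2), "host": "WS-07", "user": "jdoe", "cmd": "net localgroup administrators"},
    {"time": T0 + timedelta(minutes=3), "host": "WS-07", "user": "jdoe", "cmd": "netstat -ano"},
    {"time": T0 + timedelta(minutes=4), "host": "WS-07", "user": "jdoe", "cmd": "net use"},
    # Routine troubleshooting elsewhere: two commands an hour apart.
    {"time": T0, "host": "WS-12", "user": "admin", "cmd": "ipconfig"},
    {"time": T0 + timedelta(hours=1), "host": "WS-12", "user": "admin", "cmd": "netstat -an"},
    {"time": T0, "host": "WS-12", "user": "admin", "cmd": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], alert["start"], alert["categories"])
```

Counting distinct discovery categories rather than raw command counts is what keeps the rule quiet on an administrator who runs `ipconfig` a dozen times while troubleshooting, and loud on an actor who walks through the whole checklist once.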

Lateral Movement
• Connect to shared resources on other systems
• Execute commands on other systems that are publicly available

Maintain Presence
• Install new backdoors
• Use Virtual Private Network credentials
• Log into web portals and emails

Complete the mission
• Compress stolen files via RAR
• Batch scripts to speed up the process & split files into chunks
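Compressing the take into RAR volumes and splitting it into chunks leaves a recognisable trace: a run of sequentially numbered archive volumes written to one directory by one process in a short time. The script below is an added detection example, not code from the slide deck or from the report it summarises; it parses RAR volume names from file-creation events and raises one alert per staging run. The volume naming patterns, the event layout and the sample events are assumed/constructed for this example.

```python
"""Flag multi-volume RAR archives appearing in bulk in one directory.

Added detection example: not code from the slide deck or from the
report it summarises. It checks file-creation events for the staging
pattern the slide describes (stolen files compressed with RAR and
split into chunks). The event layout, the volume naming patterns and
the sample events are assumed/constructed for this example.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed RAR volume names: archive.part01.rar, archive.part02.rar, ...
# (new style) or archive.rar, archive.r00, archive.r01, ... (old style).
VOLUME_RE = re.compile(
    r"^(?P<base>.+?)(?:\.part(?P<part>\d+)\.rar|\.(?P<legacy>r\d{2}|rar))$",
    re.IGNORECASE,
)


def parse_volume(filename):
    """Return (archive base name, volume index) for a RAR volume, else None."""
    m = VOLUME_RE.match(filename)
    if m is None:
        return None
    if m.group("part") is not None:
        return m.group("base"), int(m.group("part"))
    ext = m.group("legacy").lower()
    if ext == "rar":
        return m.group("base"), 0            # old style: .rar is the first volume
    return m.group("base"), int(ext[1:]) + 1  # .r00 is the second, and so on


def find_staging(events, window=timedelta(minutes=30), min_volumes=3):
    """One alert per (host, process, directory, archive) that writes at
    least `min_volumes` volumes within `window` of the first one."""
    groups = defaultdict(list)
    for ev in events:
        directory, name = ntpath.split(ev["path"])
        parsed = parse_volume(name)
        if parsed is None:
            continue
        base, index = parsed
        key = (ev["host"], ev["process"], directory.lower(), base.lower())
        groups[key].append((ev["time"], index))

    alerts = []
    for (host, process, directory, base), vols in groups.items():
        vols.sort()
        first = vols[0][0]
        in_window = [v for v in vols if v[0] - first <= window]
        if len(in_window) >= min_volumes:
            alerts.append({
                "host": host, "process": process, "directory": directory,
                "archive": base, "volumes": len(in_window),
                "indices": sorted(v[1] for v in in_window),
            })
    return alerts


# Constructed sample events (not real log data).
T0 = datetime(2013, 1, 30, 22, 15, 0)
STAGE = r"C:\Users\jdoe\AppData\Local\Temp\stage"
SAMPLE_EVENTS = [
    # Five volumes of one archive written by rar.exe within about a minute.
    {"time": T0 + timedelta(seconds=15 * i), "host": "WS-07", "process": "rar.exe",
     "path": ntpath.join(STAGE, f"docs.part{i + 1:02d}.rar")}
    for i in range(5)
] + [
    # A single archive created by a user is not a split staging run.
    {"time": T0, "host": "WS-12", "process": "winrar.exe",
     "path": r"C:\Users\admin\Documents\photos.rar"},
    {"time": T0, "host": "WS-12", "process": "winword.exe",
     "path": r"C:\Users\admin\Documents\notes.docx"},
]

if __name__ == "__main__":
    for alert in find_staging(SAMPLE_EVENTS):
        print(alert["host"], alert["process"], alert["directory"],
              alert["archive"], alert["volumes"], alert["indices"])
```

Grouping on the archive base name and directory, rather than on the RAR extension alone, is what separates a staging run from ordinary one-off archives; in practice the alert is strongest when paired with the writing process's parent (the slide's batch scripts would show up as a cmd.exe parent).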

Data Exfiltration
• Attackers used university computers as proxies
• Consistently hopped IP addresses

NY Times Prevention
• Allowed a honeypot to identify every back door the hackers used
• Replaced every compromised computer
• Set up new defenses
• Changed all employee passwords