Amien Harisen - APT1 Attack

Published in: Technology

  1. Advanced Persistent Threat: Be Aware or Be Conquered
  2. Introduction
     • Amien H. Rosyandino / GreenID-SIRTII (2009-2012), Spentera (2013 – Now)
     • InfoSec Enthusiast
     • Research: Honeypot; Attack Pattern / APT Analysis; Malware Analysis; Computer Forensics
  3. Fire Sale (is it a myth?) – Three Step Systematic Attack
     • Take out transportation
     • Take out the financial base and telecoms
     • Take out the utilities and power
  4. Definition
     • The term originally referred to nation-states engaging in cyber espionage.
     • What distinguishes an APT from other threats is that it is targeted, persistent, evasive and advanced.
     • APTs target specific organizations with the purpose of stealing specific data or causing specific damage.
  5. Stuxnet
     • It is the first discovered malware that spies on and subverts industrial systems.
     • Discovered in June 2010, and believed to have been created by the United States and Israel to attack Iran's nuclear facilities.
     • The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes.
     • On 1 June 2012, an article in The New York Times said that Stuxnet is part of a U.S. and Israeli intelligence operation called "Operation Olympic Games", started under President George W. Bush and expanded under President Barack Obama.
  6. Introducing APT1
     • The world's next publicly available comprehensive report on Advanced Persistent Threat
     • Provided by Mandiant (
     • It's a nickname for a group that is government-sponsored to carry out specific attacks for a specific purpose
     • China is the suspected government that sponsored the group
  7. APT1 Group Structure
     • APT1 is believed to be the 2nd Bureau of the PLA GSD 3rd Dept, with MUCD Unit 61398
     • Unit 61398 is estimated to be staffed by hundreds, and perhaps thousands, of people, based on the size of Unit 61398's physical infrastructure
     • Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007
     • Unit 61398 requires its personnel to be trained in computer security and computer network operations, and also requires its personnel to be proficient in the English language
  8. APT1 Group Structure
  9. APT1 Group Structure
  10. APT1 Data Breach Summary
     • APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
     • Once APT1 has established access, they periodically revisit the victim's network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations' leadership.
     • The longest time period APT1 maintained access to a victim's network was 1,764 days, or four years and ten months.
     • Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.
  11. APT1 Data Theft
     • Product development and use, including information on test results, system designs, product manuals, parts lists, and simulation technologies;
     • manufacturing procedures, such as descriptions of proprietary processes, standards, and waste management processes;
     • business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures, and acquisitions;
     • policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high-ranking personnel; emails of high-ranking employees; and user credentials and network architecture information.
  12. Example
  13. APT1 Target Summary
     • Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries.
     • APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
     • Of the 141 APT1 victims, 87% of them are headquartered in countries where English is the native language.
     • The industries APT1 targets match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan.
  14. APT1 Target Summary
  15. APT1 Target Summary
  16. APT1 Attack Lifecycle
  17. Attack Lifecycle Differences
  18. APT1 Attack Method: same attack vector, but targeted purpose
  19. Some Real World Cases
     • Estonia cyber attack
     • Russia cyber attack against Georgia
     • Blowing up oil refineries
     • KRTV hijacked for zombie attack
  20. Where do we stand?
  21. Where do we stand?
  22. Where do we stand?
  23. Team Cymru Statistics
  24. Team Cymru Statistics
  25. So? Are there any reasons not to be concerned?
  26. Thank YOU !!