
Have You Been Targeted by Chinese Espionage Units?

Using Mandiant's Analysis and FlowTraq to Identify Threats

Recently hacking attempts have been in the news again, this time accusations that a Chinese military unit, Unit 61398 in Shanghai, has been responsible for a large number of spear phishing and other attacks. These attacks appear to be focused on getting Windows users to run disguised EXE files, which in turn exfiltrate data. Their first-line emails are well-written and targeted, and make use of subtle tricks like naming a file filename.pdf                                .exe (with a long run of spaces before the .exe) so that the filename is truncated at the .pdf. There are a number of interesting articles on the subject, as well as Mandiant's excellent analysis APT1: Exposing One of China's Cyber Espionage Units.

When reading through Mandiant's analysis, we can see how FlowTraq can be used to track down these spear phishing attempts. They have identified a broad set of IP addresses associated with this military unit for various tasks, though as with any security analysis it can never be entirely complete. Table 8 on page 40 of their analysis includes IP addresses associated with their hop points: intermediary systems used as bridges so that their attacks are disguised, using techniques including FTP and Remote Desktop. We've annotated the list with the best-fit CIDR block.

223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
114.80.0.0 - 114.95.255.255 (114.80.0.0/12)
101.80.0.0 - 101.95.255.255 (101.80.0.0/12)

FlowTraq's unique filtering ability allows you to search, and alert, for IP CIDR blocks such as those above. You can either put each in its own filter line, or paste the following string into a single line:

223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 139.226.0.0/15, 114.80.0.0/12, 101.80.0.0/12

If you see connections to or from your network involving these IP ranges over the last year, examine the protocols in use. If you see FTP command channels (TCP port 21) or Windows Remote Desktop (TCP port 3389) or any other file transfer or control protocol, we recommend investigating that connection, and we urge you to read Mandiant's report to understand the nature of the potential threat.

Later in their report, Table 9 shows the connections they have seen using the HUC Packet Transmit Tool (HTRAN), a tunneling tool allowing, in this case, the attacker to make use of middle-man networks. HTRAN can be configured to use a number of ports, but TCP ports 80 and 443 are common. Mandiant specifically lists 443 as being seen in the wild. The list of IP addresses looks similar to the hop point ranges shown earlier.

223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
143.89.0.0 - 143.89.255.255 (143.89.0.0/16, Hong Kong University of Science and Technology)

(Single line: 223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 139.226.0.0/15, 143.89.0.0/16)

Finally, they identified a number of domain names used in these attacks that have resolved to IP addresses that should look familiar by now. All of them belong to China Unicom Shanghai Network.

223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
114.80.0.0 - 114.95.255.255 (114.80.0.0/12)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
222.64.0.0 - 222.73.255.255 (222.64.0.0/13 and 222.72.0.0/15)
116.224.0.0 - 116.239.255.255 (116.224.0.0/12)

(Single line: 223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 114.80.0.0/12, 139.226.0.0/15, 222.64.0.0/13, 222.72.0.0/15, 116.224.0.0/12)

Our hats are off to the folks at Mandiant for some impressive detective work.
Again, we highly recommend visiting their site to learn more about not only this particular threat (especially if you detect connections to any of the IP ranges listed here), but also the tools and techniques being used in this domain. That will enable you both to search your NetFlow record and also to educate your users about what to watch for.
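For readers who want to apply the same CIDR-and-port check to flow records outside FlowTraq, here is an added example (not FlowTraq's or Mandiant's code). It indexes the three CIDR lists quoted above, matches each flow's source and destination address against them, and raises the priority when the flow is TCP on one of the ports the post singles out (21, 3389, 80, 443). The record format, the function names (parse_flow, build_index, match_flow, scan) and the sample flows are all assumptions constructed for the example; the local addresses use RFC 5737 documentation space and the remote addresses are picked from the listed blocks.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# CIDR blocks exactly as the post annotates them (best-fit summaries of the
# ranges it quotes from Mandiant's Table 8 hop points, the Table 9 HTRAN
# endpoints, and the addresses the attack domains resolved to).
INDICATOR_LISTS: Dict[str, List[str]] = {
    "hop_point": ["223.166.0.0/15", "58.246.0.0/15", "112.64.0.0/15",
                  "139.226.0.0/15", "114.80.0.0/12", "101.80.0.0/12"],
    "htran": ["223.166.0.0/15", "58.246.0.0/15", "112.64.0.0/15",
              "139.226.0.0/15", "143.89.0.0/16"],
    "domain_resolution": ["223.166.0.0/15", "58.246.0.0/15", "112.64.0.0/15",
                          "114.80.0.0/12", "139.226.0.0/15", "222.64.0.0/13",
                          "222.72.0.0/15", "116.224.0.0/12"],
}

# TCP ports the post tells the reader to look at first.
PORT_LABELS = {
    21: "FTP command channel",
    3389: "Windows Remote Desktop",
    80: "HTTP (common HTRAN port)",
    443: "HTTPS (HTRAN port Mandiant saw in the wild)",
}


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed format 'src:sport dst:dport proto bytes'."""
    src, dst, proto, nbytes = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(s_ip, int(s_port), d_ip, int(d_port), proto.upper(), int(nbytes))


def build_index(lists: Dict[str, List[str]] = INDICATOR_LISTS) -> dict:
    """Map each network to the set of indicator lists it appears in (the lists overlap)."""
    index: dict = {}
    for name, blocks in lists.items():
        for block in blocks:
            index.setdefault(ipaddress.ip_network(block), set()).add(name)
    return index


def match_flow(flow: Flow, index: dict) -> Optional[dict]:
    """Explain why a flow matters, or return None when neither address is listed."""
    hits = []
    for role, addr in (("src", flow.src), ("dst", flow.dst)):
        ip = ipaddress.ip_address(addr)
        for net, names in index.items():
            if ip in net:
                hits.append({"role": role, "addr": addr,
                             "block": str(net), "lists": sorted(names)})
    if not hits:
        return None
    # A server port can sit on either side of a flow record: it is the
    # destination for outbound connections and the source for inbound ones.
    labels = [PORT_LABELS[p] for p in (flow.sport, flow.dport) if p in PORT_LABELS]
    tcp_control = flow.proto == "TCP" and bool(labels)
    return {
        "flow": f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}/{flow.proto}",
        "hits": hits,
        "protocol_note": labels[0] if tcp_control else "other: examine the protocol in use",
        "priority": "high" if tcp_control else "review",
    }


def scan(lines: List[str], index: Optional[dict] = None) -> List[dict]:
    """Run every non-empty record through match_flow and keep only the matches."""
    index = index if index is not None else build_index()
    findings = []
    for line in lines:
        if line.strip():
            result = match_flow(parse_flow(line), index)
            if result:
                findings.append(result)
    return findings


# Constructed sample records: RFC 5737 documentation addresses stand in for
# the local network, remote addresses are taken from the blocks above.
SAMPLE_FLOWS = [
    "192.0.2.15:51234 223.167.8.9:443 tcp 18342",   # outbound HTTPS into a hop-point block
    "58.247.100.1:3389 192.0.2.15:49200 tcp 5120",   # inbound RDP from a hop-point block
    "192.0.2.40:33001 198.51.100.7:443 tcp 90000",   # unrelated traffic, no match
    "192.0.2.40:40000 222.70.1.1:8443 tcp 2200",     # listed address, unlisted port
    "192.0.2.40:5001 143.89.10.10:53 udp 120",       # listed address, not TCP
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(finding["priority"], finding["flow"], "-", finding["protocol_note"])
        for hit in finding["hits"]:
            print("   ", hit["role"], hit["addr"], "in", hit["block"], hit["lists"])
```

Running the script on the sample records reports four of the five flows: the two TCP flows on 443 and 3389 come out as high priority, while the matches on an unlisted port and on UDP are kept as lower-priority items to review, which mirrors the post's advice to examine the protocol in use on every connection that touches these ranges. Because the lists overlap, each hit also names every list the block appears in, so an analyst can tell at a glance whether an address is a hop point, an HTRAN endpoint, a domain resolution, or all three.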

Identify Threats on Your Network Right Now!


Download a free 14-day Trial of the FlowTraq NetFlow Monitoring solution and put the results of Mandiant's analysis to work for you today.
