Upload: proqsys

Post on 29-Jun-2015

Have You Been Targeted by Chinese Espionage Units?

Using Mandiant’s Analysis and FlowTraq to Identify Threats

Recently, hacking attempts have been in the news again, this time with accusations that a Chinese military unit, Unit 61398 in Shanghai, has been responsible for a large number of spear phishing and other attacks. These attacks appear to be focused on getting Windows users to run disguised EXE files, which in turn exfiltrate data. The first-line emails are well-written and targeted, and make use of subtle tricks like naming a file "filename.pdf .exe", padding the name with spaces so that the displayed filename is truncated after ".pdf" and the real .exe extension is never seen.

There are a number of interesting articles on the subject, as well as Mandiant's excellent analysis "APT1: Exposing One of China's Cyber Espionage Units".

When reading through Mandiant's analysis, we can see how FlowTraq can be used to track down these spear-phishing attempts. They have identified a broad set of IP addresses associated with this military unit for various tasks, though as with any security analysis it can never be entirely complete. Table 8 on page 40 of their analysis includes IP addresses associated with their 'hop points': intermediary systems used as bridges so that the origin of their attacks is disguised, using techniques including FTP and Remote Desktop. We've annotated the list with the best-fit CIDR block. Note that these blocks are whole provider allocations (a /15 holds 131,072 addresses and a /12 over a million), so a connection into one of them is a lead to investigate, not proof of APT1 activity.

223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
114.80.0.0 - 114.95.255.255 (114.80.0.0/12)
101.80.0.0 - 101.95.255.255 (101.80.0.0/12)

FlowTraq's filtering allows you to search and alert on IP CIDR blocks such as those above. You can either put each in its own filter line, or paste the following string into a single line:

223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 139.226.0.0/15, 114.80.0.0/12, 101.80.0.0/12

If you see connections to or from your network involving these IP ranges over the last year, examine the protocols in use. If you see FTP command channels (TCP port 21), Windows Remote Desktop (TCP port 3389), or any other file transfer or remote control protocol, we recommend investigating that connection, and we urge you to read Mandiant's report to understand the nature of the potential threat.

Later in their report, Table 9 shows the connections they have seen using the "HUC Packet Transmit Tool" (HTRAN), a tunneling tool that, in this case, lets the attacker relay traffic through intermediate networks so that the true source is hidden. HTRAN can be configured to use a number of ports, but TCP ports 80 and 443 are common, and Mandiant specifically lists 443 as being seen in the wild. The list of IP addresses looks similar to the 'hop point' ranges shown earlier.

223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
143.89.0.0 - 143.89.255.255 (143.89.0.0/16, Hong Kong University of Science and Technology)

(Single line: 223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 139.226.0.0/15, 143.89.0.0/16)

Finally, they identified a number of domain names used in these attacks that have resolved to IP addresses that should look familiar by now. All of them belong to China Unicom Shanghai Network.

223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
114.80.0.0 - 114.95.255.255 (114.80.0.0/12)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
222.64.0.0 - 222.73.255.255 (222.64.0.0/13 and 222.72.0.0/15)
116.224.0.0 - 116.239.255.255 (116.224.0.0/12)

(Single line: 223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 114.80.0.0/12, 139.226.0.0/15, 222.64.0.0/13, 222.72.0.0/15, 116.224.0.0/12)
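The following added example (not FlowTraq's or Mandiant's code) shows how to compute the best-fit CIDR annotations from the address ranges in all three lists above and then scan NetFlow-style records against them, flagging the hop-point protocols (FTP on TCP/21, RDP on TCP/3389) and the HTRAN ports (TCP/80 and TCP/443) called out in the text. The CSV column layout and the flow records are constructed for illustration; the ranges are the ones listed above.

```python
"""Match NetFlow-style records against the APT1 address ranges listed above.

Added example, not FlowTraq's or Mandiant's code. The flow records below are
constructed, and the CSV layout (src_ip,src_port,dst_ip,dst_port,proto,bytes)
is an assumption about what a collector export looks like.
"""
import csv
import io
import ipaddress

# Address ranges as printed in Mandiant's tables, before CIDR summarization.
HOP_POINT_RANGES = [            # Table 8: hop points (FTP / RDP)
    ("223.166.0.0", "223.167.255.255"),
    ("58.246.0.0", "58.247.255.255"),
    ("112.64.0.0", "112.65.255.255"),
    ("139.226.0.0", "139.227.255.255"),
    ("114.80.0.0", "114.95.255.255"),
    ("101.80.0.0", "101.95.255.255"),
]
HTRAN_RANGES = [                # Table 9: HTRAN relays
    ("223.166.0.0", "223.167.255.255"),
    ("58.246.0.0", "58.247.255.255"),
    ("112.64.0.0", "112.65.255.255"),
    ("139.226.0.0", "139.227.255.255"),
    ("143.89.0.0", "143.89.255.255"),
]
DOMAIN_RESOLUTION_RANGES = [    # Addresses the attack domains resolved to
    ("223.166.0.0", "223.167.255.255"),
    ("58.246.0.0", "58.247.255.255"),
    ("112.64.0.0", "112.65.255.255"),
    ("114.80.0.0", "114.95.255.255"),
    ("139.226.0.0", "139.227.255.255"),
    ("222.64.0.0", "222.73.255.255"),
    ("116.224.0.0", "116.239.255.255"),
]


def best_fit_cidrs(ranges):
    """Summarize (start, end) pairs into the minimal list of CIDR blocks.

    This reproduces the annotations in the text. A range that does not fall on
    a single prefix boundary (222.64.0.0 - 222.73.255.255) comes back as two
    blocks, /13 plus /15, exactly as annotated above.
    """
    blocks = []
    for start, end in ranges:
        blocks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return [str(b) for b in blocks]


def filter_string(ranges):
    """The comma-separated single-line form the text suggests pasting into one filter."""
    return ", ".join(best_fit_cidrs(ranges))


# Ports the text calls out: FTP control, RDP, and the usual HTRAN listeners.
PORT_LABELS = {
    21: "FTP command channel",
    3389: "Windows Remote Desktop",
    80: "HTTP (common HTRAN port)",
    443: "HTTPS (HTRAN, seen in the wild)",
}


def scan_flows(csv_text, watchlists):
    """Return one finding per flow endpoint that falls inside a watchlisted block.

    `watchlists` maps a label ("hop point", "HTRAN", ...) to its (start, end)
    ranges. Each finding records which lists matched, the remote address, and
    what the server-side port suggests about the protocol.
    """
    networks = [(label, ipaddress.ip_network(cidr))
                for label, ranges in watchlists.items()
                for cidr in best_fit_cidrs(ranges)]
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for side in ("src", "dst"):
            addr = ipaddress.ip_address(row[f"{side}_ip"])
            hits = sorted({label for label, net in networks if addr in net})
            if not hits:
                continue
            # Server-side port is the lower of the two in nearly every flow.
            port = min(int(row["src_port"]), int(row["dst_port"]))
            is_tcp = int(row["proto"]) == 6
            findings.append({
                "remote": str(addr),
                "lists": hits,
                "port": port,
                "protocol": PORT_LABELS.get(port, "other") if is_tcp else "non-TCP",
                "bytes": int(row["bytes"]),
            })
    return findings


# Constructed sample flows (not real traffic): an inbound RDP session from a
# hop-point block, an outbound HTTPS flow to the HKUST HTRAN block, and a
# benign HTTPS flow that should not match anything.
SAMPLE_FLOWS = """src_ip,src_port,dst_ip,dst_port,proto,bytes
58.246.12.34,51822,10.0.5.17,3389,6,1840233
10.0.5.17,49211,143.89.7.200,443,6,9120
10.0.5.17,49212,93.184.216.34,443,6,4212
"""

ALL_LISTS = {"hop point": HOP_POINT_RANGES,
             "HTRAN": HTRAN_RANGES,
             "resolved domain": DOMAIN_RESOLUTION_RANGES}

if __name__ == "__main__":
    print(filter_string(DOMAIN_RESOLUTION_RANGES))
    for finding in scan_flows(SAMPLE_FLOWS, ALL_LISTS):
        print(finding)
```

Because every block here is a provider-wide allocation, treat a hit as a starting point: pivot on the internal host, look at the protocol and byte counts, and check whether the same remote address shows up across the hop-point, HTRAN and resolved-domain lists, as 58.246.0.0/15 does in the sample.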

Our hats are off to the folks at Mandiant for some impressive detective work. Again, we highly recommend visiting their site to learn more about not only this particular threat (especially if you detect connections to any of the IP ranges listed here), but also the tools and techniques being used in this domain. That will enable you both to search your NetFlow records and to educate your users about what to watch for.

Identify Threats on Your Network Right Now!

Download a free 14-day trial of the FlowTraq NetFlow Monitoring solution and put the results of Mandiant's analysis to work for you today.