Mandiant APT1

Pointing the Finger at China

Mandiant released a report this week describing the operations of a hacking group it labeled “APT1.” Much of the report was dedicated to attributing the activities of APT1 to the People’s Liberation Army (PLA) of China. These claims have gathered mainstream attention including coverage on CNN.

While there has been a good bit of finger pointing in the past by both analysts and U.S. officials, this is the first thorough public treatise connecting China to advanced attacks against U.S.-based companies.

In the report, Mandiant reveals some startling statistics that reinforce earlier data suggesting that U.S. companies are failing to detect intrusions that result in data breaches. The report shows that the primary interest in the APT1 attacks is stealing company secrets.

Broad Problem

The report showed that 1,905 unique breaches were observed coming from APT1. Of those breaches, approximately 85% of them were targeted at 115 U.S.-based companies. The companies breached were from a broad spectrum of industries ranging from high tech to agriculture. The takeaway for U.S. companies is sobering: you’re a target for well-funded, sophisticated attacks from state-sponsored attackers.

Deep Problem

Not only were so many diverse industries successfully breached, the depth of the attack was remarkable. According the report, ”we found that APT1 maintained access to the victim’s network for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was at least 1,764 days.” APT1 deployed privilege escalation techniques that allowed the group to gain increasing access to protected data and assets. In one cited example, 6.5 Terabytes of data was stolen over a period of 10 months.

Core Vulnerability

The core issue with each of the exploited companies was a lack of actionable, intelligent network surveillance. Enforcement mechanisms were deployed to protect against these types of attacks, but network monitoring was neglected. This gave APT1 long windows to snake its way around the network. As I discussed in my previous blog entry on the importance of surveillance, an unmonitored security system will eventually give way to attackers.


The Mandiant report goes a long way in making the case that well-funded, sophisticated attackers are currently staffed for the purpose of stealing corporate trade secrets. The report also reveals a fundamental problem in the operational preparedness of enterprises to detect these types of attacks. Click here for more information on combating APTs.

Image source: