Mandiant says it observed a group it dubbed “APT1” first infiltrating, then stealing data from, the computer networks of at least 141 companies spanning 20 major industries. Of the targeted companies, 115 were in the US, seven were in Canada and Britain, and 17 of the 19 others also conducted their business in English.
Targeted for theft were “broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.”
At just one company, Mandiant researchers discovered that 6.5 terabytes of data were stolen over a 10-month period, all of it exfiltrated back to computers identified in the same block in Shanghai where the Chinese military’s cyberespionage unit is located. Sometimes data was seen being stolen from dozens of victims at once, Mandiant reported.
APT1 generally established access through spear-phishing: sending someone in a targeted company an e-mail designed to look legitimate but carrying malware in an attachment. Once they gained access to a system, the cyberspies periodically revisited the victim’s network over several months or years.
The findings broadly square with those of other cybersecurity researchers. What Mandiant calls APT1 others have called “Comment Crew” or the “Shanghai Group.” But Mandiant’s 200-page report offers unprecedented detail in specifically identifying APT1 as the cyberespionage section of the Chinese People’s Liberation Army (PLA), even if it lacks a “smoking gun.”