20130222

Comments on Mandiant APT/China Report

So, Mandiant put out a report recently detailing the ongoings of a group they call 'APT1', linking it to the PLA and so on. It's a pretty good report full of details pretty rarely included in public documentation on this specific subject, http://intelreport.mandiant.com/ As a 30 second background; years ago, circa 2005-2007 I worked for a FLA (four letter acronym) on this exact subject and recognize a lot of the tools in question. Amusingly, I tried to give a talk that was essentially a sanitized appendix of their report at 25C3 ('we got owned by the (rhymes-with-unease) and didn't even get a lessons learned') and was visited by the FBI who 'encouraged' me to not perform the talk. At any rate, a new age has dawned and another page has turned and we're apparently far more open on this subject these days. In particular, I note one of the tools that Mandiant identifies as "BISCUIT"; I worked on what appears to be earlier variants of this tool. There are *a lot* of variants as it morphed over the years. Initially it operated as a DLL named "wauserv.dll", which was supposed to look like the Windows Update DLL "wuauserv.dll" (windows update automatic update server dll). They would change a registry key and point the DLL loaded by Windows Update to their DLL and effectively hijack the Windows Update service (+1 point, clever).

No comments:

Post a Comment