Software Engineering Institute | Carnegie Mellon University

Technical Report

Investigating Advanced Persistent Threat 1 (APT1)

Abstract

In February 2013, Mandiant uncovered Advanced Persistent Threat 1 (APT1)—one of China's alleged cyber espionage groups—and provided a detailed report of APT1 operations, along with 3,000 indicators of the group's activity since 2006. This report analyzes unclassified data sets in an attempt to understand APT1's middle infrastructure: the system of hops, distribution points or relays, and the command and control (C2) servers that sit between APT1's victims and main C2 servers located overseas. To build that infrastructure, APT1 chose and exploited particular organizations to obfuscate communications while remaining in plain sight.

This analysis, based on data from IP addresses known to be associated with APT1 and domain names provided by Mandiant, was conducted using a combination of System for Internet Level Knowledge (SiLK) tools, Microsoft Excel, and custom Python scripts. The study detailed in this report can be replicated easily using available sources and tools. By combining key unclassified information, the authors successfully described a large, malicious network used to steal important information.

Cite This Report

SEI

Shick, Deana; & Horneman, Angela. Investigating Advanced Persistent Threat 1 (APT1) (CMU/SEI-2014-TR-001). Software Engineering Institute, Carnegie Mellon University, 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=90426

IEEE

D. Shick and A. Horneman, "Investigating Advanced Persistent Threat 1 (APT1)," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Report CMU/SEI-2014-TR-001, 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=90426

APA

Shick, D., & Horneman, A. (2014). Investigating Advanced Persistent Threat 1 (APT1) (CMU/SEI-2014-TR-001). Retrieved December 19, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=90426

CHI

Deana Shick and Angela Horneman. Investigating Advanced Persistent Threat 1 (APT1) (CMU/SEI-2014-TR-001). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=90426

MLA

Shick, Deana, and Angela Horneman. Investigating Advanced Persistent Threat 1 (APT1) (Technical Report CMU/SEI-2014-TR-001). Pittsburgh: Software Engineering Institute, Carnegie Mellon University, 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=90426