Chinese Army Unit 61398 as an Advanced Persistent Threat

Question

Answer
1. Introduction
The question has emerged of why detection and prevention of APTs was so poor in 2013. Detection is low because target industries lack the capability to detect APT activity, and because APT attackers are highly skilled at covering up their activities and deleting traces, which makes them hard to detect. Another reason is that traditional security measures such as anti-virus, intrusion detection and prevention systems, and firewalls are not sufficient to detect and prevent APTs: they detect only known attacks and malware, whereas APT attackers use new malware and attack methods to compromise the target efficiently, and rely on known malware and attack methods only to a minor extent.

This is what happened to Coca-Cola. Even though the company had an information security program and traditional security measures in place, these were not enough to protect its information from APT attacks. In 2009, Coca-Cola detected an APT plot against its networks. The attack involved a group of hackers using advanced malware and remote system administration tools to gain unauthorized access to Coca-Cola’s network and affect the company’s operations. The attackers were trying to establish persistence so they could remain inside Coca-Cola’s network and steal sensitive information over a long period. Unfortunately, from 2009 to 2012 Coca-Cola lost sensitive files to these attackers. A forensic investigation of the data stored on Coca-Cola’s breached systems found that the malware had already deleted its traces and the attackers had removed their remote administration tools. The investigation was conducted after Coca-Cola received reports that its sensitive files were being copied by malware to unknown locations. In this case, movement of data away from a well-known location, unusual evidence of deleted files, and supporting reports can all be indications of an APT attack.
1.1 Definition of Advanced Persistent Threat
Although the term “advanced persistent threat” has been popular since the early 2000s, it actually dates back to 2006. It is widely believed that the term APT originated with the United States Air Force, which is thought to have been the first to use it to describe a specific type of cyber threat. This belief is supported by a 2009 quote from Lt. Col. Greg Rattray: “The Air Force, by 2006, had identified the complete process of an advanced threat.” The quote shows that by that year they had a complete understanding of the processes and life-cycle of an APT.
APT should not be confused with the term AET (Advanced Evasion Technique), which was proposed by the network security firm Stonesoft. AET refers to means and methods that penetrate and exploit IT network vulnerabilities while effectively evading network security systems, appliances, and controls. AET attacks correspond to the delivery and exploitation phases of the Cyber Kill Chain℠, whereas the APT is the overarching structure and framework for the entire kill chain.
An advanced persistent threat (APT) is a wide-ranging, sophisticated, sustained, and targeted attack against a specific group of people with the aim of achieving a specific agenda. An APT attack includes a number of different steps and many different techniques, often spanning a long period of time (several months or years). Anti-forensics methods, such as attempts to delete or alter log files and false data injection, are also often used in APT attacks, increasing the difficulty and complexity of detecting the attack and attributing it.
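The introduction names three signs of the Coca-Cola intrusion (sensitive files copied to unknown locations, traces deleted, remote administration tools cleaned up), and the definition above adds log deletion as a typical anti-forensics step. The following is an added example, not part of the original essay, of how a defender could flag those same indicators in file-activity telemetry and rate a host higher when data movement and trace removal appear together. The log line format, host names, share paths, and the tool name `ra_tool.exe` are all constructed for the demo; real EDR or file-audit feeds would need their own parser.

```python
import re
from collections import defaultdict

# Constructed sample log (not real telemetry): timestamp host ACTION source [-> destination]
SAMPLE_LOG = r"""
2012-03-01T02:14:07Z FIN-SRV01 COPY \\fileserver\finance\q1_forecast.xlsx -> 203.0.113.45:443
2012-03-01T02:14:09Z FIN-SRV01 COPY \\fileserver\finance\acquisition_memo.docx -> 203.0.113.45:443
2012-03-01T02:15:30Z FIN-SRV01 DELETE C:\Users\svc_backup\AppData\Roaming\ra_tool.exe
2012-03-01T02:15:31Z FIN-SRV01 DELETE C:\Windows\System32\winevt\Logs\Security.evtx
2012-03-01T09:02:11Z WS-0452 COPY \\fileserver\finance\q1_forecast.xlsx -> \\fileserver\finance\archive\q1_forecast.xlsx
2012-03-01T09:30:00Z WS-0452 DELETE C:\Users\alice\Downloads\setup.tmp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>COPY|DELETE) (?P<src>\S+)(?: -> (?P<dst>\S+))?$"
)

# Assumed environment facts for the demo: the finance share holds sensitive files,
# and any destination outside the corporate file server counts as "unknown".
SENSITIVE_PREFIX = "\\\\fileserver\\finance\\"
INTERNAL_PREFIX = "\\\\fileserver\\"

# Anti-forensics heuristics: Windows event log files, any path under a "log(s)"
# folder, and executables removed from a user profile (tool cleanup).
LOG_FILE_RE = re.compile(r"\.evtx$|\\logs?\\", re.IGNORECASE)
PROFILE_EXE_RE = re.compile(r"^c:\\users\\[^\\]+\\.*\.exe$", re.IGNORECASE)

EXFIL = "sensitive-file-copied-to-unknown-destination"
ANTI_FORENSICS = {"log-file-deleted", "executable-removed-from-user-profile"}


def parse_line(line):
    """Return a dict for one log record, or None for blank or unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Map one parsed event to an indicator name, or None if it looks benign."""
    src = event["src"].lower()
    dst = (event["dst"] or "").lower()
    if event["action"] == "COPY":
        if src.startswith(SENSITIVE_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            return EXFIL
        return None
    # DELETE events
    if LOG_FILE_RE.search(src):
        return "log-file-deleted"
    if PROFILE_EXE_RE.match(src):
        return "executable-removed-from-user-profile"
    return None


def analyse(log_text):
    """Group indicators per host; a host showing both data movement and trace
    removal is rated 'high', one showing only a single kind is 'medium'."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        indicator = classify(ev)
        if indicator:
            per_host[ev["host"]].append((ev["ts"], indicator, ev["src"]))
    report = {}
    for host, hits in per_host.items():
        kinds = {ind for _, ind, _ in hits}
        has_exfil = EXFIL in kinds
        has_cleanup = bool(kinds & ANTI_FORENSICS)
        severity = "high" if has_exfil and has_cleanup else "medium"
        report[host] = {"severity": severity, "indicators": hits}
    return report


if __name__ == "__main__":
    for host, info in analyse(SAMPLE_LOG).items():
        print(f"{host}: {info['severity']}")
        for ts, ind, path in info["indicators"]:
            print(f"  {ts} {ind} {path}")
```

Run against the sample, only FIN-SRV01 is reported (rated high: two copies to an external address followed by removal of an executable and the Security event log), while WS-0452's copy into the share's own archive folder and deletion of a temporary file raise nothing. The point of the correlation step is the one the essay makes: each event on its own is explainable, but data leaving a sensitive location together with fresh trace deletion on the same host is the pattern worth investigating.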
1.2 Overview of Chinese Army Unit 61398
Chinese Army Unit 61398 is a cyber-warfare and information-operations unit of the People’s Liberation Army (PLA) of China. Though there is no public information about the unit’s numerical designator, it is commonly referred to by the identifier “61398”. Analysts have confirmed that the APT activity surrounding Operation Shady RAT is conducted using the resources of 61398, and the attacks are traced back to infrastructure around Shanghai. It is unknown how many people work for 61398, but the number is suspected to be quite large, with the unit most likely staffed by a mix of military and civilian personnel. This is deduced from the sheer number of English-speaking APT operators observed online in the Operation Shady RAT data, who may or may not be native English speakers, and from the wide range of network intrusions across all sectors attributed to this threat group.
2. History of Chinese Cyber Espionage
2.1 Early Cyber Espionage Activities
2.2 Emergence of Chinese Army Unit 61398
3. Tactics, Techniques, and Procedures
3.1 Target Selection and Reconnaissance
3.2 Exploitation and Delivery of Malware
3.3 Command and Control Infrastructure
3.4 Data Exfiltration Techniques
4. Notable Cyber Attacks Linked to Unit 61398
4.1 Operation Aurora
4.2 Operation Shady RAT
4.3 Operation Aurora Panda
5. Motivations and Objectives
5.1 Economic Espionage
5.2 Military and Political Intelligence Gathering
5.3 Support for Chinese Industries
6. International Response and Diplomatic Impact
6.1 Accusations and Denials
6.2 Diplomatic Tensions and Consequences
7. Countermeasures and Defense Strategies
7.1 Network Segmentation and Isolation
7.2 Intrusion Detection and Prevention Systems
7.3 Employee Education and Awareness Programs
7.4 Incident Response and Recovery Plans
8. Future Implications and Trends
8.1 Evolution of Chinese Cyber Operations
8.2 Collaboration with Other Threat Actors
8.3 Impact on Global Cybersecurity Landscape
