APT organization tracking and traceability

kidicc 2021-09-15 09:32:42


In attack-and-defense drills, a high-quality blue team report often needs to trace an attack back to the attacking team, to a domestic criminal gang, or to a foreign APT group.
At this stage red teams protect their own information fairly well; in past successful traceability cases, attribution still came from obtaining user IDs through front-end JS, MySQL client counter-measures, high-interaction honeypots, bait delivery and similar means.
Besides the red team, tracing domestic criminal gangs and foreign APT attacks also earns points, so I usually treat tracking and discovering APT groups as an important part of the work.

APT attack definition

An APT attack (Advanced Persistent Threat) is a long-term, sustained network attack on a specific target, carried out by an organization (especially a state) or a small group using the most advanced attack methods currently available. What makes an APT advanced is its precise information collection, high degree of concealment, use of varied and complex network infrastructure, and precisely targeted exploitation of application vulnerabilities. The attacker's methods are more advanced and sophisticated than other forms of attack, which is why APT is called the highest level of security confrontation in cyberspace. Put simply, an APT is a network attack and intrusion launched by hackers against a target organization for the purpose of stealing core data.

APT (Advanced Persistent Threat) has three elements: advanced, persistent, threat. Advanced emphasizes the use of sophisticated malware and techniques to exploit vulnerabilities in systems. Persistent means that an external actor continuously monitors a specific target and extracts data from it. Threat means the attack is deliberately planned by humans.

The principle of an APT attack is more advanced than that of other attacks. Its advanced nature is mainly reflected in the fact that, before launching the attack, the actor precisely collects information on the target's business processes and target systems. During collection the attacker actively exploits vulnerabilities in the target's trusted systems and applications, uses them to build the network the attacker needs, and uses 0day vulnerabilities to attack.

APT organization chart (figure)

Common APT attack methods

  • Spear phishing
  • Watering hole attacks
  • Drive-by downloads
  • Social engineering
  • Deception through instant messaging tools

Top 5 APT organizations attacking China

APT-C-00 OceanLotus

OceanLotus is an APT group that has long attacked governments, scientific research institutions, maritime enterprises and other sectors in China and other East Asian and Southeast Asian countries (regions); it is also one of the most active APT groups targeting China. The group mainly uses spear phishing and watering hole attacks, infiltrates with a variety of social engineering techniques, and delivers purpose-built Trojans to specific target groups in China, covertly controlling the computer systems of some government personnel, outsourcing staff and industry experts and stealing confidential information from those systems. Judging by its tactics and targets over the years, OceanLotus is most likely a highly organized, specialized overseas state-level hacker group with foreign government backing.

APT-C-06 DarkHotel

APT-C-06 is an overseas APT group that has been active for a long time, with China among its main targets. Its main purpose is stealing sensitive data and information for cyber espionage; the DarkHotel activity can be regarded as one of a series of APT-C-06 campaigns. In its attacks on China the group mainly targets the government and scientific research sectors, and focuses closely on one particular field; related attacks can be traced back to 2007, and it is still very active.

APT-C-08 Bitter

Bitter (APT-C-08) is an APT group that has long attacked China, Pakistan and other countries, mainly targeting government, electric power and military-industry units. It mainly steals sensitive information, has a strong political background, and is currently one of the active overseas APT groups attacking domestic targets.

APT-C-01 Poison Cloud Vine

APT-C-01 is an APT gang that has long conducted cyber espionage against important domestic institutions in national defense, government, science and technology, and education. Its earliest attacks can be traced back to 2007. The gang is good at spear phishing and watering hole attacks against its targets, implants modified ZXShell, Poison Ivy and XRAT commercial Trojans, and uses dynamic domain names as its control infrastructure.

APT-C-24 SideWinder (Rattlesnake)

SideWinder (Rattlesnake) is a mature attack group. This APT group is good at using Office vulnerabilities, HTA scripts, DLL side-loading ("white plus black"), VB Trojans and other techniques, and its tactics are still evolving. At present its targets are mainly in Pakistan, but for geographical reasons attacks on targets in China cannot be ruled out, so the relevant departments, units and enterprises must not take it lightly.

APT organization discovery and traceability

Internal passive discovery

An alert from security equipment matches an IOC, or lateral movement is found in the intranet; the source is then traced through further evidence collection and analysis (usually hard to find).

Internal proactive reporting

The attacked persons report incidents themselves, such as phishing mail or abnormal endpoint events. Internal security awareness publicity needs to be strengthened for this to work.

Internal active trapping

High-interaction honeypot devices or bait information lure the relevant organizations into attacking, after which samples and organization information are captured.

External open-source intelligence

Second-hand intelligence

Second-hand intelligence lacks precise research and judgment, and the authenticity of its content must be considered, so it can only serve as a reference.

  • Threat analysis reports, security information and news from domestic and foreign security vendors
  • Security vendor advisories
  • Social networks: Twitter, official accounts, etc.
  • Sites that collect historical APT reports

Types of intelligence to focus on

  • Security news
  • Analysis of malicious code such as ransomware, mining viruses and exploit tools
  • 0day vulnerability analysis and exploitation techniques
  • Attack events: targeted attacks, malicious mail delivery, supply chain attacks, etc.
  • APT organization analysis reports, APT event analysis, APT techniques

First-hand intelligence

  • Malware capture and analysis
  • WikiLeaks secret document disclosures

Attacker discovery

Different APT organizations often use different attack methods. Take Poison Cloud Vine, for example: from public vulnerability write-ups it is known to download a malicious payload named tiny1detvghrt.tmp from its control domain. Searching for that content in cyberspace search engines such as ZoomEye or fofa may locate the machine hosting the payload; its IP attribution, historical ports, and the activity period of its services can then be analyzed further.

Means of distinguishing APT organizations

APT organizations are usually distinguished by their attack entry point, coding style, encryption, malicious tools, exploits, IOCs and task activity.

Traditional means
Malicious sample capture
Static analysis: file name, file size, timestamp, packer information, compiler information, entry point, code section size, detection (virus) name, SSDEEP
Dynamic analysis: dropped file names, dropped file paths, registry keys and values, domain names, IPs, URLs, IP geolocation
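As an added example (not code from the original post), the following stdlib-only Python script pulls most of the static-analysis fields listed above out of a PE header: hash, file size, compile timestamp, machine, entry point and the section it lands in, section names, and a crude packer ("shell") hint. SSDEEP is left out because it needs a third-party library; the sample image is constructed inline and is not a real malware sample.

```python
import hashlib
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}
PACKER_SECTIONS = ("UPX", ".aspack", ".petite", ".vmp", ".themida")  # well-known packer section names


def triage_pe(data: bytes) -> dict:
    """Static triage of a PE image: hash, size, machine, compile time, entry point and packer hint."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 60)[0]                      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24                                               # optional header follows the COFF header
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]             # AddressOfEntryPoint (RVA), same offset in PE32/PE32+
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + i * 40                               # section headers are 40 bytes each
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, vaddr, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vaddr, max(vsize, raw_size)))
    entry_sec = next((n for n, va, sz in sections if va <= entry < va + sz), None)
    # An entry point outside every section, or a packer-named section, hints at a packed ("shelled") sample.
    packer_hint = entry_sec is None or any(n.startswith(PACKER_SECTIONS) for n, _, _ in sections)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "machine": MACHINES.get(machine, hex(machine)),
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "entry_point": entry,
        "entry_section": entry_sec,
        "sections": [n for n, _, _ in sections],
        "packer_hint": packer_hint,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real sample): DOS stub, COFF + optional header, one .text section."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                                 # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1600000000, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                             # AddressOfEntryPoint inside .text
    sec = b".text".ljust(8, b"\x00") + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sec
```

Feed `triage_pe` the bytes of a captured sample and diff the resulting dict across samples; a shared compile timestamp, section layout or packer is one of the cheap clues used to cluster samples by group.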

Emerging means
Machine learning:
Train on the collected data, compare it across multiple dimensions, and build a data model.

Structured output

Type                  Content
Organization name     XXX
Attack targets        Government, energy
Attacked country      China
Attack purpose        Information theft, sensitive information, extortion
Attack time           Activity period
Attack methods        Spear phishing → drop PowerShell script → RAT
Bait type             doc, lnk, etc.
Development language  C, C#, VB, PowerShell, etc.
Arsenal               CVE-xxx-xxx

APT defense

At present there are three popular lines of thinking for defending against APT in the industry:
1. Use advanced detection technology and correlated data analysis to find APT behavior; a typical company is FireEye.
2. Use data encryption and data leakage prevention (DLP) to prevent the leakage of sensitive data; a typical company is Symantec.
3. Use identity authentication and user privilege management to strictly control intranet access to core data and services; a typical company is RSA.
For ordinary enterprises the best defense is to improve personnel security awareness, because APT entry points are often attack chains built around specific personnel; the various technical security measures come second.

APT traceability and blue team work

As a blue team, our main focus is on attack capture and target matching.
1. Counterattack the hosts that scanned us during daily operations, then look for malicious programs and remote-control Trojans on those compromised hosts ("broilers"), and after sandbox analysis match their IOCs and features against known targets.
2. Extract malicious programs and files from anti-virus or mail gateways, then analyze their IOCs and features and match them against known targets.
3. Capture with high-interaction honeypots; attackers often leave malicious programs behind in them, which are extracted, analyzed and finally matched.
4. Track the APT organizations that attack the energy and electric power industries, collect their attack methods and samples, and monitor and match them internally, so that an attack can be compared quickly once discovered.
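The IOC matching that the passive-discovery section and the blue team workflow above rely on, as an added example that is not part of the original post: a small Python matcher that takes an IOC set in the shape a sandbox run or vendor report yields (domain, IP, SHA-256, dropped file name) and runs it over proxy and EDR log lines, matching subdomains of a known control domain as well. All indicator values and log lines are constructed placeholders; only the file name tiny1detvghrt.tmp comes from the post.

```python
import re

# Constructed IOC set with placeholder values (not real indicators), keyed by indicator type.
IOCS = {
    "domain": {"update.example-c2.test"},
    "ip": {"203.0.113.45"},
    "sha256": {"a" * 64},
    "filename": {"tiny1detvghrt.tmp"},   # dropped-file name the post cites for Poison Cloud Vine
}

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b([0-9a-f]{64})\b", re.I)
FILE_RE = re.compile(r"([\w.-]+\.(?:tmp|exe|dll|hta|lnk|doc|docx|ps1))\b", re.I)


def domain_matches(host):
    """Match the host or any parent domain: cdn.update.example-c2.test hits update.example-c2.test."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):          # never match on the bare TLD
        cand = ".".join(labels[i:])
        if cand in IOCS["domain"]:
            return cand
    return None


def match_line(line):
    """Return sorted (ioc_type, indicator) pairs found in one log line."""
    hits = set()
    for host in DOMAIN_RE.findall(line):
        d = domain_matches(host)
        if d:
            hits.add(("domain", d))
    hits |= {("ip", ip) for ip in IP_RE.findall(line) if ip in IOCS["ip"]}
    hits |= {("sha256", h.lower()) for h in SHA256_RE.findall(line) if h.lower() in IOCS["sha256"]}
    hits |= {("filename", f.lower()) for f in FILE_RE.findall(line) if f.lower() in IOCS["filename"]}
    return sorted(hits)


def scan(lines):
    """Run every line through match_line; keep (line_no, line, hits) for the lines that hit."""
    return [(n, line, h) for n, line in enumerate(lines, 1) if (h := match_line(line))]


# Constructed proxy and EDR log lines (not real telemetry).
SAMPLE_LOGS = [
    "2021-09-14T02:11:07Z proxy src=10.0.0.12 dst=203.0.113.45 url=http://cdn.update.example-c2.test/tiny1detvghrt.tmp status=200",
    "2021-09-14T02:11:09Z edr host=WS-0231 event=file_create path=C:\\Users\\bob\\AppData\\Local\\Temp\\tiny1detvghrt.tmp sha256=" + "a" * 64,
    "2021-09-14T02:12:00Z proxy src=10.0.0.13 dst=198.51.100.7 url=https://www.example.org/index.html status=200",
]
```

Each hit carries its indicator type, so a line matching on domain, IP and file name together is a much stronger signal than a lone file-name match, which is the kind of multi-field comparison the matching steps above call for.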


In the blue team's daily work, analyzing the attack methods and processes of APT organizations helps us defend against their attacks better, and at the same time lets us deploy targeted countermeasures at nodes on their attack path, which supports traceability and counter-attribution work. The ultimate goal is to work out their attack purpose and target range, so that APT attacks can be discovered in time.

References

360 Core Security technology blog
2020 Global APT Annual Report
APT-related information

Please include the original link when reprinting, thanks.