In attack-and-defense drills, a high-quality blue team report often needs to trace an attack back to its source: the red team, a domestic criminal gang, or a foreign APT group.

At this stage red teams protect their own information fairly well. Judging from earlier successful traceability cases, attribution still mostly comes from the same few means: pulling the attacker's account ID from front-end JavaScript, MySQL counter-measures against the attacker's client, and high-interaction honeypots with bait delivery.

Besides the red team, attributing domestic criminal gangs and foreign APT attacks also earns points, so I usually treat tracking and discovering APT groups as an important part of the work.

APT attack definition

An APT attack (Advanced Persistent Threat) is a long-term, sustained network attack carried out by an organization (especially a government) or a small group against a specific target using the most advanced attack methods currently available. The "advanced" nature of an APT lies in precise information collection, a high degree of stealth, the use of varied and complex network infrastructure, and precise exploitation of application vulnerabilities in the target. Because the attacker's methods are more sophisticated than those of other attack forms, APT is described as the highest level of security confrontation in cyberspace. In short, an APT is a network attack and intrusion launched by hackers against a victim with the goal of stealing core information.

APT has three elements: advanced, persistent, threat. "Advanced" emphasizes the use of sophisticated malware and techniques to exploit vulnerabilities in the target system. "Persistent" means an external actor continuously monitors a specific target and extracts data from it. "Threat" means the attack is deliberately planned by people.

The principle of an APT attack is more advanced than that of other attack forms. This is mainly reflected in the fact that before launching the attack, the attacker precisely collects the target's business processes and target systems. During collection the attacker actively exploits vulnerabilities in the trusted systems and applications of the target, uses those vulnerabilities to build the infrastructure the attack needs, and may use 0-day vulnerabilities in the attack.

APT Organization chart

Common APT attack methods

  • Spear phishing
  • Watering hole attacks
  • Drive-by downloads
  • Social engineering
  • Deception through instant-messaging tools

The top 5 APT groups that attack China

APT-C-00 OceanLotus (海莲花)

OceanLotus is an APT group that has long targeted governments, scientific research institutions, maritime enterprises and similar sectors in China and other East Asian and Southeast Asian countries and regions, and it is one of the most active APT groups operating against China. The group mainly uses spear phishing and watering hole attacks, infiltrates with a variety of social engineering techniques, delivers purpose-built Trojans to specific target groups in China, and secretly controls the computers of government personnel, outsourced staff and industry experts in order to steal confidential information from the relevant fields. Judging from its attack tactics and targets over the years, OceanLotus is very likely a highly organized, specialized overseas national hacker group with the backing of a foreign government.

APT-C-06 Darkhotel

APT-C-06 is a long-active overseas APT group whose main targets include China. Its attacks are aimed at stealing sensitive data and information for cyber espionage; the DarkHotel activity can be regarded as one of a series of APT-C-06 campaigns. In its attacks on China the group mainly targets the government and scientific research sectors, with a strong focus on one particular field. Related attacks can be traced back to 2007, and the group is still very active.

APT-C-08 Bitter (蔓灵花)

Bitter (APT-C-08) is an APT group that has long targeted China, Pakistan and other countries. It mainly attacks government, electric power and military-industry organizations, chiefly to steal sensitive information, has a strong political background, and is currently one of the active overseas APT groups attacking domestic targets.

APT-C-01 毒云藤 (Poison Cloud Vine)

APT-C-01 is an APT group that has long conducted cyber espionage against important domestic institutions in the defense, government, science and technology, and education sectors. Its earliest attacks can be traced back to 2007. The group is skilled at spear phishing and watering hole attacks against its targets, implants modified versions of the commercial ZXShell, Poison Ivy and XRAT Trojans, and uses dynamic domain names as its command-and-control infrastructure.

APT-C-24 SideWinder (响尾蛇)

SideWinder is a mature attack group. It is skilled at attacking with Office vulnerabilities, HTA scripts, DLL side-loading ("white and black" file pairs), VB Trojans and other techniques, and its attack tactics are still evolving. At present its targets are mainly in Pakistan, but given the geography, attacks against targets in China cannot be ruled out, so the relevant departments, units and enterprises must not take it lightly.

Discovering and tracing APT groups

Internal passive discovery

Alerts from security equipment reveal a matching IOC or lateral movement inside the intranet; evidence is then collected and the source analyzed further (this is usually hard to find).

Internal active reporting

The victim reports the incident themselves, for example a phishing e-mail or an abnormal event on their endpoint. Internal network security awareness training needs to be strengthened for this to work.

Internal active trapping

High-interaction honeypots or bait information lure the relevant groups into attacking, after which the samples and group information they leave behind are captured.

External open-source intelligence

Second-hand intelligence

Second-hand intelligence has not been through rigorous research and evaluation and its authenticity must be weighed, so it can only be used as a reference.

  • Threat analysis reports, security information and news from domestic and foreign security vendors
  • Security vendors' security advisories
  • Social networks such as Twitter and official accounts
  • Sites that collect historical APT reports

The types of intelligence we need to focus on

  • Security news
  • Analysis of malicious code such as ransomware, mining malware and exploit tools
  • Analysis of 0-day vulnerabilities and exploitation techniques
  • Attack events: targeted attacks, malicious e-mail delivery, supply chain attacks and so on
  • APT group analysis reports, APT event analysis and APT techniques

First-hand intelligence

Malware capture and analysis

WikiLeaks document disclosures

Attacker discovery

Different APT groups often use different attack methods. Take 毒云藤 (APT-C-01) for example: from the public vulnerability write-ups it is known that the group downloads a malicious payload named tiny1detvghrt.tmp from its control domain. Searching for that string in a cyberspace search engine such as ZoomEye or FOFA may turn up the machine hosting the payload; from there you can look at the IP's attribution, its historical open ports, and the activity window of the service.

Means of attributing APT groups

APT groups are usually distinguished by their entry vector, encoding style, encryption, malicious tools, exploits, IOCs, and task activity (timing).

Traditional means

Malicious sample capture

Static analysis:

File name, file size, timestamp, packer information, compiler information, entry point, code segment size, AV detection name, SSDEEP

Dynamic analysis: names and paths of dropped files, registry keys and values, domain names, IPs, URLs, IP geolocation

Emerging means

Machine learning:

Train on the data and compare it across multiple dimensions to build a data model
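As an added example that is not part of the original post, the following Python script pulls several of the static-analysis fields listed above straight out of a PE header using only the standard library: file size, SHA-256 (standing in for SSDEEP, which needs a third-party library), compile timestamp, linker version, entry point, code-segment size, and per-section entropy as a packer indicator. The PE image it parses is constructed inside the script so it runs offline; the list of packer section names and the entropy threshold are my own assumptions, not a vendor's.

```python
import hashlib
import json
import math
import struct
from datetime import datetime, timezone

# Section names commonly left behind by packers (assumed list, not exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".petite", ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 means every byte value is equally common,
    which is typical of packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(blob: bytes) -> dict:
    """Extract static-triage fields from a PE image held in memory."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, (symbols), SizeOfOptionalHeader, Characteristics
    machine, nsect, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic, maj_link, min_link, size_of_code = struct.unpack_from("<HBBI", blob, opt)
    (entry_point,) = struct.unpack_from("<I", blob, opt + 16)  # AddressOfEntryPoint
    sections = []
    sect_off = opt + opt_size
    for i in range(nsect):  # each section header is 40 bytes
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, sect_off + i * 40)
        data = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": hex(vaddr), "raw_size": raw_size,
                         "entropy": round(shannon_entropy(data), 2)})
    packer_suspected = any(s["name"] in PACKER_SECTION_NAMES or s["entropy"] > 7.0 for s in sections)
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "size": len(blob),
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "machine": hex(machine),
        "characteristics": hex(chars),
        "pe_format": "PE32+" if magic == 0x20B else "PE32",
        "linker_version": f"{maj_link}.{min_link}",
        "entry_point": hex(entry_point),
        "size_of_code": size_of_code,
        "sections": sections,
        "packer_suspected": packer_suspected,
    }


def build_sample_pe() -> bytes:
    """Assemble a minimal constructed PE32 image for the demo (not a real binary)."""
    text = b"\x90" * 255 + b"\xc3"      # low-entropy NOP sled plus ret
    packed = bytes(range(256)) * 4      # every byte value 4 times: entropy exactly 8.0
    opt_size = 0xE0
    headers_len = 0x40 + 4 + 20 + opt_size + 2 * 40
    text_ptr = (headers_len + 0x1FF) & ~0x1FF   # raw data aligned to 512 bytes
    packed_ptr = text_ptr + 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1609459200, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, len(text), len(packed), 0,
                      0x1000, 0x1000, 0x2000) + struct.pack("<I", 0x400000)
    opt = opt.ljust(opt_size, b"\0")
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, 0x200, text_ptr, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b"UPX1", len(packed), 0x2000, 0x400, packed_ptr, 0, 0, 0, 0, 0xE0000040)
    img = (dos + b"PE\0\0" + coff + opt + sec1 + sec2).ljust(text_ptr, b"\0")
    return img + text.ljust(0x200, b"\0") + packed


if __name__ == "__main__":
    print(json.dumps(triage_pe(build_sample_pe()), indent=2))
```

The same fields feed the structured-output table later in the post; in practice the compile timestamp, linker version and section layout are compared across samples to group them by toolchain, and a packer hit tells you the static fields of the outer layer say little about the real payload.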

Structured output

Type               Content
Organization name  XXX
Attack targets     Government, energy
Target country     China
Attack purpose     Information theft, sensitive data, extortion
Attack period      Time window
Attack method      Spear phishing → drop PowerShell script → RAT
Bait type          doc, lnk, etc.
Languages used     C, C#, VB, PowerShell, etc.
Arsenal            CVE-xxx-xxx

APT defense

At present there are three popular lines of thinking on APT defense in the industry:

1. Use advanced detection technology and correlated data analysis to find APT behavior; a typical company is FireEye.

2. Use data encryption and data leakage prevention (DLP) to prevent the leakage of sensitive data; a typical company is Symantec.

3. Use identity authentication and user privilege management to strictly control intranet access to core data and services; a typical company is RSA.

For ordinary enterprises the best defense is to improve personnel's security awareness, because the entry point of an APT attack is usually an attack chain built around specific people; the various technical security measures come second.

APT traceability and blue team work

As a blue team, our main focus is on capturing attacks and matching them against known targets.

1. Counter-attack the hosts that scanned us during the day, look for malicious programs and remote-control Trojans on those compromised hosts, then sandbox them and match the resulting IOCs and features against known targets.

2. Extract malicious programs and files from anti-virus or mail gateways, then analyze their IOCs and features and match them against known targets.

3. Capture with high-interaction honeypots; attackers often leave malicious programs behind in them, which are then extracted, analyzed and finally matched.

4. Track the APT groups that attack the energy and electric power industries, collect their attack methods and samples, and monitor and match for them internally so that an attack can be compared quickly once it is discovered.


In the blue team's daily work, analyzing an APT group's attack methods and processes helps us defend against its attacks better; at the same time, countermeasures can be deployed in a targeted way at the nodes of its attack path, which helps with traceability and with counter-attacks. The ultimate goal is to work out the group's purpose and target range and to discover APT attacks in time.
