
Have You Been Targeted by Chinese Espionage Units?

By Dr. John Murphy | March 28, 2013



Using Mandiant’s Analysis and FlowTraq to Identify Threats

Recently, hacking attempts have been in the news again, this time with accusations that a Chinese military unit, Unit 61398 in Shanghai, has been responsible for a large number of spear phishing and other attacks. These attacks appear to be focused on getting Windows users to run disguised EXE files, which in turn exfiltrate data. Their first-line emails are well-written and targeted, and make use of subtle tricks like naming a file “filename.pdf     .exe” so that the displayed filename is truncated at the .pdf. There are a number of interesting articles on the subject, as well as Mandiant’s excellent analysis “APT1: Exposing One of China’s Cyber Espionage Units”.

When reading through Mandiant’s analysis, we can see how FlowTraq can be used to track down these spear-phishing attempts. They have identified a broad set of IP addresses associated with this military unit for various tasks, though as with any security analysis it can never be entirely complete. Table 8 on page 40 of their analysis includes IP addresses associated with their ‘hop points’: intermediary systems used as bridges so that their attacks are disguised, using techniques including FTP and Remote Desktop. We’ve annotated the list with the best-fit CIDR block.

223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
114.80.0.0 - 114.95.255.255 (114.80.0.0/12)
101.80.0.0 - 101.95.255.255 (101.80.0.0/12)

FlowTraq’s filtering ability allows you to search for, and alert on, IP CIDR blocks such as those above. You can either put each block in its own filter line, or paste the following string into a single line:

223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 139.226.0.0/15, 114.80.0.0/12, 101.80.0.0/12

If you see connections to or from your network involving these IP ranges over the last year, examine the protocols in use. If you see FTP command channels (TCP port 21), Windows Remote Desktop (TCP port 3389), or any other file transfer or remote control protocol, we recommend investigating that connection, and we urge you to read Mandiant’s report to understand the nature of the potential threat.

Later in their report, Table 9 shows the connections they have seen using the “HUC Packet Transmit Tool” (HTRAN), a tunneling tool allowing, in this case, the attacker to make use of middle-man networks. HTRAN can be configured to use a number of ports, but TCP ports 80 and 443 are common. Mandiant specifically lists 443 as being seen in the wild. The list of IP addresses looks similar to the ‘hop point’ ranges shown earlier.

223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
143.89.0.0 - 143.89.255.255 (143.89.0.0/16, Hong Kong University of Science and Technology)

(Single line: 223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 139.226.0.0/15, 143.89.0.0/16)

Finally, they identified a number of domain names used in these attacks that have resolved to IP addresses that should look familiar by now. All of them belong to China Unicom Shanghai Network.

223.166.0.0 - 223.167.255.255 (223.166.0.0/15)
58.246.0.0 - 58.247.255.255 (58.246.0.0/15)
112.64.0.0 - 112.65.255.255 (112.64.0.0/15)
114.80.0.0 - 114.95.255.255 (114.80.0.0/12)
139.226.0.0 - 139.227.255.255 (139.226.0.0/15)
222.64.0.0 - 222.73.255.255 (222.64.0.0/13 and 222.72.0.0/15)
116.224.0.0 - 116.239.255.255 (116.224.0.0/12)

(Single line: 223.166.0.0/15, 58.246.0.0/15, 112.64.0.0/15, 114.80.0.0/12, 139.226.0.0/15, 222.64.0.0/13, 222.72.0.0/15, 116.224.0.0/12)
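The same check can be run outside FlowTraq against any NetFlow-style export. The following is an added example, not FlowTraq’s own code: it loads the three CIDR lists above (hop points, HTRAN, and domain resolutions) exactly as annotated in this post, tags every flow whose source or destination falls inside one of them, and raises the priority when the destination port is one the post singles out (TCP 21, 3389, 80, 443). The flow records, their field names (src, dst, proto, dport), and the 10.0.0.0/8 local addresses are constructed stand-ins for real NetFlow v5/v9 records.

```python
"""Match NetFlow-style records against the CIDR blocks listed in the post.

Added example (not FlowTraq code). Flow records and field names are
constructed for illustration; real NetFlow exports carry many more fields.
"""
import ipaddress

# CIDR blocks exactly as annotated in the post, grouped by the Mandiant table
# they were derived from. Overlap between the groups is intentional: a hit
# reports every list the address appears in.
WATCHLISTS = {
    "hop_point": [
        "223.166.0.0/15", "58.246.0.0/15", "112.64.0.0/15",
        "139.226.0.0/15", "114.80.0.0/12", "101.80.0.0/12",
    ],
    "htran": [
        "223.166.0.0/15", "58.246.0.0/15", "112.64.0.0/15",
        "139.226.0.0/15", "143.89.0.0/16",
    ],
    "domain_resolution": [
        "223.166.0.0/15", "58.246.0.0/15", "112.64.0.0/15",
        "114.80.0.0/12", "139.226.0.0/15", "222.64.0.0/13",
        "222.72.0.0/15", "116.224.0.0/12",
    ],
}

# TCP ports the post singles out when seen together with these ranges.
PORTS_OF_INTEREST = {
    21: "FTP control",
    3389: "RDP",
    80: "HTTP (HTRAN)",
    443: "HTTPS (HTRAN)",
}


def build_networks(watchlists=WATCHLISTS):
    """Parse the CIDR strings once; returns {label: [IPv4Network, ...]}."""
    return {label: [ipaddress.ip_network(c) for c in cidrs]
            for label, cidrs in watchlists.items()}


def match_address(addr, networks):
    """Return the set of watchlist labels whose blocks contain addr."""
    ip = ipaddress.ip_address(addr)
    return {label for label, nets in networks.items()
            if any(ip in net for net in nets)}


def flag_flows(flows, networks=None):
    """Return one finding per flow that touches a watched range.

    flows: iterable of dicts with keys src, dst, proto, dport (a constructed
    stand-in for NetFlow records). A finding records which side matched,
    which lists it matched, and whether the port is one worth prioritising.
    """
    if networks is None:
        networks = build_networks()
    findings = []
    for flow in flows:
        matched = {}
        for side in ("src", "dst"):
            labels = match_address(flow[side], networks)
            if labels:
                matched[side] = sorted(labels)
        if not matched:
            continue
        service = None
        if flow["proto"] == "tcp":
            service = PORTS_OF_INTEREST.get(flow["dport"])
        findings.append({
            "src": flow["src"], "dst": flow["dst"],
            "proto": flow["proto"], "dport": flow["dport"],
            "matched": matched,
            "service": service,
            "priority": "high" if service else "review",
        })
    return findings


# Constructed sample flows; 10.0.0.0/8 stands in for the local network.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "223.166.12.34", "proto": "tcp", "dport": 21},
    {"src": "58.247.200.1", "dst": "10.1.2.50", "proto": "tcp", "dport": 3389},
    {"src": "10.1.2.3", "dst": "143.89.5.5", "proto": "tcp", "dport": 443},
    {"src": "10.1.2.3", "dst": "222.73.1.1", "proto": "udp", "dport": 53},
    {"src": "10.1.2.3", "dst": "8.8.8.8", "proto": "udp", "dport": 53},
]

if __name__ == "__main__":
    for finding in flag_flows(SAMPLE_FLOWS):
        print(finding)
```

Matches are reported per list rather than against a single merged range so that an analyst can see whether an address came from the hop-point table, the HTRAN table, or the domain resolutions, which changes what to look for in the rest of the flow. A UDP flow to a watched range is still reported, only at the lower "review" priority, since the post’s port guidance covers TCP services only.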

Our hats are off to the folks at Mandiant for some impressive detective work. Again, we highly recommend visiting their site to learn more about not only this particular threat (especially if you detect connections to any of the IP ranges listed here), but also the tools and techniques being used in this domain. That will enable you both to search your NetFlow record and also to educate your users about what to watch for.

Identify Threats on Your Network Right Now!

Download a free 14-day trial of the FlowTraq NetFlow Monitoring solution and put the results of Mandiant’s analysis to work for you today.