Mandiant APT1 Report: 25 Best Commentaries

Posted: 08/03/2013 in Uncategorized

Immediately after reading the report grab the appendix of Key Indicators (KI) and Indicators of Compromise (IOC) and parse the last six weeks of network traffic you have captured. Uh, oh, have not have been recording network traffic? Fix that. Today. Download and install WireShark or other packet capture tool right now. Then, call Solera Networks or RSA Netwitness and get some real tools. Better yet, install Solera’s free tool while you are waiting for the call back. Begin to parse that network traffic looking for signs that you too are compromised by Unit 61398 of the People’s Liberation Army.

Next look at every Windows machine on your network. Start with yours. Mandiant provides a free tool, Redline,  that can quickly check for the Indicators of Compromise.

GO. Stop reading.


If you are on the policy, compliance, or risk management side of the house please continue reading. You have a lot of soul searching to do in the coming weeks. You must reevaluate your role and responsibility in light of a clear and present danger:


A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.


There are hundreds of organizations within governments, financial, technology, and energy sectors, that already know about this. By the end of the week there will be at least a million thanks to Mandiant’s audacious but considered report. Resources, in terms of consultants, vendors, and people, are going to be in high demand. Act fast.


Read more

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s