Disclosure of the power ranking of domestic and foreign APT groups

Posted by graebner at 2020-04-12

Remember the Korean disaster movie Pandora?

After a magnitude-6.1 earthquake on the Korean Peninsula, the No. 1 nuclear power plant in the Busan area explodes and falls into crisis. The explosion triggered by the large earthquake cracks the plant and leaks radioactive material, and the threat of a second round of explosions looms.

For ordinary people, "nuclear" is like the Pandora's box of legend. Information about the box is reinforced layer by layer and strictly protected. But there are always people with ulterior motives trying to learn more about this mysterious and powerful weapon, and they have gone to great lengths to do so, such as the recently disclosed advanced attack group Lanbaogu (Blue Mushroom).

Although the name is a little cute, this APT group is very fierce. Let's first take a look at its "achievements":

In March 2011, a Trojan related to the group was first found attacking relevant government agencies.

In November 2011, an attack was carried out on a nuclear industry research institute.

In January 2012, a large scientific research institution was attacked.

In March 2012, an attack was carried out on a military institution.

In June 2012, it attacked several top universities in China.

In June 2013, an attack was carried out on a central organization directly under the central government, and a new type of RAT was used at the same time.

In August 2014, the group used more than five kinds of lateral-movement malicious code to conduct a large number of lateral-movement attacks against key target institutions.

In December 2014, a new RAT was discovered. The backdoor has important functions such as stealing documents with specified extensions.

In September 2015, overseas Chinese offices in many countries were attacked.

In April 2018, a spear-phishing email attack was launched against an important sensitive financial institution in China.

Of course, this is only what we have learned so far; it does not mean we have a full picture of the group's attacks and behaviour.

Pei Zhiyong, director of the 360 Industry Security Research Center, revealed the big secret to the Zhaike channel. Lanbaogu's targets are said to be mainly in mainland China, with a focus on information about the nuclear industry, scientific research and related fields. Since 2011 it has conducted continuous cyber espionage against key units and departments in government, military industry, scientific research and finance, which can only be described as very persistent.

When it comes to the reasons behind the name "Blue Mushroom", Pei Zhiyong, wearing a scarf and slippers, laughs: "our team has specially studied the art of naming."

In fact, there are no uniform rules or norms for naming APT groups, but the organizations involved generally refer to three principles in the naming process:

Whoever finds it names it;

The attack methods of the APT group or the characteristics of its C&C servers;

The possible political and geopolitical background of the APT group.

According to Pei Zhiyong, they not only refer to the above three principles but also bring their own "design" to the naming of APT groups.

For example, by the principle of matching organization to target, APT groups are divided into three categories: overseas groups attacking overseas targets, overseas groups attacking domestic targets, and domestic groups attacking domestic targets (the fourth category is omitted here);

By the principle that the name must not exist in the real world, virtual, legendary and even mythical things are often used to name APT groups, which is not only cool and mysterious but also reflects the theme of warfare in virtual space;

In addition, by the principle of geographic and domain balance, they consider the geographic characteristics of the attacker and the target, as well as the specific domain the attacker works in. For example, the first APT group disclosed was "Sea Lotus". "Lotus" represents the geographic and cultural characteristics of the group, while "Sea" represents the fact that the group's main targets are active in the maritime field. Another example is the APT group "Golden Eye", whose name represents the attacker's targeting of financial institutions.

Finally, 360's naming of APT groups and their operations can be roughly divided into three series:

Phantom beasts (overseas groups attacking overseas targets, named after various legendary or virtual animals, such as Mermaid, Human-Faced Lion, etc.)

Magic plants (overseas groups attacking domestic targets, named after various legendary or virtual plants, such as Sea Lotus, Mahalea, Manling Flower, etc.)

Superman (domestic groups attacking domestic targets, named after various virtual human organs with superpowers, such as Golden Eye)

The overall landscape of espionage groups

In most people's eyes, these hacker groups engaged in cyber espionage are SSRs with maxed-out power, able to make big news with a flick of the fingers. Of course, there are countless APT groups in various countries, and there will be a big PK among the SSRs. The Zhaike channel has specially compiled a power ranking for the spectators.

No. 1: US & Russia

There is no doubt that the APT groups of the US and Russia are firmly in the first tier, but the characteristics of the two countries' groups are really different, even opposite in some respects.

First, the United States. American APT groups can be described in three phrases: technically superb, heavily armed and low-profile. At present the industry recognises two APT groups at the top tier: Equation and Sauron's Eye, whose backgrounds are generally believed to be the NSA (National Security Agency).

Pei Zhiyong said with emotion: "The EternalBlue exploit tool that caused the WannaCry disaster of 12 May 2017 is only one weapon in the Equation group arsenal leaked by the Shadow Brokers. But there is still no clear global conclusion about what EternalBlue was used to attack." This shows how low-key these technically superb American groups are. If Snowden had not come out and talked, there would be a lot we really would not know.

By contrast, Russia's APT groups have done a lot of high-profile, high-powered work, often with obvious political goals. Their attacks focus on actual results, and once they succeed, they can change the world order.

What has to be mentioned here is APT28, discovered in 2014. It is now generally believed that the giant behind it is the Russian military intelligence unit (GRU). If you are not familiar with this group, recall the event that directly changed world history: Hillary Clinton's email scandal. This formidable group also helped pro-Russian separatists track Ukrainian troops, causing more than half of an artillery unit to lose its weapons. It is the most influential cyber attack group in the political and historical development of the whole world so far.

No. 2: Iran & Israel & North Korea & South Korea & an unspeakable country

The runner-up team has five members. Iran's APT groups attack frequently and have long targeted countries such as Israel and Pakistan. Israel, the target, is also very strong. Although it rarely exposes attacks on a particular country, it is the world's largest online arms dealer; its daily business is selling vulnerabilities and Trojans. In 2016, the Trident vulnerabilities in Apple's iOS were believed to be linked to the Israeli cyber arms dealer NSO.

Another unexpected player is North Korea. In fact, the technical level of North Korean APT groups is not very high; the key lies in boldness. For example, Lazarus, a hacker group widely believed to be from North Korea, was identified in 2016. It hacked Sony Pictures Entertainment, paralysed South Korean financial institutions and media companies in the DarkSeoul attack, and stole 81 million US dollars from the central bank of Bangladesh (and no, this is not a setup). Apart from the mischief, in short, North Korea's APT groups are either dormant or go all in; every attack is earth-shaking.

Where there is North Korea, there is South Korea. Although the attacks of South Korean APT groups are not conspicuous, mutual attack and defence between the two is common. In addition, South Korea has many top talents. What do talents mean in a cyber war? Strength.

As for the last place, you can use your imagination; the editor will give no further hints.

APT group growth

It is fair to say that these SSR-level APT groups are very hard to find, but everything has a growth process, and APT groups are no exception.

Generally speaking, there are four stages from S rank to SSR:

In the first stage, the APT uses a lot of custom code, is hard to conceal and easily exposed, and often carries out pointless attacks;

The second stage is casting a wide net. By now the group's attack methods are becoming more mature; to find targets it casts a wide net and begins to use vulnerability exploits. APT groups are easy to detect in these two stages.

The third stage is the focused attack. Now the attacks are not easy to detect, targets are located precisely, 0-day vulnerabilities are used, and the attack code is highly evasive;

The fourth stage is the invisible attack, which sounds very powerful: the attack process can be hidden completely. By this point the group's code weapons have piled up into an arsenal and it holds a large number of 0-day vulnerabilities. At present, most US APT groups have developed into the fourth stage.

Take our protagonist Lanbaogu as an example. From 2011 to 2015 it was found in the first two stages, and after 2017 it entered the third stage; it can be clearly seen that there were fewer attacks in 2017-2018.

Specifically, the initial attacks mainly used binary executables carried by spear-phishing emails. The attacker sent spear-phishing emails imitating official mail to victims and induced them to open the malicious attachment. Most attachments used by the attacker were a WinRAR archive containing SCR files disguised as Word documents. Attachments downloaded later contained a malicious LNK file.

Once the victim is induced to open the LNK file, the LNK file executes the malicious PowerShell script embedded in it, which collects and uploads sensitive files from the user's computer and installs a persistent backdoor to monitor the computer over the long term.
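A defender-side check for the two delivery stages just described, added here as an example (not code from the 360 report or the Zhaike channel): it flags archive members that hide an SCR or LNK behind a document-looking name, and process-creation events where explorer.exe, which resolves a double-clicked LNK, launches PowerShell with stealth flags. The attachment names, process paths, flag list and event record are constructed assumptions.

```python
# Added example (not code from the 360 report): heuristics for the two delivery
# stages above, archive members hiding an SCR/LNK behind a document name, and
# explorer.exe (which resolves a double-clicked LNK) launching PowerShell with
# stealth flags. All attachment names, paths and events below are constructed.
import re
from dataclasses import dataclass

EXEC_EXT = {".scr", ".exe", ".lnk", ".pif", ".com"}   # .scr is a PE like .exe
DOC_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
RLO = "\u202e"   # right-to-left override, used to visually hide an extension

def risky_members(members):
    """Archive members that look like documents but run as code: double
    extensions (plan.docx.scr), bare SCR/LNK files, RLO-disguised names."""
    hits = []
    for name in members:
        parts = [p.strip() for p in name.lower().rsplit(".", 2)]
        ext = "." + parts[-1] if len(parts) > 1 else ""
        inner = "." + parts[-2] if len(parts) > 2 else ""
        if (RLO in name or ext in {".scr", ".lnk"}
                or (ext in EXEC_EXT and inner in DOC_EXT)):
            hits.append(name)
    return hits

@dataclass
class ProcEvent:          # one process-creation record from an EDR/Sysmon feed
    parent_image: str
    image: str
    cmdline: str

# Flags the LNK stage needs to run its script quietly: hidden window, no profile,
# encoded command, execution-policy bypass (assumed list, extend to taste).
PS_STEALTH = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\b"
    r"|nop(?:rofile)?\b|e(?:p|xec|xecutionpolicy)\s+bypass)", re.I)

def lnk_powershell_launch(ev):
    """True when explorer.exe starts powershell.exe with stealth flags, the
    process pattern of the LNK stage. A strong signal, not proof on its own."""
    return (ev.parent_image.lower().endswith("explorer.exe")
            and ev.image.lower().endswith("powershell.exe")
            and PS_STEALTH.search(ev.cmdline) is not None)

def demo():
    """Runs both checks over a constructed attachment list and process event."""
    members = ["Research plan.docx.scr", "readme.txt", "meeting notes.lnk", "budget.xlsx"]
    ev = ProcEvent(r"C:\Windows\explorer.exe",
                   r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   "powershell.exe -w hidden -nop -enc PLACEHOLDER_BASE64_SCRIPT")
    return risky_members(members), lnk_powershell_launch(ev)
```

In practice the archive check runs on mail-gateway attachment listings and the process check on endpoint telemetry; together they cover the archive stage and the LNK stage the text describes.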

Defending against APT groups

In the face of these SSRs, how can we discover and reconstruct the history and full picture of an APT group's activities? Pei Zhiyong gives an example of a commonly used analysis method and describes it with an image: lifting a bunch of grapes.

How do you lift it?

It is the same as traditional detective work: first identify the victim, then map out the victim's social relations, and each relationship chain links to other relationship chains.

In an APT attack, once we determine that a sample is an advanced attack sample, we can first find related clues in historical big data: which black and grey samples are homologous with this sample, which malicious servers this sample has connected to, and which computers have been attacked by this sample or its homologous samples.

Then we can develop more clues from those extended clues. For example, other computers connected to the malicious server may be targets of the attack, and other unknown programs on the infected computer may also be the APT's Trojans.

Next, the homologous APT Trojans found along the extended line may have connected to more servers, so those servers may also belong to the same APT group. At the same time, servers whose activity and behaviour resemble those of known malicious servers may also belong to the same group.

"In this way, a sample can be associated with a number of clues, and those clues can be associated with more clues. It is like lifting a bunch of grapes: grab one end and a whole bunch comes up. As long as there is enough large-scale security history data and fast enough analysis and retrieval capability over that data, an organization's attack scope and attack history can be quickly reconstructed," Pei Zhiyong said.
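The grape-lifting pivot described above, as an added example that is not 360's tooling: starting from one confirmed sample, it expands breadth-first over sample-to-C2, sample-to-host, homology and similar-server links drawn from a constructed set of placeholder records, keeping the hop count so that distant, weaker clues can be weighed accordingly.

```python
# Added example (not 360's tooling) of the grape-lifting pivot above: start from
# one confirmed sample and expand breadth-first over sample<->C2, sample<->host,
# homology (shared code) and similar-server links. Records are constructed
# placeholders standing in for "historical big data".
from collections import defaultdict, deque

RECORDS = [   # (relation, node, node); nodes are "type:name"
    ("connects", "sample:A1", "c2:srv-1.example"),
    ("infects", "sample:A1", "host:workstation-7"),
    ("homolog", "sample:A1", "sample:A2"),             # shared code/builder
    ("connects", "sample:A2", "c2:srv-2.example"),
    ("infects", "sample:B9", "host:workstation-7"),    # unknown binary, same host
    ("connects", "sample:B9", "c2:srv-3.example"),
    ("infects", "sample:A3", "host:lab-pc-2"),
    ("connects", "sample:A3", "c2:srv-1.example"),     # shares A1's C2 server
    ("similar", "c2:srv-2.example", "c2:srv-9.example"),  # same behaviour profile
    ("connects", "sample:Z0", "c2:unrelated.example"),    # noise, never reached
]

def build_graph(records):
    """Undirected adjacency: every relation can be pivoted in both directions."""
    graph = defaultdict(set)
    for _, a, b in records:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def lift_grapes(seed, graph, max_hops=4):
    """Breadth-first expansion from the seed sample. Returns {node: hops} so the
    analyst can weigh distant, weaker clues less than direct ones."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:      # stop the bunch growing without bound
            continue
        for nxt in graph[node]:
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops

def cluster(seed, records=RECORDS, max_hops=4):
    """Group every reachable clue by type: samples, C2 servers, victim hosts."""
    out = defaultdict(dict)
    for node, h in lift_grapes(seed, build_graph(records), max_hops).items():
        kind, name = node.split(":", 1)
        out[kind][name] = h
    return dict(out)
```

Running cluster("sample:A1") pulls in A2 (homology), A3 (shared C2), B9 (same infected host) and the servers and hosts behind them, while the unrelated Z0 record is never reached.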

In the end, it all depends on big data. That is a good thing: it can not only track servers but also build a database of hackers' historical "gene maps".

Members of APT groups are not top experts from the start. Everyone has a newbie period on hacking forums. If a file is opened on a hacker from the first day they enter a forum, they will leave some information at every step.

Finally, in the face of these SSRs, do we have any defensive capability?

"In theory, it is impossible to defend against all of them. After all, these groups have definite goals, and the value of those goals is unlimited. What these APT groups need to do is use every means to achieve them," Pei Zhiyong told the Zhaike channel.

For the defender, who stands in the open, the high randomness, sparse samples, advanced techniques and difficulty of detection all make APT groups and their operations hard to research.

"For us, the most valuable defence strategy is combining big data technology with high-level security operations: find problems at the first opportunity, respond quickly and reduce losses," Pei Zhiyong said.

An official account under Leiphone.com, focusing on cutting-edge technology and telling the stories behind hackers.