Did Chinese Hackers Penetrate Your Network?

Has China’s APT1 hacker group probed your network? Lancope’s StealthWatch Labs has published a number of IP addresses that security admins may want to check against their logs.

Granted, Lancope would like to sell you its StealthWatch system, which combines flow-based anomaly detection and network performance monitoring into a service. However, its Labs team has published what the company promises will be an updated list of IP addresses in a bid to collectively detect, block, and eliminate “Comment Crew” attacks—no matter the products actually involved.

Although so-called Advanced Persistent Threats can come from all directions, the latest, highest-profile example originated what analyst firm Mandiant said was the Chinese military. The so-called APT1 group is believed to include thousands of people engaged in attacks against companies and agencies in the United States and elsewhere.

To date, Mandiant has contributed a list of MD5 hashes of the software allegedly used by the APT1 attackers; Symatec also provided a list of IP addresses used as command-and-control systems. StealthWatch has said it’s amassed additional hashes, domain names, and IP addresses from malware samples and collected data. According to the company, it’s likely these malware samples are associated with the same attacks, because they used the same command-and-control infrastructure.

Checking for IP addresses and hashes is like looking for mouse droppings: if you find them, chances are that you’ll be infested again. “Due to the persistent nature of these attacks, it is likely that if you were compromised in the past, your network may still be targeted now and in the future,” StealthWatch wrote. “Discovering these indicators can be an important starting point for a thorough forensic investigation.”

The five new domain names that StealthWatch found include:

  • adobeservices.info.tm
  • express.it.cx
  • freewave.us.to
  • news.lflinkup.org
  • public.ddns.us

StealthWatch said it would maintain a list of the MD5 hashes in its blog post, listing the suspect IP addresses on a separate page.

StealthWatch insists that trying to determine whether or not a particular domain is hiding malware can be a tricky proposition. Pointing command-and-control domain names at popular destination addresses helps keep infected hosts hidden from network administrators—but as lots of activity on a given network is directed at these popular destinations, it can be difficult to pick out activity associated with malware infections. When the malware operator is ready to start using the malware, the domain names get pointed at systems under his control. Later, the domain names are pointed back at popular destinations again, effectively rendering the malware dormant.

Likewise, the IP addresses that StealthWatch aggregated are most likely the true command-and control-addresses, Lancope’s service said. But some of the IP addresses may be mixed in with legitimate services, too. Here’s hoping none of those get tossed out with the proverbial bathwater.


Image: rvisoft/Shutterstock.com