One of the primary methods the PLA gains a beachhead inside the target firm is through spear-phishing, which uses a personalized email that entices the victim into clicking on a malicious link.
The Initial Compromise represents the methods intruders use to first penetrate a target organization’s network. As with most other APT groups, spear phishing is APT1’s most commonly used technique. The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples’ names — names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel — and uses these accounts to send the emails. As a real-world example, this is an email that APT1 sent to Mandiant employees:
At first glance, the email appeared to be from Mandiant’s CEO, Kevin Mandia. However, further scrutiny shows that the email was not sent from a Mandiant email account, but from “email@example.com”. Rocketmail is a free webmail service. The account “firstname.lastname@example.org” does not belong to Mr. Mandia. Rather, an APT1 actor likely signed up for the account specifically for this spear phishing event. If anyone had clicked on the link that day (which no one did, thankfully), their computer would have downloaded a malicious ZIP file named “Internal_Discussion_Press_Release_In_Next_Week8.zip”. This file contained a malicious executable that installs a custom APT1 backdoor that we call WEBC2-TABLE.
Although the files that APT1 actors attach or link to spear phishing emails are not always in ZIP format, this is the predominant trend we have observed in the last several years. Below is a sampling of file names that APT1 has used with their malicious ZIP files:
The example file names include military, economic, and diplomatic themes, suggesting the wide range of industries that APT1 targets. Some names are also generic (e.g., “updated_office_contact_v1.zip”) and could be used for targets in any industry.
On some occasions, unsuspecting email recipients have replied to the spear phishing messages, believing they were communicating with their acquaintances. In one case a person replied, “I’m not sure if this is legit, so I didn’t open it.” Within 20 minutes, someone in APT1 responded with a terse email back: “It’s legit.”
Bottom line: trust no one.