(Update 20/feb/2013: New signatures added)
As many of you probably know, Mandiant has issued a report accusing the Chinese People’s Liberation Army of being behind the attacks that different companies, both American and other nationalities, have been suffering in recent years.
The report, which is accessible from its website, provides a variety of technical details and the body of evidence supporting the theory that the Chinese government is actually behind the attacks, as has been advocating for the past years. Although some security experts point to analytical flaws in the study by Mandiant (Mandiant APT1 Report Has Critical Analytic Flaws), I think that there is no doubt that China has cyber espionage programs via the Internet. Does that surprise you? Just as no one should be surprised, as pointed out by @antoniosanzalc on Twitter, that other militar powers such as Israel and U.S. have in place cyber espionage programs. Indeed, one might almost say that it would be unwise not to.
Returning to Mandiant report, annexes show information that could help identify infected systems or organizations, either by connecting to DNS systems, use of SSL certificates or other. Although it is possible that after the publication of the report —provided that the information and conclusions of Mandiant are true— the systems and resources used in the attacks are reduced drastically, based on the information of the annexes we have created a set of Snort signatures that can help identify circumstances and suspicious connection destinations, which can be downloaded from the link below.
Snort signatures from the Mandiant report: apt1-unit68398.rar
The signatures are based in the Mandiant Report annexes, and have been developed by S2 Grupo Security Area and more specifically by Roberto Amado and Raúl Rodriguez. To send any comments, questions, information or requests, use the comments or contact us at admin@securityartwork.es.
Please note that we are not responsible for any undesirable consequences (increased alerts, etc.) that may cause the signatures provided. Your use of the signatures is at your sole risk.