Exploring IP Ranges With Recorded Future: Are the ‘APT1 Ranges’ Cleaned Up?
Predict 21: The Intelligence Summit Register Today

Exploring IP Ranges With Recorded Future: Are the ‘APT1 Ranges’ Cleaned Up?

January 27, 2015 • Christopher Ahlberg

In this post we’re exploring new functionality in Recorded Future, which allows users to search the Recorded Future holdings for IP ranges. We’ll examine the IP ranges originally used by APT1 and identify continued potentially malicious activity, but unlikely very sophisticated.

Recorded Future’s holdings include a large amount of technical data, like filenames, hashes, and IP addresses. Recently we introduced the ability to search for a range of IP addresses; earlier you could only search by specific addresses. This allows analysts to, for example, rapidly identify activity involving their organization’s IP ranges or that of a particular actor.

In Mandiant’s APT1 report from February 2013 we can find the IP ranges used by APT1 as hop points – all owned by China Unicom, a major Chinese state-owned telecommunications operator.

Table from Mandiant APT1 Report

We can now easily search for these in Recorded Future, as in below. The IP ranges are written in CIDR notation (an address prefix of a specified bit length).

Search Query

This yields us a timeline of events involving these IP ranges. We can see a clear uptick in activity post the report publication in early 2013 (of course) – and some historical data describing the activities of UglyGorilla and his friends setting up infrastructure,

Timeline of Mandiant APT1 Reports

Click image for larger view

From here we can explore the same ranges in the Recorded Future holdings from the time before the Mandiant APT1 report by constraining publishing time to be before February 12, 2012. Time travel can be helpful! We identify two hits from Threat Expert, which Threat Expert at that time reported as having China as a possible country of origin.

Timeline of Mandiant APT1 Reports

Click image for larger view

Now we can try to exclude any specific events that includes Comment Crew/APT1 and their close guys, per below. Obviously we could keep building the exclusion list as we dig in.

Search Query

This yields us a timeline like the following where we’ve filtered out explicit references to APT1 actors (which of course doesn’t mean what’s left is not APT1). We still see a lot of activity coming out of reporting on these IP ranges – so let’s dive in and see what we can find. In the timeline below we can observe ongoing activity, up until this very day.

Timeline of Mandiant APT1 Reports

Click image for larger view

We can easily pivot our analysis to analyzing the sourcing for the above timeline, and we can see how Pastebin is a big source (probably users dumping lists of “bad” IP numbers predominantly), Clean MX (again reporting IPs with issues) and then a series of more specialized security blogs reporting on various issues seen out of these ranges.

Treemap of Mandiant APT1 Reports

Click image for larger view

We can also see entries for these ranges out of Chinese hacker sites like myhack58.com.

Myhack58 Website

Alerting Going Forward

Finally, to stay on top of new events related to these ranges, we can quickly set up an alert to track any further malicious activity.

Create Email Alert

Conclusion

The ability to search IP ranges rather than just individual IP addresses is quite powerful, and allows us to cover a lot of space in one query/analysis. We utilize this to search the hop point IP ranges originally used by APT1 and identify continued potential malicious activity. We make no conclusions on whether this is continued APT1 activity or not, but at the surface level it does not appear to be very serious behavior.

New call-to-action

Related Posts

Using Intelligence to Prioritize AWS Guard Duty Alerts

Using Intelligence to Prioritize AWS Guard Duty Alerts

March 10, 2021 • Meghan McGowan

Security operations teams are inundated with alerts and threats making it difficult for them to...

Announcing Security Intelligence for Splunk — For Free

Announcing Security Intelligence for Splunk — For Free

February 23, 2021 • Ellen Wilson

Today, we’re thrilled to announce the launch of a free 30-day trial of our integration for Splunk...

Special Delivery: Recorded Future Hunting Packages

Special Delivery: Recorded Future Hunting Packages

September 25, 2019 • The Recorded Future Team

Quickly detecting and preventing malicious activity is imperative to effectively protecting your...