Exploring IP Ranges with Recorded Future: Have the ‘APT1 Ranges’ Been Cleaned Up?

January 27, 2015 • Christopher Ahlberg

In this post we’re exploring new functionality in Recorded Future that enables users to search the Recorded Future holdings for IP ranges. We’ll look at the IP ranges originally used by APT1 and identify ongoing, potentially malicious, but likely not very sophisticated, activity.

Recorded Future’s holdings include a lot of technical data, such as filenames, hashes, and IP addresses. Recently we introduced the ability to search for a range of IP addresses; previously you could only search by specific addresses. This enables analysts to, for example, quickly identify activity involving their organization’s IP ranges, or those of a particular actor.

In Mandiant’s APT1 report from February 2013 we can find the IP ranges used by APT1 as hop points, all of them in China Unicom, a major Chinese state-owned telecommunications operator.

Table from Mandiant APT1 Report

We can now easily search for these in Recorded Future, as shown below. The IP ranges are written in CIDR notation (an address prefix of a specified bit length).

This gives us a timeline of events involving these IP ranges. We can see a clear uptick in activity after the report’s publication in early 2013 (naturally), along with some historical data describing the activities of UglyGorilla and his associates setting up infrastructure.

From here we can explore the same ranges in the Recorded Future holdings from the time before the Mandiant APT1 report by constraining publishing time to be before Feb 12, 2012. Time travel can be useful! We identify two hits from Threat Expert, which Threat Expert at the time reported as having China as a possible country of origin.

Now we can try to exclude any events that mention Comment Crew/APT1 and their close associates, as shown below. Obviously we could keep building the exclusion list as we dig in.

This gives us a timeline like the following, where we’ve filtered out explicit references to APT1 actors (which of course doesn’t mean that what’s left isn’t APT1). We still see a lot of activity coming out of reporting on these IP ranges, so let’s dive in and see what we can find. In the timeline here we can see ongoing activity, right up to the present.
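The three steps above (match events against CIDR ranges, constrain the publishing date, drop events that name known actors) as an added example in Python, not code from Recorded Future; the ranges and event records are constructed sample data, not the APT1 ranges from the Mandiant table:

```python
import ipaddress
import re
from datetime import date

# Constructed ranges in CIDR notation (documentation address space), standing in
# for the watched ranges. The prefix length decides how many addresses match.
WATCHED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sample events: (publish date, source, text). Not real holdings data.
EVENTS = [
    (date(2012, 11, 3), "ThreatExpert", "sample beaconed to 203.0.113.17, origin China"),
    (date(2013, 2, 20), "blog", "APT1 / Comment Crew hop point 203.0.113.40 seen in C2"),
    (date(2014, 6, 1), "Pastebin", "bad IPs: 198.51.100.77 10.0.0.5 203.0.113.200"),
    (date(2014, 9, 9), "Clean MX", "phishing kit hosted on 198.51.100.200"),
    (date(2015, 1, 10), "myhack58.com", "scanner list 203.0.113.9"),
]

# Terms used to exclude events that explicitly reference the known actors.
ACTOR_TERMS = ("apt1", "comment crew", "uglygorilla")

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ips_in_ranges(text):
    """Return the IPv4 addresses in text that fall inside any watched range.
    Strings that look like IPs but are not valid (e.g. 999.1.1.1) are skipped."""
    hits = []
    for candidate in IP_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if any(ip in net for net in WATCHED_RANGES):
            hits.append(str(ip))
    return hits


def search(events, before=None, exclude_terms=()):
    """Events referencing a watched range, optionally only those published before
    a given date, and without events whose text names an excluded actor."""
    results = []
    for published, source, text in events:
        if before is not None and published >= before:
            continue
        if any(term in text.lower() for term in exclude_terms):
            continue
        hits = ips_in_ranges(text)
        if hits:
            results.append((published.isoformat(), source, hits))
    return results
```

Note that 198.51.100.200 lies outside 198.51.100.0/25 (which covers .0 to .127), so the Clean MX event never matches; a /24 would have included it.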

We can pivot our analysis to examining the sourcing for the above timeline, where we can see that Pastebin is a huge source (most likely users dumping lists of “bad” IP numbers), along with Clean MX (again reporting IPs with issues) and a number of more specialized security blogs reporting on various issues seen from these ranges.

We can also see records of these ranges from Chinese hacker sites such as myhack58.com.

Alerting Moving Forward

Finally, to stay on top of new events associated with these ranges, we can quickly set up an alert to track any further malicious activity.

Conclusion

The ability to search IP ranges rather than just individual IP addresses is very powerful, and enables us to cover a lot of ground in a single query/analysis. We used this to search the hop point IP ranges originally used by APT1 and identify ongoing, potentially malicious activity. We draw no conclusions on whether this is ongoing APT1 activity or not, but at the surface level it doesn’t appear to be serious behavior.

Source: https://recordedfuture.com/ip-range-search/