Comment Group Cyber Espionage: Additional Information & Clarification

A cyber espionage threat group, frequently known as the Comment Group, has received a good bit of extra attention in the last few days. On Monday (February 18, 2013) Mandiant released a report detailing a substantial amount of information on the group. In particular it listed a large number of domain names, IP addresses (both command & control and administrative ranges), a very large list of their trojan families (with MD5 hashes to boot), a bit of attribution aimed at outing the group as part of a particular unit within China’s People’s Liberation Army (PLA), and some of the group’s general tactics, techniques, and procedures (TTPs). There is a staggering amount of information for people to sift through, and as a result many questions have been raised and there is some confusion around parts of the data. In this post I am hoping to add some clarity to the information and clear up some of that confusion, which should help defenders, incident responders, and researchers make more effective use of this data.

As someone who has been looking at, researching, and often combating the Comment Group in networks for the past 6+ years, either as part of my day job, through work at Shadowserver, or in my spare time, it is a bit fun to see the spotlight shine on these guys a little. It is quite accurate to say that they are one of the largest and certainly the most prolific cyber espionage groups targeting networks worldwide. Like all organizations they are a mix of good and bad. Some of the worst and funniest stuff we have ever seen has been attributed to these guys, and we have also seen some all stars who are absolute wizards on the command prompt. One thing is for certain: the Comment Group has been quite successful at breaching hundreds (likely thousands) of organizations in the past few years. In most cases their method for breaching organizations is fairly “low-tech”; however, it works quite well and easily beats the millions upon millions of dollars of layered security measures employed at many organizations, ranging from mom & pop shops to the largest companies and government organizations in the world.

Read more: http://blog.shadowserver.org/2013/02/22/comment-group-cyber-espionage-additional-information-clarification/