
Firm draws link between APT1 espionage group and Siesta campaign

Attackers using evasive malware, which lies dormant until saboteurs are ready to trigger malicious features, have been linked to the China-based espionage group APT1.

According to researchers at FireEye, attack tools and tactics used in a recently identified campaign, dubbed “Siesta,” are consistent with APT1's activities.

Last week, a different security firm, Trend Micro, revealed how the Siesta campaign targeted a diverse range of industries, including the energy, defense and telecommunications sectors, via spear phishing emails sent to executives.

At the time, Trend Micro researchers said that one spear phishing ruse consisted of a spoofed email to an exec, designed to look like communication from an internal employee.

In actuality, the email contained an executable disguised as a PDF attachment.

The malware used in the attacks was crafted so that it would "sleep," or lie dormant for a period of time, cutting off its connection to the C&C servers, only to later download and execute upon command. Trend Micro researchers believed the Siesta campaign was leveraged to glean valuable data from targeted organizations.

Now, researchers at FireEye have revealed why the Siesta campaign activities were likely executed by APT1 – or by an unknown group using attack techniques similar to those of the China-based espionage group.

Mandiant, an incident response and forensic firm that first uncovered the inner workings of APT1 in February 2013, was recently acquired by FireEye. APT1 is infamously distinguished as the attack group that targeted numerous U.S. firms to extract sensitive data from victims.

On Wednesday, FireEye researchers Ned Moran and Mike Oppenheim wrote in a blog post that a spear phishing attack linked to the Siesta campaign shared similarities to methods used by APT1. The email targeted a victim in the telecommunications industry on Feb. 20, the researchers said.

In the blog post, FireEye also revealed a number of other indicators showing evidence that the espionage campaigns were carried out by the same group (or a gang using tactics linked closely with APT1).

Of note, FireEye analyzed import hashes, which are used to identify related malware samples by tracking specific backdoor identifiers. In addition to those indicators matching up, the Siesta attackers used a custom alphabet that was also found in previous APT1 malware samples.

The custom alphabet was used by the malware to “decode commands issued by the attack to the victim machine and to Base64 encode the reverse shell from the victims back the [C&C] server,” the blog post explained.
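From the analyst's side, a custom Base64 alphabet becomes a pivot: a captured string that decodes cleanly under an alphabet already catalogued from an earlier family suggests shared tooling. The sketch below is an added example, not code from FireEye or from any sample; the two alphabets, the family names and the sample string are constructed for illustration, and the function names are hypothetical.

```python
import base64
import binascii
import string

STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed alphabets for illustration; not taken from any real malware.
KNOWN_ALPHABETS = {
    "family_a (constructed)": STD[13:] + STD[:13],
    "family_b (constructed)": string.ascii_lowercase
    + string.ascii_uppercase + string.digits + "+/",
}

def encode_custom(data: bytes, alphabet: str) -> str:
    """Only used to build the constructed sample below."""
    return base64.b64encode(data).decode().translate(str.maketrans(STD, alphabet))

def decode_custom(text: str, alphabet: str) -> bytes:
    """Map a custom alphabet back onto the standard one, then decode."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 unique characters")
    # Assumption: '=' is still the padding character and not in the alphabet.
    body = text.strip().rstrip("=").translate(str.maketrans(alphabet, STD))
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body, validate=True)

def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def match_alphabet(blob: str, candidates=KNOWN_ALPHABETS, threshold=0.95):
    """Return (name, decoded) for each alphabet giving mostly printable text."""
    hits = []
    for name, alphabet in candidates.items():
        try:
            decoded = decode_custom(blob, alphabet)
        except (ValueError, binascii.Error):
            continue  # wrong length or characters outside this alphabet
        if printable_ratio(decoded) >= threshold:
            hits.append((name, decoded))
    return hits

# Constructed sample standing in for a string pulled from captured traffic.
SAMPLE_PLAINTEXT = b"constructed-command: sleep 3600"
SAMPLE_BLOB = encode_custom(SAMPLE_PLAINTEXT, KNOWN_ALPHABETS["family_a (constructed)"])

if __name__ == "__main__":
    for name, decoded in match_alphabet(SAMPLE_BLOB):
        print(name, decoded)
```

The printable-text threshold is a heuristic; binary payloads need a different check, such as a known header.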

FireEye also noted that malware samples linked to the Siesta campaign and APT1 both used a portable executable (PE) resource, which contained a PDF icon for disguising malicious executables as PDF documents.

In a Thursday email, FireEye threat analyst Moran confirmed that the malware in the analyzed attack "did have a sleep function," similar to Trend Micro's findings.

He later added that, if the attacks were leveraged by an unknown group as opposed to APT1, "then the shared characteristics are the result of formal or informal sharing of tools and techniques" between the groups.
