APT Intelligence Update

Today, Virginia based cyber-security firm MANDIANT released a 60+ page intelligence report describing an Advanced Persistent Threat (APT) actor named APT-1 (others familiar with the group may know them as WebC2).

This report is unprecedented in its fidelity, and we recommend any security practitioner that believes they are being targeted by this specific actor, or any advanced attacker, to read it to completion as soon as possible.

This report contains several key details on how APT-1 compromises its victims, pivots throughout their infrastructure, and eventually exfiltrates coveted intellectual property. MANDIANT has described these tools and tactics in sufficient-enough detail where we have been able to write many high-fidelity indicators suitable for use in an incident detection system (IDS).

After reviewing and processing the report, the Threat Stack team is announcing the initial release of over 2000 network DNS indicators that can be used to quickly identify this specific actor (or other advanced attackers sharing the same tools and behaviors).


If you are already a Threat Stack customer, these rules have been automatically deployed to your Network IDS agents and are already active. If not, we are open-sourcing these rules under GPL and you may use them in popular open-source IDS software such as Snort (http://www.snort.org/) or Suricata (http://www.openinfosecfoundation.org/).

As we grow, the Threat Stack team will be maintaining our own GPL rule-set for the benefit the community starting by improving and adding to this set of indicators as we digest the report. We encourage users of the rules to contact with us any improvements so we can disseminate them to the group.

If you have any questions, please contact [email protected]


– The Threat Stack Team