Mandiant APT1 SSL Connection Activity

by Ron Gula
February 20, 2013

This report searches historic SSL network activity to find indicators of APT1's command and control communications. 

The report leverages the Passive Vulnerability Scanner's ability to identify the certificate name used in SSL network connections. These real-time logs are sent to the Log Correlation Engine, where they are summarized in the SSL_Cert_Summary event. The LCE summarizes all SSL certificate names observed for a given IP address and records logs such as this: 


SSL_Cert_Summary since 2/19/2013 07:21:18 host had SSL sessions involving these server certs: Google Inc VeriSign Trust Network Akamai Technologies Inc GTE Corporation


Mandiant identified a variety of SSL certificates used by the APT1 organization. The following names are used to perform a search: 

  • Widgets
  • LM-68AB71FBD8F5
  • NS
  • SUR
  • NoName

The and names are omitted since they will match against legitimate access to those email services. 

This report creates a single query for any SSL_Cert_Summary event during the past 25 days which contains a text string for one of the hostile certificate names. 
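As an added example that is not part of the original post or of Tenable's own tooling, the check below parses LCE SSL_Cert_Summary lines of the shape quoted above, looks for the Mandiant certificate names, and runs over constructed sample log lines; the regular expression for the line layout and the decision to bound the match on non-word characters (tighter than the plain substring match the report's query performs) are assumptions.

```python
import re

# Certificate names from the Mandiant APT1 report that the post's LCE query searches for
APT1_CERT_NAMES = ["Widgets", "LM-68AB71FBD8F5", "NS", "SUR", "NoName"]

# Assumed shape of the SSL_Cert_Summary line quoted in the post: everything after
# the "server certs:" marker is the space-separated list of certificate names.
_SUMMARY_RE = re.compile(
    r"SSL_Cert_Summary since (?P<since>\S+ \S+) host had SSL sessions "
    r"involving these server certs: (?P<certs>.*)$"
)

def parse_ssl_cert_summary(line):
    """Return (since, cert_string) for an SSL_Cert_Summary line, else None."""
    m = _SUMMARY_RE.search(line)
    return (m.group("since"), m.group("certs").strip()) if m else None

def match_apt1_certs(cert_string, names=APT1_CERT_NAMES):
    """Indicator names in the cert string. Case-sensitive and bounded by non-word
    characters so 'NS'/'SUR' do not fire on 'DNS'/'INSURANCE' (tighter than substring)."""
    return [n for n in names
            if re.search(r"(?<!\w)" + re.escape(n) + r"(?!\w)", cert_string)]

def scan_summaries(lines):
    """Return (line_no, since, hits) for every summary line with at least one hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_ssl_cert_summary(line)
        if parsed is None:  # some other LCE event type
            continue
        since, certs = parsed
        hits = match_apt1_certs(certs)
        if hits:
            findings.append((n, since, hits))
    return findings

# Constructed sample lines (not real LCE output): the benign line from the post, a
# line only a naive substring search would flag, an unrelated event, two APT1 hits.
SAMPLE_LOGS = [
    "SSL_Cert_Summary since 2/19/2013 07:21:18 host had SSL sessions involving these server certs: Google Inc VeriSign Trust Network Akamai Technologies Inc GTE Corporation",
    "SSL_Cert_Summary since 2/19/2013 07:40:02 host had SSL sessions involving these server certs: DNS Labs Inc INSURANCE Corp",
    "SSL_Cert_Summary since 2/19/2013 08:02:11 host had SSL sessions involving these server certs: Widgets LM-68AB71FBD8F5",
    "Login_Failure since 2/19/2013 08:05:00 host had 3 failed logins",
    "SSL_Cert_Summary since 2/19/2013 09:15:44 host had SSL sessions involving these server certs: NoName SUR",
]

if __name__ == "__main__":
    for n, since, hits in scan_summaries(SAMPLE_LOGS):
        print(f"line {n} (since {since}): {', '.join(hits)}")
```

The two-letter names are the noisy part of this list; a plain substring search on "NS" or "SUR" will flag many legitimate certificate issuers, so review hits on those two before treating them as APT1 activity.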

It is suggested that the search be run for much longer than 25 days, since Mandiant's report claimed that the APT1 organization has been active for several years. If you do have any detections with this report, Tenable has also added a variety of Nessus checks and audits which can be used to help identify this malware.