Hackers Get Hungry

26 May 2017


How extended lunch breaks helped us identify one of the largest cyber espionage campaigns ever seen

Our threat intelligence team recently released a report on cyber espionage group APT10 and their targeting of managed IT service providers around the world. As a part of our reporting, we made reference to the daily activities of the hackers responsible for this campaign, including their habit of taking an extended midday break.

This two-hour lunch was of particular interest to our strategic threat intelligence analysts, and indeed the BBC’s Gordon Corera. The role of our strategic analysts is to help us understand the geopolitical and cultural context behind cyber threats, and this was no exception. Their understanding of Chinese culture and society informed us that this two-hour lunch break is actually relatively common across China, where many workers take such a break during the summer months due to the hot climate; a lunch break of up to 1.5 hours is also common in winter.

This analysis was part of a much broader effort to attribute APT10 as a China-based threat actor, in line with reporting from the rest of the security community. This analysis included an examination of when APT10 performed certain actions, for example, registering domain names and compiling malware.

First, we began with gathering a large dataset of these timestamped actions, and plotting them as follows:

Cloudhopper image 2
Cloudhopper image 2

Visible in the above graphs is a clear pattern, which appears to show two primary clusters of activity along the horizontal axis (representing time).

The sophistication of APT10, and other reporting, indicates that this threat actor is highly organised and almost certainly has full time staff members working in support of its mission. Therefore, the clusters above almost certainly represent morning and afternoon activity as a part of a standard working day.

While the graphs above plot the data in UTC time, we can apply a “time shift” to attempt to align the working hours shown in the data to an actual time zone. In this instance, changing this shift to UTC+8 shows the bulk of activity taking place between 0800-1130 and 1400-1800, with a 2-2.5 hour gap in activity during the middle of the day.

Given this, UTC+8 seems a likely time zone for the threat actors’ operations. UTC+8 aligns to China Standard Time (CST), as well as a number of other time zones.

Cloudhopper image 4
Cloudhopper image 4

Of course, time zone analysis isn’t the only reason we were able to attribute this activity to APT10, and APT10 as a China-based threat actor. More information on this, and the rest of our analysis, is contained in our full report and technical annex.