
Mandiant Exposes APT1, One of China’s Cyber Espionage Units - holograham
https://www.mandiant.com/blog/mandiant-exposes-apt1-chinas-cyber-espionage-units-releases-3000-indicators/
======
nohat
"Without establishing a solid connection to China, there will always be room
for observers to dismiss APT actions as uncoordinated, solely criminal in
nature, or peripheral to larger national security and global economic
concerns. We hope that this report will lead to increased understanding and
coordinated action in countering APT network breaches."

This really is the key point. People generally believed that the major hacks
have been Chinese government based, but without publicized proof public policy
is unlikely to change. China (and people who don't want to insult China) can
get away with dismissing the mountain of circumstantial evidence because few
people with power want to directly accuse it. Maybe this report will start to
change the situation.

~~~
martindale
Strong ties have been established with attacks like this already, this isn't
the first time. Sadly my source [1] has disappeared, but I literally just
finished an aggregation of other content [2] this morning.

[1]: <http://en.wikipedia.org/wiki/Titan_Rain#cite_note-SANS-2> -- archived at
[http://web.archive.org/web/20051214143959/http://www.breitba...](http://web.archive.org/web/20051214143959/http://www.breitbart.com/news/2005/12/12/051212224756.jwmkvntb.html)
but I can't find any further quotes from the SANS Institute on what their
deductions were based on.

[2]: [https://plus.google.com/112353210404102902472/posts/T4THntTx...](https://plus.google.com/112353210404102902472/posts/T4THntTxbRE)

~~~
nohat
I agree that pretty much anyone who gave a cursory inspection would come to
the conclusion that the attacks were from Chinese intelligence. There were
still lots of defences of China claiming it could be patriotic hackers, or
that the evidence was circumstantial. I think some of this was that if US
officials make it clear that they know the attacks are from China it puts them
under pressure to act (potentially in a way that would anger China).
Diplomatically it's more convenient to pretend not to be sure.

~~~
joequant
There's also the matter of "is this worth starting a war over?"

One thing about this is that Chinese military is not the same thing as Chinese
intelligence. The main Chinese intelligence agency is the Ministry of State
Security. Mixing up the PLA with the MSS is like mixing up the DOD with the
CIA.

I doubt that the United States government will do anything more than "raise
the issue." The trouble is that if the US does something like file a formal
diplomatic protest, it will be a promise by the United States not to try to do
anything similar, and I don't see how the US would consider that to be in its
national interest.

One other interesting thing is that the Chinese hacker community is very
different from the US hacker community, in that US hackers tend to hate the
military and authoritarian systems whereas the Chinese hacker community sees
themselves as patriotic defenders of the motherland. A lot of this has to do
with differences in history (i.e. the US involvement with Vietnam). Something
that gives you an idea of the difference is that if you go to any newsstand,
you'll see a lot of military magazines, and so hackers in China are "soldier
wannabes" in ways that hackers in the US aren't.

~~~
greedo
APT is just an externality for US biz right now. The fact that the Chinese
were able to steal the plans to the JSF doesn't really hurt Lockheed-Martin's
ability to sell the plane to the US or allies. Of course it hurts the ability
of the buyers to effectively deploy the JSF against anyone able to buy JSF
data from the Chinese; but LockMart really doesn't care too much about that.

------
brown9-2
An interesting side-note on Mandiant's report:

 _And of course Mandiant's not just releasing this information for fun.
Chinese hacking is big business for them. Brad Stone and Michael Riley
reported earlier this month for Businessweek that Mandiant's 2012 revenue of
more than $100 million represented a 76 percent year-on-year increase. They
say they represent 30 percent of the Fortune 100. Mandiant is so dominant in
the China-focused counter-espionage game that the New York Times' reporting on
the Mandiant report and other sources of information about Chinese hacking had
to include an awkward disclaimer_

[http://www.slate.com/blogs/moneybox/2013/02/19/mandiant_is_t...](http://www.slate.com/blogs/moneybox/2013/02/19/mandiant_is_the_big_winner_from_increased_anxiety_about_chinese_hacking.html)

~~~
bitcartel
Mandiant report debunked:

Part 1: [http://cybernonsense.blogspot.com/2013/02/chinese-hackers-an...](http://cybernonsense.blogspot.com/2013/02/chinese-hackers-and-security-malware.html)

Part 2: [http://cybernonsense.blogspot.com/2013/02/chinese-hackers-an...](http://cybernonsense.blogspot.com/2013/02/chinese-hackers-and-security-malware_19.html)

Part 3: [http://cybernonsense.blogspot.com/2013/02/chinese-hackers-an...](http://cybernonsense.blogspot.com/2013/02/chinese-hackers-and-security-malware_4130.html)

EDIT: Updated to include links to all three parts

~~~
nikcub
There is a lot of jealousy between security companies, especially since
Mandiant is getting a lot of the spotlight with the China hacks.

The way those posts are written with personal attacks against particular
people I wouldn't be surprised if it was written by somebody at a competing
firm.

~~~
bitcartel
That's quite plausible. I think the posts are worth reading to remind oneself
that healthy skepticism is a good thing.

"Investigators say the surge of malware attacks on U.S. companies may be
coming from Eastern European cybercriminals rather than being Chinese state-
sponsored espionage."

[http://news.cnet.com/8301-1009_3-57570194-83/apple-facebook-...](http://news.cnet.com/8301-1009_3-57570194-83/apple-facebook-twitter-hacks-said-to-hail-from-eastern-europe/)

------
Nrsolis
I haven't read the report yet, but it's on my list.

That said, our (USA) national interests are at stake here. So far, we've left
it up to the individual commercial parties to police and defend their own
networks and that isn't working as well as we would like.

I know that there was once a trial balloon floated to get the NSA to help
commercial interests properly detect and defend their IT infrastructure. IIRC,
the privacy interests considered that a bigger risk than the Chinese. I'm not
sure that isn't a bit myopic.

When a company like RSA gets hacked, you need to think about the guy with a
gun banging at your door, not the boogeyman under the bed.

~~~
diminoten
This is the real conversation we need to be having; why are companies having
to go toe-to-toe with nations, without the backing or support of their own
government?

~~~
snowwrestler
U.S. companies do receive significant support from their government, typically
in the form of FBI support for the investigation and mitigation of intrusions.

The really sophisticated stuff is on the military side, which is a black box.
But who is to say that the NSA or DOD is not actively engaged in trying to
analyze or degrade the capabilities of Chinese APTs? It's possible someone in
the NSA is reading the Mandiant report right now thinking "not bad, they got
almost half of what we know."

The recent Obama executive order should help get more of such info into the
hands of companies.

~~~
greedo
From what I've heard, the US govt has basically decided that the best defense
is a good offense. You don't hear of any of their successes because a) the US
doesn't want to let it out, and b) the Chinese aren't especially fond of
losing face.

------
stcredzero
I am not an expert, but from my work experience, I'd guess that about 80% of
all of the companies in the world have ineffective defenses and are
essentially open to this kind of attack. The people doing this to US companies
probably think of themselves as superior and think of us as hapless rubes.

~~~
JPKab
Yeah, when you look at the industry standards that large enterprises use for
IT security, is it any wonder?

I am not an IT security expert by any means, but what I've noticed when I look
at all of the industry certifications is a focus on taking network engineers
and educating them enough to make them able to defend against attackers. What
I don't see is any push to take software engineers and educate them about the
lower level stuff to defend against hackers. Why is this a problem?

In your typical large enterprise, software people are paid much better than
network people. (remember, we're not talking about Google or Rackspace.
administering a typical corporate network is relatively simplistic, since the
level of variance in software is higher than in network configurations).

I used to work in networking, and quickly got bored and learned software and
GTFO of the lame networking world. The networking people I currently know who
have obtained the CISSPA security certs have no friggin clue how to code, and
frankly just aren't that smart when it comes to this kind of thing. The people
I want defending our networks are the folks at DEFCON who are hacking into
every other machine in the room just for fun. But if you look at the
requirements for getting these industry certs, I don't think these people
would even qualify. So you end up getting talented penetration testers and
talentless people who have never hacked anything on defense.

------
zht
One major issue that I find with this report is how they link the addresses to
PLA unit 61398.

They essentially find 2 IP addresses that can be traced back to a region of
Shanghai with millions of people, and because one particular building that's
been known to house Unit 61398 is within this broad geographic area, they make
the conclusion that Unit 61398 is involved, which is a key foundation of the
report.

Am I missing something?

~~~
juhanima
Possibly. There are quite a lot more addresses than two. From page 40:

 _Over a two-year period (January 2011 to January 2013) we confirmed 1,905
instances of APT1 actors logging into their hop infrastructure from 832
different IP addresses with Remote Desktop... Of the 832 IP addresses, 817
(98.2%) were Chinese and belong predominantly to four large net blocks in
Shanghai which we will refer to as APT1’s home networks._

Actually their conclusion is not that straightforward:

 _Either a secret, resourced organization full of mainland Chinese speakers
with direct access to Shanghai-based telecommunications infrastructure is
engaged in a multi-year, enterprise scale computer espionage campaign right
outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known
mission._

 _Or APT1 is Unit 61398._

I don't have any idea of how much of this can be taken for its face value
though, as they don't share much of how they have gathered the information in
the report. And granted, Shanghai is a big place.

~~~
joequant
And the particular neighborhood which the report targets happens to be the
place where the main US-China cable hits the China network...

<http://en.wikipedia.org/wiki/TPE_%28cable_system%29>

In other words, you'd

1) expect to find a lot of PLA spooks in that location

2) expect to find that any China related hackers have their address there,
because that's the last point that they can change their IP address before the
packets head over to the US

Doesn't mean that the two groups are connected....

One thing that surprised me looking in this is how most internet traffic goes
through a very few links. There are only two major connection points between
the US and China and the neighborhood with the IP blocks hosts one of them.

In particular, if the hackers were physically located in Beijing, I'd bet
that the packets would look like they came from that part of Pudong.

------
brown9-2
From the report:

 _Mandiant continues to track dozens of APT groups around the world; however,
this report is focused on the most prolific of these groups. We refer to this
group as “APT1” and it is one of more than 20 APT groups with origins in
China._

Does anyone know what some of the other "APT groups" are / where they are
located? (Original site seems to be down)

~~~
pheleven
Most of them get the fingers pointed at China (PLA or otherwise) or Russian
Mafia.

~~~
dguido
Criminal groups are generally referred to by Mandiant as "CDT" for "Card Data
Theft."

The overwhelming majority of APT groups that actively target private
corporations, individuals, the media and Mandiant's commercial customers are
in China.

------
mechatronic
Seems like if someone wanted to hack a US company, the best thing to do would
be to make the attack look like it originated "somewhere" in China...

------
misterbwong
Site seems to be down right now. Here's a link to the report from reddit:
<http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf>

------
hughw
Could somebody file suit against the Chinese government? Could they prove a
case to the standard required in a civil case?

~~~
brown9-2
In which court would that suit be held, and who would be the judge of any
case? If the judging body ruled against China, how would any sort of
punishment or punitive damages be enforced?

There seems to be a common myth that the "law" in "international law" is
anywhere near as strong as "domestic law". International law is mostly
meaningless and just comprises agreements between countries that could be
broken or ignored.

~~~
hughw
The plaintiff would not be invoking any international law. Individuals working
for the Chinese government stole computer secrets from U.S companies, stored
in computers on U.S. soil. That's covered by U.S. and state civil and criminal
laws. If they prove their case, and a judgement is awarded, China has to pay
up. If they don't pay up, then a judge sends a sheriff or a marshal to seize
property. Here's a random link about a lawsuit against Iran and Syria
[http://usnews.nbcnews.com/_news/2012/05/16/11733643-family-w...](http://usnews.nbcnews.com/_news/2012/05/16/11733643-family-wins-323-million-against-iran-syria-over-terrorist-attack?lite).

'Wultz Attorney Robert Tolchin told msnbc.com that with the court judgment in
hand his clients can seek Iranian and Syrian assets to collect the award.
Tolchin said he couldn’t be specific, but he would explore “various avenues.”
“There is a lot of litigation by people seeking the turnover of Iranian
assets,” Tolchin said. “The Iranians have kept U.S. courts busy.”'

~~~
joequant
At which point China kicks the US company out of China, and said company loses
far, far more than any amount that is due to hacking.

Iran and Syria aren't subject to this problem because the amount of business
that US companies do in Iran and Syria is trivial.

------
rdl
I guess all the security vendors in the US should be sending thank-you notes
to China. Also, probably to Oracle/Sun.

------
pwnna
one thing that would be cool to see is not just china, but how governments in
general engage in hacking attempts for espionage and other purposes.

so data on countries like Russia, US, middle eastern and European countries.

------
OGinparadise
This is pretty cool, they hacked the hacker
<http://www.youtube.com/watch?v=6p7FqSav6Ho>

That the Chinese are doing this, we knew from many corp and military espionage
stories.

I wonder about Mandiant. The Chinese will probably target them with all
their might, but then they will get a lot of work in the USA. Going public must've
been a tough decision.

~~~
untog
I should imagine going public wasn't too difficult - it was already known that
they were hired by the New York Times to investigate hacking attempts against
them.

I suspect, as you state, they'll get a good amount of business out of it. And
it's a lot easier for them to stay secure than the average company.

~~~
OGinparadise
All of what you say is true, but then there was
<http://en.wikipedia.org/wiki/HBGary> Security is probably a relative thing,
depending on how much they really want to get you.

 _I should imagine going public wasn't too difficult - it was already known
that they were hired by the New York Times to investigate hacking attempts
against them._

Investigate and release a public report are two different things. Looks like
they gambled that they could win a lot of new business, given that this
Chinese hacking is prevalent and their study makes that point even clearer.

------
caycep
site is down. it's either the chinese or HN!