This really is the key point. People generally believed that the major hacks have been Chinese government based, but without publicized proof public policy is unlikely to change. China (and people who don't want to insult China) can get away with dismissing the mountain of circumstantial evidence because few people with power want to directly accuse it. Maybe this report will start to change the situation.
: http://en.wikipedia.org/wiki/Titan_Rain#cite_note-SANS-2 -- archived at http://web.archive.org/web/20051214143959/http://www.breitba... but I can't find any further quotes from the SANS Institute on what their deductions were based on.
One thing about this is that Chinese military is not the same thing as Chinese intelligence. The main Chinese intelligence agency is the Ministry of State Security. Mixing up the PLA with the MSS is like mixing up the DOD with the CIA.
I doubt that the United States government will do anything more than "raise the issue." The trouble is that if the US does something like file a formal diplomatic protest, it will be a promise by the United States not to try to do anything similar, and I don't see how the US would consider that to be in its national interest.
One other interesting thing is that the Chinese hacker community is very different from the US hacker community, in that US hackers tend to hate the military and authoritarian systems whereas the Chinese hacker community sees themselves as patriotic defenders of the motherland. A lot of this has to do with differences in history (i.e. the US involvement with Vietnam). Something that gives you an idea of the difference is that if you go to any newsstand, you'll see a lot of military magazines, and so hackers in China are "soldier wannabes" in ways that hackers in the US aren't.
DoD & the "Intelligence Community" have been working together a lot more closely than you think, especially since 11-Sep-2001.
“Either they are coming from inside Unit 61398, or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
— Kevin Mandia
And of course Mandiant's not just releasing this information for fun. Chinese hacking is big business for them. Brad Stone and Michael Riley reported earlier this month for Businessweek that Mandiant's 2012 revenue of more than $100 million represented a 76 percent year-on-year increase. They say they represent 30 percent of the Fortune 100. Mandiant is so dominant in the China-focused counter-espionage game that the New York Times' reporting on the Mandiant report and other sources of information about Chinese hacking had to include an awkward disclaimer.
Part 1: http://cybernonsense.blogspot.com/2013/02/chinese-hackers-an...
Part 2: http://cybernonsense.blogspot.com/2013/02/chinese-hackers-an...
Part 3: http://cybernonsense.blogspot.com/2013/02/chinese-hackers-an...
EDIT: Updated to include links to all three parts
The way those posts are written, with personal attacks against particular people, I wouldn't be surprised if they were written by somebody at a competing firm.
"Investigators say the surge of malware attacks on U.S. companies may be coming from Eastern European cybercriminals rather than being Chinese state-sponsored espionage."
I opened the provided link, read a few paragraphs, scanned the rest of the post, and decided that the post does not contain a complete thought. In my opinion part III (the linked part) is substantially worse than parts I and II and the OP does a severe disservice by linking the third part directly.
Additionally the math flagged my BS detector, which doesn't say the rest is wrong, but makes me even more wary since this is the only part I have enough facts about to make a complete decision on:
| The breakdown per minute at this pace equals 396 megabytes per minute, 6.6 megabytes per second, to pull this off non-stop for 10 months straight.
That said, our (USA) national interests are at stake here. So far, we've left it up to the individual commercial parties to police and defend their own networks and that isn't working as well as we would like.
I know that there was once a trial balloon floated to get the NSA to help commercial interests properly detect and defend their IT infrastructure. IIRC, the privacy interests considered that a bigger risk than the Chinese. I'm not sure that isn't a bit myopic.
When a company like RSA gets hacked, you need to think about the guy with a gun banging at your door, not the boogeyman under the bed.
Simply put, defense is hard. That's the main reason you've seen all of the national intelligence organizations playing hot potato with the issue. Hopefully this will be changing a bit for the better based on the executive order Obama signed recently that directs DHS, NSA and the FBI to expand their programs that share active threat information with private companies.
That said, the threat vectors for APTs aren't always solely network-based. IIRC, the behavior of the APT that struck RSA was fairly targeted and changed behavior once inside the network. It isn't unreasonable to think that the NSA would want to talk about putting sensors inside a private network where they could detect "successful" penetrations.
Again, we have every right to be wary of letting the (government) camel nose in the tent. I'm just saying that if you don't kinda sorta trust your government to help you fight a serious foreign power with nearly unlimited resources, you might need to reconsider your position. The threat from China is real and ongoing versus the theoretical threat from the US Government.
For example, the NYTimes has a bureau in Shanghai, and if they use a private contractor to help strengthen their networks, then I don't think that the Chinese government would be cancelling visas. If the NYTimes brought in the NSA, then I give the Chinese government five minutes before all of the visas get cancelled and the journalists get expelled.
The really sophisticated stuff is on the military side, which is a black box. But who is to say that the NSA or DOD is not actively engaged in trying to analyze or degrade the capabilities of Chinese APTs? It's possible someone in the NSA is reading the Mandiant report right now thinking "not bad, they got almost half of what we know."
The recent Obama executive order should help get more of such info into the hands of companies.
If you are a software company and you let it be known that you actively cooperate with the NSA and CIA, I doubt you'll be doing much business in China. I doubt France is going to let you in, either.
Outside of a few industries, the business losses from actively cooperating with a national government are going to be much larger than any losses due to hacking.
I am not an IT security expert by any means, but what I've noticed when I look at all of the industry certifications is a focus on taking network engineers and educating them enough to make them able to defend against attackers. What I don't see is any push to take software engineers and educate them about the lower level stuff to defend against hackers. Why is this a problem?
In your typical large enterprise, software people are paid much better than network people. (Remember, we're not talking about Google or Rackspace. Administering a typical corporate network is relatively simplistic, since the level of variance in software is higher than in network configurations.)
I used to work in networking, and quickly got bored and learned software and GTFO of the lame networking world. The networking people I currently know who have obtained the CISSP security certs have no friggin clue how to code, and frankly just aren't that smart when it comes to this kind of thing. The people I want defending our networks are the folks at DEFCON who are hacking into every other machine in the room just for fun. But if you look at the requirements for getting these industry certs, I don't think these people would even qualify. So you end up getting talented penetration testers and talentless people who have never hacked anything on defense.
They essentially find 2 IP addresses that can be traced back to a region of Shanghai with millions of people, and because one particular building that's been known to house Unit 61398 is within this broad geographic area, they make the conclusion that Unit 61398 is involved, which is a key foundation of the report.
Am I missing something?
Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors logging into their hop infrastructure from 832 different IP addresses with Remote Desktop... Of the 832 IP addresses, 817 (98.2%) were Chinese and belong predominantly to four large net blocks in Shanghai which we will refer to as APT1’s home networks.
Actually their conclusion is not that straightforward:
Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.
Or APT1 is Unit 61398.
I don't have any idea of how much of this can be taken for its face value though, as they don't share much of how they have gathered the information in the report. And granted, Shanghai is a big place.
In other words, you'd
1) expect to find a lot of PLA spooks in that location
2) expect to find that any China related hackers have their address there, because that's the last point that they can change their IP address before the packets head over to the US
Doesn't mean that the two groups are connected....
One thing that surprised me looking into this is how most internet traffic goes through a very few links. There are only two major connection points between the US and China and the neighborhood with the IP blocks hosts one of them.
In particular, if the hackers were physically located in Beijing, I'd bet that the packets would look like they came from that part of Pudong.
Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as “APT1” and it is one of more than 20 APT groups with origins in
Does anyone know what some of the other "APT groups" are / where they are located? (Original site seems to be down)
The overwhelming majority of APT groups that actively target private corporations, individuals, the media and Mandiant's commercial customers are in China.
There seems to be a common myth that the "law" in "international law" is anywhere near as strong as "domestic law". International law is mostly meaningless and just comprises agreements between countries that could be broken or ignored.
'Wultz Attorney Robert Tolchin told msnbc.com that with the court judgment in hand his clients can seek Iranian and Syrian assets to collect the award.
Tolchin said he couldn’t be specific, but he would explore “various avenues.”
“There is a lot of litigation by people seeking the turnover of Iranian assets,” Tolchin said. “The Iranians have kept U.S. courts busy.”'
Iran and Syria aren't subject to this problem because the amount of business that US companies do in Iran and Syria is trivial.
so data on countries like Russia, US, middle eastern and European countries.
That the Chinese are doing this, we knew from many corp and military espionage stories.
I wonder about Mandiant. The Chinese will probably target them with all their might, but then they will get a lot of work in the USA. Going public must've been a tough decision.
I suspect, as you state, they'll get a good amount of business out of it. And it's a lot easier for them to stay secure than the average company.
I should imagine going public wasn't too difficult- it was already known that they were hired by the New York Times to investigate hacking attempts against them.
Investigate and release a public report are two different things. Looks like they gambled that they could win a lot of new business, given that this Chinese hacking is prevalent and their study makes that point even clearer.