Hacker News new | past | comments | ask | show | jobs | submit login
Mandiant Exposes APT1, One of China’s Cyber Espionage Units (mandiant.com)
140 points by holograham on Feb 19, 2013 | hide | past | web | favorite | 61 comments

"Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches."

This really is the key point. People generally believed that the major hacks have been Chinese government based, but without publicized proof public policy is unlikely to change. China (and people who don't want to insult China) can get away with dismissing the mountain of circumstantial evidence because few people with power want to directly accuse it. Maybe this report will start to change the situation.

Strong ties have been established with attacks like this already, this isn't the first time. Sadly my source [1] has disappeared, but I literally just finished an aggregation of other content [2] this morning.

[1]: http://en.wikipedia.org/wiki/Titan_Rain#cite_note-SANS-2 -- archived at http://web.archive.org/web/20051214143959/http://www.breitba... but I can't find any further quotes from the SANS Institute on what their deductions were based on.

[2]: https://plus.google.com/112353210404102902472/posts/T4THntTx...

I agree that pretty much anyone who gave a cursory inspection would come to the conclusion that the attacks were from Chinese intelligence. There were still lots of defences of China claiming it could be patriotic hackers, or that the evidence was circumstantial. I think some of this was that if US officials make it clear that they know the attacks are from China it puts them under pressure to act (potentially in a way that would anger China). Diplomatically it's more convenient to pretend not to be sure.

There's also the matter of "is this worth starting a war over?"

One thing about this is that Chinese military is not the same thing as Chinese intelligence. The main Chinese intelligence agency is the Ministry of State Security. Mixing up the PLA with the MSS is like mixing up the DOD with the CIA.

I doubt that the United States government will do anything more than "raise the issue." The trouble is that if the US does something like file a formal diplomatic protest, it will be a promise by the United States not to try to do anything similar, and I don't see how the US would consider that to be in its national interest.

One other interesting thing is that the Chinese hacker community is very different from the US hacker community, in that US hackers tend to hate the military and authoritarian systems whereas the Chinese hacker community sees themselves as patriotic defenders of the motherland. A lot of this has to do with differences in history (i.e. the US involvement with Vietnam). Something that gives you an idea of the difference is that if you go to any newsstand, you'll see a lot of military magazines, and so hackers in China are "solider wannabees" in ways that hackers in the US aren't.

APT is just an externality for US biz right now. The fact that the Chinese were able to steal the plans to the JSF doesn't really hurt Lockheed-Martin's ability to sell the plane to the US or allies. Of course it hurts the ability of the buyers to effectively deploy the JSF against anyone able to buy JSF data from the Chinese; but LockMart really doesn't care too much about that.

"...Mixing up the PLA with the MSS is like mixing up the DOD with the CIA."

DoD & the "Intelligence Community" have been working together a lot more closely than you think, especially since 11-Sep-2001.


To quote the CEO of Mandiant:

“Either they are coming from inside Unit 61398, or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.” — Kevin Mandia

Also, It would depend on what kind of evidence China has on US hacking China.

USCYBERCOM is still trying to get its shit together, so to speak. Flamer is a great example of this. We took a bunch of toys that the NSA had laying around (MD5 collision research, a few 0days purchased from defense contractors, etc) and went over to Israel's house to have them show us how to put them into play.

An interesting side-note on Mandiant's report:

And of course Mandiant's not just releasing this information for fun. Chinese hacking is big business for them. Brad Stone and Michael Riley reported earlier this month for Businessweek that Mandiant's 2012 revenue of more than $100 million represented a 76 percent year-on-year increase. They say they represent 30 percent of the Fortune 100. Mandiant is so dominant in the China-focused counter-espionage game that the New York Times' reporting on the Mandiant report and other sources of information abotu Chinese hacking had to include an awkward disclaimer


There is a lot of jealousy between security companies, especially since Mandiant is getting a lot of the spotlight with the China hacks.

The way those posts are written with personal attacks against particular people I wouldn't be surprised if it was written by somebody at a competing firm.

That's quite plausible. I think the posts are worth reading to remind oneself that healthy skepticism is a good thing.

"Investigators say the surge of malware attacks on U.S. companies may be coming from Eastern European cybercriminals rather than being Chinese state-sponsored espionage."


that 'debunking' is full of such impossibly bad writing i have no choice but to dismiss it. I cant say Mandiant is correct either, but at least they know how to construct a sentence.

So non-native speakers should be dismissed?

perhaps i spoke too soon, reading from Part I instead of Part III is much more coherent.

I opened the provided link, read a few paragraphs, scanned the rest of the post, and decided that the post does not contain a complete thought. In my opinion part III (the linked part) is substantially worse than parts I and II and the OP does a severe dis-service by linking the third part directly.

Additionally the math flagged my BS detector, which doesnt say the rest is wrong, but makes me even more wary since this is the only part i have enough facts about to make a complete decision on:

| The breakdown per minute at this pace equals 396 megabytes per minute 6.6 megabytes per second to pull this off non-stop for 10 months straight.



When their first blog post was 6 days ago and they smell strongly of disinformation, yes.

If they can't do simple math, yes. In their "debunking" they forgot that a day is not equal to an hour, and most of it is nonsensical.

No, but my brain broke trying to if there is a shred of logic in their posts.

I haven't read the report yet, but it's on my list.

That said, our (USA) national interests are at stake here. So far, we've left it up to the individual commercial parties to police and defend their own networks and that isn't working as well as we would like.

I know that there was once a trial balloon floated to get the NSA to help commercial interests properly detect and defend their IT infrastructure. IIRC, the privacy interests considered that a bigger risk than the Chinese. I'm not sure that isn't a bit myopic.

When a company like RSA gets hacked, you need to think about the guy with a gun banging at your door, not the boogeyman under the bed.

The biggest problem with the NSA proposal was that it was dishonest. Industry has been asking them for threat alerts based on tier 1 network surveillance for some time, but the NSA (dba Cyber Command) has continually questioned whether they were chartered to share that information. As a response they offered to share data only with organizations that would place NSA instrumentation inside their private networks, which is what raised the privacy concerns.

Simply put, defense is hard. That's the main reason you've seen all of the national intelligence organizations playing hot potato with the issue. Hopefully this will be changing a bit for the better based on the executive order Obama signed recently that directs DHS, NSA and the FBI to expand their programs that share active threat information with private companies.

I hear you and I don't want to underestimate or diminish the concerns that private companies have.

That said, the threat vectors for APTs aren't always solely network-based. IIRC, the behavior of the APT that struck RSA was fairly targeted and changed behavior once inside the network. It isn't unreasonable to think that the NSA would want to talk about putting sensors inside a private network where they could detect "successful" penetrations.

Again, we have every right to be wary of letting the (government) camel nose in the tent. I'm just saying that if you don't kinda sorta trust your government to help you fight a serious foreign power with nearly unlimited resources, you might need to reconsider your position. The threat from China is real and ongoing versus the theoretical threat from the US Government.

One problem is that multinational corporations are multinational with significant operations inside of China. I doubt that the NSA is going to be of much help in helping a US company secure its networks inside of China, and if that company has large numbers of Chinese employees in China, there are security issues with having US intelligence companies sharing sensitive US intelligence.

For example, the NYTimes has a bureau in Shanghai, and if they use a private contractor to help strengthen their networks, then I don't think that the Chinese government would be cancelling visas. If the NYTimes brought in the NSA, then I give the Chinese government five minutes before all of the visa get cancelled and the journalists get expelled.

Defense is hard; that doesn't mean measures shouldn't be taken to protect your assets. However, due to how western businesses operate, it's almost trivial to successfully attack them. The attack surface is just too large, and most businesses can't afford security measures and restrictions that would truly make them safe.

This is the real conversation we need to be having; why are companies having to go toe-to-toe with nations, without the backing or support of their own government?

The unfortunate answer is quite simple: because we don't trust our own government. And with (some) good reason.

Because contemporary net/tech culture believes in an extremist version of "those who would trade liberty for security deserve neither" philosophy. Inside the tech community, reasonable proposals are shouted down as the first step on the slippery slope to big brother. Outside the tech community, nobody really cares because they don't intuitively understand the need for network security in the way they might understand the need for border or airport security.

U.S. companies do receive significant support from their government, typically in the form of FBI support for the investigation and mitigation of intrusions.

The really sophisticated stuff is on the military side, which is a black box. But who is to say that the NSA or DOD is not actively engaged in trying to analyze or degrade the capabilities of Chinese APTs? It's possible someone in the NSA is reading the Mandiant report right now thinking "not bad, they got almost half of what we know."

The recent Obama executive order should help get more of such info into the hands of companies.

From what I've heard, the US govt has basically decided that the best defense is a good offense. You don't hear of any of their successes because a) the US doesn't want to let it out, and b) the Chinese aren't especially fond of losing face.

One reason that conversation has been hard to have to date is that a bill like this: http://en.wikipedia.org/wiki/Protecting_Cyberspace_as_a_Nati..., gets reported in the press like this: http://en.wikipedia.org/wiki/Internet_kill_switch

Exactly. And CISPA gets marketed as "SOPA warmed over" by activists eager to build their email lists.

Which government?

If you are a software company and you let it be known that you actively cooperate with the NSA and CIA, I doubt you'll be doing much business in China. I doubt France is going to let you in, either.

Outside of a few industries, the business losses from actively cooperating with a national government are going to be much larger than any losses due to hacking.

This assumes that the government is better at it than private industry.

What makes you think companies are not receiving help from the government?


I am not an expert, but from my work experience, I'd guess that about 80% of all of the companies in the world have ineffective defenses and are essentially open to this kind of attack. The people doing this to US companies probably think of themselves as superior and think of us as hapless rubes.

Yeah, when you look at the industry standards that large enterprises use for IT security, is it any wonder?

I am not an IT security expert by any means, but what I've noticed when I look at all of the industry certifications is a focus on taking network engineers and educating them enough to make them able to defend against attackers. What I don't see is any push to take software engineers and educate them about the lower level stuff to defend against hackers. Why is this a problem?

In your typical large enterprise, software people are paid much better than network people. (remember, we're not talking about Google or Rackspace. administering a typical corporate network is relatively simplistic, since the level of variance in software is higher than in network configurations).

I used to work in networking, and quickly got bored and learned software and GTFO of the lame networking world. The networking people I currently know who have obtained the CISSPA security certs have no friggin clue how to code, and frankly just aren't that smart when it comes to this kind of thing. The people I want defending our networks are the folks at DEFCON who are hacking into every other machine in the room just for fun. But if you look at the requirements for getting these industry certs, I don't think these people would even qualify. So you end up getting talented penetration testers and talentless people who have never hacked anything on defense.

One major issue that I find with this report is how they link the addresses to PLA unit 61398.

They essentially find 2 IP addresses that can be traced back to a region of Shanghai with millions of people, and because one particular building that's been known to house Unit 61398 is within this broad geographic area, they make the conclusion that Unit 61398 is involved, which is a key foundation of the report.

Am I missing something?

Possibly. There are quite a lot more addresses than two. From page 40:

Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors logging into their hop infrastructure from 832 different IP addresses with Remote Desktop... Of the 832 IP addresses, 817 (98.2%) were Chinese and belong predominantly to four large net blocks in Shanghai which we will refer to as APT1’s home networks.

Actually their conclusion is not that straightforward:

Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.

Or APT1 is Unit 61398.

I don't have any idea of how much of this can be taken for its face value though, as they don't share much of how they have gathered the information in the report. And granted, Shanghai is a big place.

And the particular neighborhood which the report targets happens to be the place where the main US-China cable hits the China network...


In other words, you'd

1) expect to find a lot of PLA spooks in that location 2) expect to find that any China related hackers have their address there, because that's the last point that they can change their IP address before the packets head over to the US

Doesn't mean that the two groups are connected....

One thing that surprised me looking in this is how most internet traffic goes through a very few links. There are only two major connection points between the US and China and the neighorhood with the IP blocks hosts one of them.

In particular, if you the hackers were physically located in Beijing, I'd bet that the packets would look like they came from that part of Pudong.

From the report:

Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as “APT1” and it is one of more than 20 APT groups with origins in China.

Does anyone know what some of the other "APT groups" are / where they are located? (Original site seems to be down)

Most of them get the fingers pointed at China (PLA or otherwise) or Russian Mafia.

Criminal groups are generally referred to by Mandiant as "CDT" for "Card Data Theft."

The overwhelming majority of APT groups that actively target private corporations, individuals, the media and Mandiant's commercial customers are in China.

Seems like if someone wanted to hack a US company, the best thing to do would be to make the attack look like it originated "somewhere" in China...

Site seems to be down right now. Here's a link to the report from reddit: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Could somebody file suit against the Chinese government? Could they prove a case to the standard required in a civil case?

In which court would that suit be held in, and who would be the judge of any case? If the judging body ruled against China, how would any sort of punishment or punitive damages be enforced?

There seems to be a common myth that the "law" in "international law" is in anywhere near as strong as "domestic law". International law is mostly meaningless and just comprises agreements between countries that could be broken or ignored.

The plaintiff would not be invoking any international law. Individuals working for the Chinese government stole computer secrets from U.S companies, stored in computers on U.S. soil. That's covered by U.S. and state civil and criminal laws. If they prove their case, and a judgement is awarded, China has to pay up. If they don't pay up, then a judge sends a sheriff or a marshal to seize property. Here's a random link about a lawsuit against Iran and Syria http://usnews.nbcnews.com/_news/2012/05/16/11733643-family-w....

'Wultz Attorney Robert Tolchin told msnbc.com that with the court judgment in hand his clients can seek Iranian and Syrian assets to collect the award. Tolchin said he couldn’t be specific, but he would explore “various avenues.” “There is a lot of litigation by people seeking the turnover of Iranian assets,” Tolchin said. “The Iranians have kept U.S. courts busy.”'

At which point China kicks the US company out of China, and said company loses far, far more than any amount that is due to hacking.

Iran and Syria aren't subject to this problem because the amount of business that US companies do in Iran and Syria is trivial.

Possibility: A suit under the Alien Tort Statute: https://en.wikipedia.org/wiki/Alien_Tort_Statute

Legally you can sue the Chinese government in a Chinese court, if you can find a Chinese statute that supports your case.

It is unlikely that you can sue a sovereign in court. You can sue individuals and corporations.

I guess all the security vendors in the US should be sending thank-you notes to China. Also, probably to Oracle/Sun.

one thing that would be cool to see is not just china, but how governments in general engage in hacking attempts for espionage and other purposes.

so data on countries like Russia, US, middle eastern and European countries.

This is pretty cool, they hacked the hacker http://www.youtube.com/watch?v=6p7FqSav6Ho

That the Chinese are doing this, we knew from many corp and military espionage stories.

I wonder about Mandiant. The Chinese will probably target target them with all their might, but then they will get a lot of work in USA. Going public must've been a tough decision.

I should imagine going public wasn't too difficult- it was already known that they were hired by the New York Times to investigate hacking attempts against them.

I suspect, as you state, they'll get a good amount of business out of it. And it's a lot easier for them to stay secure than the average company.

All of what you say is true, but then there was http://en.wikipedia.org/wiki/HBGary Security is probably a relative thing, depending on how much they really want to get you.

I should imagine going public wasn't too difficult- it was already known that they were hired by the New York Times to investigate hacking attempts against them.

Investigate and release a public report are two different things. Looks like they gambled that they could win a lot of new business, given that this Chinese hacking is prevalent and their study makes that point even clearer.

Cool video. Does this really mean Mandiant was recording what was going on on the hacker's machine in China, or is that a "reconstruction of the events"?

Having read the report, it reads as a commercial for Mandiant's services. That's the exact reason for them going public.

Mandiant (and other similar companies) are already under significant fire from foreign hackers. The defense industrial base has pretty significant Advanced Persistent Threat identification, tracking, and mitigating capabilities.

They have a 'security department' within their company, which is a security/analyst company. They have Richard Bejtlich running their network defense and policy.

site is down. it's either the chinese or HN!

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact