APT1: The Good, The Bad, and The Ugly

Thursday, February 21, 2013



My Problem With The Drop Timing and Method:

Mandiant published a document with appendices this week that ostensibly described the inner workings of an APT (Advanced Persistent Threat) operations group out of China. Now this document came as a huge surprise to many in my circle because much of what was published relates directly to ongoing investigations as well as has been the stuff of Secret Squirrel cabal's for some time. This information at this level of clarity (albeit speculative in many respects) has not often been shared outside the secret circles of DoD/DIB/DC3 and a mess of other acronyms to date. So trust me when I say that this came as a big surprise to many AND that it was not a welcome one.

Which brings me to the main contention I have with Mandiant's actions here. I personally believe that this was done primarily as a means of advertising and not much else. There is talk of the release being given the tacit nod by the government to push through the idea that there is a problem and that China is robbing us blind. *Hi Mike Rogers!* I too can see how this would be advantageous to POTUS and the like because it will light the fires under many in the public sector as well as gov and MIL all the while making the general public feel the fear about a Chinese preeminence in the world of "cyber" In essence, this report is a win for a few players and a loss for others and unfortunately some of those on the losing end are in fact US corporations working cases and trying to cope with advanced persistent threats.

That the drop was done right before RSA (which Mandiant will be at) and just after DELL made a splash by outing a Chinese cyberspy is not irrelevant to anyone with a frontal lobe here. Nor does the fact that now Mandiant has made an even bigger name for itself by publishing all of this, speculative as it may be at certain points, as the go to outfit for all your APT needs. It is this idea that I have the most issue with regarding this report. Nor can I really say that the information therein is going to help that many people frankly and I shall reason that out below. What I am left with is the knowledge that much of what they published is valid.

  • China has a mandate to use electronic warfare for espionage and that you can already see in their doctrinal documents
  • China has been in fact targeting not only DoD but also corporations widely to steal IP
  • The PLA is the main means for China's operational mandate being carried out via the MSS
  • The precepts of APT activities (Operational) is well known and once again laid out in this report
  • The appendices are filled with actual data including links to video of the attacks as they were happening

Once again much of the data is inferential and can be always called into question in a court of law. However the amount of the data and the interconnections that are made from it is enough to make the argument that it is in fact China doing this and that it is more than likely it is 61389 aka Comment Crew (APT-1) in these cases. My real questions come from what motives Mandiant had to do this an whether or not this was a cowboy action on their part. If not then was the government at high levels giving the wink and the nod to this release as a means to a political end? Unfortunately, I do indeed think that this was the case. That the Obama administration probably gave tacit approval because it would make their agenda on response to China more solid as well as get those politically reticent to react to change their minds.

The Data:

Some have made bones about everything in this report including the data (Jeff Carr for example) but I can find not too much to be unhappy with in the harder data. The inferences that some others may have issues with more than likely do not understand analysis product for intelligence agencies. In the case of this report they are connecting the dots a lot with data taken from OSINT as well as hard data from hashes on malware sets. In this world there is no real irrefutable evidence and as such you have to go upon the weight of the evidence instead of the cut and dry of it. Personally I deal in this kind of data all the time and all you can do is give your best estimate and let the people in charge make the heavy decisions with what you provide to them.

In the case of the appendices here the data is pretty solid and show's the huge scope of the operations involved. Of course they may in fact be wrong on those they outed (UglyGorilla, DOTA etc.) but the inferential cases are pretty strong that they are in fact some of the players here. For the record though much of this data being released for the first time hurts some while helping others. Just how much hurt there will be on the Chinese side of things though is still up in the air for me but on our side of the fence I can already see where damage may have been done.

Operational Details Benefits & Fallout (US)

This then brings me to the operational details fallout. For us in the US who are trying to defend against this type of attack we can generally benefit. Of course there are down sides to this release and I want to point those out as well. First off though the benefits:

  • This forces APT-1 to re-tool some of their methods
  • This in turn gives some of us some slack time because they may not use their current methods as they have been blown
  • By opening the datasets to the public others (think non US) players can now play the APT home game
  • AV vendors in general will have a boon with hashes and samples to update their systems with
  • The aforementioned policy boost as the public see's the data/report and begins to get serious about it

Then there is the fallout from such a report:

  • The adversary will change their modus operandi that we had been following and had some means to fight
  • Current investigations may be compromised as this stops the adversary currently in your networks and they might pivot
  • This re-sets us all back to square one in many ways in detection and interdiction of APT activities
  • Those already operating successfully within our networks will become even more cautious and go dark

So there is good and bad here and you have to weigh it out. I am guessing that Mandiant did the same mental calculations and decided to go ahead anyway. They say as much in the document that they fully expect reprisals as well as negative feedback from the community anyway. So it was a calculated risk and we will all just have to wait and see as to whether or not it was a good thing overall for anyone other than Mandiant's sales.

Operational Details Fallout (China)

China on the other hand is likely feeling the burn pretty well from this report. Well, at least operationally that is. What I mean here is this; "China is like the honeybadger. He don't give a frak" You see thus far all of this, all of what Mandiant has put out has been the known secret. China has been doing this a long time now and pretty much with impunity. We can say they are doing it and we can even prove they are (up to a point because of attribution issues) and all they will ever do is respond with "China has laws and we do not break them" This has been their go to statement, well that and intoning that they are very very hurt by our statements every time we have accused them of cyber espionage.

The reality though is that MSS will just have to change their operational methods not that they will stop doing what they are doing. Nor is it highly likely that those named in the document will have to go 'underground' because they appeared therein. Remember this is the internet and pseudonyms are plentiful. I personally think that this will not effect the MSS/PLA programs all that much other than force them to be a bit more nimble and stealthy. Which by the way will make all our lives even more difficult in the end. After all it is better to know your enemy and know their tactics right? I guess we will just have to see how fast they pivot after this report to see if they can pick up where they left off quickly. For the record though, I really don't see this effecting China all that much. They will continue on in their efforts to be a world super power as well as economic power as they have since Mao told them to.

Final Good, The Bad, and The Ugly:

Well much gnashing of teeth has gone on in the community mine included. In the final analysis though I still feel that this was a win win only for Mandiant and the government. The DIB partners as well as DC3, OSI, NCIS, etc all lose to some extent as they will have to start all over again at some point most likely. Ongoing investigations may have been compromised by some of the data but overall I think that this really is more hype than anything else. The mass media will latch on to this report like a pitbull on flank steak and shake it for all its worth. They won't get all the subtle details out of it and they will report it to the masses who then will only cogitate one quarter of what is being given them.

In other quarters the vendors out there in the security world will be salivating while holding this report up and saying "YOU COULD BE NEXT! IN FACT YOU ARE ALREADY COMPROMISED!!! BUY OUR BLINKY LIGHT PRODUCT TO SEE!" I thought I had it bad before with vendor APT bingo.. God help us all now.. We are doomed. The fact is that out of all of the US only 115 businesses were attacked and audited by Mandiant. Think about that for a moment. We are not all targets of nation state sponsored attacks no matter what the intonation is on this report. They select their targets very well and with reasons so please don't let the vendors out there get you scared.

Overall it's just a matter of letting time pass to see what the ultimate fallout from this report really will be. I am pretty sure though that the most of it will be in the form of douchery and hype. Thanks Mandiant! You really know how to make a hype-y situation all the more hype-y don't you. I wonder how long til they have ad's all over the national stations and cable...


Cross Posted from Krypt3ia

Possibly Related Articles:
Firewalls IDS/IDP Network Access Control Network->General SCADA
China Hacking APT1 Mandiant
Post Rating I Like this!
Gregory MacPherson You are missing the forest for the trees IMHO. Perhaps Kevin et al can be suspected of the profit motive, although given their calendar I wonder whether they need more business. More importantly, the report's message has gone unheeded for OVER TEN YEARS (and I have the ph1lz to prove it). While FEDGOV (and others) fiddled, China poached DECADES of R&D competative advantage out from under our noses. Worse, they did it despite antivirus, firewalls, IDS/IPS etc. to the tune of MILLIONS OF DOLLARS. And that's not to mention the money spent on so-called 'security engineers' to install, configure, and (supposedly) watch for exactly this sort of thing.

No, the real clarion call of the Mandiant report is that the sky already HAS fallen, and it is high time industry and FEDGOV got off their collective tails and figured out how to (a) protect competitive advantage against competent adversaries, and (b) impose a cost on businesses and agencies that fail to accomplish (a).

Another possible take-away from the Mandiant report is that certifications, compliance, and the rest of the security theater infusing the industry has failed. Meanwhile, a Communist country now has more advanced aerospace and naval capabilities, more advanced chemical processing, not to mention a space program - thanks in no small part to the blood, sweat, and collective research and development of the West.

In all fairness, the Chinese are not the only thieves out there, but apparently they are the most prolific of the bunch. All the more reason for businesses and governments to stop chasing ephemeral solutions and engage in some REAL security - while there's still something left to secure.

Krypt3ia @Gregory Aye, but here's the rub: What is Mandiant really offering other than MIR and redline? Is this just another "one tol to rule them all" or are they also advocating behavioral changes to make it harder for the spearphiser to get their goal?

The forest for the trees sir is that the behavior in tandem with some good tech will win the day and all too often the clarion call is "buy this"
Gregory MacPherson Having now spent some significant time with Kevin, Grady Summers, and other Mandiant people, I can unequivocally say ... maybe. Maybe Mandiant is pimping themselves (and hey, it's capitalism so what're ya gonna do?) but then again just maybe they are trying to advance the discussion and help the oligarchs to focus some attention (and resources) on protecting their competitive advantage against competent adversaries?

At least they are giving the *appearance* of trying to improve the situation (which is more than I can say for this self-serving rant).

And I apologize, but I do not understand your last point - "the behavior in tandem with some good tech..." - isn't that EXACTLY what was deployed in all of those companies that were hacked by the PRC? How the heck does that "win the day" when the competitive advantage of the entire Western world is compromised without anyone being the wiser?

Security is about protecting things. Well, exactly what are you protecting by bashing the Mandiant report? Ignorance? The Chinese hackers? Ostriches?

You know the best part? You don't like Mandiant, buy someone else's stuff. Better yet, go write your own. But poo-pooing the problem (and the report that illuminates the problem) is just plain head-in-the-sand dumb.

Sorry – whale biologist (for the Futurama fans out there)


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked