For many months now, independent security researchers and journalists have been openly speculating that the Chinese military is behind a significant percentage of the increasing number of cyberattacks on U.S. corporate and government networks. Now, elite American security firm Mandiant — which Bloomberg Businessweek profiled in one of its recent issues — has publicly released an incriminating report (PDF) which concludes that the hacking group the company has been watchdogging and doing battle with is in fact a unit of the Chinese military.

Businessweek's profile of Mandiant described the company as held in very high regard by the federal government and major U.S. corporations when it comes to analyzing and responding to sophisticated cyberattacks. (That explains why thirty percent of the Fortune 100 are Mandiant clients.)

As reporters Brad Stone and Michael Riley explained:

Mandiant's success partly stems from what its customers perceive as a strong relationship with the U.S. government. The firm is retained by major banks and on Wall Street because it has credibility with federal regulators. When the New York Police Department's counterterrorism unit was breached by Chinese cyberspies, the FBI told the department to call Mandiant, according to a person familiar with the incident.
Mandiant executives say they have earned this trust, though the relationship likely has roots in the personal connections that Mandia and other company executives have forged with government investigators over the years. "It's a reputational thing," says Mischel Kwon, former head of U.S. Computer Emergency Readiness Team, a government cybersecurity agency. "They play well with law enforcement."

Mandiant's relationship with other security firms, however, hasn't been as cordial.

Mandiant's critics charge that the company does not share intelligence with others in the tightknit and collaborative cybersecurity community. While many security companies keep some of their best findings to themselves, Mandiant is known to share less than most, and its engineers rarely participate in industry working groups. But critics and competitors also tend to acknowledge that Mandiant is good at what it does. "Over the last two years they've experienced some growing pains, but they're definitely the 800-pound gorilla of incident response," says Rocky DeStefano, founder and CEO of the security firm VisibleRisk.

It would seem with the release of today's report that the company is making a serious effort to share intelligence… and not just with other firms in the cybersecurity business. The company has made its report on the Chinese hacking group APT1 available for public consumption. For those at least somewhat well-versed in the language of technology, it is fascinating reading.

The report's executive summary explains that Mandiant has been monitoring and investigating cyberattacks for more than eight years, and has become acquainted with the techniques and the targets of the espionage group known as "APT1" or the Comment Crew. Mandiant has long suspected that the Chinese government was aware of or involved in the group's activities, but has refrained from making public allegations to that effect, even as speculation mounted.

Now, however, the company is putting some of its cards on the table, so to speak.

Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.

And that includes naming names!

Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.

Specifically, Mandiant is providing the following:

  • Digital delivery of over 3,000 APT1 indicators, such as domain names, IP addresses, and MD5 hashes of malware.
  • Sample Indicators of Compromise (IOCs) and detailed descriptions of over 40 families of malware in APT1's arsenal of digital weapons.
  • Thirteen (13) X.509 encryption certificates used by APT1.
  • A compilation of videos showing actual attacker sessions and their intrusion activities.

Mandiant says it is not releasing this information lightly.

"The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one," the company says in the final section of its executive summary, adding at the end: "We are acutely aware of the risk this report poses for us. We expect reprisals from China as well as an onslaught of criticism."

And there will no doubt be reprisals, considering that Mandiant's report will embarrass and anger Beijing. But the firm wants people to know, in no uncertain terms, where the threat is coming from. This is cyber warfare.

The Chinese government will almost certainly respond by dismissing the report and the allegations as baseless, or groundless, or something to that effect. But who is going to believe that? To quote from the conclusion of Mandiant's report:

Combining our direct observations with carefully researched and correlated findings; we believe the facts dictate only two possibilities:

A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398's gates, performing tasks similar to Unit 61398's known mission.

APT1 is Unit 61398.

The Chinese government can protest its innocence all it wants. At this point, its credibility is shot. There's a mountain of evidence tying the Chinese military to cyberattacks on U.S. firms, and Mandiant has just published some of it. What's more, other security experts agree with Mandiant's findings. Reuters reports:

Some experts said they doubted Chinese government denials.

"The PLA plays a key role in China's multi-faceted security strategy, so it makes sense that its resources would be used to facilitate economic cyber espionage that helps the Chinese economy," said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike, one of Mandiant's competitors.

One of APT1's favorite techniques for breaching the security of U.S. corporate networks is to send emails with spoofed authors to people inside the companies they are trying to infiltrate. The emails look like they come from a colleague or even a superior and contain links or attachments that, when clicked or downloaded, allow APT1's members to remotely install malware on computers behind corporate or government firewalls.

And once a victim has taken the bait, the attackers can go to work, figuratively roaming the halls of their target's virtual operations and looking for valuable data to steal. Hundreds of terabytes worth of files have been stolen by the group, Mandiant says.

No doubt some of the trade secrets and proprietary information taken has found its way into the hands of state-owned firms that compete with U.S. firms.

Mandiant's findings show that the federal government's and major corporations' increasing reliance on the Internet has a major downside. Data is easily copied when it is on a network, even a network that is supposed to be impenetrable. Company after company and agency after agency has discovered alarming security breaches over the last few years and scrambled to respond.

Figuring out the extent of the damage and tracking down who's responsible is difficult… which is why Mandiant's business is booming.

For years, I have personally thought of the Internet as analogous to a big city, with red light districts and a seedy underworld. It's easy to stumble into a bad neighborhood. That's why I like to browse with armor. I have JavaScript, cookies, plugins, and cross-domain requests disabled by default.

That means I'm far better protected against malware, viruses, and other threats than most people. The downside, of course, is that a lot of websites appear broken when I first visit. But I've gotten used to that. I can whitelist sites that I trust, and it's kind of fun to see which websites are so horribly designed that they are totally unusable without JavaScript. The Web is much faster, and I don't see ads.

If everyone followed this approach, the Internet would be a safer place. But browsers are not hardened by default. And for every person who uses NoScript and RequestPolicy like I do, there are hundreds who do not.

The government and major corporations also tend to make heavy use of Microsoft Windows, which is extremely difficult to secure because it wasn't made to be secure. That's partly why there have been so many successful attacks.

Of course, no operating system or technology is entirely hackproof, but choosing BlackBerry over Android or GNU/Linux over Windows can make following best practices easier. (BlackBerry smartphones support whole device encryption out of the box and are easy to secure, which is a major reason why we like the platform.)

The White House told The New York Times it is aware of Mandiant's report, and sources tell the paper the Obama administration plans to take a tough line with China on the matter in the weeks ahead. Let's hope they do. It's time to let China know there will be serious consequences if they continue to wage cyberwarfare against US — their biggest trading partner.

About the author

Andrew Villeneuve is the founder and executive director of the Northwest Progressive Institute, as well as the founder of NPI's sibling, the Northwest Progressive Foundation. He has worked to advance progressive causes for over two decades as a strategist, speaker, author, and organizer. Andrew is also a cybersecurity expert, a veteran facilitator, a delegate to the Washington State Democratic Central Committee, and a member of the Climate Reality Leadership Corps.