For many months now, independent security researchers and journalists have been openly speculating that the Chinese military is behind a significant percentage of the increasing number of cyberattacks on U.S. corporate and government networks. Now, elite American security firm Mandiant – which Bloomberg Businessweek profiled in one of its recent issues – has publicly released an incriminating report (PDF) which concludes that the hacking group the company has been watchdogging and doing battle with is in fact a unit of the Chinese military.
Businessweek’s profile of Mandiant described the company as held in very high regard by the federal government and major U.S. corporations when it comes to analyzing and responding to sophisticated cyberattacks. (That explains why thirty percent of the Fortune 100 are Mandiant clients).
Mandiant’s success partly stems from what its customers perceive as a strong relationship with the U.S. government. The firm is retained by major banks and on Wall Street because it has credibility with federal regulators. When the New York Police Department’s counterterrorism unit was breached by Chinese cyberspies, the FBI told the department to call Mandiant, according to a person familiar with the incident. Mandiant executives say they have earned this trust, though the relationship likely has roots in the personal connections that Mandia and other company executives have forged with government investigators over the years. “It’s a reputational thing,” says Mischel Kwon, former head of U.S. Computer Emergency Readiness Team, a government cybersecurity agency. “They play well with law enforcement.”
Mandiant’s relationship with other security firms, however, hasn’t been as cordial.
Mandiant’s critics charge that the company does not share intelligence with others in the tightknit and collaborative cybersecurity community. While many security companies keep some of their best findings to themselves, Mandiant is known to share less than most, and its engineers rarely participate in industry working groups. But critics and competitors also tend to acknowledge that Mandiant is good at what it does. “Over the last two years they’ve experienced some growing pains, but they’re definitely the 800-pound gorilla of incident response,” says Rocky DeStefano, founder and CEO of the security firm VisibleRisk.
It would seem with the release of today’s report that the company is making a serious effort to share intelligence… and not just with other firms in the cybersecurity business. The company has made its report on the Chinese hacking group APT1 available for public consumption. For those at least somewhat well-versed in the language of technology, it is fascinating reading.
The report’s executive summary explains that Mandiant has been monitoring and investigating cyberattacks for more than eight years, and has become acquainted with the techniques and the targets of the espionage group known as “APT1” or the Comment Crew. Mandiant has long suspected that the Chinese government was aware of or involved in the group’s activities, but has refrained from making public allegations to that effect, even as speculation mounted.
Now, however, the company is putting some of its cards on the table, so to speak.
Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.
And that includes naming names!
Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.
Specifically, Mandiant is providing the following:
- Digital delivery of over 3,000 APT1 indicators, such as domain names, IP addresses, and MD5 hashes of malware.
- Sample Indicators of Compromise (IOCs) and detailed descriptions of over 40 families of malware in APT1’s arsenal of digital weapons
- Thirteen (13) X.509 encryption certificates used by APT1
- A compilation of videos showing actual attacker sessions and their intrusion activities
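The practical value of an indicator release like this is that a defender can sweep existing telemetry (proxy, DNS and anti-virus logs) for the listed domains, IP addresses and MD5 hashes. The following is an added example, not code from the post or from Mandiant, and the indicator feed and log lines in it are constructed placeholders, not the real APT1 indicators:

```python
import re
from typing import Dict, List, Tuple

# Constructed indicator feed in the same three categories the report lists
# (domain, IP, MD5). These values are placeholders, NOT real APT1 indicators.
IOC_FEED = """\
# type,value
domain,update-cdn.example-bad.test
domain,mail.news-portal.example-bad.test
ip,198.51.100.23
ip,203.0.113.77
md5,0123456789abcdef0123456789abcdef
md5,ffffffffffffffffffffffffffffffff
"""

# Constructed sample telemetry (proxy, DNS, AV), not real logs.
SAMPLE_LOGS = [
    "2013-02-19T08:01:12 proxy host=ws-101 dst=203.0.113.77:443 url=https://update-cdn.example-bad.test/u.php",
    "2013-02-19T08:02:40 dns host=ws-102 query=www.example.com answer=93.184.216.34",
    "2013-02-19T08:03:05 dns host=ws-103 query=mail.news-portal.example-bad.test answer=198.51.100.23",
    "2013-02-19T08:04:50 av host=ws-104 file=C:\\Users\\a\\Downloads\\report.exe md5=0123456789ABCDEF0123456789abcdef",
    "2013-02-19T08:05:00 proxy host=ws-105 dst=192.0.2.10:80 url=http://intranet.example.com/",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def load_iocs(feed: str) -> Dict[str, set]:
    """Parse a 'type,value' feed into lower-cased sets per indicator type."""
    iocs: Dict[str, set] = {"domain": set(), "ip": set(), "md5": set()}
    for line in feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        iocs[kind.strip()].add(value.strip().lower())
    return iocs


def match_line(line: str, iocs: Dict[str, set]) -> List[Tuple[str, str]]:
    """Return every (type, value) indicator that appears in one log line.
    Hashes and domains are compared case-insensitively."""
    hits: List[Tuple[str, str]] = []
    for ip in IP_RE.findall(line):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for digest in MD5_RE.findall(line):
        if digest.lower() in iocs["md5"]:
            hits.append(("md5", digest.lower()))
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in iocs["domain"]:
            hits.append(("domain", dom.lower()))
    return hits


def scan_logs(lines: List[str], iocs: Dict[str, set]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return only the log lines that matched, paired with their indicator hits."""
    results = []
    for line in lines:
        hits = match_line(line, iocs)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS, load_iocs(IOC_FEED)):
        print(hits, "<-", line)
```

Matching on exact values is deliberately simple; in practice an analyst would also want the sighting date of each indicator, since infrastructure in a published feed is usually abandoned or rotated soon after release.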
Mandiant says it is not releasing this information lightly.
“The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one,” the company says in the final section of its executive summary, adding at the end: “We are acutely aware of the risk this report poses for us. We expect reprisals from China as well as an onslaught of criticism.”
And there will no doubt be reprisals, considering that Mandiant’s report will embarrass and anger Beijing. But the firm wants people to know, in no uncertain terms, where the threat is coming from. This is cyber warfare.
The Chinese government will almost certainly respond by dismissing the report and the allegations as baseless, or groundless, or something to that effect. But who is going to believe that? To quote from the conclusion of Mandiant’s report:
Combining our direct observations with carefully researched and correlated findings; we believe the facts dictate only two possibilities.
A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.
APT1 is Unit 61398.
The Chinese government can protest its innocence all it wants. At this point, their credibility is shot. There’s a mountain of evidence tying the Chinese military to cyberattacks on U.S. firms, and Mandiant has just published some of it. What’s more, other security experts agree with Mandiant’s findings. Reuters reports:
Some experts said they doubted Chinese government denials.
“The PLA plays a key role in China’s multi-faceted security strategy, so it makes sense that its resources would be used to facilitate economic cyber espionage that helps the Chinese economy,” said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike, one of Mandiant’s competitors.
One of APT1’s favorite techniques for breaching the security of U.S. corporate networks is to send emails with spoofed authors to people inside the companies they are trying to infiltrate. The emails look like they come from a colleague or even a superior and contain links or attachments that, when clicked or downloaded, allow APT1’s members to remotely install malware on computers behind corporate or government firewalls.
And once a victim has taken the bait, they can go to work, figuratively roaming the halls of their target’s virtual operations and looking for valuable data to steal. Hundreds of terabytes’ worth of files have been stolen by the group, Mandiant says.
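The spoofed-author lure described above leaves traces in the message headers that a mail gateway can check before the recipient ever sees it: a display name that matches a real colleague but an address that does not, a lookalike domain, a Return-Path or Reply-To that points somewhere else, and an attachment or link to an outside host. The following is an added example, not code from the post or from Mandiant; the organisation domain, internal directory and both sample messages are constructed assumptions:

```python
import email
import re
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"  # assumed: the defended organisation's own domain
# Assumed internal directory (constructed): normalised display name -> real address
DIRECTORY: Dict[str, str] = {"jane doe": "jane.doe@example-corp.com"}
RISKY_EXT = (".exe", ".scr", ".zip", ".rar", ".js", ".vbs")
URL_RE = re.compile(r'https?://[^\s<>"]+')

# Constructed lure (NOT a real APT1 message): the display name claims to be a
# colleague, while every other sender detail points at an outside domain.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer.example-bad.test>
From: "Jane Doe (CFO)" <jane.doe@example-corp.com.example-bad.test>
Reply-To: jane.doe.cfo@webmail.example-bad.test
To: bob@example-corp.com
Subject: Q4 financials - please review attachment
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Bob, see attached and follow http://example-corp.com.example-bad.test/login

--XYZ
Content-Type: application/zip; name="Q4_financials.zip"
Content-Disposition: attachment; filename="Q4_financials.zip"

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed legitimate internal message for comparison.
CLEAN_EMAIL = """\
Return-Path: <jane.doe@example-corp.com>
From: "Jane Doe" <jane.doe@example-corp.com>
To: bob@example-corp.com
Subject: lunch
Content-Type: text/plain

See https://intranet.example-corp.com/menu
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm_name(name: str) -> str:
    name = re.sub(r"\(.*?\)", "", name)  # drop "(CFO)"-style role tags
    return " ".join(name.lower().split())


def _is_org(host: str) -> bool:
    host = host.lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def analyse_message(raw: str) -> List[str]:
    """Return a list of findings describing why the message looks like a
    spoofed-sender lure; an empty list means no check fired."""
    msg = email.message_from_string(raw)
    findings: List[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # Outside domain that embeds our own name, e.g. example-corp.com.<attacker>
    if not _is_org(from_dom) and ORG_DOMAIN in from_dom:
        findings.append("lookalike-domain: %s" % from_dom)
    # Display name belongs to a known employee but the address is not theirs
    known = DIRECTORY.get(_norm_name(name))
    if known and known.lower() != addr.lower():
        findings.append("display-name-impersonation: %r -> %s" % (name, addr))
    _, rp = parseaddr(msg.get("Return-Path", ""))
    if rp and _domain(rp) != from_dom:
        findings.append("return-path-mismatch: %s" % _domain(rp))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append("reply-to-mismatch: %s" % _domain(reply))
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            fn = (part.get_filename() or "").lower()
            if fn.endswith(RISKY_EXT):
                findings.append("risky-attachment: %s" % fn)
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL_RE.findall(text):
                host = urlparse(url).hostname or ""
                if not _is_org(host):
                    findings.append("external-link: %s" % host)
    return findings


if __name__ == "__main__":
    print(analyse_message(SAMPLE_EMAIL))
    print(analyse_message(CLEAN_EMAIL))
```

None of these checks is conclusive on its own (legitimate mailing lists produce Return-Path mismatches all the time), which is why the function reports every finding rather than a single verdict; the gateway policy decides how many have to fire before a message is quarantined.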
No doubt some of the trade secrets and proprietary information taken has found its way into the hands of state-owned firms that compete with U.S. firms.
Mandiant’s findings show that the federal government and major corporations’ increasing reliance on the Internet has a major downside. Data is easily copied when it is on a network, even networks that are supposed to be impenetrable. Company after company and agency after agency has discovered alarming security breaches over the last few years and scrambled to respond.
Figuring out the extent of the damage and tracking down who’s responsible is difficult… which is why Mandiant’s business is booming.
If everyone followed this approach, the Internet would be a safer place. But browsers are not hardened by default. And for every person who uses NoScript and RequestPolicy like I do, there are hundreds who do not.
The government and major corporations also tend to make heavy use of Microsoft Windows, which is extremely difficult to secure because it wasn’t made to be secure. That’s partly why there have been so many successful attacks.
Of course, no operating system or technology is entirely hackproof, but choosing BlackBerry over Android or GNU/Linux over Windows can make following best practices easier. (BlackBerry smartphones support whole device encryption out of the box and are easy to secure, which is a major reason why we like the platform).
The White House told The New York Times it is aware of Mandiant’s report, and sources tell the paper the Obama administration plans to take a tough line with China on the matter in the weeks ahead. Let’s hope they do. It’s time to let China know there will be serious consequences if they continue to wage cyberwarfare against the U.S., their biggest trading partner.