The blog post that I wrote earlier in the week "Mandiant Report APT1 Has Some Critical Analytic Flaws" was based upon my history of interacting with some Mandiant folks online and in person as well as my interpretation of the facts as they were presented in the report. Thanks to some feedback that I received from readers as well as a teleconference that I had with three Mandiant executives yesterday, I've learned some new things that color my earlier article.
1. Mandiant has expanded their original definition of APT
Yesterday, I spoke with three Mandiant executives and learned that their meaning of the term has evolved with the times and it no longer represents a Who, but a What; or more precisely, a well-documented multi-staged process that attackers from multiple nation states have adopted. Mandiant has not formally announced this change (although they probably will later this year) so when I wrote my article on their APT1 report, I was referencing their former definition which I know now is no longer in use. While Mandiant often sees Chinese hackers at work stealing trade secrets and intellectual property, they also acknowledge that other countries may be doing the same thing. I'm happy to report this change because it's been a point of contention between myself and some folks at Mandiant ever since 2010. I'm glad that we're closer to being on the same page.
2. Mandiant did some negative analysis before publishing their report
Another thing I learned from that phone meeting was that there was an effort made to look at alternative scenarios that might explain the facts that Mandiant had before them. Mandiant isn't a part of the Intelligence Community (even though they have some ex-IC folks working there) and they don't have the time, resources, or manpower to do the same type of analysis that is performed at Langley. It's also not their mission to do nation state attribution so I want to give them at least some credit for the counter-analysis that they did do, even though the significance of their conclusion demanded a more rigorous methodology in my opinion.
Thanks to input from my readers, I've also learned some additional negatives about the report.
1. Mandiant's reliance on proximity to prove its claim that PLA Unit 61398 is Comment Crew aka APT1 is harmed by simple geographical mistakes such as:
- p.10 of Mandiant's report refers to Hebei as a borough in Shanghai. Hebei is actually a province about 600 miles and 3 provinces away from Shanghai.
- NEC and Intel along with many other high tech companies operate less than 8 miles from PLA Unit 61398 and all would be served by the same fiber optics cable provided by China Unicom.
- There are more free proxy servers in China than anywhere else in the world and some of those proxy servers overlap with the IP blocks identified in the Mandiant report.
- An IP registration for UglyGorilla was described by Mandiant as being "across the river" from Unit 61398. In fact, it was 33 kilometers away.
Directions via Google Maps |
Either this is a bizarre coincidence or someone on the Comment Crew has a wicked sense of humor. As it turns out, Michael Murphy is a real person who lives in Yellow Springs, Ohio and who used to be the director of admissions at Antioch College whose office is located at 795 Livermore St., Yellow Springs, OH - the address that Mandiant assumed was fake.
3. (UPDATED 23 FEB 13) On page 11 of the report, under "Size and Location of Unit 61398's Personnel and Facilities", Mandiant wrote "public sources confirm that in early 2007, Jiangsu Longhai Construction Engineering Group completed work on a new building for Unit 61398 located at Datong Road 208 within the Pudong New Area of Shanghai. At 12 stories in height and offering 130,663 square feet of space, we estimate that this building houses offices for approximately 2,000 people." In reality, it's the Unit's pre-school:
And this isn't all of the errors. It's just a fraction. While each may seem minor, collectively they call into question Mandiant's final conclusion and, at the very least, should serve as a lesson to policy makers not to rush to judgment on matters of attribution. There's plenty of evidence that China engages in cyber espionage without upping the ante by trying to claim the Peoples Liberation Army is involved.
3. (UPDATED 23 FEB 13) On page 11 of the report, under "Size and Location of Unit 61398's Personnel and Facilities", Mandiant wrote "public sources confirm that in early 2007, Jiangsu Longhai Construction Engineering Group completed work on a new building for Unit 61398 located at Datong Road 208 within the Pudong New Area of Shanghai. At 12 stories in height and offering 130,663 square feet of space, we estimate that this building houses offices for approximately 2,000 people." In reality, it's the Unit's pre-school:
English translation via Google Translate |
And this isn't all of the errors. It's just a fraction. While each may seem minor, collectively they call into question Mandiant's final conclusion and, at the very least, should serve as a lesson to policy makers not to rush to judgment on matters of attribution. There's plenty of evidence that China engages in cyber espionage without upping the ante by trying to claim the Peoples Liberation Army is involved.
At the end of the day it's important to remember that Mandiant isn't a U.S. government agency nor are they trained to do intelligence collection and analysis at the same level that it's done at Langley. They're a group of highly skilled professionals who serve their customers as incident responders and have a well-deserved reputation for excellence.
0 komentar:
Posting Komentar