
Friday, 22 February 2013

More on Mandiant's APT1 Report: Guilt by Proximity and Wright Patterson AFB

The blog post that I wrote earlier in the week "Mandiant Report APT1 Has Some Critical Analytic Flaws" was based upon my history of interacting with some Mandiant folks online and in person as well as my interpretation of the facts as they were presented in the report. Thanks to some feedback that I received from readers as well as a teleconference that I had with three Mandiant executives yesterday, I've learned some new things that color my earlier article.

1. Mandiant has expanded their original definition of APT

Yesterday, I spoke with three Mandiant executives and learned that their meaning of the term has evolved with the times and it no longer represents a Who, but a What; or more precisely, a well-documented multi-staged process that attackers from multiple nation states have adopted. Mandiant has not formally announced this change (although they probably will later this year) so when I wrote my article on their APT1 report, I was referencing their former definition which I know now is no longer in use. While Mandiant often sees Chinese hackers at work stealing trade secrets and intellectual property, they also acknowledge that other countries may be doing the same thing. I'm happy to report this change because it's been a point of contention between myself and some folks at Mandiant ever since 2010. I'm glad that we're closer to being on the same page.

2. Mandiant did some negative analysis before publishing their report

Another thing I learned from that phone meeting was that an effort was made to look at alternative scenarios that might explain the facts Mandiant had before them. Mandiant isn't part of the Intelligence Community (even though some ex-IC folks work there), and it doesn't have the time, resources, or manpower to do the same type of analysis that is performed at Langley. Nation-state attribution is also not its mission, so I want to give Mandiant at least some credit for the counter-analysis it did do, even though, in my opinion, the significance of its conclusion demanded a more rigorous methodology.

Thanks to input from my readers, I've also learned some additional negatives about the report.

1. Mandiant's reliance on proximity to prove its claim that PLA Unit 61398 is Comment Crew aka APT1 is harmed by simple geographical mistakes such as:
  • p.10 of Mandiant's report refers to Hebei as a borough in Shanghai. Hebei is actually a province about 600 miles and 3 provinces away from Shanghai.
  • NEC and Intel along with many other high tech companies operate less than 8 miles from PLA Unit 61398 and all would be served by the same fiber optics cable provided by China Unicom.
  • There are more free proxy servers in China than anywhere else in the world and some of those proxy servers overlap with the IP blocks identified in the Mandiant report.
  • An IP registration for UglyGorilla was described by Mandiant as being "across the river" from Unit 61398. In fact, it was 33 kilometers away.
2. Speaking of guilt by proximity, one of the "obviously false" IP address registrations according to Mandiant was for an address in Yellow Spring, Ohio. It should have been spelled "Yellow Springs". However, a cursory check shows that the address is real except for that one missing "s". Even more interesting is that it is located 13 miles from Wright-Patterson Air Force Base which is the Air Force's "boot camp for cyber warriors".

Directions via Google Maps
Either this is a bizarre coincidence or someone on the Comment Crew has a wicked sense of humor. As it turns out, Michael Murphy is a real person who lives in Yellow Springs, Ohio and who used to be the director of admissions at Antioch College whose office is located at 795 Livermore St., Yellow Springs, OH - the address that Mandiant assumed was fake.

3. (UPDATED 23 FEB 13) On page 11 of the report, under "Size and Location of Unit 61398's Personnel and Facilities", Mandiant wrote "public sources confirm that in early 2007, Jiangsu Longhai Construction Engineering Group completed work on a new building for Unit 61398 located at Datong Road 208 within the Pudong New Area of Shanghai. At 12 stories in height and offering 130,663 square feet of space, we estimate that this building houses offices for approximately 2,000 people." In reality, it's the Unit's pre-school:

English translation via Google Translate

And this isn't all of the errors. It's just a fraction. While each may seem minor, collectively they call into question Mandiant's final conclusion and, at the very least, should serve as a lesson to policy makers not to rush to judgment on matters of attribution. There's plenty of evidence that China engages in cyber espionage without upping the ante by trying to claim the People's Liberation Army is involved.

At the end of the day it's important to remember that Mandiant isn't a U.S. government agency nor are they trained to do intelligence collection and analysis at the same level that it's done at Langley. They're a group of highly skilled professionals who serve their customers as incident responders and have a well-deserved reputation for excellence. 

Monday, 17 September 2012

Where's the "Strike" in CrowdStrike?

I've had mixed feelings about CrowdStrike from the moment that it launched in stealth status last February. On the one hand, I'm a big fan of how Shawn Henry (President of CrowdStrike Services) helped move the FBI from a terribly incompetent position vis-à-vis cyber investigations (circa 2005-06) to one of the world's premier cyber investigative bodies in just a few short years. On the other hand, I detest McAfee and I've openly ridiculed their so-called "reports" on more than one occasion. As an Israeli friend of mine put it, anti-virus companies aren't security companies. And I might add, they aren't intelligence organizations either. The one thing that McAfee does have is rich executives, including CrowdStrike co-founders Gregg Marston, Dmitri Alperovitch, and George Kurtz, who arranged CrowdStrike's $26 million Series A funding from Warburg Pincus, where Kurtz was an Executive-in-Residence after McAfee was acquired by Intel for $7.86 billion in cash.

A LinkedIn search shows that the company has been attracting/recruiting lots of talent, but so far they haven't announced much in the way of a product line. They did launch an open source reverse-engineering portal called CrowdRE, which lets anyone play with a highly regarded disassembler called IDA Pro on a cloud-based server. The benefit to CrowdStrike is that in exchange for providing the portal, it can quickly grow a database of reverse-engineered malware that it can utilize on behalf of its paying customers.

The question that I and others have been asking since last February's launch has to do with the "offensive" hook that CrowdStrike advertises via its tag line "You don't have a malware problem. You have an adversary problem"(tm). The company website claims to offer "Enterprise Adversary Assessment" where "we identify the adversary and find out what they're after." And how do they do that? Back to the website: "Through hunting operations, including host-based detection, threat-specific network analysis, and victim threat profiling".

In case you have any doubt as to who the adversary is, their cool t-shirt makes it pretty clear:


Gee, what a surprise. CrowdStrike has determined that the adversary is China. And that's a continuation of the piss-poor intelligence that Dmitri Alperovitch published while at McAfee: Operation Shady RAT (China), Operation Aurora (China) and Operation Night Dragon (China). There are over 30 nation states developing computer network attack, defense, and exploitation capabilities and at least a dozen that are highly proficient and actively conducting cyber espionage, yet somehow McAfee's "intelligence analysts" only see China. Not Israel, Russia, Taiwan, France, Germany, or South Korea - just the PRC. In a video interview, CrowdStrike's Director of Intelligence Adam Meyers talks about identifying adversaries via toolmarks and the usual TTPs that every so-called cyber intelligence firm narrowly focuses its attention on, but that's not analysis (see Michael Tanji's recent article on the subject, "Malware Analysis: The Danger of Connecting The Dots"). In the intelligence community, that's a cognitive trap known as target fixation. If after looking at all of the technical parameters, the only nation state that you see is China, you need to find another job because you suck as an intelligence analyst.

Getting back to CrowdStrike's "offensive" marketing theme, in Shawn Henry's keynote at BlackHat last summer, he made it clear that CrowdStrike wasn't advocating hacking back; that such activities were still illegal. CrowdStrike's latest high profile FBI hire Steven Chabinsky has also made it clear that the laws currently don't support even something as mild as a company encrypting its own data found on a foreign server. So what's the point in promoting a "take the fight to the adversary" approach when it's impossible to do in the current legal climate?

The bottom line is that, in my opinion, CrowdStrike cannot currently deliver anything unique in the infosec space that Mandiant and other companies aren't already doing unless it significantly improves its sources and methods regarding identifying adversary state and non-state actors and pushes the envelope on active defense. It's not enough to have a cool t-shirt that says "Change the Game". They literally have to do it.