
Sunday, 3 March 2013

Who Are The Players in China's Targeting of Foreign Technology IP?

Mandiant's APT1 report claimed that the PLA's Third Directorate (3PLA) is the State organization responsible for Comment Crew (aka APT1). What the report's authors didn't do was show how the other State agencies that engage in this type of activity were ruled out in their analysis. For future reference, here's a more complete list of the organizations that conduct intelligence activities (including cyber) and that should be considered or ruled out when attempting Chinese attribution.

Traditional Channels

Civilian
  • Ministry of State Security (MSS): counterespionage and counterintelligence; foreign intelligence; domestic intelligence
  • Ministry of Public Security (MPS): national police; domestic intelligence
Military
  • Second Department of the People's Liberation Army (PLA) General Staff Department (2PLA): foreign intelligence, imagery intelligence, and tactical reconnaissance
  • Third Department of the PLA General Staff Department (3PLA): signals intelligence
  • Fourth Department of the PLA General Staff Department (4PLA): computer network operations
  • Liaison Office of the PLA General Political Department
  • Intelligence departments of the PLA Navy, PLA Air Force, and Second Artillery
  • State Secrecy Bureau

Non-Traditional Channels

  • Commission of Science, Technology and Industry for National Defense (COSTIND)
  • Research Institutes
  • PRC Military-Industrial Companies
  • Organized Chinese hacker groups

Guidelines:

Failed operations. In Amy Elizabeth Brown's paper "Directed or diffuse?: Chinese human intelligence targeting of US defense technology", she makes the same point that I have made multiple times, namely that much of the information we have about Chinese espionage cases (cyber and otherwise) comes solely from failed operations, meaning covert operations that have been discovered. Therefore, we have to acknowledge the possibility that China also runs successful covert operations using more effective tradecraft, whose scope and scale we don't know.
3PLA's distributed offices. It's important to note that 3PLA, the unit identified in the Mandiant APT1 report, has, according to Mattis, offices and technical reconnaissance bureaus in each of China's seven military regions and in several major cities (not only Shanghai).
OSINT is insufficient. Another important statement in Mattis' conclusions is that open sources are insufficient to understand the inner workings of these various intelligence agencies.
Lack of sound tradecraft. "One of the defining characteristics of China's non-traditional techniques for obtaining technology, as observed in many of the cases noted here, is the lack of clandestine tradecraft, or even the most basic elements of operational security, involved in obtaining the information. In general, it appears that little or no care is used to ensure that the operation goes undetected." - Amy Brown's "Directed or Diffuse" paper as referenced below.
Giving amateur operatives too much credit. "A belief that the Chinese rely on amateur operatives risks leading CI professionals to dismiss or be inattentive to the threat posed by China’s professional services." - Peter Mattis "The Analytic Challenge" paper as referenced below.
Distinguishing economic espionage from Chinese intelligence. "When economic espionage with no connection to the Chinese intelligence services is interpreted as “Chinese intelligence,” less attention will be paid to what those organizations actually do. The Chinese intelligence services and the Chinese defense industries are distinct entities, although they may sometimes work for mutual benefit." - Peter Mattis (Ibid)

Readers of the Mandiant report or any report that purports to reveal the inner workings of Chinese cyber espionage cases are encouraged to familiarize themselves with the papers referenced below as well as the above guidelines that I've extracted from them. 

For example, the lack of tradecraft by the three individuals mentioned in the Mandiant report is palpable, and was pointed out by the report's authors: "These actors have made poor operational security choices, facilitating our research and allowing us to track their activities. They are some of the authors of APT1's digital weapons and the registrants of APT1 FQDNs and email accounts. These actors have expressed interest in China's cyber warfare efforts, disclosed their locations to be the Pudong New Area of Shanghai, and have even used a Shanghai mobile phone number to register email accounts used in spear phishing campaigns." - Mandiant APT1 report, p. 51

Even if one assumes that the Chinese government is the customer for APT1's cyber espionage activities, it's important to consider all of the options before attempting to assign attribution. Such a lack of tradecraft deserves at least a mention in the report that the non-traditional channels defined above were considered. As this article points out, those options are plentiful within China, but they also include other foreign intelligence services and professional hacker crews who run their operations from China and/or from Chinese servers in order to confound any efforts at attribution.
PRC Intelligence Apparatus - Implications for Foreign Firms

Related Posts:

"Mandiant APT1 Report has critical analytic flaws"

Friday, 22 February 2013

More on Mandiant's APT1 Report: Guilt by Proximity and Wright Patterson AFB

The blog post that I wrote earlier in the week "Mandiant Report APT1 Has Some Critical Analytic Flaws" was based upon my history of interacting with some Mandiant folks online and in person as well as my interpretation of the facts as they were presented in the report. Thanks to some feedback that I received from readers as well as a teleconference that I had with three Mandiant executives yesterday, I've learned some new things that color my earlier article.

1. Mandiant has expanded their original definition of APT

Yesterday, I spoke with three Mandiant executives and learned that their meaning of the term has evolved with the times and it no longer represents a Who, but a What; or more precisely, a well-documented multi-staged process that attackers from multiple nation states have adopted. Mandiant has not formally announced this change (although they probably will later this year) so when I wrote my article on their APT1 report, I was referencing their former definition which I know now is no longer in use. While Mandiant often sees Chinese hackers at work stealing trade secrets and intellectual property, they also acknowledge that other countries may be doing the same thing. I'm happy to report this change because it's been a point of contention between myself and some folks at Mandiant ever since 2010. I'm glad that we're closer to being on the same page.

2. Mandiant did some negative analysis before publishing their report

Another thing I learned from that phone meeting was that there was an effort made to look at alternative scenarios that might explain the facts that Mandiant had before them. Mandiant isn't a part of the Intelligence Community (even though they have some ex-IC folks working there) and they don't have the time, resources, or manpower to do the same type of analysis that is performed at Langley. It's also not their mission to do nation state attribution so I want to give them at least some credit for the counter-analysis that they did do, even though the significance of their conclusion demanded a more rigorous methodology in my opinion.

Thanks to input from my readers, I've also learned some additional negatives about the report.

1. Mandiant's reliance on proximity to prove its claim that PLA Unit 61398 is Comment Crew aka APT1 is harmed by simple geographical mistakes such as:
  • p.10 of Mandiant's report refers to Hebei as a borough in Shanghai. Hebei is actually a province about 600 miles and 3 provinces away from Shanghai.
  • NEC and Intel along with many other high tech companies operate less than 8 miles from PLA Unit 61398 and all would be served by the same fiber optics cable provided by China Unicom.
  • There are more free proxy servers in China than anywhere else in the world and some of those proxy servers overlap with the IP blocks identified in the Mandiant report. 
  • An IP registration for UglyGorilla was described by Mandiant as being "across the river" from Unit 61398. In fact, it was 33 kilometers away.
2. Speaking of guilt by proximity, one of the "obviously false" IP address registrations according to Mandiant was for an address in Yellow Spring, Ohio. It should have been spelled "Yellow Springs". However, a cursory check shows that the address is real except for that one missing "s". Even more interesting is that it is located 13 miles from Wright-Patterson Air Force Base which is the Air Force's "boot camp for cyber warriors".

Directions via Google Maps
Either this is a bizarre coincidence or someone on the Comment Crew has a wicked sense of humor. As it turns out, Michael Murphy is a real person who lives in Yellow Springs, Ohio and who used to be the director of admissions at Antioch College whose office is located at 795 Livermore St., Yellow Springs, OH - the address that Mandiant assumed was fake.

3. (UPDATED 23 FEB 13)  On page 11 of the report, under "Size and Location of Unit 61398's Personnel and Facilities", Mandiant wrote "public sources confirm that in early 2007, Jiangsu Longhai Construction Engineering Group completed work on a new building for Unit 61398 located at Datong Road 208 within the Pudong New Area of Shanghai. At 12 stories in height and offering 130,663 square feet of space, we estimate that this building houses offices for approximately 2,000 people." In reality, it's the Unit's pre-school:

English translation via Google Translate

And this isn't all of the errors. It's just a fraction. While each may seem minor, collectively they call into question Mandiant's final conclusion and, at the very least, should serve as a lesson to policy makers not to rush to judgment on matters of attribution. There's plenty of evidence that China engages in cyber espionage without upping the ante by trying to claim the People's Liberation Army is involved.

At the end of the day it's important to remember that Mandiant isn't a U.S. government agency nor are they trained to do intelligence collection and analysis at the same level that it's done at Langley. They're a group of highly skilled professionals who serve their customers as incident responders and have a well-deserved reputation for excellence. 