Threat Intelligence

Report on China spy threat may make attackers have to work harder

A new, comprehensive report that details the inner workings of a Chinese-based cyber espionage group targeting U.S. firms is doubtful to end the threat of advanced attackers, but it may help organizations thwart future operations.

Alexandria, Va.-based incident response and forensic firm Mandiant late Monday night released the 60-page report, which offers a fascinating close-up of the nuts and bolts of secret Chinese military unit 61398, believed to be behind the theft of hundreds of terabytes of information from 141 organizations primarily in the United States.

Mandiant named the group APT1 – it also has been dubbed the Comment Crew – because it is only one of dozens of advanced persistent threat (APT) groups with China-based operations that the firm tracks. 

According to the report, Mandiant tracked IP addresses, network communication and attack characteristics to trace the unit's central hub to a 12-story facility in Shanghai. The firm also discovered that the majority of the 709 unique IP addresses hosting APT1 command-and-control servers were registered in China.

Mandiant admitted that the report likely will incite criticism from some in the security community – but that, ultimately, it will lead to a better understanding of similar threats and raise the cost of doing business to the attackers. The reported included data such as IP addresses, email header information, remote desktop connections and malware make-up that were used in the attacks and which can be used by security professionals to learn if they've been targeted or compromised by that group or similar ones.

Meanwhile, Mandiant is bracing for blowback, even though companies like Dell SecureWorks have traced attacks to China for some time.

“We are acutely aware of the risk this report poses for us," the report said. "We expect reprisals from China, as well as an onslaught of criticism."

Among the naysayers are those who believe researchers have been too quick to settle on China as the source of APT attacks targeting U.S. companies and the government. Despite claiming no involvement, the Chinese government has repeatedly surfaced in news about cyber attacks against U.S. organizations, including during the sophisticated, four-month long surveillance of computer networks at The New York Times. In the report, Mandiant said the group was not to blame for the Times breach discovered in January, though another China-based group was. 

In a Tuesday blog post, Jeffery Carr, CEO of McLean, Va.-based security firm Taia Global, said Mandiant should have considered other nation-states as well.

“My problem is that Mandiant refuses to consider what everyone that I know in the intelligence community acknowledges – that there are multiple states engaging in this activity; not just China,” Carr wrote. “And that if you're going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH [analysis of competing hypotheses], rule out competing hypotheses and then use estimative language in your finding.”

A separate point of debate has revolved around politics. How exactly will the U.S. respond considering the economic ties that the two nations have, and the fact that China holds a huge chunk of American debt?

Dmitri Alperovitch, CTO of security intelligence start-up CrowdStrike, said the disclosure by Mandiant speaks to the duty that private-sector researchers have in obtaining crucial information about APTs.

“The security industry can raise a lot of the same information that the government has on attackers,” Alperovitch said. “I think it's an example of effective information sharing that can be done more broadly. You don't necessarily need to the government to step in with more information.”

Alperovitch added that sharing information on highly orchestrated – and often successful – attacks will reduce the impact of them, even if it doesn't stop them from occurring.

“They are not going to go away,” Alperovitch said these sophisticated hacking collectives. “This is a professional organization. The idea that they would just hang it all up and go back to what they are doing is nonsensical. But this emphasizes the need to shift our strategy from being passive to active.”

[hm-iframe width="620" scrolling="no" height="488" frameborder="0" src=""]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.