(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

APT-1: The Good, The Bad, and The Ugly



pees leei peesg drkb

My Problem With The Drop Timing and Method:

Mandiant published a document with appendices this week that ostensibly described the inner workings of an APT (Advanced Persistent Threat) operations group out of China. Now this document came as a huge surprise to many in my circle because much of what was published relates directly to ongoing investigations and has been the stuff of Secret Squirrel cabals for some time. This information at this level of clarity (albeit speculative in many respects) has not often been shared outside the secret circles of DoD/DIB/DC3 and a mess of other acronyms to date. So trust me when I say that this came as a big surprise to many AND that it was not a welcome one.

Which brings me to the main contention I have with Mandiant’s actions here. I personally believe that this was done primarily as a means of advertising and not much else. There is talk of the release being given the tacit nod by the government to push through the idea that there is a problem and that China is robbing us blind. *Hi Mike Rogers!* I too can see how this would be advantageous to POTUS and the like because it will light the fires under many in the public sector as well as gov and MIL, all the while making the general public feel the fear about a Chinese preeminence in the world of “cyber”. In essence, this report is a win for a few players and a loss for others, and unfortunately some of those on the losing end are in fact US corporations working cases and trying to cope with advanced persistent threats.

That the drop was done right before RSA (which Mandiant will be at) and just after DELL made a splash by outing a Chinese cyberspy is not irrelevant to anyone with a frontal lobe here. Nor is it lost on anyone that Mandiant has now made an even bigger name for itself, as the go-to outfit for all your APT needs, by publishing all of this, speculative as it may be at certain points. It is this idea that I have the most issue with regarding this report. Nor can I really say that the information therein is going to help that many people frankly, and I shall reason that out below. What I am left with is the knowledge that much of what they published is valid.

  • China has a mandate to use electronic warfare for espionage and that you can already see in their doctrinal documents
  • China has been in fact targeting not only DoD but also corporations widely to steal IP
  • The PLA is the main means by which China’s operational mandate is carried out, via the MSS
  • The precepts of APT activities (Operational) are well known and once again laid out in this report
  • The appendices are filled with actual data including links to video of the attacks as they were happening

Once again much of the data is inferential and can always be called into question in a court of law. However the amount of the data and the interconnections that are made from it is enough to make the argument that it is in fact China doing this and that it is more than likely 61389 aka Comment Crew (APT-1) in these cases. My real questions come from what motives Mandiant had to do this and whether or not this was a cowboy action on their part. If not, then was the government at high levels giving the wink and the nod to this release as a means to a political end? Unfortunately, I do indeed think that this was the case: that the Obama administration probably gave tacit approval because it would make their agenda on response to China more solid as well as get those politically reticent to react to change their minds.

The Data:

Some have made bones about everything in this report including the data (Jeff Carr for example) but I cannot find too much to be unhappy with in the harder data. Those who have issues with the inferences more than likely do not understand analysis product for intelligence agencies. In the case of this report they are connecting the dots a lot with data taken from OSINT as well as hard data from hashes on malware sets. In this world there is no real irrefutable evidence and as such you have to go on the weight of the evidence instead of the cut and dry of it. Personally I deal in this kind of data all the time and all you can do is give your best estimate and let the people in charge make the heavy decisions with what you provide to them.

In the case of the appendices here the data is pretty solid and shows the huge scope of the operations involved. Of course they may in fact be wrong on those they outed (UglyGorilla, DOTA etc.) but the inferential cases are pretty strong that they are in fact some of the players here. For the record though, much of this data being released for the first time hurts some while helping others. Just how much hurt there will be on the Chinese side of things is still up in the air for me, but on our side of the fence I can already see where damage may have been done.

Operational Details Benefits & Fallout (US)

This then brings me to the operational details fallout. For us in the US who are trying to defend against this type of attack we can generally benefit. Of course there are down sides to this release and I want to point those out as well. First off though the benefits:

  • This forces APT-1 to re-tool some of their methods
  • This in turn gives some of us some slack time because they may not use their current methods as they have been blown
  • By opening the datasets to the public others (think non US) players can now play the APT home game
  • AV vendors in general will have a boon with hashes and samples to update their systems with
  • The aforementioned policy boost as the public sees the data/report and begins to get serious about it

Then there is the fallout from such a report:

  • The adversary will change their modus operandi that we had been following and had some means to fight
  • Current investigations may be compromised as this stops the adversary currently in your networks and they might pivot
  • This re-sets us all back to square one in many ways in detection and interdiction of APT activities
  • Those already operating successfully within our networks will become even more cautious and go dark

So there is good and bad here and you have to weigh it out. I am guessing that Mandiant did the same mental calculations and decided to go ahead anyway. They say as much in the document that they fully expect reprisals as well as negative feedback from the community anyway. So it was a calculated risk and we will all just have to wait and see as to whether or not it was a good thing overall for anyone other than Mandiant’s sales.

Operational Details Fallout (China)

China on the other hand is likely feeling the burn pretty well from this report. Well, at least operationally that is. What I mean here is this: “China is like the honey badger. He don’t give a fuck.” You see, thus far all of this, all of what Mandiant has put out, has been the known secret. China has been doing this a long time now and pretty much with impunity. We can say they are doing it and we can even prove they are (up to a point, because of attribution issues) and all they will ever do is respond with “China has laws and we do not break them.” This has been their go-to statement, well that and intoning that they are very very hurt by our statements every time we have accused them of cyber espionage.

The reality though is that MSS will just have to change their operational methods, not that they will stop doing what they are doing. Nor is it highly likely that those named in the document will have to go ‘underground’ because they appeared therein. Remember this is the internet and pseudonyms are plentiful. I personally think that this will not affect the MSS/PLA programs all that much other than force them to be a bit more nimble and stealthy. Which by the way will make all our lives even more difficult in the end. After all it is better to know your enemy and know their tactics, right? I guess we will just have to see how fast they pivot after this report to see if they can pick up where they left off quickly. For the record though, I really don’t see this affecting China all that much. They will continue on in their efforts to be a world super power as well as economic power as they have since Mao told them to.

Final Good, The Bad, and The Ugly:

Well much gnashing of teeth has gone on in the community, mine included. In the final analysis though I still feel that this was a win-win only for Mandiant and the government. The DIB partners as well as DC3, OSI, NCIS, etc. all lose to some extent as they will have to start all over again at some point most likely. Ongoing investigations may have been compromised by some of the data but overall I think that this really is more hype than anything else. The mass media will latch on to this report like a pitbull on flank steak and shake it for all it’s worth. They won’t get all the subtle details out of it and they will report it to the masses, who then will only cogitate one quarter of what is being given them.

In other quarters the vendors out there in the security world will be salivating while holding this report up and saying “YOU COULD BE NEXT! IN FACT YOU ARE ALREADY COMPROMISED!!! BUY OUR BLINKY LIGHT PRODUCT TO SEE!” I thought I had it bad before with vendor APT bingo… God help us all now… We are doomed. The fact is that out of all of the US only 115 businesses were attacked and audited by Mandiant. Think about that for a moment. We are not all targets of nation state sponsored attacks no matter what the intonation is on this report. They select their targets very well and with reasons, so please don’t let the vendors out there get you scared.

Overall it’s just a matter of letting time pass to see what the ultimate fallout from this report really will be. I am pretty sure though that most of it will be in the form of douchery and hype. Thanks Mandiant! You really know how to make a hype-y situation all the more hype-y, don’t you. I wonder how long till they have ads all over the national stations and cable…


Written by Krypt3ia

2013/02/20 at 19:57

Posted in .gov, .mil, APT

7 Responses


  2. […] I work for a competitor[1], I believe Mandiant did the right thing here. Others may disagree to an extent for good reasons, while others simply went too far in their assumptions and […]

  3. […] criticism is being heard. Jeffrey Carr and others (including krypt3ia) do not hesitate to point out the limits and the opportunism of analyses such as […]

  4. Would it have made you feel better if this report was released by an organization that isn’t an INFOSEC service/hardware vendor? I’m curious because it seems like it’s not the actual information that bothers you, but rather the fact that an organization that stands to profit from the information is sounding the alarm – and in a more credible fashion compared to historical precedent.

    The way I see it is this: If the Mandiant report is credible and contains factually correct information, then it doesn’t matter WHO released the information, or for what purpose. It now makes us take the cyber-alarmists a little more seriously and forces us to consider the fact that cyberwhatever is something we should really be paying attention to, and taking seriously. The fact that there are entities that will profit monetarily from this is a distraction. For example, are we mad at Boeing or Northrop for building planes when the Air Force decides it needs a new fighter? Are we upset with Bath Iron Works or Electric Boat when the Navy decides they need new ships? Registering discontent about information because someone will make money isn’t a productive expenditure of energy or thought, at least not when the threat has supposedly been validated as serious and in need of genuine attention.


    2013/02/22 at 14:19

  5. What the report might do is put the cyber-alarmists in an awkward position. Here we have a firm that’s perhaps the best qualified to explain ‘APT’, providing us a ton of evidence that contradicts the stuff we hear from the likes of Richard Clarke. It even turns out APT1’s methods were less sophisticated than those used in the ‘Red October’ attacks. In fact, I’d argue it was secrecy on the part of our governments that kept the group in business so long.

    Of course, there’s still a caveat: The possibility that the PLA or another party wanted someone like Mandiant to find the information.


    2013/02/26 at 03:52

  6. […] aka Scot Terban, also chimed in. His blog is a must-read, […]

  7. Michael,
    Yes the report is from a qualified source and they had plenty of evidence to show. So too is it that the fact of the matter is that the APT is not so “A” as it is “P” that kept them in the networks. I mean phishing after all is nothing new, nor is spear phishing, but you and I know that this is not something the masses know of; it’s more the MIL set and those in the know who understand this. I personally think China got cocky because they had done this all along and we collectively hadn’t a clue for a long time. Perhaps saying we hadn’t a clue is too harsh; maybe it was half a clue.

    Anyway yes there is the possibility of disinformation as well. Occam’s Razor though says that the data is valid and they were just doing this rather blatantly.


    2013/02/26 at 14:11
