The Mandiant Report: explanation and implications

Mar 01 2013
VERTIC Blog >> Verification and Monitoring
Katherine Tajer, London
The Mandiant Report, released last week, has given celebrity status to a previously little-known computer security firm. Detailing the tactics and organisation of the suspected Chinese military cyber wing—known as Unit 61398 and referred to by Mandiant as APT 1 (standing for Advanced Persistent Threat 1)—Mandiant’s in-depth report grew to prominence because of its findings on the recent major attacks on the New York Times, Washington Post, Bloomberg News, and the Wall Street Journal.
What makes Mandiant’s report so salient—and controversial—is the assertion that the Chinese military is behind a wide range of targeted hacking efforts. Although the Chinese government has already been accused in some press outlets and other forums of being the source of specific cyber attacks, never before has such a large number of attacks been attributed to the Chinese People’s Liberation Army (PLA). Specifically, Mandiant claims that one PLA military unit was responsible for 141 planned security breaches, each lasting an average of 365 days. Mandiant believes the purpose of these attacks is to harm “English-speaking” commercial rivals and advance Chinese dominance in five fields identified by China’s 12th Five Year Plan. Accordingly, the main industries affected in the 141 attacks were: Information Technology, Aerospace, Satellites and Telecommunications, Scientific Research and Consulting, and Energy.
The attacks reported by Mandiant seem to target the sectors of growing concern within the cybersecurity community, namely critical infrastructure, government, and large corporations. The New York Times was therefore perhaps an atypical victim, which suggests that the perpetrator may have had non-commercial motivations for the attack. The newspaper itself reported on the incident in an attempt to expose the growing risk of attacks of this kind. The Times traced the attacks back to September 2012, when staff were completing a major story involving the Chinese Prime Minister, Wen Jiabao. With the help of Mandiant, the Times was able to uncover a complex and extensive cyber-espionage effort originating from China. The paper reported that no customer information, and no information beyond the Wen Jiabao story, had been compromised.
How this genre of attack will be used going forward raises some interesting questions about government power and cyber-warfare. China’s tight governmental control over civilian internet use has been in and out of the press: for example, China’s move to block Twitter in 2009 made headlines. Some suspicious activity targeting political groups within China has raised questions about the possibility of internal attacks. In February of this year, an attack targeting the Uighur minority in China—a group of Turkic Muslims living predominantly in Xinjiang province—was discovered by Infosecurity. In 2012, an attack with similar results against Tibetan activists was identified. Both attacks targeted politically motivated organisations with an initial spear-phishing attack, a message that masquerades as a legitimate form of communication and carries a relevant-looking attachment. The reports describe how these attachments then went on to steal documents and activate computer microphones. Notably, spear-phishing is the same method of infiltration identified by Mandiant as the primary tactic of APT 1.

If, as asserted by Mandiant, the New York Times hack was condoned or authorised by the Chinese government, which its officials deny, it would indicate a move towards extending censorship beyond state borders. Whether these particular accusations are accurate or not, to think that China might be alone in conducting militarised hacking efforts would be naïve. Last year, the US Army Joint Staff released a publication stating that all efforts will be used to establish US information superiority and that cyber activities will have an offensive angle as well as a defensive component. While there is no conclusive evidence that the US is planning attacks similar to those Mandiant has attributed to the PLA, attacks like Stuxnet, in 2011, may be a better indication of the kind of attacks we can expect from US sources.
Currently, the United States is attempting to provide strong cybersecurity measures to protect its main commercial and infrastructure assets against major hacks, while maintaining the internet as an open and innovative personal and commercial environment. Two recent measures have raised concern regarding the internal aims of the US government’s cyber-security strategy. Earlier this month, President Obama signed an executive order facilitating greater government knowledge of cybersecurity breaches within critical infrastructure. At the same time, the Cyber Information Sharing and Protection Act, more popularly known as CISPA, is once again under consideration by Congress. If passed, this bill would encourage the private sector to share information with government, which could include personal details about their customers. Right now, policymakers are negotiating the space between a secure internet and a free one. As we see a growing capability for, and a higher frequency of, cyber-based attacks, policymakers and citizens will have to decide the price to be paid for secure web-based infrastructure.