Tuesday, February 19, 2013

Mandiant APT1 Report Has Critical Analytic Flaws

Mandiant's APT1 report is the latest infosec company document to accuse the Chinese government of running cyber espionage operations. In fact, according to Mandiant, if a company experiences an APT attack, then it is a victim of the Chinese government because in Mandiant-speak, APT equals China.

"We tend to perceive what we expect to perceive" 
- Richard J. Heuer, "The Psychology of Intelligence Analysis

The fact that Mandiant refuses to acknowledge that other nation states engage in cyber espionage when the facts show otherwise demonstrates what Heuer calls an "expectation bias", but it's much worse than that.

Mandiant's alleged proof is summarized in Table 12 (pp. 59-60): "Matching characteristics between APT1 and Unit 61398". Mandiant's entire premise that APT1 is PLA Unit 61398 rests on the connections made in that table and that no other conclusion is possible:
"Combining our direct observations with carefully researched and correlated findings; we believe the facts dictate only two possibilities: Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission or APT1 is Unit 61398." (APT1, p. 60)
If this report were written by a professional intelligence analyst at CIA, it would most likely undergo a vetting process known as ACH (Analysis of Competing Hypotheses):
"Analysis of competing hypotheses, sometimes abbreviated ACH, is a tool to aid judgment on important issues requiring careful weighing of alternative explanations or conclusions. It helps an analyst overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult to achieve."
In other words, ACH forces the intelligence analyst to look for all alternative hypotheses and assess them one at a time to see which best fits the data collected. This is rarely if ever done by information security companies, and it's the single biggest objection that I have when it comes to individuals making claims of attribution to nation states. Heuer's iconic "Psychology of Intelligence Analysis" explains why ACH is so important:

"The way most analysts go about their business is to pick out what they suspect intuitively is the most likely answer, then look at the available information from the point of view of whether or not it supports this answer. If the evidence seems to support the favorite hypothesis, analysts pat themselves on the back ("See, I knew it all along!") and look no further. If it does not, they either reject the evidence as misleading or develop another hypothesis and go through the same procedure again. Decision analysts call this a satisficing strategy. (See Chapter 4, Strategies for Analytical Judgment.) Satisficing means picking the first solution that seems satisfactory, rather than going through all the possibilities to identify the very best solution. There may be several seemingly satisfactory solutions, but there is only one best solution." 
"Chapter 4 discussed the weaknesses in this approach. The principal concern is that if analysts focus mainly on trying to confirm one hypothesis they think is probably true, they can easily be led astray by the fact that there is so much evidence to support their point of view. They fail to recognize that most of this evidence is also consistent with other explanations or conclusions, and that these other alternatives have not been refuted."

If Mandiant or another organization were to use ACH on this evidence, here's how Heuer recommends it be done. It's an 8-step process:

1. Identify the possible hypotheses to be considered. Use a group of analysts with different perspectives to brainstorm the possibilities.
2. Make a list of significant evidence and arguments for and against each hypothesis.
3. Prepare a matrix with hypotheses across the top and evidence down the side. Analyze the "diagnosticity" of the evidence and arguments--that is, identify which items are most helpful in judging the relative likelihood of the hypotheses.
4. Refine the matrix. Reconsider the hypotheses and delete evidence and arguments that have no diagnostic value.
5. Draw tentative conclusions about the relative likelihood of each hypothesis. Proceed by trying to disprove the hypotheses rather than prove them.
6. Analyze how sensitive your conclusion is to a few critical items of evidence. Consider the consequences for your analysis if that evidence were wrong, misleading, or subject to a different interpretation.
7. Report conclusions. Discuss the relative likelihood of all the hypotheses, not just the most likely one.
8. Identify milestones for future observation that may indicate events are taking a different course than expected.
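The eight steps above, worked through as a small ACH matrix in Python. This is an added example, not code from the post or from Heuer; the hypotheses and evidence items are drawn from the post and its comments, but every consistency rating is a constructed placeholder for illustration, not an assessment of the report.

```python
"""Minimal Analysis of Competing Hypotheses (ACH) matrix (added example).

Each evidence item is rated against every hypothesis as
  C = consistent, I = inconsistent, N = neutral / not applicable.
The ratings below are constructed placeholders, not an actual analysis.
"""
from typing import Dict, List, Tuple

C, I, N = "C", "I", "N"

# Step 1: the hypotheses to be weighed (from the post and its comments).
HYPOTHESES: List[str] = [
    "H1: APT1 is PLA Unit 61398",
    "H2: another state runs a false flag through Shanghai infrastructure",
    "H3: a civilian Chinese agency or cyber-militia, not the PLA",
]

# Step 2: evidence items and their rating for H1, H2, H3 (constructed values).
EVIDENCE: List[Tuple[str, List[str]]] = [
    ("Shanghai IP addresses used in the intrusions",                  [C, C, C]),
    ("Simplified Chinese language settings on attacker systems",      [C, C, C]),
    ("Operations located near Unit 61398's buildings in Pudong",      [C, C, C]),
    ("Task set resembles Unit 61398's known mission",                 [C, N, C]),
    ("Operators careless about OPSEC (hacker handles, social media)", [I, C, C]),
    ("Many targets are newspapers and dissident-related groups",      [N, N, C]),
]


def is_diagnostic(ratings: List[str]) -> bool:
    """Step 3: an item only helps if the hypotheses are rated differently on it."""
    return len(set(ratings)) > 1


def refine(evidence: List[Tuple[str, List[str]]]) -> List[Tuple[str, List[str]]]:
    """Step 4: drop evidence that is consistent with every hypothesis."""
    return [(desc, r) for desc, r in evidence if is_diagnostic(r)]


def inconsistency_counts(evidence, hypotheses=HYPOTHESES) -> Dict[str, int]:
    """Step 5: score by how much evidence contradicts each hypothesis (disprove, not prove)."""
    counts = {h: 0 for h in hypotheses}
    for _, ratings in evidence:
        for h, r in zip(hypotheses, ratings):
            if r == I:
                counts[h] += 1
    return counts


def rank(evidence, hypotheses=HYPOTHESES) -> List[Tuple[str, int]]:
    """Fewest inconsistencies first; ties keep their original order."""
    counts = inconsistency_counts(evidence, hypotheses)
    return sorted(counts.items(), key=lambda kv: (kv[1], hypotheses.index(kv[0])))


def survivors(evidence, hypotheses=HYPOTHESES) -> List[str]:
    """Hypotheses with the fewest inconsistencies; several may tie (step 7 must say so)."""
    ranked = rank(evidence, hypotheses)
    best = ranked[0][1]
    return [h for h, c in ranked if c == best]


def sensitivity(evidence, hypotheses=HYPOTHESES) -> List[str]:
    """Step 6: which single items, if wrong, would change the surviving set?"""
    baseline = survivors(evidence, hypotheses)
    critical = []
    for i, (desc, _) in enumerate(evidence):
        without = evidence[:i] + evidence[i + 1:]
        if survivors(without, hypotheses) != baseline:
            critical.append(desc)
    return critical


def report(evidence=EVIDENCE, hypotheses=HYPOTHESES) -> str:
    """Step 7: report the standing of all hypotheses, not only the favourite."""
    lines = []
    for desc, ratings in evidence:
        if not is_diagnostic(ratings):
            lines.append(f"no diagnostic value (fits every hypothesis): {desc}")
    refined = refine(evidence)
    for h, count in rank(refined, hypotheses):
        lines.append(f"{count} inconsistent item(s): {h}")
    lines.append("surviving hypotheses: " + "; ".join(survivors(refined, hypotheses)))
    for desc in sensitivity(refined, hypotheses):
        lines.append(f"conclusion hinges on one item, re-check it: {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With these placeholder ratings the three location and language items drop out at step 4 because every hypothesis accounts for them, and step 6 shows the remaining ranking hinges on a single item.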

I don't have the time to run Mandiant's evidence through an ACH process but I'd like to propose that a volunteer group of intelligence students at Mercyhurst Institute of Intelligence Studies do that very thing. My friend Professor Kris Wheaton who teaches there and writes the outstanding Sources and Methods blog is an expert in this area and I'm hopeful that he'll pick up the challenge.

In the meantime, the following table has four columns. The first three are from Mandiant's Table 12. The "Other" column contains a partial group of alternatives that I've provided for each of Mandiant's "characteristics". These alternatives need to be analyzed and ruled out using a rigorous analytic process like ACH before Mandiant or anyone else can claim that APT1 is a part of China's People's Liberation Army.

In summary, my problem with this report is not that I don't believe that China engages in massive amounts of cyber espionage. I know that they do - especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room.

My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges - that there are multiple states engaging in this activity, not just China. And that if you're going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.

UPDATE (22 FEB 2013): I've published a follow up to this article: "More on Mandiant's APT1 Report: Guilt by Proximity and Wright-Patterson AFB"

43 comments:

  1. Good challenge to the findings - when I looked at the table it looked like it would be something one would find in an analysis of "China's APT Focus" or the like. In 2008, I wrote an article articulating that world's intelligence efforts - in that piece it supports your articulation that there is a whole lot of intelligence collection going on - here's the link to "Nation States' Espionage and Counterespionage - An overview of the 2007 Economic Espionage Landscape" - http://www.csoonline.com/article/337713/nation-states-espionage-and-counterespionage - a quote supporting your hypothesis:
    "The playing field is crowded with actors both new and old. Amazingly, the combined level of activity exceeds any level previously encountered, including the apex of the Cold War, when geopolitical and ideological battle lines truly existed. It is the enhancement of the global communications infrastructure that has in essence leveled this playing field of industrial espionage, for all the nation states."

    1. Thanks for adding that link to your article. I particularly appreciate your input considering your past career in the IC.

  2. I would suggest that the group's presence in Shanghai raises an important point--left unmentioned in your analysis--that supports the Unit 61398 hypothesis.

    It is well known that China directs a substantial "cyber control" effort against its own population (e.g. extensive monitoring, the Great Firewall, et cetera). The notion that a significant attack could originate in the PRC WITHOUT the knowledge (or, at least, tacit approval) of the PRC government seems an unlikely possibility.

    Put simply, accepting your "not proven" argument against the Mandiant report would require us to believe that a large-scale, long-term cyber attack was conducted from within the PRC without the PRC's knowledge. That rises near the level of suspension of disbelief, doesn't it?

    1. As I wrote above, that specific section of Shanghai (Pudong) has over 5 million people. It's not surprising that the PLA has a presence there nor that an information warfare unit is there. And while Mandiant said that it must be one or the other, that's not really true. China is the perfect target for every other nation to run false flag operations against. Just set up a business in Pudong or Beijing and you've got plausible deniability.

    2. There are different levels of "knowing." I know that murderers exist in New York City, but knowing that doesn't mean that I know who they are, or that I am committing murder myself.

      The Chinese government pretty clearly does not put a high priority on stopping hacking of US computers from China. One reason that a third party would want to use Mainland China as a base of operations is that if they tried hacking the US from Taiwan, South Korea, or Japan, the local authorities would instantly stop it. By the same token, if the Canadians or the Israelis were conducting an intelligence operation against China from US territory, I suspect the reaction from the US government would be to try to avoid seeing it.

      There are several countries that could use China as a base of operations. Iran and Russia are the big ones. Maybe Pakistan. Maybe on a good day, North Korea, but I think China is really annoyed at NK right now.

      One other thing is that if you are a computer security firm, and in fact Chinese local firms are responsible for 99.9% of the hacks from China, you declare victory if you stop that. On the other hand, if you are the CIA and 99.9% of the hacks are from China, but 0.1% are from an Al Qaeda cell in Pakistan, then you really care about that 0.1%.

    3. This might be an old idea, but can't hackers just bounce the data off servers to throw the tracers off their trail? If so, then there is a chance that Mandiant stopped tracing the bounces when it reached Shanghai and declared it as the origin of the attack; this is likely to be caused by the possibility that tracing that attack beyond that server might have significant consequences.

      There is a considerable chance that APT1 could be hiding behind a breach in the server there. There are probably numerous other ways, physically and digitally, to transfer the blame to some other party.

      If that is the intent of Mandiant, it would be like tossing a log into the fire. The log being Mandiant, and the fire being the tension between China and USA.

  3. I noticed the Bloomberg and NYT released stories this morning on the same topic. Additionally, the FBI just released a report via Infraguard. Is it possible that there's more to this story?

  4. It's always possible. I can only go on what's available to me via open sources and my own experience.

  5. Pity, Mandiant's paper is big on 'shock', poor on 'facts' - good for government sales & PR?

    Do not get me wrong, no supporter of Chinese cyber activities, they do spy & play games... so do we... But some of the limited facts and generalized conclusions from Mandiant do not add up.

    If Unit 61398 / Blue Army....... are so good, which they are - would they use their own IP space? Just as a practical demonstration this comment is via a PC operating a fast-flux & proxied special VPN. One of the hops is from the very China net space described.

    One could assume even Chinese government hackers have figured out how to use: VPN, IP spoofing, proxies, socks, hops, compromised servers / websites, Skype, Jabber.... etc.?

    We also have to remember one fact: China has the most compromised servers and attacked networks in the world, e.g. 437 measurable attacks on Chinese networks in the last 24 hours compared to about 80 on US networks.

    1. You might want to read the actual report and watch the video. They have more compelling evidence than IP addresses....

    2. Yes, it's good video work and excellent PR work by Kevin Mandia. The problem is it's based on a 'house of cards'; for example the Google attack (2010) demonstrated the problem here.

      Admittedly after the fact, we saw 25 zombies within the trade school that the NYT stated was the cause. Although latent traffic it was quite clear the control of these zombies was from outside of China!

      Best guess? Try Odessa.

  6. I agree with you on all counts, Jart. As usual. :-)

  7. In the time it took you to write your post you could have done ACH. I'm pretty sure that quite a few people at Mandiant have worked in intel.

  8. I also agree with you and Jart's.

  9. One problem is that it's only significant if there is a PLA sigint HQ nearby, if that's a rare thing. However, if you look at the original document that describes PLA intelligence, one thing that stands out is that there is some sort of PLA intelligence outpost in just about every major city in China.

    http://project2049.net/documents/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf

    So if you just pick a random part of China and say "hackers are here" you are going to find a PLA garrison nearby. There is a historical and military reason for this. The PLA came to power as a result of a civil war, and unlike the US, there was a very real chance of a land invasion of China through most of its history. So as a result every major Chinese city has some sort of PLA presence.

    1. Thanks very much for providing that link. I was wondering the same thing (i.e., where are PLA garrisons located) and how unusual is it. Excellent point.

  10. 1) Mission Area:

    APT1 - The main hacks that have been reported have been against dissident groups that the Chinese government would have interest in monitoring or people that may have information on such groups. The NY Times and the Washington Post and major newspapers are unlikely to have any technological information that is of interest to the Chinese military, but they are likely to have information about dissidents and information about information that may be embarrassing against the top Party leadership.

    Unit 61398 - The Chinese military does not do domestic security or domestic surveillance. The Party does not want the military to do domestic security because they are worried that the military will take over the Party. For its part, the military is one of the most respected institutions in China because they stay in their barracks and *don't* do the dirty work. The last time the military was seriously involved in domestic security was in 1989, and it was a horrible experience that no one wants to repeat. So the job of domestic security falls onto the Public Security Bureau, the People's Armed Police, and the Ministry of State Security.

    Other - Other Chinese agencies. PSB. PAP. MSS. It's worth noting here that as Premier, Wen Jiabao does not have any authority over the military. He however has authority over the PSB and MSS, and joint authority with the military over the PAP.

  11. We should chat. I've been trying to research whether or not the PLA would be involved in these areas. My contact information is on the TaiaGlobal.com website under "Contact Us".

  12. 2) Tools, tactics, and procedures.

    APT1 - The operators are manifestly not disciplined. Two were caught because they were careless about posting on Twitter, and the APT1 group have "hacker" names, and seemed to want to tell everyone involved about what they did. It's also worth noting that most of the targets were against "soft targets" like newspapers and software companies. There haven't been reports of attacks against "hard targets" like banks.

    Unit 61398 - The problem here is that the Chinese military likely has capabilities well beyond what APT1 has demonstrated. The Chinese government runs the internet infrastructure of China and they have the ability to generate forged certificates, reroute IP packets, and undertake DNS spoofing. The attacks by APT1 have not involved anything that would suggest that they have control over the core internet infrastructure.

    In addition, Chinese military and intelligence services also have the ability to monitor phone conversations, plant microphones and keyloggers, and break into people's houses in China. The Ministry of State Security and PSB have the power to detain and arrest people in China, and force them to turn over passwords, as well as the ability to plant agents on the inside of pretty much any company in China. One thing that's significant is that no one has reported that they got broken into as a result of their operations in China. If the PLA or MSS wanted to break into the NYT, one would expect them to break into the NYT's offices in Shanghai, and there hasn't been any suggestion that there was an inside job in which someone just handed the PLA or MSS the information that they wanted.

    It's worth pointing out there that any US soldier that were as careless about information as these Chinese hackers have been would likely be instantly dismissed from the military as a security risk and barred from any military operation. Unless we have evidence that military discipline in China is very different than the US military, I think it's highly unlikely that the people involved are professional soldiers.

  13. 3) Expertise of personnel

    Unit 61398 - The Chinese military and police *do not* recruit mainly from high technology universities, although there have been some efforts to improve this. There's a common (and in some ways accurate) perception that university students are "spoiled rich kids" that are terrible material for soldiers. On the other side, most university students have better things to do with their lives than being soldiers. The people that meet the ideal for the PLA are tough "salt of the earth" peasants from poor parts of China that see the military as a way of getting away from the farm.

    One other thing about the Chinese military is that they have their own schools. One thing that makes a military career attractive for your average peasant is that the military has its own schools and can (and would prefer) to mold you from scratch.

    The military (and for that matter the police) have been upward mobile careers for people with relatively little education from poorer parts of China. One consequence of this is that a new PLA recruit is unlikely to be a hacker, and will need training to do this work.

    Alternatives - The Ministry of State Security recruits heavily from campuses and recruits tend to be better educated than most PLA or ordinary police recruits. Also, intelligence agencies prize clever and original thinking and tolerate eccentric behavior; militaries don't.

  14. 4) Location

    APT1 - If APT1 says that they are in Shanghai either they are lying or they are telling the truth. If they are telling the truth, they are subject to court martial if they are military, and civilian arrest if they are an intelligence agent. If they are lying, then they are lying.

    Also, if Chinese soldiers are in the habit of telling you where they are located if you ask them, that sort of makes the CIA's job pretty easy.

    Finally, how good is geolocation anyway? Are we sure we can trace things down to that one neighborhood?

    Other - The Pudong New Area also happens to be the location of the main undersea cable between China and the United States. It's the last point on the Eurasian continent in which someone can disguise their location. If you look at the 2049, you'll notice heavy military presence in all three of the main landing points for undersea cables, and it's interesting that the new building came up just around the time the new TPE undersea cable went into service.

    I'm rather certain that the PLA is in fact monitoring all traffic that goes through those choke points, they would be idiots not to, and one reason the Chinese Great Firewall is so effective is that all international internet traffic that goes to and from China has to pass through one of less than a dozen spots, where the MII does packet filtering. The actual Firewall as far as we can tell is run by the MII with instructions from the MSS and PSB. As with most things in China, civilian agencies are *very* reluctant to take orders from the military and vice versa, so it's likely that the PLA has a separate monitoring system.

    However, this makes it unlikely to me that the PLA *would* install spyware on a massive scale. All the PLA has to do to monitor the NY Times or the Washington Post is to get the VPN passwords (which they can get from a laptop that is left unattended for a few minutes), and then they can passively monitor whatever they want to. If you are an intelligence agency and you are trying to hack someone, the last thing that you want to do is to let them know that they've been hacked, and using spyware to monitor someone lets them know that they've been hacked.

    This suggests that whoever is listening in doesn't have access to the raw cable traffic.

    One other point is that if you are somewhere on the Eurasian continent and you want to hack the United States, that Pudong neighborhood is exactly where you would put a botnet. You have millions of unsecured Windows machines, which is something that you can't find in North Korea.

    If you are, say, North Korea, Iran, or Russia, there isn't the traffic from those areas to the US to hide your tracks, and if Iran tries to hack the US out of Iran, it's likely to be trivial to block the packets. By contrast, you can't shut down the two cables between Pudong and the US without cutting off the internet between Asia and the US.

  15. Just a few competing hypotheses:

    1) Unit 61398 is running a signals monitoring operation off the main cable between China and the United States, and the hacking operations are done by some other part of the Chinese government (i.e. Ministry of State Security) which may or may not be in Pudong.

    2) The Chinese government is responsible for 10%, 20%, 30%, 40%, 50%, 60%, 70%, 80%, 90%, 100% of the hacking traffic going through Pudong.

    3) The geolocation is wrong and it's not in Pudong.

    4) Some agency of the Chinese government has successfully put together a "cyber-militia". Said agency gives patriotic hackers information about what data they are looking for, and then collects said data without asking questions.

    5) Unit 61398 is responsible for cyber-hacking, but they are obviously incompetent.

    6) This is all a clever (but possibly unintentional) disinformation campaign by the Chinese government. It attacks sites incompetently with amateurs, gets people to tighten up security, and once everyone is safe, it pulls in the real professionals.

    7) It's a clever (and perhaps intentional) disinformation campaign by the Chinese government. The Chinese military and intelligence services have planted deep moles into US industry, and if there is now a massive data leak, then the hackers did it, and no one thinks about normal theft.

    8) Some fraction (0-100%) of the packets going through China are actually from Russia, Iran, or North Korea, because China has much better internet access to the United States, and it's impossible to set up a botnet in North Korea.

    9) The Chinese military is undertaking cyber-hacking without the knowledge of the Party leadership, and the amount of civilian control over the military or the role of the military in domestic spying has been greatly misinterpreted.

    10) The Chinese government is trying to send a message. Now what that message is, I can't imagine.

    11) This is a military operation and the goal of the operation is (pick one or more):
    11a) to collect information for domestic political purposes
    11b) to gather technical intelligence for military use
    11c) to gather technical intelligence for commercial use
    11d) as part of a plan to credibly retaliate in case of a military attack
    11e) to develop a first strike ability against the United States

    and the operation is
    a) formally known and approved by the top leadership
    b) known but deniable by the Chinese leadership
    c) not known but sanctioned by the leadership
    d) a rogue operation that is sanctioned by some part of the Chinese government
    e) a private operation

    Here's my conspiracy theory......

    12) In addition to the Ministry of State Security, someone (say Iran or Pakistani intelligence) is trying to hack the US through the New Pudong area. It's not the PLA but the Chinese know exactly who it is, but they aren't interested in stopping it, because 1) it's not targeting China 2) China, Iran and Pakistan have rather close relations and 3) the last thing that the PLA wants to tell the US is how much it knows.

    So this goes on for years. Then the NYT gets hacked which was done by the MSS, and the NYT goes ballistic and publishes this report accusing China of all of the hacking that goes through New Pudong. At this point there are a series of meetings between the US and China, China privately tells the US what's been going on, and publicly issues a statement saying that "that cyber attacks are often carried out internationally and are typically done so anonymously." At that point someone from the State Department calls up the NYT and tells them off the record to calm down, and they write a surprisingly moderate editorial this morning.

  16. This comment has been removed by the author.

  17. I'm looking in the report, and I don't see "The fact that Mandiant refuses to acknowledge..." anywhere. I don't see the authors refusing to acknowledge anything along those lines at all.

    Can you elaborate on that? I read your entire post several times, and I'm just not seeing your central thesis.

  18. That's not the central thesis. That's a well-known Mandiant position; that APT is a Who and not a What, and that Who is China and no one else. See p. 2 of their report but feel free to ask Mandiant directly about their definition of APT.

  19. I don't see what your critical flaws are? They didn't use ACH? How about this statement which is essentially ACH:

    "The overwhelming concentration of Shanghai IP addresses and Simplified Chinese language settings clearly indicate that APT1 intruders are mainland Chinese speakers with ready access to large networks in Shanghai. The only alternative is that APT1 has intentionally been conducting a years-long deception campaign to impersonate Chinese speakers from Shanghai in places where victims are not reasonably expected to have any visibility – and without making a single mistake that might indicate their “true” identity."

    I think they used observed evidence...

    1. This comment has been removed by the author.

    2. If you read the "other" column in the table that I created as well as some of the comments here, you'll see that Mandiant was wrong to claim that there was only one other alternative. There are many other alternative explanations.

  20. A year ago I had pointed out in my blog that APT is not only coming from China. Even though the APT1 report provided a higher number of findings to support similar circumstantial evidence, their position seems a bit aggressive. By correlating their findings, China seems to be the one to blame for these attacks. However, they did not clearly provide proof and solid links between the attacks and the PLA Unit 61398.

    1. Correct. Nor did they rule out or even mention the alternative of other nation states using Chinese IPs as cover for their own activities.

    2. Agreed. I've read the report several times and only see circumstantial evidence having to do with the location of 61398 - I don't see any activities that Mandiant highlights in the report actually linked to that unit. If Mandiant has former intelligence analysts as someone says, they should know how to apply proper tradecraft and analytic rigor. The fact that they didn't or refuse to acknowledge another possibility other than their "either/or" conclusions says to me they are looking to further their name and get more contracts.

    3. Thanks, Arthur. We're definitely on the same page.

    4. I have done some forensics analysis on the digital evidence provided in APT1 Appendix. I actually find some alternatives that can produce the same evidence.
      http://espionageware.blogspot.com

    5. Nice job on your counter-analysis. Too bad Mandiant didn't provide full forensics data for you and other researchers to vet what they did.

    6. To be frank, there's a bias and an incomplete picture :-)

  21. Follow the money. If Mandiant is proven wrong on this, they are disgraced and have to file for bankruptcy.

    Whether they are right or wrong, they will now never be allowed to work in the world's biggest internet market.

    They really bet the whole farm on their report at least being mostly accurate. Sure, it's happened before where companies have made such a gamble and failed miserably, but it's worth thinking about. They threw away all chance of doing future business in China. Either they're hopelessly overconfident, or their unreleased material is very compelling.

    1. Mandiant makes money from computer security. They aren't political or intelligence analysts. If they get hired by a company to block APT-1, and it later turns out that APT-1 were the Iranians or the Martians, I doubt any of their clients will care.

      I don't fault Mandiant for doing bad political analysis because that's not their business. I do fault the New York Times for publishing the story uncritically, because the NYT *is* in the business of political analysis, but I suppose after you've found that you've been burglarized, you get emotional about it.

      One funny thing is how this is "non-news" to most people in Washington. Anyone that does anything remotely related to China has gotten "phished", and getting a message which probably came from someone affiliated with the Chinese intelligence services is like getting Nigerian spam. Knowing that China has an active cyberspy network is like knowing that NYC has pickpockets. It's not news. Now tracking down who is responsible for the pickpockets is news, but Mandiant just got it wrong.

      I think for most companies the security that Mandiant provides is adequate, but don't kid yourself into thinking that Mandiant has the skills to protect you if you have any information that the PLA is really interested in. They can protect you from pickpockets, but there is no way they can save you from a professional jewel thief. Fortunately, professional jewel thieves likely don't care what small change you have in your pockets.

    2. The other thing is that Mandiant has no business prospects in China anyway. There is no way that any Chinese company would hire security consultants whose offices are in Northern Virginia pretty close to the Pentagon and Langley, just like there is no chance that an American company would hire security consultants from Beijing.

      Computer security just works this way. Curiously the opposite is true in most other industries. Given a choice between an American accountant or food inspector, and a Chinese one, most Chinese companies would choose the American one.

  22. Apologies for being long-winded here, but I think it's more interesting and weirder than what Mandiant is talking about....

    The main Chinese spy agency is the Ministry of State Security, and strangely enough, it has no website. Now the term "state security" should be familiar to people. It's the "GB" in KGB, and the East Germans called it Stasi, and the Romanians called it the Securitate.

    One big reason I don't think the PLA is involved is that soldiers make terrible spies. If you take an active duty soldier and mix them with people that have never been in the military, you can usually very quickly spot who they are just from the way that they walk. Imagine having a member of Delta Force pretend that they are a drug dealer, a school teacher, priest, hacker, a 70 year old grandmother or 15 year old girl; it's just not going to work well. Also, if you are a paranoid and ruthless dictator, you want the people with guns wearing uniforms so that you can keep track of them.

    So if you are running a dictatorship and you want spies, you don't try to turn a soldier into a housewife. You find a willing housewife and turn them into an informant. This is what "state security" did in Eastern Europe and what they still do in China. One thing that we found out when the Berlin Wall fell is that the Soviet Union and Eastern European governments had this vast network of spies and informants. Once the archives of the Stasi were opened up, people were shocked at who the spies were.

    Now in a ruthlessly totalitarian system, the regime needs lots of informants because people are too afraid to say what they really think. However, China has removed some of the repression so that people have limited ability to say what they think without fear of arrest. Once people can complain online, then you can just read Weibo to know what people think, and there is less need for a massive informant network to find out that everyone hates you.

    But you can use that network for something else....

    In 2007, the MSS got a new minister (Geng Huichang) and this person is unique because his background is international relations and not internal security. Interestingly enough, 2007 is when all of this cyberspying started.

    So what I think happened was that Geng turned the MSS's East German style informant network into a mechanism to recruit hackers and to crowd source international spying.

    Now suppose you are a patriotic young hacker and you want to do something for the motherland. You can show up at the local MSS headquarters (and these are not secret). The nice people at the MSS tell you what they are interested in, and you go off and hack. If you find something, you show up back at the police station, turn over what you see, and then maybe they'll pay you if it's interesting enough.

    All this works through exactly the same machinery that people used to recruit informants. The East Germans were able to get lots of people to spy on other East Germans. The MSS is using that network to get hackers to spy against the United States and Western nations.

  23. Very interesting article and the comments made as well. Accepting the merits of the ACH process, one wonders how much upper management has used it to base its decisions. I suspect there are many frustrated/disappointed ACH analysts out there.