A year after first issuing his landmark report, ‘APT1: Exposing One of China’s Cyber Espionage Units’, Kevin Mandia gave an update on the report’s aftermath.
Mandia is now senior vice-president and chief operating officer at FireEye, a position he has held since FireEye acquired his company, Mandiant, for $1 billion earlier this year. In the original report, his firm identified 141 victims of the Chinese People’s Liberation Army hacking group known as Unit 61398. After examining all the attacks, Mandia came to a simple conclusion.
“There is no silver bullet, no technology we could buy, no pill we could swallow to make this problem go away,” Mandia said, addressing attendees at last week’s RSA Security conference.
Part of Mandia’s motivation in making the APT1 report public was to help start a conversation and possibly encourage some kind of diplomatic effort between the U.S. and China.
Looking beyond what was in the original report, Mandia said there was a lot more anecdotal evidence about the efforts of Unit 61398 than he first released. For example, Mandia said he found resumes online from people who had participated in Unit 61398’s operations and listed that work as a career highlight.
Mandia said his firm tried to elevate the information-sharing dialogue by releasing 3,000 actionable indicators of compromise, including IP addresses and domain names. When Unit 61398 came back to work after the APT1 report was released, its attacks began to originate from different domains and IP addresses.
“We did alter their behavior; Unit 61398 never used the same infrastructure again,” Mandia said. “What we did is create a whole bunch of new victims.”
Unit 61398 built out new infrastructure, Mandia noted, registering new domains to launch attacks from and compromising new victims. As the unit moved its operations, defenders who had been tracking the published indicators also risked losing visibility into what it was doing.
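The paragraphs above describe the trade-off in publishing atomic indicators: an IP and domain list detects the infrastructure an intrusion set used up to the day of publication, and stops matching once the operator rebuilds. The following is an added example (not code from the APT1 report, from Mandiant, or from the talk) of a small IOC matcher run over connection logs. Every indicator value, host and log line is constructed for illustration; the addresses are from the RFC 5737 documentation ranges and the domains use reserved example names, so nothing here corresponds to real APT1 infrastructure.

```python
"""Match IP/domain indicators against connection logs, and show how the
hit rate drops once the operator moves to unlisted infrastructure.

Added example; all indicator values and log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed IOC set in the shape of a published appendix: a handful of
# C2 domains, plus single addresses and a CIDR block.
IOC_DOMAINS = {"update-mail.example.net", "news.example.org"}
IOC_IPS = ["203.0.113.45", "198.51.100.0/24"]  # RFC 5737 documentation ranges

# Assumed log format (constructed): "<timestamp> <src-host> <DNS|CONNECT> <dst>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<action>CONNECT|DNS) (?P<dst>\S+)")


@dataclass
class IocSet:
    domains: set
    networks: list = field(default_factory=list)

    @classmethod
    def from_lists(cls, domains, ips):
        # Normalise to lowercase FQDNs without a trailing dot, and to
        # ip_network objects so single addresses and CIDR blocks match alike.
        return cls(
            domains={d.lower().rstrip(".") for d in domains},
            networks=[ipaddress.ip_network(i, strict=False) for i in ips],
        )

    def match(self, value):
        """Return the indicator that `value` hits, or None."""
        v = value.lower().rstrip(".")
        if v in self.domains:
            return v
        # A subdomain of a listed C2 domain counts as a hit too.
        for d in self.domains:
            if v.endswith("." + d):
                return d
        try:
            addr = ipaddress.ip_address(v)
        except ValueError:
            return None  # not an IP and not a listed domain
        for net in self.networks:
            if addr in net:
                return str(net)
        return None


def scan_logs(lines, iocs):
    """Return (timestamp, src, indicator) for each line whose destination
    hits the IOC set; malformed lines are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ind = iocs.match(m["dst"])
        if ind:
            hits.append((m["ts"], m["src"], ind))
    return hits


def hit_summary(lines, iocs):
    """Count hits and the distinct source hosts involved."""
    hits = scan_logs(lines, iocs)
    return {"lines": len(lines), "hits": len(hits),
            "hosts": sorted({h[1] for h in hits})}


# Constructed logs from the same internal host before and after the
# indicator release. Afterwards the beacons go to infrastructure that is
# not on the list, so the same IOC set finds nothing.
LOGS_BEFORE = [
    "2013-02-01T09:00:00Z 10.0.0.7 DNS update-mail.example.net",
    "2013-02-01T09:00:01Z 10.0.0.7 CONNECT 203.0.113.45",
    "2013-02-01T09:30:00Z 10.0.0.7 CONNECT 198.51.100.200",
    "2013-02-01T09:31:00Z 10.0.0.9 CONNECT 192.0.2.10",
    "this line is malformed and must be skipped",
]
LOGS_AFTER = [
    "2013-03-01T09:00:00Z 10.0.0.7 DNS cdn-sync.example.com",
    "2013-03-01T09:00:01Z 10.0.0.7 CONNECT 192.0.2.77",
]

if __name__ == "__main__":
    iocs = IocSet.from_lists(IOC_DOMAINS, IOC_IPS)
    print("before release:", hit_summary(LOGS_BEFORE, iocs))
    print("after release: ", hit_summary(LOGS_AFTER, iocs))
```

Run stand-alone, the matcher flags three connections from 10.0.0.7 in the pre-release logs and none afterwards, even though the same host is still beaconing. That is the visibility loss the talk describes: a released indicator list is most useful for a retrospective sweep of historical logs, and its value against the live operator decays from the day it is published.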
“The end of the story is that they (Unit 61398) are still doing it today, and it’s not going away,” Mandia said. “Now we have nation states sponsoring intrusions into the private sector.”
In Mandia’s view, all future conflict will have a cyber component.
While infrastructure is a target, the biggest vulnerability is often the human element. “Attackers target people; the people surface is a large surface to attack,” he said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.