Security Experts:

Chinese Whispers, Chinese Lies: Analyzing Mandiant's APT1 Report

In the weeks since the Mandiant APT1 Report was released, the conclusions presented by Mandiant have been extensively repeated and commented on by pretty much everyone. Worryingly, the narrative was accepted almost unequivocally, brushing aside many inconsistencies and disregarding any opposing interpretations. In the case of most of the commentators, it appeared they had either only briefly skipped through or not even read the original report.

What struck me and many others as most suspicious, were the glaring operational security lapses that this supposedly “highly professional” hacking group seems to have made over the course of several years. Most obvious is the continued use of the “” domain name.

China Cyber Attacks

We are meant to believe that a covert, special operations team member was allowed to bring with him a tainted domain from his civilian, cybercrime days. What that would indicate is that in this vast, huge group (Mandiant alleges several hundred or even thousands) no one knows anything about operational security procedures, such as executing regular reviews for example, that would and should have eventually made the Comment Crew themselves aware of these smoking guns. The group evidently has sufficient knowhow and is able to use OSINT to construct targeted attacks and provide them with situational awareness to operate, yet appears to be unable to cover their tracks.

We are also told that APT1 was so careless or brazen, depending on the interpretation, that they habitually entered partially correct information for domain registration data, even using email addresses that could be Google’d or traced using OSINT methods. Not consistently though – only sometimes. At other times, they made them up.

The analysis of the WHOIS records by Mandiant was hilarious. On Page 47 (PDF), we are treated to the ludicrous assumption that the spelling, of all things, of the fake registry information is of any consequence. All it shows is that whoever did it did not care about the accuracy of the contents of a fake dns registration. Because it’s fake, duh. Mandiant’s conclusion is again, comical:

Overall, the combination of a relatively high number of “Shanghai” registrations with obviously false registration examples in other registrations suggests a partially uncoordinated domain registration campaign from 2004 until present, in which some registrants tried to fabricate non-Shanghai locations but others did not.

Uncoordinated DNS registration campaign – where some registrants fabricated fake data and others did not. What is that even supposed to mean? An “uncoordinated campaign” is something of an oxymoron anyway.

The report lists many domains that were spotted by Mandiant. The only problem is that they are consolidated, and not listed or sorted in any way that allow a 3rd party to recognize in which context, constellation and grouping they were actually originally identified. This is disingenuous, because it means that it is not transparent whether the attribution of all of these to one individual group is correct, or if there were other patterns within the individual incidents. Essentially, the veracity of the claim that all of these domains belong to one group is something we have seen no actual evidence for. It is based solely on word of mouth. Of course, many of these can be verified by other 3rd parties, and has been done, but not all of them together. That can give the false impression that the Indicators of Compromise have been verified.

The indicators tying the Comment Crew to PLA Group 61398 are also tenuous, so tenuous that if you plucked them with your finger, they would probably tear. The Information on PLA Group 61398 is undisputable. There is absolutely no doubt that this group exists. What is in question however, is that the group identified (although even the evidence that the activity is solely of one group is questionable) as the Comment Crew are in fact one and the same. Mandiant provides nothing in hard evidence, instead stringing together coincidences and leaps of logic that would seem more at home on a conspiracy forum.

Most of the characteristics that match (Page 59, Table 12, Matching Characteristics) between APT1 and Unit 61398 would apply almost to any active Hacking Group. It is like identifying a murderer by saying that murderers have 2 arms, 2 legs, and kill people, hence so-and-so did it.

Even the geographical attribution is unreliable in the sense that there could be other hacking groups acting in such a vast and populated area, that has a population of over 5 million, is home to several thousand businesses and 2 universities. In the same vein, you could attribute any hack originating in London to the UK Ministry of Defense.

These are the main points that the entire synopsis of the Mandiant Report hinges on. It is also worth pointing out that many of the subsequent conclusions are based on huge leaps of faith and many assumptions. In addition, much of the report is filled with information and OSINT sources that only corroborate and strengthen the evidence for the existence of the Comment Crew, and the existence of PLA Unit 61398, but not that they are indeed one and the same.

There is one secondary indicator that has been made a great deal of. On page 52, the report cites an incident involving the actor identified as “Ugly Gorilla” in 2004, who asked a prominent Professor whether China had a “cyber army”. Whilst an interesting find, it really proves very little in the way of any association between “Ugly Gorilla” and the PLA, but keep a mental note of it, as we will revisit it later.

I am a great believer in the principle of Occam’s Razor. Whatever hypothesis makes the least assumptions is the most likely. Applying that to many of the findings in the Mandiant Report and the narrative that was provided as an explanation seems prone to relying on too many assumptions.

The problems identified with the report have not been entirely overlooked. Considering the obvious lapses in operational security that the alleged Comment Crew displayed even Mandiant has conceded in the meantime that the Crew is not China’s “A-Team”. No kidding, Sherlock! It is in fact well known that China has some operational offensive cyber-teams of a high caliber. In this of course, they are not alone. According to Mandiant:

The main way I’d characterize them is speed. The best guys we see move fast. They operate on a time scale of minutes as opposed to hours, days or months. They do have more ability to write zero day exploits. Their custom tools are better coded. They have better discipline and better execution. You see them making far fewer mistakes as they carry out their mission, and they seem to have better reconnaissance. Once they’re in, they know what they need and they go after it quickly.

Applying Occam’s razor here again: Why would the Chinese have these elite groups that appear to work without leaving anywhere near as many traces, and then instead let the B-List go on a rampage doing most of the work? Even if it is argued that it is a matter of resources, it seems unlikely that these teams would not, over time, train the others, or that Operational Security Procedures, Tools and Knowhow would be shared.

When pressed if the Comment Crew were more “regimented” than a group of freelancers, Richard Bejtlich, the CEO of Mandiant retorts, “Other units are more regimented and have better opsec [or operational security,] and that’s why we didn’t talk about them.”

It seems just a little bit as though Mandiant caught a Minnow, and back at the pub with each telling the arms go wider apart taking on the size of a pike. Not to trivialize the damage done, but one needs to keep in mind that the Comment Crew in particular used a lot of off-the-shelf tools and relied far less on 0days than the more sophisticated groups, not to mention the less than stellar OpSec, leaving a trail like bull in a China shop (obligatory pun intended).

Even latest finding, of old blog entries from an individual purported to be a member of PLA Group 61398 and the Comment Crew, whilst sounding plausible at first glance makes you scratch your head in wonderment once you think about it. How was it possible that this individual was able to post this information on a public blog for so many years, without arousing the attention of his colleagues, superiors, or any of the other various organs of the Peoples Party that otherwise monitor and censor all else. Even project details are disclosed. There are examples of information being censored for far less.

This is the problem when you are trying to match the evidence against a foregone conclusion. We like to compare this to solving a jigsaw puzzle, which is a bad analogy. You always know what a jigsaw puzzle looks like before, and just try to fit the pieces to make that picture. This is more like a riddle, where you are given clues that are meant to lead to the answer. I am not in any way saying that the good folks at Mandiant are up to anything sinister or are colluding with anyone , far from that. The release of the Indicators of Compromise were a boon to the entire community, and their technical ability is undoubtedly of the highest quality and caliber. But we are all human and cannot overcome our personal and innate preconceptions and preconceived notions. The technical work was excellent-- the drawing of conclusions less so.

There are far too many assumptions there for it to be the most likely explanation. Occam’s razor states that these guys are not military grade. That is the only possible conclusion based on all the evidence there currently is.

The foremost problem with the Mandiant report is that it relies on a view of China and the Chinese Cyber-Operations that has very little to do with situational conditions on the ground. It clings on to the stereotype of a regimented, centralized China with total top down control. If that China ever existed, that is certainly not the case now.

If you have followed the news and reports coming out from China the past years, and especially the last months, you will have heard of widespread governmental and industrial and economic corruption. This corruption is endemic and the main driver behind the prolific hacking. The majority of the hackers are indeed freelancers, paid bonuses and fees for valuable information. There is evidence to support this, with instances of alleged Chinese government operations being found hosted side by side with criminal activities. Once again, a surefire sign that military or intelligence services operational security are not being followed by these kinds of threat actors. The risk of losing operational integrity is too high.

Even the prevailing and popular theory that these freelancers are in the employ of the Chinese government is often incorrect and ignores the scale and specific Chinese character of the corruption. A recent report in the China Digital Times provides a behind the scenes look into how espionage and surveillance are used in internecine infighting in local, regional and possibly even national government, politics, and economics. It is a definite recommended must read. Espionage has become a tool of choice in China when doing business and a common weapon to get ahead in your career.

Essentially, there are many, many parties who will make use of these types of services, the majority of them without any Peoples Party or PLA authority, or even their knowledge. Businesses competing in this environment will also use any means possible to get or stay ahead.

In this environment, hackers can take on contracts from many of the parties participating in this activity, going either after specific targets or information, selling opportunistic pay data to multiple customers, or if the data is valuable enough, to the highest bidder.

What this really means though, is that when the Chinese government states that it is not behind most of these attacks – it is possibly telling the truth. That the Chinese government has offensive cyber capabilities are not disputed – most governments now have these, or are planning on adding them. What is not a given is that all of this activity has been officially prompted or sanctioned.

As well as commercial freelancers plying their trade to anyone willing to pay, there are dedicated groups financed and set up by unsanctioned individuals and interest groups, working specifically to further private interests. The line between government and private interests, due to the innate nature of the power structures in China, are often blurry to the point of being unrecognizable.

One thing to note is that the hacking is also indiscriminate; they target each other as much as international targets.

Chinese HackingAdd to this the fact that other actors, and other nation states amongst them, use china as a jumping –off point, and the result is pandemonium and chaos. It’s the wild, wild east.

Coming back to the incident with “Ugly Gorilla” and his public query that some have interpreted as the possible first contact between the PLA and UG, it is just as likely that a private entity could have reached out and made contact. Amongst the many OSINT sources dug up so far in regards to the identified members of the Comment Crew, attempts at finding employment seem to figure prominently. That too indicates a burgeoning market for hackers for hire. If it was only the government employing hackers, publicly seeking work would seem moot.

The reason then, why the Comment Crew, and such groups in general, are so successful; have perfected and evolved their infrastructure, techniques and toolsets; have been able to obtain the resources and longevity and maintain their focus in such a way that many observers think they are nation-state sponsored is because they have an economic environment that makes this possible. They are able to convert much of the data they exploit into hard cash and other income, and in a location like the industrial hub Pudong they have quick and easy access to office space, infrastructure, human resources, and as an added bonus occasionally get to rub shoulders with the national intelligence community at lunch. The same environmental factors that make Pudong attractive to the actual PLO Group 61398 would more than likely make it suited for similar operations, be they military and private.

Ron Gula, the CEO of Tenable Network Security, remarked to me recently that it sounded reminiscent of the KGB Hackers, whose story is recounted in Clifford Stoll’s wonderful account of how he traced this group and singlehandedly invented the discipline of computer forensics, “The Cuckoo’s Egg”. The KGB Hackers were primarily a group of German hackers led by Karl Koch acting under the alias Hagbard. They spied for the KGB in the late 1980’s, targeting European and US defense installations and contractors. Supplied with Cash payments and drugs amongst other things by their Russian handlers, they were able to carry out hacks with all of their attention full time. Of course, the people supplying the money need not necessarily be from the government. Anyone with deep pockets and a need for the information available via these means will suffice.

One may argue that my narrative has little evidence – to which I would counter that I have just as much as Mandiant. For that though, mine at least is based on situational awareness and a more realistic set of assumptions. Other commentators have come to similar conclusions as well.

For the Chinese government the problem is that it cannot acknowledge this state of affairs publicly or officially – not just because they may lose face – but also because corruption is such a touchy subject and has become a major problem and social issue in the Peoples Republic. In addition, many of the interest groups that are benefitting from these activities have a stake in the government and judging by other behavior will work against any attempt to limit them.

It remains to be seen if this activity will – or even can – be reined in by the Chinese government. It is questionable how much influence the leadership has on this behavior, or if it can do anything that will be effective at all, when it is so widespread, against intent and without official sanction anyway.

The announced crackdown on corruption by the new leadership may be the best hope and may have more of an impact than targeting the hacking market by itself, should it prove to be a heartfelt attempt and be in any way effective. The danger in the meantime though, is that the incessant offensive activity originating out of Chinese cyberspace, whether state-sponsored or the result of criminals and corruption, will lead to an escalation and a cyber-arms race. Calling for international agreement on offensive operations in cyberspace will do little to curb the shadow activity emanating from China. The government will have to take serious and effective action or the economic repercussions will outweigh any benefits deriving from engaging in espionage, as well as the cost required to control it. It would also have the benefit of reducing the noise that currently allows other actors to use Chinese IP-Space as a decoy to hide their own tracks.

So does this alternative interpretation change anything? Probably not for past, present and future victims. The Modus Operandi remains the same, and the primary concern for them is still damage limitation and the loss of data and competitiveness. But, it is relevant to policy makers and businesses intending on operating in China. It impacts how we have to interact with the Chinese government on this, and should also redefine our expectations.

Related Reading: A Convenient Scapegoat - Why All Cyber Attacks Originate in China

view counter
Oliver Rochford is the Vice President of Security Evangelism at DFLabs. Oliver is a recognized expert on threat and vulnerability management as well as cyber security monitoring and operations management. He previously worked as research director at Gartner. He has worked as a security practitioner and white hat hacker for Tenable Network Security®, HP Enterprise Security Services, Verizon Business, Secunia® (now Flexera Software), Qualys®, and Integralis (now part of NTT Com Security).