In his latest book, New York Times correspondent David Sanger describes how cybersecurity firm Mandiant hacked into the devices of Chinese cyberspies during its investigation into the threat group known as APT1.
Mandiant, now owned by FireEye, published its famous report on APT1 back in 2013 when it was led by CEO Kevin Mandia. The company at the time released information apparently showing that the Chinese military had been conducting sophisticated cyber-espionage operations.
In his book, “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” Sanger describes how he was allowed to watch Mandiant hack into the hackers’ systems. An excerpt of Sanger’s book shared on Twitter by Thomas Rid, a Professor of Strategic Studies at Johns Hopkins University, reads:
“Ever resourceful, Mandia’s staff of former intelligence officers and cyber experts tried a different method of proving their case. They might not be able to track the IP addresses to the Datong Road high-rise itself, but they could actually look inside the room where the hacks originated. As soon as they detected Chinese hackers breaking into the private networks of some of their clients – mostly Fortune 500 companies – Mandia’s investigators reached back through the network to activate the cameras on the hackers’ own laptops. They could see their keystrokes while actually watching them at their desks.
The hackers, just about all of them male and most in their mid twenties, carried on like a lot of young guys around the world. They showed up at work about eight-thirty a.m. Shanghai time, checked a few sports scores, emailed their girlfriends, and occasionally watched porn. Then, when the clock struck nine, they started methodically breaking into computer systems around the world, banging on the keyboards until a lunch break gave them a moment to go back to the scores, the girlfriends, and the porn.
One day I sat next to some of Mandia’s team, watching the Unit 61938 hacking corps at work; it was a remarkable sight. My previous mental image of PLA officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts […].”
In a statement published on Monday, FireEye admitted that Sanger was given access to the methods used by Mandiant to gather evidence of APT1’s ties to the Chinese military, but claims the reporter’s description “resulted in a serious mischaracterization of our investigative efforts.”
“We did not do this, nor have we ever done this,” FireEye said regarding claims that its employees activated the cameras on the hackers’ own laptops. “To state this unequivocally, Mandiant did not employ ‘hack back’ techniques as part of our investigation of APT1, does not ‘hack back’ in our incident response practice, and does not endorse the practice of ‘hacking back.’”
“Hacking back,” the term used to describe a cyberattack victim – or someone hired by the victim – hacking into the systems of the attacker, is a controversial practice and only few cybersecurity firms have admitted doing it.
FireEye claims that what Sanger described as hacking back were actually video recordings of the attackers interacting with their malware command and control (C&C) servers. The firm has published one of the videos it presumably showed the reporter.
“To someone observing this video ‘over the shoulder’ of one of our investigators, it could appear as live system monitoring. Nevertheless, Mandiant did not create these videos through ‘hacking back’ or any hacking activity. All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised,” FireEye explained.
While some industry professionals have accepted FireEye’s explanation for obtaining data on the hackers’ personal online activities, Sanger’s claims that he saw APT1 members wearing leather jackets raises a lot of questions. FireEye has not specifically addressed this issue in its statement, but SecurityWeek is trying to obtain some clarifications from the company. In the meantime, experts have provided some more or less plausible explanations on how the reporter may have seen what he believed were the hackers.
Richard Bejtlich, who worked for Mandiant and then FireEye between 2011 and 2017, including as Chief Security Strategist, has corroborated FireEye’s statement.
‘At no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into adversary systems,” Bejtlich wrote in a blog post. “During my six year tenure, we were publicly and privately a ‘no hack back’ company. I never heard anyone talk about hack back operations. No one ever intimated we had imagery of APT1 actors taken with their own laptop cameras. No one even said that would be a good idea.”
Related: Chinese Whispers, Chinese Lies – Analyzing Mandiant’s APT1 Report
Related: Considering The Complexities of Hack Back Laws
