In his latest book, New York Times correspondent David Sanger describes how cybersecurity firm Mandiant hacked into the devices of Chinese cyberspies during its investigation into the threat group known as APT1.
Mandiant, now owned by FireEye, published its famous report on APT1 back in 2013 when it was led by CEO Kevin Mandia. The company at the time released information apparently showing that the Chinese military had been conducting sophisticated cyber-espionage operations.
In his book, “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” Sanger describes how he was allowed to watch Mandiant hack into the hackers’ systems. An excerpt of Sanger’s book shared on Twitter by Thomas Rid, a Professor of Strategic Studies at Johns Hopkins University, reads:
“Ever resourceful, Mandia’s staff of former intelligence officers and cyber experts tried a different method of proving their case. They might not be able to track the IP addresses to the Datong Road high-rise itself, but they could actually look inside the room where the hacks originated. As soon as they detected Chinese hackers breaking into the private networks of some of their clients – mostly Fortune 500 companies – Mandia’s investigators reached back through the network to activate the cameras on the hackers’ own laptops. They could see their keystrokes while actually watching them at their desks.
The hackers, just about all of them male and most in their mid twenties, carried on like a lot of young guys around the world. They showed up at work about eight-thirty a.m. Shanghai time, checked a few sports scores, emailed their girlfriends, and occasionally watched porn. Then, when the clock struck nine, they started methodically breaking into computer systems around the world, banging on the keyboards until a lunch break gave them a moment to go back to the scores, the girlfriends, and the porn.
One day I sat next to some of Mandia’s team, watching the Unit 61938 hacking corps at work; it was a remarkable sight. My previous mental image of PLA officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts […].”
Advertisement. Scroll to continue reading.
In a statement published on Monday, FireEye admitted that Sanger was given access to the methods used by Mandiant to gather evidence of APT1’s ties to the Chinese military, but claims the reporter’s description “resulted in a serious mischaracterization of our investigative efforts.”
“We did not do this, nor have we ever done this,” FireEye said regarding claims that its employees activated the cameras on the hackers’ own laptops. “To state this unequivocally, Mandiant did not employ ‘hack back’ techniques as part of our investigation of APT1, does not ‘hack back’ in our incident response practice, and does not endorse the practice of ‘hacking back.’”
“Hacking back,” the term used to describe a cyberattack victim – or someone hired by the victim – hacking into the systems of the attacker, is a controversial practice and only few cybersecurity firms have admitted doing it.
FireEye claims that what Sanger described as hacking back were actually video recordings of the attackers interacting with their malware command and control (C&C) servers. The firm has published one of the videos it presumably showed the reporter.
“To someone observing this video ‘over the shoulder’ of one of our investigators, it could appear as live system monitoring. Nevertheless, Mandiant did not create these videos through ‘hacking back’ or any hacking activity. All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised,” FireEye explained.
While some industry professionals have accepted FireEye’s explanation for obtaining data on the hackers’ personal online activities, Sanger’s claims that he saw APT1 members wearing leather jackets raises a lot of questions. FireEye has not specifically addressed this issue in its statement, but SecurityWeek is trying to obtain some clarifications from the company. In the meantime, experts have provided some more or less plausible explanations on how the reporter may have seen what he believed were the hackers.
Richard Bejtlich, who worked for Mandiant and then FireEye between 2011 and 2017, including as Chief Security Strategist, has corroborated FireEye’s statement.
‘At no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into adversary systems,” Bejtlich wrote in a blog post. “During my six year tenure, we were publicly and privately a ‘no hack back’ company. I never heard anyone talk about hack back operations. No one ever intimated we had imagery of APT1 actors taken with their own laptop cameras. No one even said that would be a good idea.”
Related: Chinese Whispers, Chinese Lies – Analyzing Mandiant’s APT1 Report
Related: Considering The Complexities of Hack Back Laws

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
