Is the term APT overused?

Speaking to a group of journalists this morning in London's Ritz Hotel, Kevin Mandia, CEO of FireEye, said he doesn't see the point of giving APT groups names like “fuzzy cuddly huggy bear.”

He said it's not very practical to go into meetings using those names, as it creates confusion. Instead his company simply numbers them: APT28, APT29 and so on.

Mandia and his team called the press briefing to share FireEye's view of the current landscape of nation-state hacking and cyber-intelligence, and of where it is going next.

He wasted no time, kicking off the briefing with Russia. Mandia said: “Back in 1996, when the internet was first used for selling, is when we first saw Russian cyber-crime.”

Mandia described how, during an investigation, Russian cyber-criminals who realised they were the subject of that investigation would cease all activity so that their tradecraft couldn't be learnt.

This apparently changed in 2014 when the conflict between Russia and Ukraine began. He said, “Despite Russians knowing we were watching, they stopped going away.” He added that some of the first instances of this new behaviour involved stealing the emails of anti-Putin university professors. According to Mandia this is something of an East-versus-West chest-beating exercise.

“Their counter-forensics became sloppy, and they didn't appear to have as much time to cover things up,” said Mandia.

Pivoting to the US election and the hacks carried out on the Democratic National Committee (DNC), Mandia wasted no time in attributing these hacks to ‘Russia’. He didn't sound surprised about it either, saying that something like this happens “every election year”.

Overall, Mandia said FireEye has spent 185,000 man-hours analysing information on APT28 and APT29, and half of that activity can be attributed back to ‘Russia’. He said there was a distinct move towards an economies-of-scale kind of operation, where a lot of the hacking is automated, e.g. searching for the word “classified” within a stolen email cache.

Mandia touched briefly on the supposed over-use of the term APT by the media, and whether or not it is appropriate to apply the label so freely. “The problem is if you look at the case of TalkTalk, for example, where we see a 15-year-old being arrested for causing millions in damage, companies could easily end up being described as irresponsible and no CEO wants that,” he said.

“However, attribution is hard and is largely political. No one would assign the term APT lightly. If you look at the case of the Sony hack, where President Obama himself accused North Korea of carrying it out, public opinion immediately shifted and got the public onside.”

Comparing this to China, Mandia opined that at some point the Chinese conducted a “risk versus reward” assessment, after which most Chinese hacking of US-based companies largely abated. He said, “we're not seeing China in the west.”

Mandia said the Chinese are currently busy in geopolitical wars with other countries in APAC, such as the dispute over the South China Sea.

That dispute involves the Philippines, China and others contesting territory and sovereignty over ocean areas, and over the Paracels and the Spratlys, two island chains claimed in whole or in part by several countries.

When asked his thoughts on North Korea, Mandia described the situation as “baffling”, saying that the country has no clear aim when it comes to its hacking activities. As a result there simply isn't enough data to extract patterns from its behaviour.

“Do they want IP? Do they want to destroy machines? No one is quite sure,” he said, adding, “All we know is, South Korea and North Korea tend to blame each other for hacking attacks.”

Finally, touching briefly on the Middle East, Mandia said it is a hotbed of activity, but that countries like Israel don't tend to do much information sharing. He added, however, that “the Iranians look as though they just came out of a classroom, which is obviously good for us.”