Mandiant APT1 report reveals too much information

News by Dan Raywood

The Mandiant report on the alleged Chinese state-sponsored hacking group APT1 has revealed too much information about its tactics, according to industry experts.

Speaking to SC Magazine, SANS Institute instructor and cyber security expert at Secure Anchor Consulting Dr Eric Cole said that in the Second World War, if the US had acted on all of the intelligence it had on the Nazis, then the Nazis would have realised what the US knew; instead only some of it was acted upon.

Cole said: “I have mixed feelings on the report as, on the one hand, it is an impressive piece of work. It is intellectual on the level of detail, and what they went through and the analysis, I thought it was very impressive, and especially on information sharing.

“However, the other side of my brain as a realist kicks in and says ‘is this going to help us or hurt us?’ Because for every organisation that now knows some additional indicators of compromise, they have in essence told the Chinese everything we know, so if you are Chinese what are you going to do – change?

“So the concern I have is you don't ever want to come out and tell an adversary everything you know about them, as while a lot of people did not know what was in the report and they found it valuable, and [there are] a lot of people working in this space – the report has taken six years of research – and [the level of detail has] almost invalidated it as you know the adversary is going to change and work differently. So I read it and have flip flopped back and forth as I have the two different views where on the one hand, it is very impressive but on the other, I wonder if it is too much information?”

Also speaking to SC Magazine, Joe Stewart, director of malware research at the Dell SecureWorks counter threat unit, said that despite the report's findings, there is still no hard evidence to prove the connection, and called it ‘circumstantial evidence’.

“I would like to see more of a connection in what China is doing as I like to deal in facts, and it is not enough without that,” he said.

“Maybe if there was another report from another company you'd get a better pattern. Now the Chinese government has an easy way out, as they can ignore all the evidence on it and say that there is nothing coming from us. Hackers use proxies and any internet protocol-based evidence may not be enough, as we may need more perspective.”

Cole said that with an advanced adversary, if you focus on one indicator, you will miss the others. “I am just concerned that some entities and organisations may not use it in the correct fashion. Now organisations may focus on the one and miss the other four,” he said.

When the report was released, China dismissed the allegations as ‘groundless’, with Foreign Ministry spokesman Hong Lei telling the Associated Press that he doubted the evidence would withstand scrutiny.

US-based security blogger Jeffrey Carr said in a blog post that he felt the report refused to consider what everyone knows and what those in the intelligence community acknowledge: that there are multiple states engaging in this activity, not just China.

Mandiant CEO Kevin Mandia said in a presentation at last week's RSA Conference that it was "time to stop saying it could be China and show it is China, and guys in uniform".

Mandiant's director of consulting Marshall Heilman said that rather than picking on China, it had been tracking groups from different countries and organisations, as the community wants to know what is going on, and that on the day after the report was released, it saw changes in the actions of the group.
