Friday, February 22, 2013

More on Mandiant's APT1 Report: Guilt by Proximity and Wright Patterson AFB

The blog post that I wrote earlier in the week "Mandiant Report APT1 Has Some Critical Analytic Flaws" was based upon my history of interacting with some Mandiant folks online and in person as well as my interpretation of the facts as they were presented in the report. Thanks to some feedback that I received from readers as well as a teleconference that I had with three Mandiant executives yesterday, I've learned some new things that color my earlier article.

1. Mandiant has expanded their original definition of APT

Yesterday, I spoke with three Mandiant executives and learned that their meaning of the term has evolved with the times and it no longer represents a Who, but a What; or more precisely, a well-documented multi-staged process that attackers from multiple nation states have adopted. Mandiant has not formally announced this change (although they probably will later this year) so when I wrote my article on their APT1 report, I was referencing their former definition which I know now is no longer in use. While Mandiant often sees Chinese hackers at work stealing trade secrets and intellectual property, they also acknowledge that other countries may be doing the same thing. I'm happy to report this change because it's been a point of contention between myself and some folks at Mandiant ever since 2010. I'm glad that we're closer to being on the same page.

2. Mandiant did some negative analysis before publishing their report

Another thing I learned from that phone meeting was that there was an effort made to look at alternative scenarios that might explain the facts that Mandiant had before them. Mandiant isn't a part of the Intelligence Community (even though they have some ex-IC folks working there) and they don't have the time, resources, or manpower to do the same type of analysis that is performed at Langley. It's also not their mission to do nation state attribution, so I want to give them at least some credit for the counter-analysis that they did do, even though the significance of their conclusion demanded a more rigorous methodology in my opinion.

Thanks to input from my readers, I've also learned some additional negatives about the report.

1. Mandiant's reliance on proximity to prove its claim that PLA Unit 61398 is Comment Crew aka APT1 is harmed by simple geographical mistakes such as:
  • p.10 of Mandiant's report refers to Hebei as a borough in Shanghai. Hebei is actually a province about 600 miles and 3 provinces away from Shanghai.
  • NEC and Intel along with many other high tech companies operate less than 8 miles from PLA Unit 61398 and all would be served by the same fiber optics cable provided by China Unicom.
  • There are more free proxy servers in China than anywhere else in the world and some of those proxy servers overlap with the IP blocks identified in the Mandiant report.
  • An IP registration for UglyGorilla was described by Mandiant as being "across the river" from Unit 61398. In fact, it was 33 kilometers away.
2. Speaking of guilt by proximity, one of the "obviously false" IP address registrations according to Mandiant was for an address in Yellow Spring, Ohio. It should have been spelled "Yellow Springs". However, a cursory check shows that the address is real except for that one missing "s". Even more interesting is that it is located 13 miles from Wright-Patterson Air Force Base which is the Air Force's "boot camp for cyber warriors".

Directions via Google Maps
Either this is a bizarre coincidence or someone on the Comment Crew has a wicked sense of humor. As it turns out, Michael Murphy is a real person who lives in Yellow Springs, Ohio and who used to be the director of admissions at Antioch College whose office is located at 795 Livermore St., Yellow Springs, OH - the address that Mandiant assumed was fake.

3. (UPDATED 23 FEB 13) On page 11 of the report, under "Size and Location of Unit 61398's Personnel and Facilities", Mandiant wrote "public sources confirm that in early 2007, Jiangsu Longhai Construction Engineering Group completed work on a new building for Unit 61398 located at Datong Road 208 within the Pudong New Area of Shanghai. At 12 stories in height and offering 130,663 square feet of space, we estimate that this building houses offices for approximately 2,000 people." In reality, it's the Unit's pre-school:

English translation via Google Translate

And this isn't all of the errors. It's just a fraction. While each may seem minor, collectively they call into question Mandiant's final conclusion and, at the very least, should serve as a lesson to policy makers not to rush to judgment on matters of attribution. There's plenty of evidence that China engages in cyber espionage without upping the ante by trying to claim the People's Liberation Army is involved.

At the end of the day it's important to remember that Mandiant isn't a U.S. government agency nor are they trained to do intelligence collection and analysis at the same level that it's done at Langley. They're a group of highly skilled professionals who serve their customers as incident responders and have a well-deserved reputation for excellence.

15 comments:

  1. If people at Mandiant have worked in the IC, which they have, then shockingly they are actually trained to do intelligence collection, and analysis at the same level that it's done at Langley. So if you are going to complain about personal attacks maybe you should not be the first to make one?

  2. Oh, and actually it looks like Habei or Zhabei is actually a district or borough in Shanghai http://en.wikipedia.org/wiki/Zhabei_District

  3. Not true. 1. Analysis is done differently in different agencies. 2. Cognitive bias is a fact, not my opinion. 3. I quoted from a classic text by a well-regarded intelligence expert to explain what Mandiant didn't do. 4. While Mandiant performed some type of negative analysis, they couldn't tell me specifically what type which means that it wasn't ACH. 5. My criticism was never personal.

  4. "Zhabei" - yes. "Hebei" - no. There is no "Habei". http://english.hebei.gov.cn/

  5. Lastly, why would a college professor in Ohio register two domains used by APT1? Obviously he didn't and though it is a real address it is fake registration information. If you look at the domains you will see that both are very close to actual company websites. Att was involved with a group called npower, and uszzcs.com is close to www.szzcs.com. Try some OSINT.

    Replies
    1. He obviously didn't. I joked about it being funny that they'd pick a location close to Wright-Patterson AFB. But the writers picked on the missing "s" instead of pointing out that APT1 used a real name and address. Maybe they need to try some OSINT (to use your advice).

  6. Oops, sorry. I'm wrong. But if you go to Google Maps and type zhabei then search nearby you get to the Hebei stuff just to the south. Also look at the Hebei Chamber of Commerce's address on their website http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.hbsh.org/&prev=/search%3Fq%3Dhttp://www.hbsh.org/%26hl%3Den%26safe%3Doff%26client%3Dfirefox-a%26hs%3DpHP%26rls%3Dorg.mozilla:en-US:official&sa=X&ei=BhEoUeeTF7Ks0AH4u4GAAQ&ved=0CDgQ7gEwAA

    It is: Shanghai, Hebei Chamber of Commerce All Rights Reserved Shanghai ICP 09059492 No. Chamber of Commerce Address: Shanghai Pudong New Area, Central Long Road 57 Tel 021 -58210260

    Replies
    1. OK, but that's not what the report authors said. They said "Hebei is a borough of Shanghai" which is obviously not true. Now you can say that the mistake is understandable, and maybe it is, but they were still wrong which begs the question - how many other mistakes did the report authors make?

    2. http://www.hbsh.org/ is an association of Hebei business people that do business in Shanghai. There are also many things in Shanghai that are named after Hebei, like hotels and streets. Some of them actually have some connection with Hebei (i.e. a restaurant with authentic Hebei food).

      And this is not an "understandable" or minor mistake. Calling Hebei a district of Shanghai is like finding a store called Texas Fried Chicken in New York City and then stating that Texas is a borough of New York City. Anyone with minimal knowledge of China (which includes most Chinese) is not going to take you seriously if you make a mistake that big.

  7. This comment has been removed by a blog administrator.

  8. I'm not very much upset at Mandiant. Their report did include some useful information, and they are in the business of computer security and not political or economic analysis. I do have a lot of ire at the New York Times for uncritically giving the article so much prominence. I don't expect that Mandiant would know the difference between the PLA and MSS, but I would have expected the NYTimes to do so.

    A press release from Mandiant is not going to get us into an unnecessary war, but we've already seen one example of sloppy, uncritical journalism with respect to Iraqi WMDs do a lot of national security damage, and I would have thought the NYTimes would have learned something from this. I don't see anything bad happening if the NYTimes relies on Mandiant for computer security, but I see plenty of dangers if the NYTimes outsources political and military analysis to them.

    Replies
    1. I suspect that part of the problem with the New York Times is that they reflect the view of the U.S. government regarding China, and that some elements of the DOD and IC are in agreement with the Mandiant report. Therefore, it doesn't get as much critical scrutiny.

    2. Mandiant's help with the NYT hack and their attribution of the hack to China probably plays a part as well. Since the news broke the NYT (along with the WaPo and a few others) has hardened its line against China considerably. It is one thing for hackers to break into gas or infrastructure companies - but into the NYT itself (Gasp)!?! It means war. Or as much of a war as a publisher can wage.

    3. I don't mean to pick on Mandiant either. It's just if a company is going to triumph an analytic piece with the full knowledge of the stir it's going to create, then it should be prepared to take any warranted or justified criticism. The information they provided was very compelling; their "analysis" or whatever it is they are calling it, was not. My criticism is with the analysis, not the legwork that was done.

    4. The US government is pretty large, and you have both "panda huggers" and "dragon slayers" in it. The Department of Commerce is made up of "panda huggers" and the Navy tends to have more "dragon slayers."

      One interesting thing that I've found is that the "usual suspects" are pretty quiet. There is a cluster of "dragon slayers" that are centered on conservative House Republicans (Dana Rohrabacher, Ileana Ros-Lehtinen) with the Washington Times (Bill Gertz) and conservative think tanks (the AEI and the PNAC) that I would have expected to be all over this news, but they've been very quiet. My guess is that China-bashing really backfired for Romney in the last election, and that's keeping them quiet. Also, two years ago, you would have had people using this issue to paint Obama as "soft on America's enemies." My guess is that given that there are delicate budget negotiations going on, the House Republican leadership is keeping members on a very short leash.

      The other thing is that the Obama administration is responding to this by "loudly doing nothing." "Bringing up the issue" is code for "do nothing real." One issue here is that because the Mandiant report is basically marketing literature, the people involved haven't done very much to think about what should be done other than hire Mandiant.
