Monday, March 18, 2013

Mandiant's APT1 "Mission" problem

The table of proof in Mandiant's APT1 report listed six categories of evidence that Mandiant deduced tied APT1 to PLA Unit 61398. The first, which Mandiant called the Mission area, made the claim that PLA Unit 61398 "targets strategic emerging industries in China's 12th Five year Plan" (see table 12 on p.59). Earlier in the report the authors claimed that "APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan" (p.24).

The Mission evidence is of particular interest to me because I've been mining adversary-state R&D since 2009. Knowing what a potential adversary state is after is important, but it cannot be done at the 50,000-foot view, which is what China's Five Year Plans provide. Taia Global published a white paper almost a year ago (a copy of which was requested by one of Mandiant's executives) that provided a similar high-level look at the R&D priorities of 13 nation states. It too was not sufficiently granular to be of much use in an attribution effort; however, it does make clear that certain technologies are of value to at least a half dozen threat actors (see below). Frankly, this is a valid approach, if done properly, to help a company understand which of its files may be at risk, and that's precisely what Taia Global's new product, Chimera, is being developed to do. However, it's not enough to say that because "energy" is part of China's FYP, it must be China whenever an energy company is attacked. France, Germany, and Russia are also spending money on energy-related research, and all three of those states have engaged in industrial espionage. Even that is not sufficient evidence to blame a state actor. What's more likely, in my opinion, is that a professional hacker group is making money by stealing valuable IP and selling it to competitors, state-run companies, and/or the states themselves.

Here are the seven new strategic industries identified in China's 12th FYP. The report didn't disclose which four of the seven were targeted:
  • Energy conservation and environmental protection industries
  • New-generation IT industry
  • Biological industry
  • High-end equipment manufacturing industry
  • New energy industry
  • New material industry
  • New-energy automobile industry
Below are some of the R&D priorities for six other nation states that have engaged in industrial and cyber espionage. The list is not exhaustive, but it illustrates how little deviation there is at the broadest level of international R&D. We can safely say that companies in these industry segments are being targeted for their IP. We can't say that only China is doing the targeting.

  • Energy
  • Biotechnology
  • IT (Information Technology)
  • Space
  • Transportation
  • Energy
  • IT and Telecommunications
  • Manufacturing
  • Biotechnology
  • Medicine
  • Climate research
  • Telecommunications
  • Medicine
  • Chemistry
  • Information Technology
  • Biotechnology
  • Nanotechnology
  • Telecommunications
  • Agriculture
  • Medicine
  • Education
  • Energy
  • Robotics
  • Information and Telecommunications
  • Nanotechnology
  • Life sciences
  • Environment
South Korea
  • Manufacturing
  • Nanotechnology
  • Semiconductors
  • Transportation
  • Chemicals


  1. Nice piece of analysis - one other group of countries worthy of approbation - are the one trick ponies. The countries whose entire GDP relies on remaining competitive in one industrial sector. Those countries will, and who can blame them, pull out all the stops to help their *home team* companies, which just may be to the detriment of companies in the US or elsewhere in that same sector.

  2. This is spot on. Strategic plans are just that - strategic - and most countries have the same concerns or goals. If Mandiant is going to rely on China's 5 Year Plans as justification, then they need to look at other countries as well. If they are going to say that China's IP addresses bolster their argument, then they need to address how insecure China's cyber security is, and how many compromised machines are in country.

  3. Thanks, gents! I appreciate your comments.

  4. Hi Jeff

    Can I ask what the evidence basis is for saying those countries have engaged in cyber espionage? (I'm not saying they haven't; I'm just wondering what you're basing it on.) The case against China is reasonably compelling (although I agree the point about strategic objectives is not convincing on its own), whereas I have seen little evidence to suggest any of the other countries engage in industrial/cyber espionage on a large scale (accepting again that absence of evidence is not evidence of absence).


  5. Rob, there are numerous open source examples of cyber espionage and/or traditional industrial espionage activities by all of these countries if you search online for them. Alternatively, you can read my ebook "The Traveler's Guide to Cyber Security" and check the appendix for links to various nations' espionage activities.

    In addition to open sources, I've had private discussions with retired intelligence officers from 5 or 6 different countries who confirmed these states and others.

  6. The problem with this is that cyberspying is not an effective way of getting new technology.

    For example, suppose the PLA gets the complete blueprints for the Boeing 787. It would be useless because China doesn't have the technology infrastructure to build civilian airliners. Technology isn't about plans, it's about people. If you have the people that can build 787s then you don't need the plans, because the people can design things from their heads.

    One thing about industrial spying is that outside of defense-related fields, people are not that worried about technical information leaking. The reason for this is that people move from company to company, so the technology information is pretty highly distributed. Another thing is that IP rules make certain information useless. For example, if you move from company A to company B, if you have any source code from company A, it will be useless to company B because they can't use it without getting sued, and if company B wants you to copy company A, you'll be asked to write everything from scratch. Finally, outside of the military there are just easier ways of getting information. If China wants to figure out how Toyota's hybrid technology works, they can just buy a Prius. If they want to know what's in Toyota's patents, they can go to the Patent Office web site and download all of their patents. (People forget that patents are public and the whole point of the patent system is to *prevent* people from keeping secrets. You make your patents public in exchange for a legal monopoly.)

    The type of spying that a company is worried more about has to do with strategic and operational plans. If someone has information on your latest technology, that's not going to be useful. If they have e-mails on how low or high you are willing to bid, that's a big deal. One thing that is interesting is that some information which is public for intelligence services turns out to be highly top secret in the commercial world. Without too much trouble you can find the org charts for the NSA and CIA and a lot of budget information and salaries are public. However, org charts, internal budgets, and salaries in the commercial world tend to be extremely top secret information.

    The other thing is that people miss the main point which is that the actual impact of the industrial plans is to get it so that Chinese companies can get preferential funding and government sponsorship. The US has tried to copy the Chinese approach to science and technology funding but that's gone up in flames. For example, the Chinese government has put a ton of money into solar power. As with any new technology, most solar power companies in China have gone under, but that's "acceptable outcome." When the US government tried to fund solar companies and some of them went under, the program was stopped.

  7. There are examples in the wiki page for industrial espionage.

    If you work for a major US corporation then you do have to always be worried about operational security while travelling, but China isn't particularly bad when it comes to this. It's impossible to prove anything sometimes, but you sometimes wonder when a French competitor consistently comes in with bids that are just slightly better than yours.

    Ironically, software companies have found that Chinese state-owned enterprises tend to be the companies that are easiest to do business with and with which they have to worry the least about technology leakage. SOEs have a ton of cash and lots of government connections. This means that if they want your technology, someone just writes you a check. If they want to put you out of business in China, they just get the government to pass a regulation making it impossible for you to operate. A lot of high-technology operations in China are joint ventures, with the specific goal of having you give them all your technology in exchange for cash.

    Also, SOEs make excellent customers for software vendors. The Chinese government has a strict "no internal piracy" policy, which means that the software that Chinese SOEs buy is properly licensed. The big software companies do not care about street vendors. The big money is in corporate sales.

    One thing about doing business in China is that Western companies are extremely low on the pecking order. The Chinese government lets you do business in China because they want your stuff, and there are a ton of restrictions and conditions. However, the flip side is that because all of this is "on the table" there isn't much "under the table" stuff. If the Chinese government wants your technology, they'll just explicitly force you to turn it over with the right combination of carrots and sticks.

  8. Thanks, Twofish. I certainly agree that cyber espionage can be hugely inefficient compared to other, more effective methods. Which contributes to the theory that non-state actors are behind these APT attacks rather than state actors, who all have better means to get the technology that they're interested in. Non-state actors, by engaging in a widespread "vacuuming" of data, can always find buyers for some of it, State or corporate.

  9. The Chinese economy and political system doesn't divide easily into "state" and "non-state."

    There's also different levels of "state actors." Just because something "works for the government" doesn't mean that they have the ability to order a nuclear missile strike. This is particularly the case within China, because you have smaller companies that are sponsored by local governments, and those often don't have much or any power.

    In fact, one reason that the Chinese economy didn't fall apart like the Soviet economy is because a large part of the "state owned" economy is controlled by local governments that don't have a lot of power. The trouble with big state enterprises is that if they lose money, they know that they can get more cash from the central government. Small companies that are run by local governments know that they can't get "special favors," so they actually try to run the companies in ways that make a profit.

    Also, this idea about "selling valuable IP" just doesn't make any sense to me. The thing about most IP (copyrights, patents, and trademarks) is that they don't involve secrets. If I want to find out about the most valuable IP that a company has regarding solar cells, then I just go to the USPTO, download the latest patents, and I've got all of their latest IP. Of course, without getting the proper licenses, if I use it, I'll get sued to death, but there is no way you can run a black market on this information, and ironically most high-tech companies will tell their engineers *not* to look up patents or copyrights or trademarks so that they can more easily defend against a lawsuit. (And yes, I know that independent invention is not a defense against patent infringement, but the penalties for knowingly infringing on a patent are much greater than for an accidental infringement, which gives you more leverage if someone tries to shake you down for money.)

    The only type of IP you can sell is trade secret information, and that's extremely limited. Part of the problem is that any hacker that can even recognize what is a real trade secret, can likely get more money doing something else.

    1. Information outside of patent data always has value to the right person, company or official; not just in China but in most developed and developing countries. And there is an un-official "document market" in China specifically that's fueled in part by vendors who run "shredding" services off-site. The customer is given a receipt indicating that his docs have been successfully shredded but instead they're mined for anything that might be sellable and the rest is dumped.

  10. I think that part of the problem is that people are thinking in terms of "macguffins." In every Alfred Hitchcock movie there is a "macguffin," some secret with extremely high value, and during the movie people run around trying to get the "macguffin." It can be some briefcase or some code word, or something.

    Having people chase a macguffin gives you high drama and is great for movie scripts, but it's not how the high technology world really works. There are very few macguffins in high technology industries in the civilian world. IP makes terrible macguffins. For example, recording studios have a terrible problem with IP protection, but none of their stuff is "secret."