Scrutinizing The Mandiant Report: Taking A Hard Look At What It Proves And, More Importantly, What It Doesn’t

China hacking bogeyman Mandiant

Groupthink is an amazing thing. The publicity surrounding attacks on the New York Times, Wall Street Journal, Washington Post, Facebook, Apple, et al. proves nothing except the saw about propaganda: if you say something often enough, it becomes truth.

A quick scan through English-language China news reveals that on the basis of one report, it is now indisputable fact that a Chinese military organization was responsible for the above-mentioned attacks. So far, the only substantive criticism of Mandiant’s report has come from Jeffrey Carr, CEO of the cybersecurity firm Taia Global, who says the report has “critical analytic flaws.”

In summary, my problem with this report is not that I don’t believe that China engages in massive amounts of cyber espionage. I know that they do – especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room.

My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges – that there are multiple states engaging in this activity; not just China. And that if you’re going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.

And that about sums it up. With so many other actors out there, any attribution that does not conclusively exclude them (Russia, Israel, France, and others) should be taken with many grains of salt. Mandiant has made minimal effort to rule out other possibilities, demonstrating the type of confirmation bias that a wary and responsible press would do well to question.

On top of that, the New York Times even admits that while the email accounts of David Barboza (Shanghai bureau chief) and Jim Yardley (former Beijing bureau chief, now South Asia bureau chief) were compromised, no documents pertaining to the Wen Jiabao story “were accessed, downloaded, or copied,” in the words of Jill Abramson, executive editor at the NYT.

“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied.”

And the holes proliferate. Carr touches on several reasons why the NY Times’s claims — bolstered by Mandiant, which sees China as a “go-to culprit” (Carr’s words) — don’t stand up to critical analysis. Examples:

The Beijing Workday Argument. The hackers could have been from anywhere in the world. The timezone that Mandiant imagines as a Beijing workday could easily apply to a workday in Bangkok, Singapore, Taiwan, Tibet, Seoul, and even Tallinn – all of whom have active hacker populations.

The Lanxiang Vocational School Argument. The article mentioned that the hackers were traced back to the “same universities used by the Chinese military to attack U.S. military contractors in the past.” If memory serves, one of those was the Lanxiang Vocational School in Jinan, the capital of Shandong province and home to a PLA regional command center. Actually, Jinan is an industrial city of six million people and more than a dozen universities. IP Geolocation to one school means absolutely nothing.

Furthermore, even if the Chinese government was involved in cyber espionage against the New York Times, it wouldn’t use its military for that. It would use its Ministry of State Security (China’s equivalent of the CIA). And they wouldn’t be stupid enough to run the attack from their own offices, which if you’re interested in checking IP addresses, is in Beijing – 274 miles from Jinan.

Again, this doesn’t mean that China is definitely not hacking. Rather, our perspective is skewed. Perhaps the question we should be asking isn’t “Who did it?” but rather “Who benefits?” So far, it appears to be US policymakers bent on beefing up cyber-security legislation using China as the go-to bogeyman. Naturally, lots of media have fallen in step, regurgitating a tired, not-at-all subtle narrative that we should know better than to accept at face value.

John Artman has been China-watching and covering tech since 2010. Follow him @KnowsNothing.

    19 Responses to “Scrutinizing The Mandiant Report: Taking A Hard Look At What It Proves And, More Importantly, What It Doesn’t”

    1. Jess

      Even if the report overstepped in its conclusion, people want to believe that the Chinese military is hacking away at America, anyway. (And it must be the military because people aren’t familiar enough with any of China’s intelligence agencies for any other organisation to fulfill the fantasy). It’s like Big Foot, or aliens. Or Nazi occultism. Or Soviet psychic research. It plays into a story that everybody secretly wishes were real because, you know, it actually sounds kind of cool.

      Reply
    2. KopyKatKiller

      I think it’s OK to pounce on China as a cyber threat, after-all, they are the enemy of the free West, at least where the internet is concerned.

      Also, though one report is making its rounds in the western press, there are is better proof out there, like this: “A Chinese Hacker’s Identity Unmasked.”
      http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked#p1

      Lo and behold, not only is this idiot hacker Chinese, he’s a teacher at the PLA’s cyber warfare school. Coincidence? Anyway, if you have a VPN, check it out. It shows his pic and gives his home location. I think paying that guy a visit with a half dozen men with baseball bats is in order…

      Reply
    3. Boris

      It’s good that people are pointing out that the report oversteps it’s claim that 4 ip address blocks in shanghai must mean the offenders are Unit 61398. However, Carr makes himself look like an idiot…

      The hackers were using remote desktop. That’s not something you bounce through a proxy server from Korea or Singapore, because that would too annoying and slow for the graphical user interface. China has to be the worst country in the world to use for proxies because traffic is so heavily controlled. And does he really think a Thai hacking group is so sneaky as to set their operating systems to simplified Chinese characters, then route through Shanghai, just to frame the Chinese?

      My favorite part is when he’s like “the PLA would never do that! That would only be the MSS!” I really want to know what basis he has for saying this. Does he have high-level friends in Chinese intelligence or the military? The Chinese hackers are state-sanctioned; they don’t care if their IP addresses are discovered, because China Unicom is never going to say who was using that IP address. Who’s to say they aren’t careless or stupid ? (or again, why would they care?)

      Carr is the guy who, contrary to almost all expert opinion and US government leaks, believes that the Stuxnet worm is actually Chinese, not Israeli-American. I think he’s just pissed because a rival IT security firm is hogging all the limelight. I would avoid using him to highlight issues with critical analysis.

      Reply
    4. taz

      Oh, get this one in Mandiant report Page 10:

      “Hebei is a borough in Shanghai”. (Borough meaning a district or a part of).

      Hebei is actually a province, and there is approximately 600 miles (2 other provinces) separating Hebei and Shanghai.

      Reply
    5. ChasL

      Some of us talked about it, there are more holes in the APT1 report. Carr has a follow-up with more stuff, like the Unit 61398 address Mandiant cited, 208 Datong Road, is the Unit 61398 Kindergarten.

      Google “site:starbaby.cn 61398″.

      Reply
    6. junk cars

      For example, when you want cash for junk cars Phoenix, you can get in touch with Sell – Us – Your – Car –
      Online. All you need to do is find the right dealer and your
      car is as good as sold. Given the demand of the metal weight industry, your old car will always have a fallback.

      Reply

    Leave a Reply to Jess

    • (will not be published)

    XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>


    × five = 5