Answer: With knowledge, both lies and truths. Every lie has some element of truth. Every truth carries some bias of a lie. Great lies appear more true than obvious lies. Great truths appear more false than some lies.
A computer hack is a lie told to a computer, disguised as a truthful command. All lies, great or small, told to human beings are, in essence, designed to hack their brains.
By that logic, we are all hackers. We hack each other’s brains, sometimes with lies that others spread to us, to influence each other, for power, for personal gain. Sometimes the truth hacks back. Thus, knowledge and information simultaneously enlighten us and threaten us.
But in this philosophical turn of phrase, it doesn’t matter whether one is told a truth or a lie. One realizes that one is being hacked by information delivered by someone else. It is someone else’s truth or lie, designed to influence us.
If one allows the information to hack one’s brain, then one becomes a victim, a slave to someone else’s influence.
One’s ONLY defense is a security feature, a filter called Reason. With Reason, we filter, decrypt, digest, and break the information down into OUR own truths or lies. Then we have some control; we can choose to be UNSWAYED or UNINFLUENCED by the information bombarding us.
The ONLY achievable security for our own reason is to stubbornly refuse to be swayed or influenced. That is the ONLY true individuality.
With that, I now apply my own reasoning to my latest refusal to be swayed or influenced.
How Many Chinese Hackers Can Dance In A Cyber Espionage Report?
Apparently, the answer is inevitably “a lot”, because otherwise, who would bother to write a report about them?
If that sounds familiar, it is because the same answer can be applied to just about any question that begs for it.
That is to say, if you already believe there is a massive number of angels dancing on the head of a pin, you don’t need any proof. Everything will confirm your belief.
So, the same logic serves the report recently released by Mandiant. http://intelreport.mandiant.
Granted, all governments research cyber warfare, and so do many private individuals, some for noble causes, others for mercenary reasons. But by the same logic, one’s reaction to a report like this ONLY demonstrates one’s own basic beliefs about human nature.
Critics of the Mandiant Report argue similar general points. http://www.voanews.com/content/china-russia-israel-france-iran-cyber-threat/1608419.html
I do not care to venture into what the Mandiant Report’s writers believe, but let us talk about some of the basic errors in their conclusions. (This may take a few days.)
(1) The Fallacy of the 2 Cluster Trend.
The general argumentative logic of the Mandiant Report rests on a rudimentary comparison of two clusters of information: one evidencing and characterizing Chinese military Unit 61398 (herein “the UNIT”), the other evidencing and characterizing a group of hackers labeled APT1. This builds up to a comparison chart on pages 59-60, from which a correlation between the two entities is concluded.
The basic flaw of this comparison lies in the “2 cluster/point trend” fallacy, common in some modern media research analyses. The author(s) of such an analysis point to ONLY two clusters of data/evidence surrounding two entities, then draw a conclusion of a trend or correlation based ONLY on those two clusters, while ignoring (without properly discounting) any other data clusters that might suggest alternative trends or explanations.
Jeffrey Carr, founder and CEO of the cybersecurity firm Taia Global, has blogged his criticism of the Mandiant Report as “full of holes.” I would argue that this is an understatement, and that the Mandiant Report is in fact quite lacking in the fundamental background context of the issue of hacking.
Such an analysis may go into great detail on the specifics of the two clusters of data/evidence, but it nevertheless confines the data set to ONLY the two pre-defined clusters, making it appear that NO other explanation can be concluded.
Usually, such analyses are PRE-DEFINED around the two clusters of data. But this is NOT scientific. The scientific method requires that a theory be repeatedly challenged and tested against all available data sets.
In the Mandiant Report, the two clusters were predefined, and no other clusters were discussed. Again, this is not scientific. Jumping to conclusions from merely two clusters of data is still jumping to conclusions.
By the way, drawing a conclusion from two clusters of data is not much better than drawing one from two points of data.
(Whether this is INTENTIONAL or incompetence on the part of the Mandiant Report’s authors, I’ll leave for others to judge. But as we will see below, the Mandiant Report unwittingly included some data points that actually contradict its own conclusions.)
(2) Irrational Reliance on Geographical “Proximity” for some conclusions.
The Mandiant Report quickly focuses on the nature and geographical location of the UNIT as being in the Pudong New Area of Shanghai, China, and, citing several reports and online sources, pinpoints several UNIT buildings along a half-mile stretch of road in Pudong. (I cannot confirm this assertion, but one obvious piece of counter-evidence is that the entire UNIT complex was apparently built in the middle of shopping complexes, restaurants and hotels. It seems a bit odd for a super-secretive Chinese military unit to be located in such a public locale.)
The Mandiant Report then focuses on the alleged locations of the APT1 hackers. This is where the evidence is hazy at best.
The Report on page 40 lists net blocks of IP addresses that APT1 “used to access their hop points” (other computer servers outside of China), and points to two blocks as “registered” by China Unicom, with an address in Pudong.
Here the Mandiant Report concludes that the “registration information for these two net blocks suggests that they serve the Pudong New Area of Shanghai, where PLA UNIT 61398 is headquartered,” and on page 58, “combined with their close proximity and association with UNIT 61398”.
However, anyone with basic IT knowledge knows that the address in an IP net block registration record (WHOIS) is the registrant’s contact address, typically an office of the Internet Service Provider, NOT necessarily the area the addresses actually serve. For example, my own IP address history would show up as indicating that I’m often in New York City, even though I am not.
Thus, those listed IP addresses may not even be in the Shanghai area.
Even granting, for the sake of argument, that the IP addresses do serve the Pudong area, the Mandiant Report implies, with no basis, that if the APT1 hackers’ IP addresses are in Pudong then the hackers are somehow near, or even inside, the UNIT.
CONTEXT: Mandiant Report LACKS geographic proximity context.
In 1 part, Mandiant Report makes a blatant error of fact on geography: On page 10, the Mandiant Report states,
CONTEXT: The Pudong New Area covers roughly 1,200 square kilometers (about 470 square miles) and has about 5 million people. In particular, Pudong has included, since 1993, the “Special Economic Zone”, which holds NUMEROUS facilities of foreign high tech companies, such as NEC and Intel Corporation, located less than 8 miles from the alleged headquarters of the UNIT. All of these foreign high tech companies own office buildings or factories with advanced computer networks, ALL served by Chinese ISPs in Pudong. Pudong also hosts international schools where many expats’ children are enrolled, with network access likewise provided by Chinese ISPs.
The Mandiant Report further suggests that the net blocks represent the APT1 hackers’ “home networks”, with NO evidence whatsoever. If the Mandiant Report can suggest that APT1 hackers were using US computers as “hop points”, then Chinese computers can also be “hop points”.
Evidence for the alternative is plentiful. For ONE, a large share of the world’s publicly listed proxy servers are located in China. “Proxy servers” are free or paid servers that allow users to route their traffic through them, i.e. to use them as “hop points”. A rudimentary search of one public listing of free proxies turned up entries inside three Shanghai net blocks:
58.246.0.0 – 58.247.255.255 (China Unicom Shanghai Network):
  58.246.201.50:80, HTTPS, anonymity High, keep-alive, uptime 14 hours 8 minutes
114.80.0.0 – 114.95.255.255 (China Telecom Shanghai Network):
  114.80.240.6:8090, HTTPS, anonymity High, keep-alive, uptime 23 hours 3 minutes
  114.80.136.112:7780, HTTP, anonymity High, keep-alive, uptime 17 hours 41 minutes
  114.82.240.29:6675, SOCKS4/5, anonymity High, keep-alive, uptime 9 hours 35 minutes
116.224.0.0 – 116.239.255.255 (China Telecom Shanghai Network):
  116.236.216.116:8080, HTTPS, anonymity High, keep-alive, uptime 3 hours 26 minutes
These came from a rudimentary search of one public listing of free proxy servers. There are thousands of proxy servers in the world, and hackers are known to mask their IP trails by chaining through them.
Thus, these IP net blocks are neither owned by the UNIT, nor are they apparently an exclusive “home” to the APT1 hackers (since addresses inside them are LISTED as “free” to the public).
The Mandiant Report, in a rather stretched piece of logic, correlates three separate online personas with each other and with the UNIT, NOT by citing repeated use of single IP addresses, but by citing net blocks. In the additional context of so many proxy servers in China (even in Shanghai alone), it is difficult to justify the Mandiant Report’s conclusion under the “TOTALITY” of evidence that the Mandiant Report itself invokes.
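As an added example (not part of the original post, and not Mandiant’s or anyone else’s tooling), here is the check a practitioner would actually run on the net block argument: take the three Shanghai ranges and the five proxy entries quoted above as constructed input and count how many publicly listed open proxies fall inside each range. The range strings are written with an ASCII hyphen, the listing lines are copied as plain text, and the owner labels come from the proxy listing; all of that is assumed input for the example, not data from the Mandiant report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One registered IPv4 net block, boundaries in host byte order so that
 * membership is a plain integer range compare. */
struct net_block {
    const char *owner;
    uint32_t lo, hi;
};

/* Parse a dotted quad into a host-order 32-bit value.
 * Returns 1 on success, 0 if the token is not a well-formed IPv4 address
 * (wrong field count, octet > 255, or trailing junk such as "1.2.3.4x"). */
int ip4_parse(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char trailing;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* 1 if s is a well-formed dotted quad, else 0. */
int ip4_is_valid(const char *s) {
    uint32_t ip;
    return ip4_parse(s, &ip);
}

/* Parse a range written as "lo - hi" (ASCII hyphen) into a net_block.
 * Returns 1 on success, 0 on a malformed or inverted range. */
int block_parse(const char *owner, const char *range, struct net_block *blk) {
    char lo_s[16], hi_s[16];
    if (sscanf(range, "%15s - %15s", lo_s, hi_s) != 2) return 0;
    if (!ip4_parse(lo_s, &blk->lo) || !ip4_parse(hi_s, &blk->hi)) return 0;
    if (blk->lo > blk->hi) return 0;
    blk->owner = owner;
    return 1;
}

/* Pull the first token that parses as an IPv4 address out of a listing line
 * such as "14 hours and 8 minutes 58.246.201.50 80 China HTTPS High +KA".
 * Uptime and port numbers do not parse as addresses, so they are skipped. */
int line_extract_ip(const char *line, uint32_t *ip) {
    char buf[256];
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t"))
        if (ip4_parse(tok, ip)) return 1;
    return 0;
}

/* Index of the block containing ip, or -1 if none does. */
int block_index_of(uint32_t ip, const struct net_block *blocks, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (ip >= blocks[i].lo && ip <= blocks[i].hi) return (int)i;
    return -1;
}

/* Count listing lines whose address falls inside the given range.
 * Returns -1 if the range itself does not parse. */
int proxies_in_range(const char *range, const char *const *lines, size_t nlines) {
    struct net_block blk;
    if (!block_parse("", range, &blk)) return -1;
    int count = 0;
    for (size_t i = 0; i < nlines; i++) {
        uint32_t ip;
        if (line_extract_ip(lines[i], &ip) && block_index_of(ip, &blk, 1) == 0) count++;
    }
    return count;
}

/* Constructed input: the five proxy entries quoted in the post, one per line. */
static const char *const PROXY_LINES[] = {
    "14 hours and 8 minutes 58.246.201.50 80 China HTTPS High +KA",
    "23 hours and 3 minutes 114.80.240.6 8090 China HTTPS High +KA",
    "17 hours and 41 minutes 114.80.136.112 7780 China HTTP High +KA",
    "9 hours and 35 minutes 114.82.240.29 6675 China socks4/5 High +KA",
    "3 hours and 26 minutes 116.236.216.116 8080 China HTTPS High +KA",
};
#define PROXY_LINE_COUNT (sizeof PROXY_LINES / sizeof PROXY_LINES[0])

/* Constructed input: the three Shanghai ranges named in the listing. */
static const char *const RANGES[] = {
    "58.246.0.0 - 58.247.255.255", "114.80.0.0 - 114.95.255.255", "116.224.0.0 - 116.239.255.255",
};
static const char *const RANGE_OWNERS[] = {
    "China Unicom Shanghai Network", "China Telecom Shanghai Network", "China Telecom Shanghai Network",
};

int main(void) {
    for (size_t i = 0; i < sizeof RANGES / sizeof RANGES[0]; i++)
        printf("%-30s %-31s open proxies listed: %d\n", RANGES[i], RANGE_OWNERS[i],
               proxies_in_range(RANGES[i], PROXY_LINES, PROXY_LINE_COUNT));
    return 0;
}
```

The point of the check is not the count itself but what a nonzero count means: any address inside one of these ranges that appears on a public proxy list is shared infrastructure, so “an APT1 connection came from this net block” cannot by itself place the operator inside the block, let alone inside one building in it.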
(3) Irrational Cherry picking of Telephone Numbers and Registration Information for some conclusions.
For the identities of the three sampled APT1 personas, UglyGorilla, d0ta and SuperHard, the Mandiant Report relies far too heavily on cherry-picked “registration information” supplied by the hackers themselves, even though the Mandiant Report itself frequently describes MOST of that “registration information” as “obviously false”.
If that is not picking the data that suits the conclusion, I don’t know what is.
In particular, page 46 discusses registration information from UglyGorilla: the registered phone number “86.21000021”, obviously a fake number, from which the Mandiant Report nonetheless takes the first four digits, “86.21”, as evidence that UglyGorilla must be from the Shanghai area (which it then extends to imply that he is also in the Pudong area, and therefore close to the UNIT buildings).
The Mandiant Report then supports this assertion by noting, without listing them, that Shanghai also appeared in 22% of the domain registrations attributed to APT1.
On page 47, however, the Mandiant Report shows another registration record from UglyGorilla listing yet another fake phone number, “86.8005439436”, but this time focuses on ONLY the first two digits, “86”, as evidence that UglyGorilla is from China.
CONTEXT: On the same page, the Mandiant Report dismisses the registered US address “795 Livermore St. Yellow Spring, Ohio, United States 45387” as fake, apparently because no one could possibly misspell their own city of “Yellow Springs, Ohio” as “Yellow Spring”, with a missing “s”. (A supposition that is not well supported, GIVEN the Mandiant Report’s own rather liberal use of geographical information.)
CONTEXT: The town of Yellow Springs, Ohio is named after the “Yellow Spring” (singular), discovered in the 1800s, which is a major local attraction. A local would know that quite well. http://www.yellowspringsohio.org/visitors
CONTEXT: Except for the “s” missing from the town’s name, the ADDRESS is actually REAL, with the correct zip code: it is the address of the Antioch College Office of Admissions and Financial Aid, https://www.applyweb.com/apply/antioch/finance.pdf
That address is only about 10 miles from Wright-Patterson Air Force Base, where the Air Force hosts cyber programs including a “Boot Camp for Cyber Warriors”, described as the US’s “only cyber security program for ROTC cadets that combines cyber warfare education, hands-on training, and research internships with Air Force scientist and engineers, along with leadership development activities,” http://www.wpafb.af.mil/news/story.asp?id=123262849
Additionally, Wright State University, adjacent to the Air Force base, is funded with an Advanced Education Program for Cyber Security, which includes courses on “Encryption” and “Ethical Hacking.” http://www.wright.edu/cpe/Cyber_Security_Description.html
Also, the registration name “Michael Murphy” belongs to a REAL person, Michael T. Murphy, who served as Antioch’s Dean of Admissions and Financial Aid from 1999 to 2003, and who then moved to Dublin, Ireland to serve as Deputy CEO of the Dublin City University Educational Trust.
http://www.dcu.ie/~edutrust/html/murphystaff.htm
Staff of the Educational Trust
Mr Michael Murphy, Telephone (353 1) 700 8687
Michael T. Murphy, Deputy CEO. Michael works with the CEO to manage and oversee the overall operations of the Educational Trust. His responsibilities include financial oversight, fund management and the creation of a comprehensive alumnus giving programme. Michael will also be working with individual, corporate and foundation donors. He joined the DCU Educational Trust in April 2003 with more than 15 years experience in marketing and fundraising in education, health care and the arts. Michael came to DCU from Antioch University in Ohio. From 1999 to 2003, Michael served as Antioch’s Dean of Admissions and Financial Aid, responsible for nearly $10 million in annual revenue. As a member of College Senior Management, Michael directed a nationwide student recruitment programme. From 1994 to 1999, as Annual Fund Director and major gifts officer, Michael directed an annual giving program, responsible for $1.3 million in annual donations. Michael’s professional career began in 1988 at the Chicago Symphony Orchestra. Prior to this, he worked as a volunteer, as General Manager and Program Manager for WLFM Public Radio (Wisconsin). His other volunteer activities include serving on the Board of Directors of the Yellow Springs Community Children’s Centre. Michael received his BA in East Asian Studies from Lawrence University in Wisconsin with studies at the Beijing Foreign Language Institute and the Chinese University of Hong Kong. In 1999 he completed an MA in Management from the McGregor School of Antioch University.
Linkedin Profile: http://www.linkedin.com/pub/michael-murphy/57/75a/461
Michael Murphy has over 20 years of international non-profit management, marketing, fundraising and enrollment management experience in higher education, scientific, environmental, cultural and health care organisations.
With a long held interest in China, Murphy’s undergraduate degree in East Asian Studies is from Lawrence University with periods of study at the Beijing Foreign Language Institute and the Chinese University of Hong Kong.
Interestingly, Michael T. Murphy has a background in East Asian Studies and studied in Beijing, China.
Antioch College, being an ACTUAL address registered by the hackers, only about 10 miles from an Air Force base with cyber warfare programs, and near a university with a program that teaches “ethical hacking”, would actually have a better “proximity” correlation than the Pudong area’s proximity to the UNIT. (However, it is just another possible trend, and NOT the only other one.)
CONTEXT: In the Mandiant Report, the Ohio address appears to be the ONLY one with an actual street address and zip code.
While the Mandiant Report notes that “Shanghai” showed up most often among a dozen different registration cities, none of the many Shanghai registrations carried a specific street address. Yet the Ohio address showed up with a correct street name and zip code. That would seem to suggest that the hackers did not know Shanghai street names well enough to pass off even a fake address in Shanghai.
That is most likely because Chinese city addresses are difficult to decipher and organize. A typical Shanghai street address may contain a street number, alley number, building number, floor number, and/or unit and room numbers. A fake Shanghai address could not be easily manufactured from online maps, and would be relatively easy to spot as fake.
In contrast, the Ohio address in the Mandiant Report suggests that the hackers were somewhat familiar with the Yellow Springs area, particularly Antioch College.
AGAIN, the Mandiant Report discounts this ONLY detailed registered address as “fake” because of a spelling error in the city name, even though the street address and zip code are quite REAL, while at the same time picking the vague city registrations of Shanghai, among a dozen cities, as the REAL one. (Stretchy, jumpy logic, perhaps? But I would personally say that NEITHER piece of evidence is that convincing of the hackers’ actual location.)
CONTEXT: Additional Geographical errors in Mandiant Report.
Page 47 of the Mandiant Report further discusses another registration record, which was based on a real Chinese company. The Mandiant Report implies that UglyGorilla knows the company’s information because the company was “located in a part of Shanghai that is across the river from” the UNIT. “Across the river from” the UNIT is a very large understatement, because the company address “No. 1878 Zhongshan West Road” is actually about 30 kilometers from the UNIT’s supposed location. It would be more accurate to say that the company is clear “across town” from the UNIT.
It is becoming a pattern in the Mandiant Report to exaggerate geographical descriptions while completely disregarding the counter-evidence in context.
(4) LACK of TIME LINE correlation
For the three sampled APT1 personas, UglyGorilla, d0ta and SuperHard, the Mandiant Report generally concludes that they shared an IP “home range”, “close proximity” and FQDNs, while ignoring some glaring differences.
Foremost, UglyGorilla appears to predate d0ta and SuperHard by about six years. The Mandiant Report does not bother to correlate the activity periods of the three personas. The Mandiant Report characterizes UglyGorilla’s activities as starting around 2004, and additional profiles of UglyGorilla suggest that his activities had largely waned by 2008.
In comparison, d0ta’s activities appear to start around 2009-2010, with registration profiles and email sign-ups. Mandiant’s video of d0ta’s hacking (http://www.washingtonpost.com/blogs/worldviews/wp/2013/02/19/fascinating-video-tracks-a-real-chinese-hacker-in-action/) shows that the bulk of the email registrations occurred around 2011.
The IP “net block” commonality was already shown above to be rather flimsy, given the many proxy servers in the Shanghai area. The activity time line thus shows a further, large and obvious disconnect between UglyGorilla and d0ta.
SuperHard appears to overlap with UglyGorilla and with d0ta, separately, but SuperHard is not an actual “hacker” in the operational sense; the Mandiant Report describes him merely as an author of malware.
CONTEXT: While the Mandiant Report attributes SuperHard to “research and development”, SuperHard also does not appear to have always been in the Shanghai area. http://cyb3rsleuth.blogspot.com/search/label/Chinese%20Threats reports some of SuperHard’s profiles as indicating that he was in Henan province from 2005 to 2007. It is also unclear whether “SuperHard” and “SuperHard_M” are entirely the same online persona, given that some reports show separate profiles.
CONTEXT: The personal connections and relationships that the Mandiant Report seeks to demonstrate are simply too difficult to demonstrate in any case. Given three separate individuals online, what do “net blocks” and a few comments and emails prove? In one part of Mandiant’s online video, the d0ta persona uses a hacked computer to access Gmail, where he is seen to have sent an email to “Mei_Qiang_82”. However, that email appears to be an actual spear phishing email, with a subject line identical to another email sent to a known victim (whose email name is blacked out in the video). Mandiant’s video quickly dismisses it as a “test message”. However, it is also very possible that Mei_Qiang_82 was itself an account that d0ta had hacked.
Another prominent absence of time line analysis is in the Mandiant Report’s attribution of the UNIT’s capabilities (meant to imply correlation with the hackers’ activities from 2006 to the present). Here we discuss some glaring oversights and errors in its conclusions:
The Mandiant Report states on page 11 that a Chinese construction company completed the UNIT’s central 12-story building by early 2007.
CONTEXT: Mandiant’s linked document actually shows that the company had merely completed the “FRAME” of the 12-story building in March 2007, which apparently did NOT even include the brick laying (listed as a different item on another line).
The Mandiant Report shows a memo from China Telecom discussing pricing for laying high speed optical cable for networks.
CONTEXT: The memo discusses prices as of March 2009, with no actual completion date. That project itself may not have been completed until later.
The Mandiant Report does not bother to correlate the ACTIVITY periods of the hacks and of the three personas with the implied capabilities and infrastructure of the UNIT from 2006 to the present. From the two facts above about the build-up of the UNIT’s central building, it is evident that the UNIT’s facility in Pudong was nowhere near full operation from 2006 to 2009. The UNIT was in fact still building up the facility during that time.
During that same span of about four years, the Mandiant Report alleges, the attacks were already under way. Judging by the phishing campaigns, most of the initial infiltrations and malware deployments were done in that early period, with the hackers later spreading to other targets via “hops”. The Mandiant Report also implies that the “net blocks” stayed the same and were thus common to the APT1 group. (Mandiant even suggests that APT1 has been crafting back doors since 2004, when UglyGorilla first appeared.)
Assuming the time line of the attacks is true, the UNIT’s facility in those four years was hardly capable of conducting such operations, while its building was still merely a FRAME and the high speed network was not yet installed.
CONTEXT: Even BEFORE 2006 (starting in 1993), the Pudong area already had high speed networks in other facilities, such as those of foreign high tech companies like NEC and Intel Corporation, each employing about 2,000 highly skilled workers, as well as a very large expat community from the West capable of using publicly available high speed networks in hotels and long term residences in Pudong.
Mandiant, in its conclusion on pages 59-60, states that the UNIT “has hundreds, perhaps thousands of people, as suggested by the size for their facilities and position within the PLA”.
CONTEXT: On Mandiant’s own evidence, the UNIT’s facility was not available for “hacking” operations until 2009 at the earliest. Thus there is a large gap between the activity time line and the time line of the UNIT’s actual capabilities and infrastructure.
Thus, it would be far more likely that the hacks around 2006 were conducted by individuals using existing networks (for example, the large number of computer literate expats in China at the time).
(5) Other NON-Correlation, or Alternative Correlations.
One connection Mandiant shows boils down to pseudo-numerology: that a hard-coded password used by d0ta, “2j3c1k”, represents the PLA sub-organization associated with the UNIT.
CONTEXT: For one, the same bureau/division/section numbering scheme invoked in this case is used across the entire Chinese government hierarchy, NOT exclusively in the Chinese military.
The three personas profiled by Mandiant in the report actually appear to have drastically different types of activities:
UglyGorilla seems to be focused on sending initial infiltration attacks, registering domains, and hijacking domains, from which additional domains were hijacked.
d0ta seems to be focused on using existing domains and IP addresses to conduct additional phishing and social engineering attacks and to remotely collect data.
SuperHard appears to be authoring malware only.
CONTEXT: One interesting connection between MANY of the hackers is that they all registered with the US-based Rootkit.com, a website set up by Michael Gregory “Greg” Hoglund, founder of the Sacramento, California based cyber security company HBGary.
Greg Hoglund has published on Windows kernel rootkit techniques (notably the book Rootkits: Subverting the Windows Kernel). Rootkit.com was set up as a website to discuss such techniques (allegedly for security purposes).
NOT surprisingly, hackers flocked to Rootkit.com by the thousands, among them UglyGorilla and SuperHard. But there were also users from Russia, France, the UK, etc. https://dazzlepod.com/rootkit/?page=162
HBGary Federal, and with it Rootkit.com, was hacked by the Anonymous collective in 2011. Anonymous released the Rootkit.com user database, over 81,000 user names.
That is one massive pool of potential hackers, all looking at or sharing techniques for online hacking.
Mandiant mentions that it obtained information about SuperHard from the 2011 Anonymous leak of Rootkit.com data, and yet draws no connection of any kind between SuperHard and the potentially 81,000 other hackers from all over the world in the same pool.
Mandiant may be constrained by its geographic imagination. But reasonable people can hardly expect 81,000 obviously MOBILE, online potential hackers to limit their associations to particular locations. They learn, share and attack across borders and continents.
That is the only TRUE reality, and the only true correlation, of cyber espionage today.
(6) State ACTOR Logic
The Mandiant Report states that other operations, like “Shady RAT”, may be linked to APT1 and thus to the UNIT, implying that China now conducts not merely political but also economic hacking.
If one recalls, “Shady RAT” was attributed to a “state actor” (implying China) because, at the time, “no money” was involved in its hacks.
Now, it seems, that logic has been reversed and come full circle: China, the “state actor”, is expanding into hacking for “money” as well, the complete opposite of what supposedly proved it was the “state actor” in the first place.
Frankly, the logic cannot cut both ways. One or BOTH are probably wrong. In extending the logical leap, the Mandiant Report effectively disproves the Shady RAT “state actor” theory in the first place, and crumbles its own case in the process.
That is, if a “state actor” is indeed out to hack for every known purpose, then there is NO specific indicator that any given hack was done by a government rather than by private individuals, since both are equally motivated.
UPDATED (7) Exaggerated Sophistication of Profiled Hacker Skills
One central argument in the Mandiant Report’s linking of the three profiled hackers to the UNIT is that their hacking skills were “sophisticated”.
The Mandiant Report characterizes them as sophisticated:
Organized, funded, disciplined operators with specific targeting objectives and a code of ethics (e.g., we have not witnessed APT1 destroy property or steal money which contrasts most “hackers” and even the most sophisticated organized crime syndicates).
Continuously stealing hundreds of terabytes from 141 organizations since at least 2006; simultaneously targeting victims across at least 20 major industries.
CONTEXT: Stealing vast amounts of data would actually suggest that the APT1 hackers did not know what they were looking for, contrary to “specific targeting objectives”.
APT1 has sometimes been described by other cyber security experts as “NOISY” hackers, meaning they are persistent but also tend to leave too many trails that raise alarms, because of the high frequency and volume of their hacks.
(PERSISTENCE, in this sense, often hints at amateurism.)
Cyber security experts have argued that “NOISY” hackers tend to be amateurs who stumble around as they learn. Experienced hackers tend to be disciplined enough to find what they are looking for quickly and leave.
CONTEXT: Consider a recent (not so famous) hack in 2012, when a hacker or hacker group penetrated the South Carolina Department of Revenue and stole 3.8 million Social Security numbers and 387,000 credit or debit card numbers over a span of about two months. It was one of the worst breaches of a state government system in history. (It was suggested that the hack originated from Russia.)
http://www.nytimes.com/2012/11/21/us/more-details-of-south-carolina-hacking-episode.html?_r=0
Mandiant, in fact, produced the investigation report on that attack.
Subsequently, and so far, at least one private citizen has reported that the stolen information was used to transfer money to the hackers’ accounts (probably outside the US).
In that attack, Mandiant described the hackers as having used “33 unique pieces of malicious software and utilities”, and Mandiant has still not been able to determine how the initial penetration occurred. Yet Mandiant testified in a South Carolina state government hearing that “the breach didn’t take much skill to pull off”: “On a scale of one to ten on difficulty, a member of Mandiant said it took a four to execute.”
In comparison, the APT1 hackers used about 40 families of malware in their attacks over a span of almost eight years, and Mandiant characterized them as sophisticated. It seems a stretch to rate one focused, quick hack as a 4/10 in skill but one prolonged, scattered campaign as sophisticated. And there is more.
CONTEXT: The security firm HBGary happened to have analyzed the attacks of the hacker “d0ta” and issued a report on the subject, which was later released by the hacker group Anonymous after they hacked HBGary (later acquired by ManTech).
http://hbgary.par-anoia.net/
This variant appears to have many of the same indicators of compromise (IOCs) as the previously described iprinp.dll variant, but contains a different command and control mechanism. This variant also contains a serious software defect that causes it to crash while parsing the command and control protocol. The defect relates to the fact that the malware authors failed to check the return value of a strstr method before using the pointer.
In essence, “d0ta” was testing the malware as he/she hacked, hoping it would work.
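The defect HBGary describes is a general C bug class, so here is an added example (not the malware’s code, which the page does not reproduce, and not HBGary’s or Mandiant’s) that shows it on a hypothetical “CMD:<name>;ARG:<value>” message format constructed for illustration: the unchecked strstr() shape beside a hardened parser that rejects a message missing a key instead of dereferencing NULL.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical text command format, constructed for this example:
 *     "CMD:<name>;ARG:<value>"
 * It stands in for the real command and control protocol, which the HBGary
 * excerpt does not reproduce. */

#define FIELD_MAX 32

/* The defect pattern the excerpt describes. strstr() returns NULL when the
 * key is absent, and this version uses the result as a pointer regardless.
 * Fed "ARG:300" (no "CMD:" key), start becomes NULL + 4 and the next
 * strstr() dereferences it: the parser, and the process, crash. */
void copy_field_unchecked(const char *msg, const char *key, char *out, size_t out_sz) {
    const char *start = strstr(msg, key) + strlen(key);   /* unchecked */
    const char *end = strstr(start, ";");
    if (end == NULL) end = start + strlen(start);
    size_t n = (size_t)(end - start);
    if (n >= out_sz) n = out_sz - 1;
    memcpy(out, start, n);
    out[n] = '\0';
}

/* Hardened version: every lookup result is checked before use, the copy is
 * bounded by the output buffer, and an empty or oversized field is reported
 * as a parse failure rather than silently truncated. Returns 1 on success. */
int copy_field(const char *msg, const char *key, char *out, size_t out_sz) {
    if (msg == NULL || key == NULL || out == NULL || out_sz == 0) return 0;
    const char *start = strstr(msg, key);
    if (start == NULL) return 0;
    start += strlen(key);
    const char *end = strchr(start, ';');
    if (end == NULL) end = start + strlen(start);     /* last field may be unterminated */
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= out_sz) return 0;
    memcpy(out, start, n);
    out[n] = '\0';
    return 1;
}

/* Parse one message into its two fields. Returns 1 on success, 0 if either
 * field is missing, empty, or too long for FIELD_MAX. */
int parse_command(const char *msg, char *name, char *arg) {
    if (!copy_field(msg, "CMD:", name, FIELD_MAX)) return 0;
    if (!copy_field(msg, "ARG:", arg, FIELD_MAX)) return 0;
    return 1;
}

/* 1 if msg parses to exactly (want_name, want_arg), else 0. */
int command_matches(const char *msg, const char *want_name, const char *want_arg) {
    char name[FIELD_MAX], arg[FIELD_MAX];
    if (!parse_command(msg, name, arg)) return 0;
    return strcmp(name, want_name) == 0 && strcmp(arg, want_arg) == 0;
}

/* 1 if the hardened parser rejects msg cleanly, else 0. */
int command_rejected(const char *msg) {
    char name[FIELD_MAX], arg[FIELD_MAX];
    return parse_command(msg, name, arg) == 0;
}

int main(void) {
    /* Constructed inputs: one well-formed message and three malformed ones.
     * The second line is the case that crashes copy_field_unchecked(). */
    const char *inputs[] = {
        "CMD:sleep;ARG:300",
        "ARG:300",
        "CMD:;ARG:1",
        "CMD:upload;ARG:0123456789012345678901234567890123456789",
    };
    char name[FIELD_MAX], arg[FIELD_MAX];

    /* The unchecked parser only survives the well-formed message. */
    copy_field_unchecked(inputs[0], "CMD:", name, sizeof name);
    printf("unchecked parser on well-formed input: CMD=%s\n", name);

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (parse_command(inputs[i], name, arg))
            printf("accepted  %-55s -> CMD=%s ARG=%s\n", inputs[i], name, arg);
        else
            printf("rejected  %s\n", inputs[i]);
    }
    return 0;
}
```

The practical consequence is the one the post draws: anything that reaches the implant with the expected key missing, whether a typo from the operator or a defender replaying captured traffic with the key stripped, kills the implant. Code shipped with that shape was not exercised against malformed input before use.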
Additionally, HBGary’s report noted, of one piece of malware used by “d0ta”:
searching for the “SvcHost.DLL.log” (a common string found in most variants of “iprinp.dll” code) will return results of numerous Chinese sites and forums where the source code has been previously discussed and publically shared.
“d0ta”’s malware was actually based on publicly available code! Another point of fact that the Mandiant Report did not mention.
This would indicate that “d0ta” was more an amateur hacker, learning to hack by modifying code available in public forums, with no practical way of testing his/her modifications until the malware was actually used.
Given this context, it seems less likely that the APT1 hackers were “sophisticated” or well supported by any government entity.
CONTEXT: Even the APT1 hackers’ means of communicating with each other were suspiciously weak.
Hackers who work for a secret government entity sending each other messages about their hacking via comments on public boards and Gmail accounts?! That is equivalent to CIA agents mailing each other internal memos on drone strike targets via their respective street mailboxes. (Or the rookie mistake of “loose lips” on the internet.)
How sophisticated or “disciplined” can the APT1 hackers be? Not very, apparently. If they are linked to a secretive military unit, that UNIT cannot be all that secretive, sophisticated or even competent. Apparently the UNIT does not even have an internal secured email system for the hackers to use among themselves, so they have to use Gmail.
All of this continues to suggest that the three profiled hackers are NOT sponsored by some secret, well funded, well equipped military UNIT. If they were, they would be able to communicate over non-traceable internal secured email, test all the bugs out of their malware before using it, and need far fewer attacks to obtain what they wanted.
(8) The d0ta Verification Phone # in Shanghai.
The Mandiant report and its video showed the hacker “d0ta” entering a Shanghai mobile phone number to receive a Gmail verification code, and then quickly entering that code into Gmail.
CONTEXT: There is software that can supply a temporary, disposable phone number, or spoof the number a recipient sees. For example,
http://www.complex.com/tech/2012/08/burner-iphone-app-lets-you-create-temporary-phone-numbers
The Burner app allows you to create temporary phone numbers that you could later dispose of. Each number created acts as a separate line on your iPhone that can be used for both voice calls and text messaging. When you make a call or send a text using one of the numbers, the fake number will show up on the recipient’s caller ID. When one of the lines receives a call, you can answer it or send it to voicemail.
When you’re done with one of the numbers you created, you can hit the “Burn” button and permanently erase it.
*************
Conclusions:
We have presented additional context and alternative views in light of the Mandiant report and other reports. The Mandiant report’s simple premise is to prove one point: that three hacker personas were a group, and linked to a branch of the Chinese government.
However, we showed that Mandiant left out a significant amount of context, and presented a rather illogical conclusion.
Of course, China, like most countries, has hackers, as do the US, Russia, Israel, etc. But MOST governments spend most of their allotted cyber security budgets on DEFENSE rather than OFFENSE, for practical reasons: if a large nation has significant cyber infrastructure, its government must first try to defend its own cyber assets.
It would be foolish for China to spend a large amount of energy and resources on hacking others while its own networks are full of holes. The return simply cannot justify the cost.
By related logic, most hackers tend to be private individuals, hacking for political or, increasingly, economic reasons, because cyber infrastructure around the world is weak enough to give hackers plenty of opportunity to practise VIRTUALLY EVERY DAY: identity theft, privacy invasion, check fraud, credit card fraud, online IP piracy, and so on.
All of those are “hacks” that are giving young hackers introduction and practice in increasingly bold cyber attacks.
There are forums and discussion boards on the NET for hackers, where the line between a “good hacker” and a “bad hacker” is blurred. Anonymous hacked HBGary and Rootkit.com because HBGary claimed to have infiltrated the Anonymous community through a discussion board Anonymous used, “4chan”, and threatened to expose Anonymous members.
China, Russia, France, Israel, Japan, Taiwan and the Philippines all have their own equivalents of “4chan”, where hackers hang out, away from the eyes of virtually all governments, who perhaps consciously avoid knowledge of such hacker communities.
In sum, the NET is ripe for mercenary hackers. It doesn’t need governments to sponsor any of them to make it worse. Indeed, governments tend to constrain hired hackers for their own political reasons, MOSTLY to avoid international incidents.
China is no exception.
Mandiant, unfortunately, is stuck in the mindset of the OLD internet, when it was still owned by governments, and when hackers could only train within the confines of government campuses.
This kind of mentality is simply out of touch.
Charles Liu says
Great research.
And those of us from Taiwan can tell you Mandiant missed the “Mei” reference; the plum flower is a national symbol for the ROC (Taiwan), not the PRC.
Also, the address Mandiant cited, 208 Datong Rd, is the address of the “shadowy” Unit 61398 Kindergarten:
http://www.starbaby.cn/jigou/1368
It is a well reviewed preschool and welcomes expat families according to online enrollment information.
Black Pheonix says
Good find Charles,
Apparently, the Kindergarten is a business open to the surrounding “office park” area.
YinYang says
Jeffrey Carr debunks Mandiant’s report on Link TV
http://admin.news.linktv.org/videos/security-expert-hacks-china-espionage-report-to-pieces-linkasia-22213
pug_ster says
If you don’t know by now, it was Mandiant who disclosed the so-called ‘attacks’ in the NY Times early this year also. Another coincidence is that the Mandiant founder and CEO Kevin Mandia is a big proponent of CISPA. Mandiant’s scaremongering in Western propaganda about these so-called Chinese hackers is an attempt to shove CISPA through the Senate so companies like Mandiant can reap the rewards immensely.
Mister Unknown says
That’s pretty damn comprehensive, thanks Black Phoenix for thoroughly debunking the Mandiant report. The most convincing argument I found was their use of publicly available code, and their communications through open internet forums.