Attribution Meh. Indicators YEAH!

By Mike Rothman

In addition to all the cycles we spent in our weekly research meeting trying to come up with cool t-shirt ideas featuring APT1, we also spent a bunch of time talking about the real impact of the Mandiant report, and how hacking for the Chinese is just different from what the US (and most other governments) do.

I’m pretty sure Rich will do a much more detailed post on this, following up on his great House of Cybercards ideas. But suffice it to say you probably wouldn’t get much of a hearing if you asked the US military apparatus to help figure out what price a Chinese competitor was planning to bid on a big power plant in South America. But the Chinese have no issue with hacking into all sorts of places to assist their commercial entities, many of which are still at least partially owned by the government. But that’s another discussion for another day – one with a lot of beer.

I want to follow up on this week’s Incite snippet, Attribution. Meh. Indicators. WIN! on what I see as the real value of Mandiant’s report. It’s not like most of us in the industry didn’t know that the Chinese military was behind a lot of the so-called APT activity. Now we have a building to go visit. Whoopee! I was far more interested to see the malware indicators they found published, if only to see how some smart folks will use that information to help the industry.

First, send some kudos over to the folks at Tenable, who quickly posted checks you can load directly into Nessus to look for the malware. Part of the reason to do malware analysis in the first place is to be able to search for those indicators within your environment, using tools you already have.

This audit file determines possible infections by several of the malware items identified in the Mandiant Intelligence Center Report – APT1: Exposing One of China’s Cyber Espionage Units. It includes checks for 34 of the malware variants identified in Appendix C The Malware Arsenal. The audit file utilizes a combination of registry checks and file system checks to find hosts that might likely be at risk or infected.
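The Tenable audit file pairs registry checks with file system checks; the same pattern is easy to reproduce with whatever scripting you already have. The script below is an added example written for this post, not Tenable's audit file and not anything taken from the Mandiant report: every filename, hash and registry path in it is a constructed placeholder, and the demo tree it scans is built on the fly so it runs offline. It walks a directory, flags files by name and by SHA-256, and on Windows also looks for a placeholder registry value; on other platforms the registry check simply reports nothing.

```python
"""Scan a directory tree for file-based indicators (names, SHA-256 hashes)
and, on Windows only, for registry indicators. Every indicator value here
is a constructed placeholder, not an APT1 IoC."""
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass

# Constructed placeholder content standing in for a sample; its hash is
# computed at import time so the demo is self-consistent.
SAMPLE_BYTES = b"constructed placeholder payload, not real malware"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()

# Hypothetical indicator set: filenames, hashes, (hive, key, value) triples.
INDICATORS = {
    "filenames": {"placeholder_dropper.dll"},
    "sha256": {SAMPLE_SHA256},
    "registry": [("HKLM", r"SOFTWARE\Placeholder\Persistence", "Run")],
}


@dataclass
class Hit:
    path: str
    reasons: list  # which indicator types matched this file


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries don't get read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, indicators):
    """Return a Hit for every file under root matching a name or hash IoC."""
    wanted_names = {n.lower() for n in indicators["filenames"]}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in wanted_names:
                reasons.append("filename")
            try:
                if sha256_of(full) in indicators["sha256"]:
                    reasons.append("sha256")
            except OSError:
                continue  # unreadable file: skip it, don't abort the scan
            if reasons:
                hits.append(Hit(full, reasons))
    return hits


def summarize(hits):
    """Map basename -> matched reasons, handy for reporting and tests."""
    return {os.path.basename(h.path): h.reasons for h in hits}


def check_registry(indicators):
    """Return registry indicators present on this host; [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive, key, value in indicators["registry"]:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                winreg.QueryValueEx(k, value)
                found.append((hive, key, value))
        except OSError:
            pass  # key or value absent: not an indicator hit
    return found


def build_demo_tree():
    """Create a constructed directory with one hash hit, one name hit, one clean file."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", "payload.bin"), "wb") as f:
        f.write(SAMPLE_BYTES)  # hash match only
    with open(os.path.join(root, "placeholder_dropper.dll"), "wb") as f:
        f.write(b"unrelated bytes")  # name match only
    with open(os.path.join(root, "clean.txt"), "wb") as f:
        f.write(b"nothing to see here")  # no match
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit in scan_tree(demo_root, INDICATORS):
        print(hit.path, hit.reasons)
    print("registry:", check_registry(INDICATORS))
```

A filename hit on its own is weak evidence (benign software can share a name), which is why a hash match is reported separately and why the Tenable audit combines file checks with registry checks rather than relying on any single indicator type. Swap the placeholder sets for the indicators in the report's appendix and point `scan_tree` at the volumes you care about.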

Wesley McGrew’s students at Mississippi State also got a little gift, in terms of a bunch of new samples to analyze, as described by TechWorld. It’s great to see students able to learn on real world ammo.

“Oh, it’s fantastic,” said McGrew, who will defend his doctoral thesis on the security of SCADA (supervisory control and data acquisition) systems next month. “The importance of having malware that has an impact on the economic advantage of one company over another or the security of a nation is priceless. This is exactly what they should be learning to look at.”

Not to get all New School now, but access to the malware and associated indicators used in many of these advanced attacks can be instructive for tons of reasons. We can only hope this is the first of many instances where the industry works together to improve the practice of security, as opposed to competing against each other for purely economic gain. Yeah, not sure what I was thinking with that last statement.


The greatest significance can be found in this report’s overarching message to China: we see you and we’re doing something about it. This may well represent the catalyst for major geopolitical change.

The value of this report is that it will likely disrupt the adversary’s operational capability for some time as corporations bolster defenses. The adversary is no longer a vague term referring to an unknown group somewhere in the world. We’re talking about the government of China. We’re talking about disrupting their economy by stopping their Cyber espionage and theft. The infrastructure put in place by the PLA is not easily dismantled. Their missions and targets were conceived by the political party as essential to sustaining their government. They will be forced to shut down operations, or continue while migrating quietly. Not only were the adversary’s specific behavioral indicators exposed, but this report shows the extent of US counter-espionage capabilities in the commercial, UNCLASSIFIED sphere. If there was any notion by the adversary that they were functioning in stealth, that notion should be well dissolved by now.

This report describes the ultimate cyber war; siphoning out the tools that make a great society sustain through silent espionage, theft, and reuse.

This report also demands response from the highest levels of our society. While bloggers, pundits, researchers, and media have long broadcast China as the original and most prolific APT, definitive responses from those enabled to effect change have yet to materialize. The name-and-shame pundits have been restricted and ignored, often for political reasons or due to the lack of explicit evidence tracing a group to a government. I have also heard executives make claims like “we don’t want to offend because we don’t want to risk losing business,” while politicians fear angering a major trade partner. Those near-sighted excuses will result in self-destruction in the long term. China is paying for or supporting our businesses now, but as they are doing that, they are siphoning off intellectual property so they can replicate technology, goods, and services internally so that they become the world’s greatest provider. The damage to our own economy, should China realize its mission, is incalculable. Their actions place the sustainability of our society at risk. If China can produce goods and services at the same quality as US providers at cheaper costs to the consumer, then free-market principles will result in economic collapse.

In the same vein, their actions are essential to continuing the sustainability of their current society. It is for the very reason that they cannot under their current governmental structure produce as free societies do, that they must reach out and steal to survive. Readers of the Mandiant report will note the mission orders of this group are derived from the PLA regarding those markets and industries critical to China’s growth. If they cannot grow, they cannot sustain. If they cannot sustain, their government will collapse like the Soviet Union. Cyber espionage is an instrument of sustainment for China’s government. Without it, they will not survive and this report blows their cover.

I believe this history of a lack of effective response is due to the relatively vague connections drawn between active campaigns and the PLA in the past. This discussion has largely remained quarantined by the vaults of information classification. While everyone has been saying this publicly, no one has been proving it. This report demands action and eliminates the excuses used to evade this topic in the past, namely those who cite unconfirmed reports as their shelter.

Never before have I seen evidence like this linking China’s People’s Liberation Army (PLA) to this group, or any international espionage in a public discussion. Private intelligence sharing groups have long kept these details hidden, and public disclosure essentially counters the principles behind keeping the data protected; namely that now that the adversary has been so publicly exposed, they will likely hide. The security blog world is clearly divided about this action by Mandiant, but again, those fears are near-sighted.

If you expose your adversary, you can effectively counter their capabilities and mitigate the threat they pose.

By Matt
