Outlining the geopolitical significance of this week's exposure of APT1
An emerging report...more to come
Introduction
On February 19, Mandiant released a detailed report on the
Advanced Persistent Threat group they termed APT1. This is the same group
referred to among security researchers and defense contractors as the Comment
Gang, or Comment Group, or WebC2. Those names derive from the group's common
tactic of using HTML comment tags embedded within websites to distribute
command and control instructions to victim systems. The report outlines the
activities, targets, tools, techniques, and procedures used by the group since
at least 2004. Besides TTPs, Mandiant included evidence defining the true identity
of the group as China’s Military Defense Unit 61398 as well as physical
operating locations and some of the personas used by the group. In addition to
the main report exposing the group, Mandiant released a series of related
documents containing indicators which can be used to defend against and detect
the adversary’s current infrastructure.
In summary, the report exposes a systematic program under
the direct control of China’s government leadership and operated by the People’s
Liberation Army (PLA) targeting the economic sectors of the United States and
allies in order to steal the intellectual property required to sustain economic
growth within China. This is an attack on our economy.
The report itself is largely non-technical, allowing any
reader to grasp the significance of what is being presented.
http://intelreport.mandiant.com/
Significance
The greatest significance can be found in this report’s overarching
message to China: we see you and we’re doing something about it. A second major
impact of this report is the fact that it shatters the notion that nation-state
espionage is isolated to government targets and their supply chain including
defense contractors. The APT1 report definitively maps PLA operations and
strategic government initiatives to economic espionage and property theft. The
adversary is no longer a vague term referring to an unknown group somewhere in
the world. We’re talking about the government of China. We’re talking about
disrupting their economy by stopping their cyber espionage and theft. This may
well represent the catalyst for major geopolitical change.
The immediate value of this report is that it will likely
disrupt the adversary’s operational capability for some time as corporations
bolster defenses by implementing immediate controls. The infrastructure put in
place by the PLA is not easily dismantled. Their missions and targets were
conceived by the political party as essential to sustaining their government,
and likely required extensive efforts to implement operations as they stand
today. They will be forced to shut down operations, or continue while migrating
quietly. Not only were the adversary’s specific behavioral indicators exposed,
but this report shows the extent of US counter-espionage capabilities in the
commercial, UNCLASSIFIED sphere. If there was any notion by the adversary that
they were functioning in stealth, that notion should be well dissolved by now.
This report describes the ultimate cyber war: siphoning out
the tools that allow a great society to sustain itself, through years of silent espionage,
theft, and re-use. Hence the ripple effect this report will likely trigger will
grow as it spreads. If US organizations implement mitigations well, doing
so will result in a significant economic downturn for China.
Readers of the Mandiant report will note the mission orders
of this group are derived from the PLA regarding those markets and industries
critical to China’s growth as defined in their “Five Year Plan.” Thus cyber
operations are essential to sustaining their government. For
whatever reasons, they are unable to grow organically and have decided at the strategic
political level that they must reach out and steal to survive. If they cannot
grow, they cannot sustain. If they cannot sustain, their government will collapse.
Cyber espionage is an instrument of sustainment for China’s government. US
companies are the targets. Without this program, they will not survive and this
report blows their cover.
This report also forces response from the highest levels of
our society. While bloggers, pundits, researchers, and media have long
broadcast the government of China as the original and most prolific APT,
definitive responses from those empowered to effect change have yet to
materialize. The name-and-shame pundits have been restricted and ignored, often
for political reasons or due to the lack of explicit evidence tracing a group to
a government. I have also heard executives make claims like “we don’t want to
offend because we don’t want to risk losing business,” while politicians fear
angering a major trade partner. Those near-sighted excuses will result in self-destruction
in the long-term. China is paying for or supporting our businesses now, but as
they are doing that, they are siphoning off intellectual property so they can
replicate technology, goods, and services internally so that they become the
world’s greatest provider. The damage to our own economy, should China realize
their mission, is incalculable. Their actions place the sustainability of our
society at risk. If China can produce goods and services at the same quality as
US providers at cheaper costs to the consumer, then free-market principles will
result in economic collapse.
I believe this history of a lack of effective response is
due to the relatively vague connections drawn between active cyber campaigns
and the PLA in the past. This discussion has largely remained quarantined in
the vaults of information classification. While everyone has been saying this
publicly, no one has been proving it. This report demands action and eliminates
the excuses used to evade this topic in the past, namely those who cite
unconfirmed reports as their shelter.
Never before have I seen evidence like this linking China’s
People’s Liberation Army (PLA) to this group, or any international espionage in
a public discussion. Private intelligence sharing groups have long kept these details
hidden, and public disclosure essentially counters the principles behind
keeping the data protected; namely that now that the adversary has been so
publicly exposed, they will likely hide. However, this reasoning misses the
greater impact full disclosure can have. The security world is clearly divided
about this action by Mandiant, but again, those fears are near-sighted.