Friday, February 22, 2013

Mandiant APT1 Report Response


Outlining the geopolitical significance of this week's exposure of APT1

An emerging report...more to come

Introduction

On February 19, Mandiant released a detailed report on the Advanced Persistent Threat group they termed APT1. This is the same group referred to among security researchers and defense contractors as the Comment Gang, or Comment Group, or WebC2. Their names were derived from their common tactic of using html comment tags embedded within websites to distribute command and control functions to victim systems. The report outlines the activities, targets, tools, techniques, and procedures used by the group since at least 2004. Besides TTPs, Mandiant included evidence defining the true identity of the group as China’s Military Defense Unit 61398 as well as physical operating locations and some of the personas used by the group. In addition to the main report exposing the group, Mandiant released a series of related documents containing indicators which can be used to defend against and detect the adversary’s current infrastructure.

In summary, the report exposes a systematic program under the direct control of China’s government leadership and operated by the People’s Liberation Army (PLA) targeting the economic sectors of the United States and allies in order to steal the intellectual property required to sustain economic growth within China. This is an attack on our economy.

The report itself is largely non-technical allowing any reader the ability to grasp the significance of what is being presented.

http://intelreport.mandiant.com/

Significance

The greatest significance can be found in this report’s overarching message to China: we see you and we’re doing something about it. A second major impact of this report is the fact that it shatters the notion that nation-state espionage is isolated to government targets and their supply chain including defense contractors. The APT1 report definitively maps PLA operations and strategic government initiatives to economic espionage and property theft. The adversary is no longer a vague term referring to an unknown group somewhere in the world. We’re talking about the government of China. We’re talking about disrupting their economy by stopping their Cyber espionage and theft. This may well represent the catalyst for major geopolitical change.

The immediate value of this report is that it will likely disrupt the adversary’s operational capability for some time as corporations bolster defenses by implementing immediate controls. The infrastructure put in place by the PLA is not easily dismantled. Their missions and targets were conceived by the political party as essential to sustaining their government, and likely required extensive efforts to implement operations as they stand today. They will be forced to shut down operations, or continue while migrating quietly. Not only were the adversary’s specific behavioral indicators exposed, but this report shows the extent of US counter-espionage capabilities in the commercial, UNCLASSIFIED sphere. If there was any notion by the adversary that they were functioning in stealth, that notion should be well dissolved by now.

This report describes the ultimate cyber war; siphoning out the tools that allow a great society to sustain, through years of silent espionage, theft, and re-use. Hence the ripple effect this report will likely trigger will grow as it expands. As US organizations implement mitigations, if done well, doing so will result in significant economic downturn for China.

Readers of the Mandiant report will note the mission orders of this group are derived from the PLA regarding those markets and industries critical to China’s growth as defined in their “Five Year Plan.” Thus Cyber operations are essential to continuing the sustainability of their government. For whatever reasons, they are unable to grow organically and have decided at the strategic political level that they must reach out and steal to survive. If they cannot grow, they cannot sustain. If they cannot sustain, their government will collapse. Cyber espionage is an instrument of sustainment for China’s government. US companies are the targets. Without this program, they will not survive and this report blows their cover.

This report also forces response from the highest levels of our society. While bloggers, pundits, researchers, and media have long broadcast the government of China as the original and most prolific APT, definitive responses from those enabled to effect change have yet to materialize. The name-and-shame pundits have been restricted and ignored, often for political reasons or due to the lack of elicit evidence tracing a group to a government. I have also heard executives make claims like “we don’t want to offend because we don’t want to risk losing business,” while politicians fear angering a major trade partner. Those near-sighted excuses will result in self-destruction in the long-term. China is paying for or supporting our businesses now, but as they are doing that, they are siphoning off intellectual property so they can replicate technology, goods, and services internally so that they become the world’s greatest provider. The damage to our own economy should China realize their mission, is incalculable. Their actions place the sustainability of our society at risk. If China can produce goods and services at the same quality as US providers at cheaper costs to the consumer, then free-market principles will result in economic collapse.

I believe this history of a lack of effective response is due to the relatively vague connections drawn between active cyber campaigns and the PLA in the past. This discussion has largely remained quarantined in the vaults of information classification. While everyone has been saying this publically, no one has been proving it. This report demands action and eliminates the excuses used to evade this topic in the past, namely those who cite unconfirmed reports as their shelter.

Never before have I seen evidence like this linking China’s People’s Liberation Army (PLA) to this group, or any international espionage in a public discussion. Private intelligence sharing groups have long kept these details hidden, and public disclosure essentially counters the principles behind keeping the data protected; namely that now that the adversary has been so publically exposed, they will likely hide. However this reasoning misses the greater impact full disclosure can have. The security world is clearly divided about this action by Mandiant, but again, those fears are near-sighted.

If you expose your adversary, you can effectively counter their capabilities and mitigate the threat they represent.