Mandiant’s APT1 report from February 19, 2013 made headlines around the world for claiming to uncover that a unit of China’s military has been engaging in cyber espionage operations against an estimated 141 companies in 20 industry verticals. Here’s a condensed version of their key findings:
- APT1 (aka Comment Crew) is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
- APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
- APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
- APT1 maintains an extensive infrastructure of computer systems around the world.
- In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
- The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds, of human operators.
Mandiant’s alleged proof is summarized in Table 12 (pp. 59-60): “Matching characteristics between APT1 and Unit 61398.” Mandiant’s entire premise that APT1 is PLA Unit 61398 rests on the connections made in that table and that no other conclusion is possible:
“Combining our direct observations with carefully researched and correlated findings; we believe the facts dictate only two possibilities: Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission or APT1 is Unit 61398.” (APT1, p. 60)
I’ve publicly taken issue with this conclusion because, while Mandiant has done a good job of describing what Unit 61398 is and what APT1 does, they haven’t proved that 61398 is APT1. Here are two tables which demonstrate what I mean. The first three columns are from Mandiant’s Table 12 on pp. 59-60 of their report. The “Other” column contains a partial set of alternatives that I’ve provided for each of Mandiant’s “characteristics.” Until these and other alternatives have been analyzed and ruled out using a structured technique such as the Analysis of Competing Hypotheses, Mandiant has failed to prove that APT1 is a part of China’s People’s Liberation Army.
Besides my alternative explanations disclosed in column 4, Mandiant’s report has numerous flaws including the following:
1. Mandiant’s reliance on proximity to prove its claim that PLA Unit 61398 is Comment Crew aka APT1 is undermined by simple geographical mistakes such as:
- p. 10 of Mandiant’s report refers to Hebei as a borough in Shanghai. Hebei is actually a province about 600 miles and 3 provinces away from Shanghai.
- NEC and Intel, along with many other high-tech companies, operate less than 8 miles from PLA Unit 61398, and all would be served by the same fiber optic cable provided by China Unicom.
- There are more free proxy servers in China than anywhere else in the world and some of those proxy servers overlap with the IP blocks identified in the Mandiant report.
- An IP registration for UglyGorilla was described by Mandiant as being “across the river” from Unit 61398. In fact, it was 33 kilometers away.
2. Speaking of guilt by proximity, one of the “obviously false” IP address registrations according to Mandiant was for an address in Yellow Spring, Ohio. It should have been spelled “Yellow Springs.” However, a cursory check shows that the address is real except for that one missing “s.” Even more interesting is that it is located 13 miles from Wright-Patterson Air Force Base which is the Air Force’s “boot camp for cyber warriors.”
Either this is a bizarre coincidence or someone on the Comment Crew has a wicked sense of humor. As it turns out, Michael Murphy is a real person who lives in Yellow Springs, Ohio and who used to be the director of admissions at Antioch College whose office is located at 795 Livermore St., Yellow Springs, OH – the address that Mandiant assumed was fake.
3. On page 11 of the report, under “Size and Location of Unit 61398’s Personnel and Facilities,” Mandiant wrote “public sources confirm that in early 2007, Jiangsu Longhai Construction Engineering Group completed work on a new building for Unit 61398 located at Datong Road 208 within the Pudong New Area of Shanghai. At 12 stories in height and offering 130,663 square feet of space, we estimate that this building houses offices for approximately 2,000 people.” In reality, it’s the Unit’s pre-school.
And this isn’t all of the errors; it’s just a fraction. While each may seem minor, collectively they call into question Mandiant’s final conclusion and, at the very least, should serve as a lesson to policy makers not to rush to judgment on matters of attribution. There’s plenty of evidence that China engages in cyber espionage; however, making claims of attribution using such weak connections may create a host of negative effects, such as:
- Giving policymakers an inaccurate picture of the cyber espionage threat landscape by putting too much emphasis on China and not enough on other serious threat actors, like Russia, Israel, France, and other nation states.
- Unnecessarily raising further diplomatic tensions between the U.S. and China, with whom the U.S. government and U.S. corporations have complex, critical relationships.