Mandiant’s APT1 report from February 19, 2013 made headlines around the world for claiming to uncover that a unit of China’s military has been engaging in cyber espionage operations against an estimated 141 companies in 20 industry verticals. Here’s a condensed version of their key findings:
Mandiant’s alleged proof is summarized in Table 12 (pp. 59-60): “Matching characteristics between APT1 and Unit 61398.” Mandiant’s entire premise that APT1 is PLA Unit 61398 rests on the connections made in that table and that no other conclusion is possible:
“Combining our direct observations with carefully researched and correlated findings; we believe the facts dictate only two possibilities: Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission or APT1 is Unit 61398.” (APT1, p. 60)
I’ve publicly taken issue with this conclusion because while Mandiant has done a good job of describing what Unit 61398 is and what APT1 does, they haven’t proved that 61398 is APT1. Here are two tables which demonstrate what I mean. The first three columns are from Mandiant’s Table 12 on pp. 59-60 of their report. The “Other” column contains a partial group of alternatives that I’ve provided for each of Mandiant’s “characteristics.” Until these and other alternatives have been analyzed and ruled out using structured analysis like the Analysis of Competing Hypotheses, Mandiant has failed to prove that APT1 is a part of China’s People’s Liberation Army.
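The Analysis of Competing Hypotheses the paragraph refers to is a mechanical procedure: list the hypotheses, rate each piece of evidence as consistent or inconsistent with each one, discard evidence that fits every hypothesis equally (it has no diagnostic value), and keep the hypothesis with the fewest inconsistencies. The following is an added worked example, not code from the article or from Mandiant. The two hypotheses are the ones Mandiant’s own quotation sets up, the evidence labels paraphrase that quotation, and every consistency rating is a constructed placeholder for illustration rather than an analytic finding about the report.

```python
"""Analysis of Competing Hypotheses (ACH) scoring, as a worked illustration.

Added example, not from the article or from Mandiant's report. Hypotheses and
evidence labels paraphrase the Mandiant quotation the article cites; all
consistency ratings are constructed placeholders, not analytic judgements."""

from dataclasses import dataclass

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"

# The two possibilities Mandiant's own quotation sets up.
H_UNIT = "APT1 is PLA Unit 61398"
H_OTHER = "APT1 is another Shanghai-based organization near Unit 61398"
HYPOTHESES = [H_UNIT, H_OTHER]


@dataclass
class Evidence:
    label: str
    ratings: dict  # hypothesis -> CONSISTENT / INCONSISTENT / NEUTRAL

    def rating(self, hypothesis):
        return self.ratings.get(hypothesis, NEUTRAL)

    def is_diagnostic(self, hypotheses):
        """An item discriminates only if it is rated differently across the
        hypotheses; an item consistent with all of them supports none of them."""
        return len({self.rating(h) for h in hypotheses}) > 1


# Constructed ratings: each observation in Mandiant's quotation fits both
# hypotheses equally, so none of them is diagnostic on its own.
EVIDENCE = [
    Evidence("Operators are mainland Chinese speakers",
             {H_UNIT: CONSISTENT, H_OTHER: CONSISTENT}),
    Evidence("Direct access to Shanghai-based telecom infrastructure",
             {H_UNIT: CONSISTENT, H_OTHER: CONSISTENT}),
    Evidence("Activity originates near Unit 61398's building",
             {H_UNIT: CONSISTENT, H_OTHER: CONSISTENT}),
    Evidence("Tasks resemble Unit 61398's known mission",
             {H_UNIT: CONSISTENT, H_OTHER: CONSISTENT}),
]


def ach_score(hypotheses, evidence):
    """Count inconsistencies per hypothesis using only diagnostic evidence.

    Returns (scores, number_of_diagnostic_items). ACH scores by refutation:
    the hypothesis with the fewest inconsistencies is the least refuted."""
    scores = {h: 0 for h in hypotheses}
    used = 0
    for item in evidence:
        if not item.is_diagnostic(hypotheses):
            continue  # consistent with everything: carries no weight
        used += 1
        for h in hypotheses:
            if item.rating(h) == INCONSISTENT:
                scores[h] += 1
    return scores, used


def least_refuted(hypotheses, evidence):
    """Return the surviving hypotheses. More than one survivor means the
    evidence has not settled the question between them."""
    scores, used = ach_score(hypotheses, evidence)
    if used == 0:
        return list(hypotheses)
    best = min(scores.values())
    return [h for h in hypotheses if scores[h] == best]


if __name__ == "__main__":
    scores, used = ach_score(HYPOTHESES, EVIDENCE)
    print(f"diagnostic items used: {used}")
    for h, s in scores.items():
        print(f"{s} inconsistencies: {h}")
    print("surviving hypotheses:", least_refuted(HYPOTHESES, EVIDENCE))
```

With the constructed ratings above, every item is consistent with both hypotheses, so no item is diagnostic and both hypotheses survive; the matrix only resolves once an item is added that is rated inconsistent with one hypothesis and not the other, which is exactly the alternative-elimination step the paragraph says is missing.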
Besides my alternative explanations disclosed in column 4, Mandiant’s report has numerous flaws including the following:
1. Mandiant’s reliance on proximity to prove its claim that PLA Unit 61398 is Comment Crew, aka APT1, is undermined by simple geographical mistakes such as:
2. Speaking of guilt by proximity, one of the “obviously false” IP address registrations according to Mandiant was for an address in Yellow Spring, Ohio. It should have been spelled “Yellow Springs.” However, a cursory check shows that the address is real except for that one missing “s.” Even more interesting is that it is located 13 miles from Wright-Patterson Air Force Base which is the Air Force’s “boot camp for cyber warriors.”
Either this is a bizarre coincidence or someone on the Comment Crew has a wicked sense of humor. As it turns out, Michael Murphy is a real person who lives in Yellow Springs, Ohio and who used to be the director of admissions at Antioch College whose office is located at 795 Livermore St., Yellow Springs, OH – the address that Mandiant assumed was fake.
3. On page 11 of the report, under “Size and Location of Unit 61398’s Personnel and Facilities,” Mandiant wrote “public sources confirm that in early 2007, Jiangsu Longhai Construction Engineering Group completed work on a new building for Unit 61398 located at Datong Road 208 within the Pudong New Area of Shanghai. At 12 stories in height and offering 130,663 square feet of space, we estimate that this building houses offices for approximately 2,000 people.” In reality, it’s the Unit’s pre-school.
And this isn’t all of the errors. It’s just a fraction. While each may seem minor, collectively they call into question Mandiant’s final conclusion and, at the very least, should serve as a lesson to policy makers not to rush to judgment on matters of attribution. There’s plenty of evidence that China engages in cyber espionage; however, making claims of attribution using such weak connections may create a host of negative effects, such as: