Mandiant’s APT1 report from February 19, 2013 made headlines around the world for claiming to uncover that a unit of China’s military has been engaging in cyber espionage operations against an estimated 141 companies in 20 industry verticals. Here’s a condensed version of their key findings:

  • APT1 (aka Comment Crew) is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
  • APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
  • APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
  • APT1 maintains an extensive infrastructure of computer systems around the world.
  • In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
  • The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.

Mandiant’s alleged proof is summarized in Table 12 (pp. 59-60): “Matching characteristics between APT1 and Unit 61398.” Mandiant’s entire premise that APT1 is PLA Unit 61398 rests on the connections made in that table and on the claim that no other conclusion is possible:

“Combining our direct observations with carefully researched and correlated findings; we believe the facts dictate only two possibilities: Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission or APT1 is Unit 61398.” (APT1, p. 60)

I’ve publicly taken issue with this conclusion because while Mandiant has done a good job of describing what Unit 61398 is and what APT1 does, they haven’t proved that 61398 is APT1. Here are two tables which demonstrate what I mean. The first three columns are from Mandiant’s Table 12 on pp. 59-60 of their report. The “Other” column contains a partial group of alternatives that I’ve provided for each of Mandiant’s “characteristics.” Until these and other alternatives have been analyzed and ruled out using structured analysis like the Analysis of Competing Hypotheses, Mandiant has failed to prove that APT1 is a part of China’s People’s Liberation Army.