New York Times’ reporter David Sanger’s new book contains an explosive claim. In The Perfect Weapon, Sanger alleges that staff from American cybersecurity firm Mandiant, a private company, broke into the laptops of individual, Chinese military hackers. This campaign was apparently part of Mandiant’s exposure of the Chinese hacking group dubbed APT1, which had targeted a slew of American companies for years.
Now FireEye, which has since acquired Mandiant, has vehemently denied the claims, saying Sanger did not accurately report how the company identified the Chinese hackers.
"Mr. Sanger's description of how Mandiant obtained some of the evidence underlying APT1 has resulted in a serious mischaracterization of our investigative efforts," the company said in a blog post published Monday.
"To state this unequivocally, Mandiant did not employ 'hack back' techniques as part of investigation of APT1, does not 'hack back' in our incident response practice, and does not endorse the practice of 'hacking back'," the blog post adds.
“As soon as they detected Chinese hackers breaking into the private networks of some of their clients—mostly Fortune 500 companies—Mandia’s [Kevin Mandia, CEO of Mandiant] investigators reached back through the network to activate the cameras on the hackers’ own laptops,” Sanger’s book reads. “They could see their keystrokes while actually watching them at their desks.”
This sort of literal visibility showed Mandiant that the hackers were male, mostly in their mid-twenties, and would show up for work at around 8:30am Shanghai time, before checking sports scores, emailing their girlfriends, and sometimes watching porn, the book continues.
One tactic Mandiant did use in the APT1 report and disclosed in a 2013 video was intercepting some of the hackers’ Remote Desktop (RDP) sessions, which allowed Mandiant to see the attackers creating email accounts, testing their malware, and ultimately deploying their tools.
Indeed, FireEye suggests this is what Sanger misunderstood.
"To someone observing this video 'over the shoulder' of one of our investigators, it could appear as live system monitoring. Nevertheless, Mandiant did not create these videos through 'hacking back' or any hacking activity. All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised," the company's blog post says.
Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on firstname.lastname@example.org, or email email@example.com.
Mandiant’s APT1 work is often seen as a turning point among private cybersecurity reports. The company attributed over a hundred hacking attacks to a specific Chinese military unit, and publicly called that unit out for its operations.
“The APT1 report was a landmark attribution report, the most significant of them all in terms of changing the public debate,” Thomas Rid, professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat.
"Six years ago politicians and reporters would be overly skeptical of all forensic evidence, and many saw attribution as impossible—today the opposite is the case: often people are not skeptical enough of the forensics, and see attribution as easy,” he added.
Dan McWhorter, managing director of threat intelligence, wrote at the time of the APT1 report, “We recognize that no one entity can understand the entire complex picture that many years of intense cyber espionage by a single group creates. We look forward to seeing the surge of data and conversations a report like this will likely generate."