Mandiant gains instant fame after Chinese hack report

Mandiant's release on Tuesday of a mother lode of information on Chinese hacking efforts could turn out to be a financial mother lode for the company itself.

Mandiant, founded in 2004, was well known in Internet security circles for cybercrime response and forensics before this week. But by the end of the day on which it released its 60-page report on what it said was proof of efforts by a Chinese military unit to hack into 141 businesses, most of them in the U.S., it was one of the highest-profile security companies in the world.

The report, titled "APT1: Exposing One of China's Cyber Espionage Units," led mainstream television network news broadcasts on Tuesday evening, and was featured on everything from National Public Radio to tech journals and blogs. Company founder Kevin Mandia, a retired Air Force officer, was interviewed by multiple media outlets.

The timing could be very good for Mandiant. Several security experts said they think it will go public sometime this year, although Mandiant CSO Richard Bejtlich would not comment on that. And, as Anne Flaherty of the Associated Press put it in an explainer on the company, the report "puts Mandiant front-and-center at a critical time on a national debate about cybersecurity. Its founder [Mandia] testified earlier this month to the House Intelligence Committee on hacking threats."

But it also raised questions about how the report was rolled out, and whether the information it collected could have been made public earlier, to assist companies that may have been hacked by APT1 or "Unit 61398" of the Chinese People's Liberation Army, but were not among Mandiant's clients. Mandiant has been tracking APT1 and other such groups in China since 2006.

The company suggested in its report that the targets of APT1 likely went well beyond its clientele. "The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted," the report said.

But Bejtlich told CSO Online on Wednesday that Mandiant has issued public reports consistently on advanced persistent threats (APT). He said the firm's January 2010 M-Trends report specifically addressed them.


The difference in this report, he said, was that the company finally felt confident enough to name a specific Chinese group, with government sponsorship, as the source of a large group of attacks. "We believed we had a really good case," he said.

Chester Wisniewski, a senior security adviser at Sophos, said that Mandiant, as a private, for-profit enterprise, doesn't really owe anyone anything. "They are entitled to share what they please," he said.

"It isn't exactly news to those of us in the business of protecting businesses from these types of attacks," he said, aside from the attribution to a specific team in China. "Most of the malware samples were already being detected by our antivirus and I presume the same to be true for others."

Bejtlich said Mandiant felt the timing of the report's release was good for two other reasons. "This is a time when there is a real push for security," he said. "The president just signed an Executive Order, our CEO had just testified on intelligence sharing and there are bills coming [in Congress on cybersecurity.]"

He added that there has been some frustration in the security community about the administration's apparent unwillingness to confront China. He said having White House Press Secretary Jay Carney talk about "speaking to the Chinese in the most serious tones" is not enough. "We're here to play a part, and we wanted to present the evidence."

Bejtlich said Mandiant felt that this Army unit in particular would be especially damaged by this. "We don't think they can pivot quickly to a backup plan. This was an attempt to make life difficult for the adversary."

Gary McGraw, CTO of Cigital, suggested another possible reason. "I think the Chinese goaded them into it," he said, noting that Chinese officials, in denying any involvement with the hack of The New York Times, said it was "unprofessional" to make the accusation "without any conclusive evidence."

"They probably figured, 'OK, we'll show you some evidence,'" McGraw said.

There are also questions about the commingling of media strategy with Mandiant's commercial interest. The New York Times had hired Mandiant in January to trace an attack on the computers of reporters and other employees following the newspaper's stories on the financial dealings of China's Premier Wen Jiabao.

Mandiant then allowed The Times to break the story on its APT1 report by providing it with an advance copy, allowing time for reporters to "test the conclusions with other experts, both inside and outside government," and providing advance interviews with company leaders. The Times published its story Monday, a day before the official release of the report.

The newspaper acknowledged in its story that while Mandiant is not now working for the Times, "it is in discussions about a business relationship."

Bejtlich acknowledged that the relationship developed between Mandiant and The Times during the investigation of the newspaper hack led to the coordination of a story in The Times on the release of the report.

That is normal, Chester Wisniewski said. "It isn't unusual to prefer your customers when it comes to these things," he said.

"It was mutually beneficial," Bejtlich said. "We were not in a position to talk to others in the intelligence community, but The Times could." He added that Mandiant felt this was the best way to give the report as much exposure as possible.

He acknowledged that some other media outlets, scooped by The Times, were upset. "And I'm totally sympathetic to that," he said.


Stories by Taylor Armerding
