Last week, Mandiant, a security consulting company in the US, chose to publish a report on alleged Chinese government sponsored hacking against the US. The report is a fascinating mix of technology analytics and far-fetched conclusions.
I have no issues with Mandiant, I trust them to be serious in their work and analysis. And I do not mind much that they point a finger at the Chinese government as the originator of such attacks. It is quite likely that the Chinese government is involved in cyber intelligence, just like most other modern country is.
What I am concerned about is the fact that the proof Mandiant offer in the report, at best can be called anecdotal. In my opinion, a report with such accusations, must be provable and scientific. As some critics say, there are a number of possible explanations for the timing of the report, including creating a new bogeyman in order to get acceptance for more laws and regulations.
Let me take a look at the report and some of it’s shortcomings.
No connection to the building
The report has one full chapter describing a building in Shanghai, a city with some 9 million inhabitants, adding proof that this building is owned by the Chinese military.
Fine, I can accept that the building may be owned by the Chinese government. The fact that the Chinese military have buildings in Shanghai, does not prove that the attacks are state-sponsored. There is no proof in the report that clearly and without a doubt show that the attacks come from this very building.
It may very well be a coincidence.
Just like the fact that I live in Oslo, and so does the Norwegian government. It does not mean I work for them, nor does it imply that what I write here is on their behalf.
The fact that Mandiant’s research suggest that the attacks origin from Shanghai may also be a mistake. Hiding your location using proxies is not exactly a secret receipt, especially not amongst infosec people. The fact that Mandiant could not find any further locations does not mean such locations does not exist.
My point is that the location in Shanghai may very well have been planted. Either by the hackers in control of the APT1. Or by someone who want to place blame. Most likely, we will never know for sure.
The report goes into details about three of the alleged hackers behind APT1: Ugly Gorilla, DOTA and SuperHard. They show that someone using the handle Ugly Gorilla registered at a state-sponsored forum in 2004, and asked a question containing the words «cyber troops» (page 52). From there, they go on to claim that all subsequent use of UG in domains, subdomains and code found from then on, means that the handle Ugly Gorilla is
a. The same person;
b. Someone within the Chinese government;
Let me discuss both points:
A: I used to use the handle SirChief back in the day. In the start, I was probably the only one using the nick but over the years many other people decided it was a cool handle. I am no longer associated with the handle, yet using the same logic Mandiant apply, any instances of SirChief would be tributed to me. This kind of logic does not hold, and thus exhibit A must be dismissed.
B: The only connection the report is showing that Ugly Gorilla (and therefore the other hackers mentioned) is even connected to the Chinese government, is the registration form in the aforementioned forum in January 2004. It would be the same as if I, at any point in my history, had joined a forum hosted by the government (which I have) and then draw the conclusion that I must be working for the same government. This is not a valid argument and there can be many possible explanations as to why my name and handle show up in a registration form at any given forum (including someone else using it). Hence, it should not be used as proof.
A nice try
I will commend Mandiant on writing up a report where they take complex technology and explain it in a way (advanced) lay-mans may understand.
Their use of graphics is nice, and is sure to sway people to think the report holds water, even if they do not read it (or understand). And when it comes to media, and media consumption, we know that very few actually read the background materials (i.e. the report), they just cut and paste the press release. Then they call some security expert who will say anything to get his face on TV. No-one (or very few) care to check the facts.
And as we seen in this report, even if a company like Mandiant actually do check the facts, they can draw the wrong conclusion.
China not alone
There is no secret that the Chinese are not alone in their cyber intelligence efforts. They didn’t even start it, and I am quite certain that they are not even in the fore-front of this game. Consider the following: who designed and deployed Stuxnet; who controls drones; and who is having a very hard time coping with the fact that there is a global power-shift going on; who will benefit from creating such an image of a biting dragon? Is it coincidence that the report is published in the US, by a US security company?
Me thinks not.
Seriously, neither Iran nor Afghanistan make believable digital villains, so it has to be someone else. China is a given.
Spelling as proof
Back to the report. Another so-called proof is found on page 47, where a domain name registrant have miss-spelled the name of a US city, and also used a chinese phone number. I can accept that using a chinese phone-number may point to China.
But put 100 Americans in a room, how many do you really expect to be able to spell Yellow Springs correctly? This is not proof, it is just a poor example of how to fit data to your hypothesis, which is not an accepted method of science.
It is, however, an error non-scientists fall victims to time and time again.
I do not believe Mandiant decided to make a poor report with make-up proof just to point fingers. I believe they are victims of faulty logic and time constraints, the same things that makes us all vulnerable to jump to conclusions, a dangerous habit.
My advices are simple:
- Never stop digging – there is always another layer
- Seek data to dismiss your hypothesis, not to support it
The next time you read a report and decide to join the screamers, do yourself and the world a favor. Take time to understand before you spread possibly erroneous information. Be brave enough to ask questions. Nothing is ever only black and white, especially not in the infosec world.
Image credit: http://www.flickr.com/photos/vkreay/