Security Experts Are Not Convinced That Chinese Military Is Source Of Hacking In New Report

Business Insider

Last night security firm Mandiant published what appeared to be the most definitive report linking attacks on US firms and institutions with Chinese hackers based with the military.

It's a remarkable report, laying bare what most people had long assumed — the Chinese government is directly linked to cyber-espionage attacks.

However, not everyone in the cyber-security world is convinced by the report, nor the New York Times articles and Businessweek cover story that have accompanied it. These experts hit back at any claims of a "smoking gun" in the report, instead arguing that more investigation is needed.

In a blog post today, Jeffrey Carr, founder and CEO of cyber security firm Taia Global inc, wrote that the Mandiant report had "critical analytic flaws" and that other theories had not been fully investigated as they did not fit in with the report's anti-China bias.

We e-mailed Carr some follow up questions, which appear below:

What specific problems have you found with the Mandiant report?

The biggest problem, as I wrote in my blog, is that Mandiant's conclusions do not exclude other threat actors besides China. Nor do they eliminate the possibility that other foreign intelligence services are using China as a false flag to disguise their own cyber espionage operations. All they need to do is set up a business in Shanghai.

Were earlier reports from the New York Times and Bloomberg any more convincing?

Yes, the Bloomberg report clearly identified a person who works for the PLA however that doesn't mean that he was acting on behalf of the Chinese gov't. We have some individuals here in the U.S. with military and/or intelligence agency employment or past employment that have engaged in hacking attacks on their own. The U.S. gov't had nothing to do with it.

In the case of the New York Times hack, China should certainly be considered a suspect but the evidence doesn't rule out other less likely suspects. My argument in that case is that estimative language should be used rather than claiming beyond a doubt that it was China - unless of course you have hard evidence that you can take to the international criminal court which proves your case.

Here's my article on the NY Times hack and the problems that I had with it.

Mandiant say they have tracked the hacking to a PLA building in Shanghai, which sounds pretty incriminating for the Chinese military. Are you not convinced by this?

No, because they didn't do that. They traced IP addresses to a section of Shanghai which is the center of China's economic and financial growth and which has over 5 million people. They never traced it to that building.

Is there a bias towards blaming the Chinese government/military in hacking cases?

Absolutely - especially with Mandiant. They've written often that when the use the term APT (Advanced Persistent Threat) they are talking about China. See p. 2 of their most recent report as an example.

If so, what would you attribute this to?

It's become a self-fulfilling prophecy over the years. We look for China to be the villan through government-funded work such as the U.S.-China Security and Economic Review Commission and China makes matters worse by engaging in lots of intellectual property theft. There's no question that China is guilty of lots of cyber espionage, however so do many other countries. The latest NIE (National Intelligence Estimate) on cyber espionage blamed China along with Russia, Israel, and France according to the Washington Post. And I'm sure that the list is longer than that.

What other actors (state or non-state) would you suspect of beingb ehind attacks like those described in the Mandiant report?

Russia does a lot of cyber espionage. So does France, Israel, Germany, Taiwan, and other nations. So do U.S. companies for that matter.

How would you rate the likelihood that the Chinese government/military was involved in the attacks detailed by Mandiant?

To the APT1 group that Mandiant reported on? I would say little likelihood the the PLA was involved.

It's worth noting that Carr is hardly pro-China — he has written that he believes the STUXNET virus was in fact a Chinese creation.

He also isn't alone in this new evaluation either. Writing on Naked Security, the blog of security firm Sophos, senior technology consultant Graham Cluley says he has doubts the hacking can be linked to the Chinese military too.

We asked Cluley to expand upon his doubts, and he responded:

I'm not specifically criticizing the Mandiant report. 

What I'm saying is that it's *very* difficult (if not near impossible without the assistance of the Chinese authorities) to *prove* that a particular organization was behind a hack, or that it was government backed. 

The easiest way to explain the problem is to describe something that we all see every day... spam. 

Spam is sent to your email account, probably every hour of every day. 

But it isn't sent from the spammers own computers. 

Instead, spammers use botnets of compromised computers around the world to relay their spam messages. 

These hijacked computers are unaware that they are sending junk emails on behalf of the spammers and that (in fact) the spammers could be doing much worse and stealing information from the compromised computers or installing malware.  

So, imagine you were a cybercriminal interested in hacking into a foreign government system. 

Would you connect directly from your own computer to the government PC you want to hack? 

Of course not.  You'd leapfrog your attack from hijacked computer to hijacked computer around the globe, covering your tracks, before finally hopping to your victim's PC. 

So, what's to say that the computers in a particular area of China haven't *themselves* been hacked and aren't being exploited by a hacker in - say - Belgium to make it look as though the attack originated in China? 

If investigators can't access the Chinese computers, they can't *prove* that those computers aren't under the control of someone  else. 

Now, having said that. 

We shouldn't be naïve. 

I am sure that China is using the internet to spy and hack. And in all likelihood these attacks *did* originate in China. 

But then I'm also sure that the Americans, the British, the French etc are doing the same.  Hey, didn't the Greeks come up with the idea of Trojan horses? :) 

(Separately, even if the attacks *did* originate in China, it's a whole different thing to prove that they were backed by the Chinese government.  There's also the scenario of patriotic hackers doing it without approval from the powers that be.  But again, lets not be naïve...)

It's tempting to blame China for the majority of hacks on the US on China — it provides a simple, easy narrative. Unfortunately, the takeaway from both Cluley and Carr is that we still don't know anything definitive and, more importantly, demanding a response from the US government is premature. Given how strongly China has responded to the accusations, it may also be problematic for US-China relations.



More From Business Insider
View Comments