RSA 2013: China not the only cyber espionage country, says Mandiant

China is not the only country carrying out large-scale cyber espionage, says US cyber security firm Mandiant.

“We are seeing other countries carrying out similar activities,” the company’s chief Kevin Mandia told attendees of RSA Conference 2013 in San Francisco.

On 18 February, the firm published a report that identified a secretive branch of China's military based in Shanghai as one of the world's "most prolific cyber espionage groups".

The report, based on seven years of surveillance, said Chinese military Unit 61398 has "systematically stolen hundreds of terabytes of data" from at least 141 organisations around the world.

“We have been criticised for picking on China, for focusing on a single country, for ruining intelligence operations and publishing the report just before the RSA conference as a publicity stunt,” said Mandia.

But, he said, although the company had decided to go public with the report because private companies were becoming intolerant of Unit 61398’s activities, the exact timing was not determined by Mandiant.

“We are working with law enforcement authorities and there are a lot of considerations that determine the timing of such things that are out of our hands,” said Mandia.

He denied that his company was picking on China. “We do not focus on anyone, we just go where the intrusions are,” he said.

Mandia rejected the assertion that the country of origin is irrelevant. “It does matter to business; they want to know who is attacking them, why, and what is being targeted,” he said.

Mandia said there was little danger that the report compromised other intelligence activities as the group is well known in the intelligence community.

Within a week of the report’s publication, Unit 61398 began using alternative infrastructure, said Marshall Heilman, an incident responder at Mandiant.

“Their immediate response was to ‘park’ [decommission] some of the domains they were using, which would effectively render some of their malware useless,” he said.

As might be expected from a military operation, Mandia said there was no panic. “They simply moved infrastructure, but we were pushing and forcing some cost, which means we are starting to gain some control rather than just getting hit,” he said.

The group quickly changed its registration details in the Whois database, replaced backdoors, and cleared its working and staging directories.

Mandia said the group had masqueraded as him in the past in an attempt to send exploits to employees and he believed that Unit 61398 may attempt to destroy the evidence Mandiant has gathered.

“If we get compromised, I will go public about it and with whatever we learn from that,” he said.

Mandia said the report was the most comprehensive sharing of threat intelligence with the private sector to date.

“I won’t say that the way we did it was perfect, but it was a start and in future we will use standard threat intelligence formats to expedite distribution of actionable information,” he said.
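The article mentions standard threat intelligence formats and, earlier, that the group parked some of its domains within a week of publication. The following added example (not code from the article, Mandiant or the report) shows what that looks like on the consuming side: indicators for command-and-control domains are packaged as STIX 2.1 indicator objects with a validity window, so that a domain the adversary has decommissioned can be expired rather than left to generate stale alerts, and a consumer matches the bundle against DNS resolver logs. All domains, client addresses and log lines are constructed placeholders, and only the simple single-domain STIX pattern form is parsed.

```python
"""Build STIX 2.1 domain indicators and match them against DNS logs.

Added illustration; the domains, timestamps and log lines below are
constructed placeholders, not indicators from any published report.
"""
import re
import uuid
from datetime import datetime, timezone

# Constructed DNS resolver log lines: "<timestamp> <client ip> <queried name>".
SAMPLE_DNS_LOG = """\
2013-02-20T10:01:02Z 10.0.0.15 c2-example-one.test
2013-02-20T10:01:09Z 10.0.0.22 updates.example.test
2013-02-20T10:02:33Z 10.0.0.15 c2-example-two.test
2013-02-27T08:15:00Z 10.0.0.40 c2-example-one.test
"""

# Only the simplest STIX pattern form is supported here: [domain-name:value = '...']
PATTERN_RE = re.compile(r"^\[domain-name:value = '([^']+)'\]$")
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_indicator(domain, valid_from, valid_until=None):
    """Return a STIX 2.1 indicator object for one suspected C2 domain.

    valid_until is how a producer says "this domain was parked or
    decommissioned after this date", so consumers stop alerting on it.
    """
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"Suspected C2 domain {domain}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{domain}']",
        "pattern_type": "stix",
        "valid_from": valid_from,
    }
    if valid_until:
        obj["valid_until"] = valid_until
    return obj


def make_bundle(indicators):
    """Wrap indicator objects in a STIX 2.1 bundle for distribution."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators}


def parse_iso(ts):
    return datetime.strptime(ts, ISO_FMT).replace(tzinfo=timezone.utc)


def match_dns_log(bundle, log_text):
    """Return (timestamp, client, domain) tuples for log lines that query an
    indicator domain inside that indicator's validity window."""
    watch = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m:
            continue  # richer patterns would need a real STIX pattern engine
        start = parse_iso(obj["valid_from"])
        end = parse_iso(obj["valid_until"]) if "valid_until" in obj else None
        watch[m.group(1).lower()] = (start, end)

    hits = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        window = watch.get(qname.lower().rstrip("."))
        if window is None:
            continue
        when = parse_iso(ts)
        start, end = window
        if when >= start and (end is None or when < end):
            hits.append((ts, client, qname))
    return hits


def demo():
    """Two constructed indicators: one expired after the domain was parked."""
    indicators = [
        make_indicator("c2-example-one.test", "2013-02-18T00:00:00Z",
                       valid_until="2013-02-25T00:00:00Z"),
        make_indicator("c2-example-two.test", "2013-02-18T00:00:00Z"),
    ]
    bundle = make_bundle(indicators)
    return bundle, match_dns_log(bundle, SAMPLE_DNS_LOG)


if __name__ == "__main__":
    _, found = demo()
    for hit in found:
        print("indicator hit:", *hit)
```

The query on 27 February for the parked domain is not reported, because the indicator's validity window ends on 25 February; the point is that an intelligence feed needs a lifecycle (valid_until or revoked) and not just a growing list of domains, otherwise the consumer keeps alerting on infrastructure the adversary abandoned after exposure.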

The Mandiant report was published within days of US president Barack Obama’s State of the Union address, in which he highlighted concerns about cyber threats against critical infrastructure.

The address came on the same day that Obama signed a long-awaited executive order requiring federal agencies to share cyber threat information with private companies.

The order also requires the creation of a cyber security framework aimed at reducing risks to companies providing critical infrastructure.

The concern is that once attackers gain access to key networks, they could cause physical damage to the infrastructure that the computers control before any intrusion is detected.