Wednesday, February 20, 2013

Cyberwar Bureaucracies


"Mr. President, we must not allow... a mine shaft gap!" (Dr. Strangelove)

Is there a security professional who hasn't seen the Mandiant "APT1" paper?  If you haven't, I'm glad you recovered from your coma.  I recommend that you look it over, or at least read a good summary. It seems a bit long at 76 pages, but it's a quick and relatively easy read.

It's all available (the report, the video, lists of domains, MD5s of malware, ...) at: http://intelreport.mandiant.com/

Yeah, there's even a video.  It's a video capture of some of the hackers' screens while they're doing mundane hacker stuff (copying files, setting up proxies ...).  It's actually pretty boring, kinda like watching an axe-murderer take out the garbage.

I thought it was a fascinating paper. It provides yet another example of how far the security industry has come in the last 5 years.  Especially in terms of scale.  The industry has matured to the point that some companies can see the big picture in a way that those of us in the trenches can never hope to.  Mandiant was able to sift through tons of data, at hundreds of compromised customers, to draw the comprehensive picture they did in their report.  That's fairly new and it's not something I can do at my job or in my little lab, no matter how smart I am.

The most interesting parts of the report (to me) were the conclusions Mandiant draws regarding the size and organization of PLA Unit 61398 (the People's Liberation Army organization responsible for the attacks).  They suggest that Unit 61398 has a staff that numbers in the hundreds, perhaps even in the thousands.  Allegedly, Unit 61398 is so big they need their own 12-story building.  Mandiant goes on to claim that in order to support the scale of effort that they have observed, Unit 61398 needs a staff of programmers, system administrators, linguists, etc. ... not to mention the always requisite managers and financial personnel. :-)

Much as Stuxnet gave us a glimpse into just how technically sophisticated state-sponsored hackers are, this report highlights how hacking is becoming part of the bureaucratic landscape in some countries - with big budgets and big head-counts.  I think that's a new perspective, and a new way to think about the adversaries we face as security professionals.

So if you buy into this story (more on that below), what are the implications?  Well, for me, the primary implication is that China is certainly not alone.  If they have an organization of hundreds of folks dedicated to attacking just English-speaking targets, certainly other countries have similar organizations.  Which countries have both the capabilities and the need to conduct such an effort?  I'll leave it to you to draw up your own list, but I would suggest that any list start with the US and Russia.

Having waxed eloquent about how interesting this report is, it's important to keep in mind that Mandiant is making a bunch of assumptions when they come to their conclusions.  I think they're pretty up-front about what is fact and what is a deduction, but still.  For example, I didn't see anything which proves that Unit 61398 is using all 12 floors of "their" building, but Mandiant certainly seems to think they need the whole thing.

Here's a good posting by Jeffrey Carr, which raises some questions about this report:
http://jeffreycarr.blogspot.co.uk/2013/02/mandiant-apt1-report-has-critical.html

I'm not qualified to address his posting in detail (I'm not a trained intelligence analyst), but I certainly agree that what Mandiant has presented is not as rigorous as it could be.  BTW, I thought some of the comments to his posting were useful and worth reading as well.
