Related Articles Commentary Paper SIIS Report
Jan 06 2014
Who Lied About Chinese Hackers?
By Lu Chuanying
On February 19,cyber security firm Mandiant was the front-page news around the world, a shocking report by this U.S. Company alleged Chinese military cyber espionage troops conducted hacking activities to steal commercial secrets with government support.

The most impressive part of the report was its claim that a 12-story building on Datong Road, in the Pudong New Area of Shanghai, was the headquarters of China’s most important hacker unit. The report even named it as Unit 61398 attached to the General Staff Headquarters of the Chinese people’s Liberation Army (PLA).
Yet, how reliable was the report? Did Mandiant find evidence of Chinese troops launching cyber-attacks?A careful reading reveals the so-called evidence was all unverifiable. This raises doubts was the company’s motive to maintain order in cyberspace as it claimed? Or did it have other intentions?

In fact,experts were unimpressed by the professionalism of the Mandiant report. The report had a strong political flavor and, onesuspects, it served the commercial interests of the company. The 74-page report, titled “APT (Advanced Persistent Threat): Exposing one of China’s Cyber Espionage Units”, had about 60 pages of main content. It used almost 20 pages to show how they concluded a PLA unit codenamed 61398 was stationed in the Pudong New Area, with the “evidence” they collected on the internet.

However,all the “evidences” they provided was a scanned copy of a construction document of China Telecom and some information they found on Google. Mandiant had no shame about using unverifiable evidence to reach its conclusions, rather,it wantonly played up the importance of the military unit in the PLA,drawing attention to it with a large PLA emblem.This was more like the work of an advertising company rather than a prudent cyber security company.

The second part was more redundant.The report provided a detailed introduction of the APT attack tactics.In fact,this was just fundamental cyber security knowledge.Most hacker use such methods.Then Mandiant repeatedly asserted that it was done by the PLA,deliberately misleading readers.

The third part was the key section,but the report failed to provide powerful evidence to prove that what they had been tracking for years was unit 61398.What they could confirm was that they found some IP addresses from the Pudong New Area that were linked to some cyber-attacks.This was deemed to be conclusive.

The logic of Mandiant’s report was quite simple.First,they collected some typical cyber-attack cases and,after analysis,found similar methods were used and were related to some IP addresses from Shanghai’s Pudong.Second,when tracking some cyber-attacks,they found the intruders used the operation systems in simple Chinese and keyboards with Chinese.Finally,unit 61398 attached to the General Staff Headquarters is in the area and is believed to have a strong force of experts and can get support from internet service providers under the excuse of national defense security.Given the above factors,Mandiant concluded unit 61398 was the source of the attacks.

The report relied on supposition instead of verification in two key aspects.First,it did not confirm the IP addresses were from the 12-story Pudong it claimed.The author of the report did not have basic knowledge of the area,which has a population of several million,and more than 10,000 firms in finance,trade,commerce,computing and communication.The ability in computer security of any company was at least as strong as that of the cyber espionage force that they fabricated.Second,Mandiant did not prove the IP addresses linked to the attacks were the source of attacks.In fact,the IP addresses might well be victims,too.They might have been controlled by other computers and became zombie computers.This is a very common practice in cyber-attacks.Cyber space is different to reality.Crossing a border takes a mere second in cyber space.Hackers often use a large number of zombie computers as gangways when launching attacks,making it very difficult to find the original source.Therefore,it was far-fetched to conclude that attackers were Chinese just from the operation system and keyboards with Chinese characters.

Mandiant also claimed three Chinese hackers were identified.No evidence showed the three “hackers” belonged to the PLA.They were more like three computer enthusiasts with general technical skills.

Mandiant was just a small to medium-sized cyber security company. In terms of strength, it was not comparable to Symantec or McAfee. To make a name for itself, Mandiant was not prudent in its behavior.

Even in the United States, some people gave a snort of contempt at Mandiant’s self-proclaimed exposure of Chinese military hackers. Jeffrey Carr, the founder and CEO of Taia Global, said that according to Mandiant’s logic, hackers are equal to China. If a company suffers a hacker attack, then it has fallen victim to the Chinese government.

Yet, this report, which was not very professional and drew a conclusion without strict verification, caused an international stir. In fact, the report was the latest example of media hype over a “Chinese hackers threat”. On January 30, the New York Times said the newspaper’s computers suffered continuous attacks from Chinese hackers. The second day, the Dow Jones, publisher of the Wall Street Journal, claimed it was also a victim. Three days later, the Washington Post joined the chorus, alleging a cyber-attack in 2011 was possibly launched by Chinese hackers.

In some Western media reports, Chinese hackers seem “omnipotent”, allegedly stealing information about advanced U.S. fighter jets, infiltrating the electrical computing network of the U.S. Defense Department, threatening to launch a “cyber Pearl Harbor”. In 2011, the New York Times reported it had found a Chinese hacker base in a vocational school in Shandong Province.

It is remarkable that in Mandiant’s report, unseen hands were manipulating all of this. Open data showed Mandiant had close relations with the U.S. government and the military. Several of its leaders had military backgrounds. Its business also covered government and military departments a great deal.

Prior to the release of the report, Google, the New York Times and others blamed the Chinese government for cyber-attacks against them. After the release, some people in the U.S. Congress played up the so-called China cyber security threat. Their intention was clear: to tarnish China’s international image. It also created a dangerous atmosphere to pander to political and commercial interests.

Playing up the China threat has been a common tactic of U.S. domestic interests groups to obtain government contracts and procurement. With these media reports about China, the U.S. has accelerated development of its cyber warfare program. In fact, the U.S. has been working on cyber warfare for a long time. In 2002, then President George W. Bush signed National Security Presidential Directive No.16, which called for national guidelines for using cyber warfare as a weapon. The U.S. later created its first cyber warfare military unit. According to the Washington Post, the Pentagon had approved an expansion of its cyber security force from 900 personnel to a massive 4,900 military and civilian staff over the next few years, despite cuts to the national defense budget.

Prior to the approval of the annual national defense budget by the U.S. Congress, Mandiant released its report targeting China. This just reflected common practice.

The Chinese Military Has Never Supported Any Hacker Attack

Chinese laws ban any acts that caused damage to cyber security, including hacker attacks, according to Geng Yansheng, spokesman for China’s Ministry of National Defense.

The Chinese government had been firmly cracking down on such crimes and the Chinese army had never supported any hacking activities, Geng said.

China had been a major victim of cyber-attacks, Geng said. Chinese military end users connected to the Internet frequently come under cyber-attack from abroad. Source IP addresses suggested Chinese military websites were attacked an average 144,000 times a month in 2012 by foreign hackers, with 62.9 percent of attacks coming from the United States, Geng added.

“But we do not point fingers at the United Sates based on these findings. Every country should deal with cyber security in a professional and responsible manner,” Geng said.

China had consistently attached great importance to international cooperation to jointly crack down on cybercrime. The Chinese Ministry of Public Security had assisted more than 50 countries and regions in investigating some 1,100 cases of cybercrime since 2004.

China had established bilateral law enforcement cooperation with more than 30 countries, including the United States, Britain, Germany and Russia. China had also signed judicial cooperation contracts with many countries and had relatively improved mechanisms to fight cybercrime and hacker attacks.

As to criticism from foreign leaders and media outlets, China would like to resolve issues through joint law enforcement cooperation and consultations with other countries.

Lodging one-sided media accusations would not help solve problems, but only jeopardize existing cooperation, Geng said.

Source of documents:China Armed Force