Mandiant gains instant fame after Chinese hack report
But report also raised questions about how the report was rolled out, and whether information could have been made public earlier
February 21, 2013 — CSO — Mandiant's release on Tuesday of a mother lode of information on Chinese hacking efforts could turn out to be a financial mother lode for the company itself.
Mandiant, founded in 2004, was well known in Internet security circles for cybercrime response and forensics before this week. But by the end of the day of the release of its 60-page report on what it said was proof of efforts by a Chinese military unit to hack into 141 businesses, most of them in the U.S. -- it was one of the highest-profile security companies in the world.
The report, titled "APT1: Exposing One of China's Cyber Espionage Units," led mainstream television network news broadcasts on Tuesday evening, and was featured on everything from National Public Radio to tech journals and blogs. Company founder Kevin Mandia, a retired Air Force officer, was interviewed by multiple media outlets.
The timing could be very good for Mandiant. Several security experts said they think it will go public sometime this year, although Mandiant CSO Richard Bejtlich would not comment on that. And, as Anne Flaherty of the Associated Press put it in an explainer on the company, the report "puts Mandiant front-and-center at a critical time on a national debate about cybersecurity. Its founder [Mandia] testified earlier this month to the House Intelligence Committee on hacking threats."
But it also raised questions about how the report was rolled out, and whether the information it collected could have been made public earlier, to assist companies that may have been hacked by APT1 or "Unit 61398" of the Chinese People's Liberation Army, but were not among Mandiant's clients. Mandiant has been tracking APT1 and other such groups in China since 2006.
The company suggested in its report that the targets of APT1 likely went well beyond its clientele. "The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted," the report said.
But Bejtlich told CSO Online on Wednesday that Mandiant has issued public reports consistently on advanced persistent threats (APT). He said the firm's January 2010 M-Trends report specifically addressed them.
The difference in this report, he said, was that it finally felt confident enough to name a specific Chinese group, with government sponsorship, as the source of a large group of attacks. "We believed we had a really good case," he said.
Chester Wisniewski, a senior security adviser at Sophos, said that Mandiant, as a private, for-profit enterprise, doesn't really owe anyone anything. "They are entitled to share what they please," he said.
"It isn't exactly news to those of us in the business of protecting businesses from these types of attacks," he said, aside from the attribution to as specific team in China. "Most of the malware samples were already being detected by our antivirus and I presume the same to be true for others."
Bejtlich said Mandiant felt the timing of the report's release was good for two other reasons. "This is a time when there is a real push for security," he said. "The president just signed an Executive Order, our CEO had just testified on intelligence sharing and there are bills coming [in Congress on cybersecurity.]"
He added that there has been some frustration in the security community about the administration's apparent unwillingness to confront China. He said having White House Press Secretary Jay Carney talking about, "speaking to the Chinese in the most serious tones," is not enough. "We're here to play a part, and we wanted to present the evidence."
Bejtlich said Mandiant felt that this Army unit in particular would be particularly damaged by this. "We don't think they can pivot quickly to backup plan. This was an attempt to make life difficult for the adversary."
Gary McGraw, CTO of Cigital, suggested another possible reason. "I think the Chinese goaded them into it," he said, noting that Chinese officials, in denying any involvement with the hack of The New York Times, said it was "unprofessional" to make the accusation "without any conclusive evidence."
"They probably figured, 'OK, we'll show you some evidence,'" McGraw said.
There are also questions about the comingling of media strategy with Mandiant's commercial interest. The New York Times had hired Mandiant in January to trace an attack on the computers of reporters and other employees following the newspaper's stories on the financial dealings of China's Premier Wen Jerboa.
Mandiant then allowed The Times to break the story on its APT1 report by providing it with an advance copy, allowing time for reporters to "test the conclusions with other experts, both inside and outside government," and providing advance interviews with company leaders. The Times published its story Monday, a day before the official release of the report.
The newspaper acknowledged in its story that while Mandiant is not now working for the Times, "it is in discussions about a business relationship."
Bejtlich acknowledged that the relationship developed between Mandiant and The Times during the investigation of the newspaper hack led to the coordination of a story in The Times on the release of the report.
That is normal, Chester Wisniewski said. "It isn't unusual to prefer your customers when it comes to these things," he said.
"It was mutually beneficial," Bejtlich said. "We were not in a position to talk to others in the intelligence community, but The Times could." He added that Mandiant felt this was the best way to give the report as much exposure as possible.
He acknowledged that some other media outlets scooped by The Times, were upset. "And I'm totally sympathetic to that," he said.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
Other stories by Taylor Armerding