Mandiant's APT1 report landed on Tuesday, three days ago, and is the most operationally substantial piece of public attribution work the security industry has produced. Seventy-six pages of evidence, three thousand indicators of compromise, names of seventeen operators, photographs of the building in Shanghai (12 Datong Road, Pudong) at which People's Liberation Army Unit 61398 is alleged to have been operating an industrial-espionage campaign against approximately a hundred and forty US, UK, and other Western organisations since 2006. The technical depth of the report is what I am still working through; the structural significance of the report is what I want to write down first.
The structural significance is that we now have an attribution framework that does not stop at "this is a state actor". Mandiant have done seven years of patient evidence-gathering — through victim engagement, through observation of operator infrastructure, through linguistic analysis of operator-written code, through correlation of operational tempo with Beijing working hours and Chinese national holidays — and have produced a body of evidence that survives the scrutiny that public attribution has historically not been able to. The honest conclusion from reading the report is that PLA Unit 61398, occupying the building Mandiant identify in Pudong with the personnel composition the report describes, is more or less certainly the operator behind the family of activity Mandiant have been tracking as APT1 for seven years. This is a claim that the security industry has, for at least a decade, gestured towards in the form of "we think this is China". Mandiant have replaced "we think" with "we have evidence".
The report is also the most aggressive piece of public attribution any commercial security firm has done. Naming the building, naming the operators (UglyGorilla, DOTA, SuperHard), publishing the YouTube videos of operator screen captures, releasing the indicator set in machine-readable form — all of this is unprecedented at this scale. The political implications are non-trivial. Mandiant are based in Alexandria, Virginia, with a substantial US-government client base; the publication will have been cleared by senior people who understood it was going to produce diplomatic friction with Beijing. The Chinese Ministry of National Defence denied involvement at a press conference yesterday; the State Department response is more measured but is, in private circles, treated as broadly accepting of the Mandiant findings. The security industry's relationship with state actors will look different from this point forward.
The operational implications for the engagement work I do are sharper than the geopolitical implications. The three thousand indicators of compromise that Mandiant published — domain names, IP addresses, file hashes, malware family signatures, command-and-control patterns — are now in every threat-intelligence feed including the Emerging Threats free feed we use at the SOC. The detection content I have been writing for the Hedgehog SOC is being updated this week to incorporate the APT1 indicators where they overlap with the categories I described in the detection-content piece from July. The indicators are useful but the more substantive contribution of the report is the methodological exposition — the report describes the APT1 operational chain at the level of detail that lets defenders build detection for the methods rather than just for the named indicators. This is what attribution-quality threat intelligence looks like when it is done well, and I have not previously seen it published at this depth by anyone outside government.
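As an added illustration of the indicator-matching side of that work, here is a small matcher of the kind a SOC runs over its own DNS, proxy and file-hash telemetry. It is example code written for this post, not Mandiant's tooling and not the Hedgehog detection content. The indicator set and the log lines are constructed placeholders: the domains use the reserved `.invalid` TLD, the IPs come from the RFC 5737 documentation ranges and the hash is of a throwaway string, so none of them is an APT1 indicator. The `key=value` log format is an assumption made for the example.

```python
import hashlib
import ipaddress

# Constructed placeholder indicator set (NOT APT1 indicators): .invalid
# domains, RFC 5737 documentation IPs, and a hash of a throwaway string.
SAMPLE_HASH = hashlib.sha256(b"constructed sample dropper").hexdigest()
INDICATORS = {
    "domains": {"c2-example.invalid", "update-check.invalid"},
    "networks": {"192.0.2.0/24", "198.51.100.7/32"},
    "sha256": {SAMPLE_HASH},
}

# Constructed log lines in an assumed key=value format; line 5 goes to a
# documentation-range IP that is deliberately NOT in the indicator set.
SAMPLE_LOGS = [
    "ts=2013-02-21T09:14:02Z type=dns src=10.0.5.21 qname=mail.c2-example.invalid",
    "ts=2013-02-21T09:14:03Z type=proxy src=10.0.5.21 dst=192.0.2.44 port=443",
    "ts=2013-02-21T09:20:10Z type=dns src=10.0.5.30 qname=www.example.org",
    "ts=2013-02-21T09:25:51Z type=file host=ws-021 sha256=" + SAMPLE_HASH.upper(),
    "ts=2013-02-21T09:31:00Z type=proxy src=10.0.5.30 dst=203.0.113.9 port=80",
]


def parse_kv(line):
    """Split a 'k=v k=v' log line into a dict; tokens without '=' are ignored."""
    rec = {}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
    return rec


def domain_hit(name, domains):
    """Match the indicator domain itself or any subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def ip_hit(addr, networks):
    """Match an address against CIDR indicators; non-IP strings never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def match_indicators(lines, iocs=INDICATORS):
    """Return (line_no, indicator_type, matched_indicator) for every hit."""
    networks = [ipaddress.ip_network(n) for n in iocs["networks"]]
    hashes = {h.lower() for h in iocs["sha256"]}
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_kv(line)
        if "qname" in rec:
            d = domain_hit(rec["qname"], iocs["domains"])
            if d:
                hits.append((n, "domain", d))
        if "dst" in rec:
            net = ip_hit(rec["dst"], networks)
            if net:
                hits.append((n, "ip", net))
        if "sha256" in rec and rec["sha256"].lower() in hashes:
            hits.append((n, "hash", rec["sha256"].lower()))
    return hits


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOGS):
        print(hit)
```

Two details matter in practice and are easy to get wrong: domain indicators have to match subdomains (a feed entry for a registrable domain should catch `mail.` in front of it) and hashes have to be compared case-insensitively, since different tools emit upper- and lower-case hex. Network indicators are handled as CIDR ranges so a /32 and a /24 entry go through the same path.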
The narrower question for my own clients is whether they are in the APT1 target set. Mandiant's victim list is not fully published — they have anonymised most victims for the obvious reasons — but the industry breakdown is. Aerospace, defence, technology, telecommunications, energy, financial services, media, professional services, transportation. Approximately a hundred and forty organisations across twenty industries. Several of my secondment clients are in industries on that list. The question I am working through this week is whether to advise the affected clients of a "we are likely in scope for the kind of activity APT1 has run" framing, with all the caveats that this is not the same as "we have evidence APT1 has compromised us". The honest answer is yes; the practical conversations are in progress.
The wider point that I have been making in the privacy-and-encryption methodology piece is sharpened by the APT1 report. The threat model has to include sustained, patient, well-resourced state-grade activity against organisations that are not government, not military, not even adjacent to military. APT1's targets include law firms — Mandiant identify intellectual-property-focused law firms in particular — and that is the part of the report that I will be talking through with Browne Jacobson in the next fortnight. The legal sector in 2013 is operating on a threat model that is, on present evidence, materially behind what the threat actually looks like. The APT1 report is the public reference point that may finally make this conversation tractable.
The defensive answer is the same answer as the one I have been writing for two years. Comprehensive monitoring with detection content tuned to APT-shape methods rather than to named indicators. Encrypted communications for sensitive material. Privileged-access compartmentalisation. Off-network archives for the highest-value documents. Endpoint detection that catches the post-exploitation phase even when the entry phase has succeeded. None of this is novel. What APT1 changes is the political coverage for arguing the case at the board level — the public attribution makes the threat concrete in a way that "we think you are at risk from sophisticated actors" did not.
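The first item on that list, detection tuned to methods rather than named indicators, is the one that survives an operator changing domains and hashes. As an added example written for this post (not code from the original piece, from Mandiant or from any SOC tooling), the following flags command-and-control beaconing purely from timing: an internal host that contacts one external destination at near-constant intervals, regardless of what that destination is. The proxy log format (`timestamp src dst`), the two hosts and the destinations are constructed; the destinations are again RFC 5737 documentation addresses, not real indicators. The thresholds (`min_events`, `max_cv`) are assumptions to be tuned per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_logs():
    """Constructed proxy log: one beaconing pair, one irregular browsing pair,
    and one pair with too few events to judge. Destinations are RFC 5737
    documentation addresses, not real indicators."""
    start = datetime(2013, 2, 21, 8, 0, 0, tzinfo=timezone.utc)
    series = {
        # ~300 s cadence with small jitter: the shape of a beacon
        ("10.0.5.21", "198.51.100.7"): [300, 302, 298, 305, 297, 301, 299],
        # bursty, human-shaped browsing to a single site
        ("10.0.5.30", "203.0.113.9"): [5, 140, 2, 900, 33, 7, 410],
        # too few events to say anything
        ("10.0.5.40", "192.0.2.80"): [600, 600],
    }
    lines = []
    for (src, dst), gaps in series.items():
        t = start
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {src} {dst}")
        for g in gaps:
            t += timedelta(seconds=g)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {src} {dst}")
    lines.sort()  # logs arrive interleaved in time order
    return lines


SAMPLE_LOGS = build_sample_logs()


def parse_proxy_line(line):
    """Parse the assumed '<iso-timestamp> <src> <dst>' format."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst


def find_beacons(lines, min_events=6, max_cv=0.2):
    """Return {(src, dst): (event_count, median_gap_s, cv)} for every pair whose
    inter-connection gaps are regular enough (coefficient of variation <= max_cv)
    and frequent enough (>= min_events) to look like scheduled check-ins."""
    by_pair = defaultdict(list)
    for line in lines:
        t, src, dst = parse_proxy_line(line)
        by_pair[(src, dst)].append(t)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = (len(times), statistics.median(gaps), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for pair, (count, median, cv) in find_beacons(SAMPLE_LOGS).items():
        print(f"{pair[0]} -> {pair[1]}: {count} events, ~{median:.0f}s cadence, cv={cv}")
```

The coefficient of variation is what makes this indicator-independent: a 5-minute beacon with a few seconds of jitter scores near zero, human browsing to the same site scores well above any sensible threshold, and the destination address plays no part in the decision. In a real deployment the pair key would include the destination port and the analysis window would be bounded, and the output would feed a triage queue rather than an alert on its own, since software update checks beacon too.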
The next post will probably be the Spamhaus DDoS that the security-research community has been hearing rumours about for the past fortnight — there is a substantial campaign building against Spamhaus and the volumes I am hearing are unprecedented — or whatever falls out of the continuing APT1 reactions. The Mandiant report is going to dominate practitioner conversations for several weeks regardless.