By: Andy Greenberg, Forbes Staff
Covering the worlds of data security, privacy and hacker culture.
In just the last week, the abbreviation APT1 has come to represent the bogeyman of digital espionage nightmares. On Monday, security response firm Mandiant released a report profiling a hacker group of that name–referring to it as Advanced Persistent Threat One–and providing detailed evidence that it represented the most active hacking unit within China’s People’s Liberation Army, one that’s compromised more than 141 private sector and government targets in seven years, 115 of which were American.
But if APT1 is the most prolific team of hackers in the Chinese military, it’s not necessarily the best. In fact, when I spoke with Richard Bejtlich, chief security officer at Mandiant and a well-known author and blogger on network security, he argued that APT1 is actually a relatively sloppy group of hackers, and that its mistakes were part of what allowed Mandiant to profile the unit in such detail. More than a dozen more elite groups of hackers likely operate within China’s military, says Bejtlich, groups that are both harder to track and harder to defend against.
I talked with Bejtlich about how APT1 measures up against other units in China’s military, how groups like it can be stopped, and about the “special forces” within China’s hacker corps that he says make APT1 look like amateurs. Here’s an edited transcript of our conversation.
Andy Greenberg: Reading your report, I was struck by the way that several of the hackers in the military unit you describe acted as if they were freelance or non-professional hackers, leaving their pseudonyms as signatures in the code of malware they wrote, for instance, and using personal email accounts. Does this show something about how China’s military is organized to give their best hackers lots of autonomy, or was this just organizational carelessness on the part of this group?
Richard Bejtlich: Lots of people have asked us how it’s possible these guys were logging into their personal email accounts, using their own social media accounts, and how were we able to trace them back to this building, all of these things. I think it just points to the feeling of invulnerability that they had [rather than an organizational principle.]
There are actors who we didn’t identify, who aren’t in APT1, who we do consider their rockstar hackers. They operate differently. They have a handler, just as in a spy operation. Those operators are more free to act independently, but have to report back to their handler. But that wasn’t the model for APT1.
So APT1 was actually more regimented rather than some sort of team of freelance hackers?
Well, they are a unit. But we were able to penetrate their practices with a decent amount of effort. Other units are more regimented and have better opsec [or operational security,] and that’s why we didn’t talk about them.
So you’re saying that you actually chose to highlight APT1 among the Chinese hacking teams you’ve seen not because they were the best, but because they were the most active and maybe the least careful, the easiest to track.
Yes. That’s sort of the conundrum here. They’re very active and very effective, and they can compromise many different sorts of victims, but if you become a harder target over the course of developing your security program, after a while APT1 is not going to have that much effect on you.
For example, they tend to have very sloppy phishing emails. We offered an example where they targeted us at Mandiant at one point and it didn’t work against us. There are indications that when they really need to get into a target, APT1 is not the group that’s going to be sent after you. They’re going to send another group.
So APT1 sounds like a high quantity attacker but not a high quality attacker.
I think that’s a fair assessment. They’re prolific, and sophisticated enough to get into many targets. But there are other incidents we’ve tracked where, if they needed the A-Team, they sent in other groups. If you need to get into [security firm] RSA for example, you send these other guys. You don’t send APT1.
No disrespect to our own Army, but I feel like APT1 is like the Army, and some of the other groups we track are more like special forces. The Army can get certain jobs done, but if you need something special you’re going to send in a special forces unit. And then there are groups that if you really need something and you need it fast, then you send in Hannibal, B.A. Baracus, the A-Team, the elite of the elite.
We don’t consider APT1 to be elite. We consider them to be successful and prolific. They got the job done against a lot of targets.
What can you say about those “A-Teams,” then?
We don’t have any other reports at this time. We decided to publish this one because we thought APT1 was at a maturity level that if we drop a ton of data on them and people acted on it, they’d have a hard time recovering. It could deliver a message and impact their capability. There are other groups where if we took a similar approach, not only would we sacrifice our ability to keep tabs on them, but we felt like they would be flexible and skilled enough to recover a lot more quickly. So at this point, we don’t have plans to release something similar for any other groups we track.
What characterizes those more skilled hackers? Do they have more zero-day exploits at their disposal, for instance, or better social engineering skills?
The main way I’d characterize them is speed. The best guys we see move fast. They operate on a time scale of minutes as opposed to hours, days or months. They do have more ability to write zero-day exploits. Their custom tools are better coded. They have better discipline and better execution. You see them making far fewer mistakes as they carry out their mission, and they seem to have better reconnaissance. Once they’re in, they know what they need and they go after it quickly.
APT1 also writes custom tools, but they would go through a kind of rapid development model with custom stuff instead of coding these very elegant custom tools that would last longer.
If APT1 can compromise 115 American targets and not qualify as elite, that implies that higher-level groups would be very, very difficult to stop.
Oh, yeah. I would say that any of the world’s elite hackers are unstoppable. It’s just a question of how fast you are versus how fast they are. That’s what it comes down to.
Within certain targets, if someone in the organization clicks a [malicious] link, there’s a CIRT [computer incident response team] who’s watching. As soon as they click the link and you see the C2 [command-and-control] go active, the CIRT shuts down the system, shuts down the port, or shuts off the C2, and you can frustrate the attack. That’s what makes a hard target, someone who quickly sees something and responds. I know organizations that do that on the order of minutes up to an hour, and that’s considered world class.
That’s a different security model, and not something many people recognize and are driving towards. Most organizations still use much more of a compliance model–put up enough walls and you’ll be ok–as opposed to a fast reaction model.
If APT1 is considered less than elite, how do they compare to the American hacker forces in the NSA or the U.S. Cyber Command?
Our best guys are better than APT1 for sure. But our best guys are probably the same as their best guys, who are the same as the Russians’ or the Israelis’ best guys.
How would you quantify the number of teams and hackers above APT1 in the hierarchy of the Chinese military?
As a rough guide of our characterization, we figure there are three different classes of groups we track out of a total number in the low twenties. About a third of the groups we consider low threat, a third are mid-grade, and a third, when we see these guys involved, it’s serious.
We have APT1 classified as “low” in our internal tracking, based on the tools they write, the efficiency of their operations, the size of their infrastructure, how effective they are, those sorts of things.
Do those higher level hacking teams have fewer targets?
My impression from our intel studies is that they’re used more sparingly and specifically. When you need X, you call this group, and they get X, and that’s all.
APT1 does have a shopping list. It’s not like Anonymous or something where they target whatever they can. They work their way down a list.
But unlike APT1, these other groups aren’t taking terabytes of information. It’s more like they just target a specific file or something like that. But we haven’t quantified how often that happens.
At the highest level units, how many hackers compose each unit?
I can’t really say. Some are units with significant numbers of people, hundreds. Others are small teams of agents who have handlers, as I said earlier. Smaller groups of double digits, or even a little less. Those guys have better opsec, though, so it makes it much harder to make those attributions.
So part of the reason you exposed APT1 was because you could, because they had bad operational security.
Yeah. We felt like we had a really good case to make against APT1, so we thought, let’s go ahead and do it.
With the publication of our report, I expect there to be some large changes to the way these guys operate. I think they’re going to tighten up their opsec. I think they’re going to say OK, you guys who blurred the line between the way you work at home and the way you work when you’re at work, you need to change that.
If APT1 will improve its operational security based on this report, do you really believe it was worthwhile to release it? Mandiant’s critics might say that the company is sacrificing a strategic advantage over these hackers in return for a marketing win.
We spent a lot of time debating the merits of releasing this report. It is true we feared there would be some loss of the ability to track this group. But overall we figured we could make a bigger impact by releasing these indicators [of APT1], putting them in the hands of defenders, and possibly degrade their activities. We felt that was more beneficial than simply sitting back and watching the fireworks.