<div dir="ltr"><font face="verdana, sans-serif">From Saturday's NYT article on the NSA owning Huawei:</font><div><font face="verdana, sans-serif"><br></font><div><font face="verdana, sans-serif">"<span style="color:rgb(51,51,51);line-height:23px">The N.S.A., for example, is tracking more than 20 Chinese hacking groups — more than half of them Chinese Army and Navy units — as they break into the networks of the United States government, companies including Google, and drone and nuclear-weapon part makers, according to a half-dozen current and former American officials."</span></font></div>
<div><font face="verdana, sans-serif"><font color="#333333"><span style="line-height:23px"><a href="http://www.nytimes.com/2014/03/23/world/asia/nsa-breached-chinese-servers-seen-as-spy-peril.html?_r=0">http://www.nytimes.com/2014/03/23/world/asia/nsa-breached-chinese-servers-seen-as-spy-peril.html?_r=0</a> </span></font><br>
</font></div></div><div><font color="#333333" face="verdana, sans-serif"><span style="line-height:23px"><br></span></font></div><div><font color="#333333" face="verdana, sans-serif"><span style="line-height:23px">Is anyone on this list really shocked by this? If we can so readily accept this, why is so hard to accept the APT1 attribution? Being younger, I'm not nearly as experienced in all of these domains, but it seems to a be salient question. In my eyes, APT1 is just that, one out of MANY. And yes, lets not forget it works both ways, as evidenced by the NSA's sheer ownage of the Chinese non-mil/gov targets.</span></font></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Mar 25, 2014 at 9:00 AM, Haroon Meer <span dir="ltr"><<a href="mailto:haroon@thinkst.com" target="_blank">haroon@thinkst.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hiya(s)<br>
<div class=""><br>
On Tue, Mar 25, 2014 at 4:27 AM, Dan Guido <<a href="mailto:dguido@gmail.com">dguido@gmail.com</a>> wrote:<br>
> This argument by Bejtlich really makes me angry and it's representative of<br>
> the way that we seem to deal with cyber attribution out in the open. There<br>
> are a lot of gaps in the APT1 report that make those not "in the know"<br>
> question the results. In my opinion, that kind of questioning is deserved.<br>
<br>
</div>Fwiw.. Marco Slaviero (<a href="mailto:marco@thinkst.com">marco@thinkst.com</a>) wrote up a snippet on our<br>
blog (and for our ThinkstScapes service) at the time highlighting some<br>
of those gaps and listed data that could have been used to help<br>
support the argument<br>
<br>
<a href="http://blog.thinkst.com/2013/02/thinkstscapes-2013-ah1-on-china-report.html" target="_blank">http://blog.thinkst.com/2013/02/thinkstscapes-2013-ah1-on-china-report.html</a><br>
<br>
-snip-<br>
The Mandiant APT1 report that was released a week ago has been causing<br>
some consternation, which makes it a ripe topic for our ThinkstScapes<br>
service. This morning, we issued an ad-hoc update to our customers<br>
containing our views of the APT1 report. In short, the data is<br>
interesting, but does not conclusively point to Unit 61938. There are<br>
too many open questions to justify the finger pointing.<br>
<br>
Take, for example, the markers released for the APT1 group. The report<br>
does not contain sufficient data to replicate the grouping of<br>
attackers bearing those markers into a single cohesive unit. By<br>
Mandiant's own admission the presence of a single marker is<br>
insufficient to tag an attacker as APT1, but thresholds are not<br>
provided for the number of markers required. In the end, it appears as<br>
if the classification boils down to an analyst's opinion, metrics are<br>
absent the public report. The entire report is founded on the notion<br>
that APT1 exists and is definable; should this not be the case, the<br>
report's raison d'être evaporates. Corroboration is needed in the form<br>
of convincing evidence.<br>
<br>
In addition, the conclusion that blames hacks supposedly originating<br>
from an area the size of Los Angeles on a military unit's building in<br>
same area is weak. In this regard, the press' use of the word<br>
"neighbourhood" to describe Pudong is misleading. Today's ad-hoc<br>
update examines these and other issues in greater detail, and extracts<br>
the bits we believe matter for corporates.<br>
<br>
To be clear, we do not defend China or absolve it from hacking or<br>
espionage; we have little doubt that it conducts such operations as,<br>
presumably, do the US and other sufficiently resourced nations. Permit<br>
me to repeat this: we are not saying the Chinese government does not<br>
hack the US. Our concern is with this specific report; it is the first<br>
concrete public attribution of ongoing espionage against the US, and,<br>
if the report sets the standard for attribution, future events will be<br>
highly muddled as competing hypotheses all meet the low standard set<br>
out in Mandiant’s APT1 report. Unfortunately it seems that contrary<br>
opinions are being subjected to a level of diatribe usually reserved<br>
for arguments of faith, not facts.<br>
<br>
Part of the problem is that there is appears to be an information<br>
differential, in which a number of folks with apparent non-public<br>
information are saying "it's totally legitimate", while those without<br>
the information are saying "this does not follow". Mandiant can help<br>
the APT1 debate by releasing more data to reduce this differential,<br>
specifically:<br>
<br>
- Is there further evidence that ties the subset of observed IP ranges<br>
to the Unit 61398 Pudong building apart from a WHOIS record? (Note<br>
that the fibre infrastructure was provided by a different company than<br>
the listed owner of the IP ranges.)<br>
- The number of attacks that would be classified as APT1, except for<br>
the fact that their sink address (e.g. HTRAN receiver) was NOT in<br>
Shanghai. What is the method for arriving at this conclusion? Phrased<br>
differently, how much weighting does a Shanghai IP address have in the<br>
APT1 cluster?<br>
- A timestamped listing of known APT1 connections with their<br>
associated IP addresses, which would show us the activity levels of<br>
APT1.<br>
- Metrics showing how many of the APT1 markers are shared with other<br>
groups under observation, and to what degree? (i.e. what is the<br>
overlap of domains, address blocks and malware hashes across the<br>
various groups?)<br>
- How many more profiles of APT1 members were discovered, and what<br>
confidence does Mandiant hold in them? It seems strange that such a<br>
large group with such poor opsec has not leaked many more profiles.<br>
- What is the mapping between APT1-associated domain names and IP<br>
addresses at the time of observation?<br>
- What confidence level is assigned to the APT1⇿Unit 61938 link claim?<br>
- By what reasoning does Mandiant eliminate an explanation for the<br>
attack pattern that argues for small non-government teams operating in<br>
a loosely connected fashion rather than a cohesive and directed group<br>
of operators with a common approach?<br>
<br>
These debates are important going forward. Putting aside patriotism<br>
and pride, there are important questions which remain to be asked<br>
about the attribution of online attacks, and the danger in jumping to<br>
conclusions is that, when the shoe is on the other foot, equally weak<br>
claims are possible by an opponent. Hopefully any forthcoming<br>
additional data will settle these questions and we can get back to our<br>
regularly scheduled navel-gazing.<br>
-snip-<br>
<br>
/mh<br>
<span class="HOEnZb"><font color="#888888">--<br>
Haroon Meer | Thinkst Applied Research<br>
<a href="http://thinkst.com/pgp/haroon.txt" target="_blank">http://thinkst.com/pgp/haroon.txt</a><br>
Tel: <a href="tel:%2B27%2083%20786%206637" value="+27837866637">+27 83 786 6637</a><br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</div></div></blockquote></div><br></div>