FireEye hacked off at claim it hacked Chinese military's hackers
Allegation in book mistook RDP recording for real world action, company asserts
US security company FireEye has denied a claim aired in a new book that it hacked into laptops owned by Chinese military hackers.
It's common knowledge that prior to its acquisition by FireEye, the security concern Mandiant brought the Chinese operation known as APT1 undone. In its 2013 report, the company attributed espionage against 141 companies in 20 industries to APT1, in attacks dating back to 2006.
Its report said APT1 operated close to People's Liberation Army Unit 61398, and had similar “mission, capabilities, and resources”.
In 2015, responding to many requests from the USA, China arrested a number of hackers over the campaigns.
Mandiant kept its methods secret, and that left room for David Sanger, a New York Times correspondent, to make the sensational claim that it was a “hack-back” operation that included spying on the Chinese hackers via webcams in their compromised laptops. The allegation appears in his new book, The Perfect Weapon.
Not so, says FireEye. The company's refutation says “hack-back” techniques weren't used in Mandiant's exposure of APT1.
Here's what the company had to say:
"To state this unequivocally, Mandiant did not employ 'hack back' techniques as part of our investigation of APT1, does not 'hack back' in our incident response practice, and does not endorse the practice of 'hacking back'."
FireEye added that Sanger took part in releasing the original Mandiant report. So how did the author err?
Mandiant says it happened this way: “Included in the evidence we reviewed with Mr. Sanger at the time were videos of APT1 operators interacting with malware command and control servers (a.k.a. 'hop points'), including the operators' 'personal' web browsing (e.g. checking social media...etc.) on those systems.”
In briefing Sanger, the company said, it showed him this video:
If you don't have time to watch the video, here is the salient detail from the script:
“This series of videos shows a live APT1 Chinese threat actor conducting computer network espionage activities. We will see him take a variety of actions affecting real victims.”
The company's contention is that Sanger thought what he was seeing – someone creating a Gmail account, the attacker “dota” logging into one of his Gmail accounts, testing a Gh0st RAT command and control server, using another C&C, using the HTRAN connection bouncer, and so on – was captured by “looking over the hacker's shoulder”.
Its explanation is that the activities in the video were captured not by a hack on APT1 machines, but rather by watching activity from within the networks of APT1 victims – with the victims' consent.
“All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised,” FireEye claimed.
“The videos Mr. Sanger viewed were from Windows Remote Desktop Protocol (RDP) network packet captures (PCAP) of Internet traffic at these victim organisations. Mandiant has never turned on the webcam of an attacker or victim system”. ®
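FireEye's account, then, is that the footage came from RDP traffic recorded passively on victim networks, not from anything running on APT1's own machines. To make concrete what such a capture actually contains, the Python below is an added example written for this page: it is not Mandiant's or FireEye's tooling and is not derived from the real captures. It builds a small constructed pcap with hypothetical addresses (a victim host, two "hop points" and a web server, all fictional), then finds RDP session set-ups in it by the X.224 Connection Request/Confirm signature rather than by port, extracts the username the client sent in the mstshash cookie, and reports which security layer the server selected. Everything in the sample capture, including the cookie username "operator", is made up for the example.

```python
import struct
from collections import OrderedDict
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # little-endian microsecond pcap with Ethernet frames
RDP_PROTOCOLS = {0: "standard RDP security", 1: "TLS", 2: "CredSSP/NLA over TLS", 8: "RDSTLS"}
# ---- constructed sample capture: hypothetical hosts and sessions, not real APT1 traffic ----
def tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame; checksums stay zero because the parser never checks them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp + payload

def tpkt(tpdu):
    return struct.pack("!BBHB", 3, 0, 5 + len(tpdu), len(tpdu)) + tpdu   # RFC 1006 header + X.224 LI

def x224_cr(user, protocols):
    """Client Connection Request: fixed header, optional mstshash cookie, rdpNegReq (MS-RDPBCGR 2.2.1.1)."""
    cookie = b"Cookie: mstshash=%s\r\n" % user.encode() if user else b""
    return tpkt(struct.pack("!BHHB", 0xE0, 0, 0, 0) + cookie + struct.pack("<BBHI", 1, 0, 8, protocols))

def x224_cc(selected):
    """Server Connection Confirm carrying rdpNegRsp.selectedProtocol (MS-RDPBCGR 2.2.1.2)."""
    return tpkt(struct.pack("!BHHB", 0xD0, 0, 0x1234, 0) + struct.pack("<BBHI", 2, 0, 8, selected))

def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 1360000000 + i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))

VICTIM, HOP_A, HOP_B, WEB = "10.0.0.5", "203.0.113.10", "203.0.113.44", "198.51.100.7"
SAMPLE_PCAP = build_pcap([
    tcp_frame(VICTIM, HOP_A, 49160, 3389, x224_cr("operator", 0x3)),  # client offers TLS|HYBRID
    tcp_frame(HOP_A, VICTIM, 3389, 49160, x224_cc(0x0)),              # server picks standard RDP security
    tcp_frame(VICTIM, WEB, 49161, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # not RDP
    tcp_frame(VICTIM, HOP_B, 49162, 443, x224_cr(None, 0x1)),         # RDP on a non-default port
    tcp_frame(HOP_B, VICTIM, 443, 49162, x224_cc(0x1)),               # server selects TLS
])
# ---- passive parsing ----
def iter_frames(pcap):
    magic, _v1, _v2, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap is handled by this example")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", pcap, off)
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_payload(frame):
    """(src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    total_len, = struct.unpack_from("!H", frame, 16)
    tcp = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:14 + total_len]
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), sport, dport, payload

def parse_x224(payload):
    """(kind, cookie_user, protocols) for an RDP X.224 Connection Request/Confirm, matched by signature, not port."""
    if len(payload) < 11 or payload[0] != 3 or payload[1] != 0:
        return None
    tpkt_len, = struct.unpack_from("!H", payload, 2)
    li, code = payload[4], payload[5] & 0xF0
    if tpkt_len != len(payload) or li != len(payload) - 5 or code not in (0xE0, 0xD0):
        return None
    rest, user = payload[11:], None               # past LI and the 6-byte fixed X.224 header
    if code == 0xE0 and rest.startswith(b"Cookie: mstshash="):
        head, crlf, rest = rest.partition(b"\r\n")   # cookie carries the username the client typed
        user = head[17:].decode("ascii", "replace") if crlf else None
    protocols = None
    if len(rest) >= 8:                            # optional rdpNegReq (type 1) / rdpNegRsp (type 2)
        ntype, _flags, nlen, protocols = struct.unpack_from("<BBHI", rest, 0)
        if nlen != 8 or ntype != (1 if code == 0xE0 else 2):
            protocols = None
    return ("connection_request" if code == 0xE0 else "connection_confirm"), user, protocols

def find_rdp_sessions(pcap):
    """Pair each Connection Request with its Confirm, keyed by (client, server) endpoints."""
    sessions = OrderedDict()
    for frame in iter_frames(pcap):
        pkt = tcp_payload(frame)
        hit = parse_x224(pkt[4]) if pkt else None
        if hit is None:
            continue
        (src, dst, sport, dport, _), (kind, user, protocols) = pkt, hit
        client, server = ((src, sport), (dst, dport)) if kind == "connection_request" else ((dst, dport), (src, sport))
        s = sessions.setdefault((client, server), {"client": client[0], "server": server[0], "server_port": server[1],
                                                   "cookie_user": None, "requested_protocols": None, "selected_protocol": None})
        if kind == "connection_request":
            s["cookie_user"], s["requested_protocols"] = user, protocols
        else:
            s["selected_protocol"] = protocols
    return list(sessions.values())

if __name__ == "__main__":
    for s in find_rdp_sessions(SAMPLE_PCAP):
        print(f'{s["client"]} -> {s["server"]}:{s["server_port"]} user={s["cookie_user"]!r} '
              f'security={RDP_PROTOCOLS.get(s["selected_protocol"], "no Connection Confirm seen")}')
```

Two points a practitioner would take from running it. First, a passive capture at the victim organisation shows both endpoints of every RDP session plus the client-supplied cookie username, which is exactly the kind of evidence FireEye says it had. Second, the selectedProtocol in the Connection Confirm decides how much more the capture can yield: with standard RDP security (0) the rest of the stream is RDP's own encryption layer, whereas with TLS (1 or 2) the capture alone gives endpoints, timing and volumes, and rendering the operator's desktop as in Mandiant's videos would additionally require the session keys. Spotting the session is therefore only the first step of reconstruction, not the whole of it.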