
Wednesday, February 20, 2013

PLA hackers case revisited - who calls the shots in China?

The PLA building in Shanghai
Outside observers too often see China as a one-party state with a top-down government. Once you live in China, or have been there a while, things look a bit more complicated: internal divisions, infighting, if not outright factional wars, run deep. Without an eye for those differences between government bodies, you may never really understand China.
So, when the Chinese Ministry of Foreign Affairs came out with a firm denial of China's hacking efforts after the US security firm Mandiant published its report, I could not help but smile a bit. In a crisis, the Ministry of Foreign Affairs is the last to be informed; it often has to rely on domestic and international media to find out what is really going on. The denial by the Chinese Ministry of Defense sounds slightly more convincing, although China's government bodies have no good tradition of informing each other. There is a fair chance the New York Times report on the country's hacking efforts came as a surprise to the leadership in Beijing too, not only to the Ministry of Foreign Affairs.

As a reminder, a relatively recent incident illustrates my point. Just hours before US Secretary of Defense Robert Gates was due to meet President Hu Jintao during a visit to Beijing in January 2011, China's military conducted the first test flight of a stealth fighter. While US diplomats initially read this as the Chinese leadership putting pressure on the talks in Beijing, they found out that their Chinese counterparts, including Hu Jintao, did not even have the information on the test flight. Hu Jintao was then the top commander of the PLA, yet even he had not been told about the flight.
Perhaps the PLA leadership wanted to make a point? But to whom? To the US, or to their comrades in Zhongnanhai, China's political center? Or perhaps there was no point at all, and the PLA simply did not have the high-level talks on its radar. We may only find out when some of the real decision makers write their memoirs.

The problem with the much-quoted Mandiant report is that, while it comes closer than ever to linking hacking efforts to China's military, it still fails to produce a smoking gun. Yes, the IP addresses it found are linked to a neighborhood in Pudong, Shanghai, where the PLA-related offices of APT1, or PLA Unit 61398, operate. But even an amateur hacker like me knows that hiding your real IP address is one of the first things a serious hacker would do.
So, there are two options. Either these professional army hackers have been unable, or too lazy, to hide their real IP addresses, or other hackers have cleverly used those IP addresses to implicate those poor Chinese. Both options look rather unlikely, but I cannot come up with a valid third one.

While I have no inside information on who is hacking whom and for what reason, there is one golden rule for explaining what happens in China, also when it concerns the government: follow the money. Who might have a financial interest in hacking a wide variety of targets, from Coca-Cola to pipeline companies, from government agencies to journalists?
My estimation is that this PLA office in Shanghai is largely a commercial operation, bringing in money for both the PLA and possibly the units directly involved. They may also have worked on more political assignments, as long as those did not interfere with their commercial targets.
Of course, that is bad, whether the hacking is done for financial or political reasons, or both. But it is hard to imagine that other parts of the world, including Russia and the US, do not run similar hacking operations. In the US it is even legally covered by the Patriot Act, although only legal from a US perspective.
Of course, by now a high-level but low-profile investigation team from Beijing has arrived in Shanghai to find out what has really been happening in those offices. But we might have to wait for a Chinese Wikileaks to learn what it finds.

At best these reports can act as a wake-up call. This is not a China-versus-US struggle; we are looking at a global threat that can come from anywhere.
