Mandiant: has the leopard changed its spots in its first major report since being acquired by FireEye?
The Mandiant M-Trends 2014 Threat Report: Beyond the Breach, published today, is Mandiant’s first report since its acquisition by FireEye. Mandiant is a technically competent company (it was one of the original four companies chosen by GCHQ to take part in the pilot incident response scheme); but for me it is also a politically suspect company. The latter stems from its famous or infamous APT1 report from just over a year ago. That report very clearly accused the Chinese government of being involved with the APT1 hacking group, which it said was part of the People’s Liberation Army Unit 61398. This was at a time when it was politically expedient for the US government to hype the cyber terrorism threat, and to particularly challenge China. No other security expert or company that I have spoken to has ever suggested that it is possible to be so certain about the precise source of a cyber attack.
So I consider that there are two aspects to this new report worthy of consideration: firstly its content because of Mandiant’s expertise; and secondly, any political over- or undertones following the takeover by the more circumspect and therefore believable FireEye.
There are five sections to this report. Jason Steer, director of technology strategy (from the FireEye pedigree) guided me through them: some general statistics; a closer look at Syrian Electronic Army activities followed by an evaluation of ‘suspected’ Iranian activities; a look at financial attacks with particular focus on the retail industry; and then what amounts to a defence of the APT1 report.
The statistics come from Mandiant customers, but Jason pointed out that doesn’t mean only large companies. “Some of our customers have as few as 200 users,” he told me. It’s not the size of the company that would warrant FireEye/Mandiant involvement, but the value of the data to be protected. He mentioned small companies that might have a highly valuable trading-floor algorithm to protect, or a patent on the transmission of power via laser.
Those statistics appear to show a very slight improvement in the state of security. Compromises are being detected up to two weeks faster than they were in 2012; but against this the number of breaches detected by the breached company is down from 37% to 33%. 67% of victims were warned of the breach by an outside source, sometimes a bank or financial institution, but “Law enforcement is one of the primary sources,” Jason told me. Agents watch and monitor the underground chat rooms, pick up hints and warn the victim. (Of course, if the victim is particularly unlucky, discovery may come via Brian Krebs and Hold Security and be exposed to the world via KrebsOnSecurity.)
One conclusion from the statistics could be that criminals and malware are getting better at hiding themselves on the network; but that law enforcement has become even better at infiltrating underground chat rooms.
The section on the Syrian Electronic Army provides some lesser-known details of the SEA’s methods. It is often suggested that the SEA is unsophisticated and technically inferior to other groups. We don’t actually know that: what we do know is that it has been very successful at what it sets out to do, which is to compromise websites and accounts for propaganda purposes. That requires little more than successful phishing, and its phishing has been very successful.
“Since its inception in 2011,” reports Mandiant, “the SEA has successfully infiltrated more than 40 organizations, primarily targeting the websites and social media accounts of major Western news agencies.” But the effort used to do this is revealing. In one particular incident, Mandiant says, “All told, the SEA sent thousands of phishing emails to a large number of employees over the span of three hours. Despite having a success rate of only 0.04%, the phishing emails still allowed the SEA to harvest the credentials necessary to access the targeted resources. Within two hours of the first phishing email, the SEA obtained credentials for the news agency’s main website.”
The next section, Iran-based Activity, is particularly interesting since it gives clues on whether the Mandiant leopard has changed its spots. Mandiant had been called in to investigate a suspected breach at a state government office. Its investigation led it to believe that the attackers were probably Iran-based and not particularly competent.
“Mandiant’s observations of suspected Iranian actors have not provided any indication that they possess the range of tools or capabilities that are hallmarks of a capable, full-scope cyber actor. They rely on publicly available tools and capitalize solely on Web-based vulnerabilities — constraints that suggest these cyber actors have relatively limited capabilities.”
I put it to Jason that this is exactly how I would behave if I were a third-party agency, perhaps beginning with N or G, who for political purposes wished firstly to be discovered, and secondly to implicate Iran. “Absolutely,” he replied. “That’s why we have said ‘suspected’ Iranian involvement.” When you read this section you get the overwhelming feeling that Mandiant is accusing Iran – but when you examine the content you find the word ‘suspected’ repeated eight times (out of a total of nine throughout the whole document) at strategic points. It is, one might almost say, a suspected semantic insertion after the event.
If this sounds like a paranoid conspiracy theory, I would briefly refer you back to the very first page of the report. It says, “With no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important.” You cannot have a diplomatic solution to criminal activity. I suspect, then, that this report was always, or at least originally, intended to highlight the type of state-sponsored activity that could be swayed by diplomacy. If this is the case, a primary purpose of the report was to accuse Iran of state-sponsored cyberwar – and the leopard has not yet changed its spots.
This conclusion is possibly confirmed by the final section of the report, which is an analysis of the period since Mandiant’s APT1 report last year. It starts with that ninth use of the word ‘suspected’: “January 2013 marked the first large-scale public disclosure that an advanced persistent threat (APT) group with suspected ties to the People’s Republic of China (PRC) had compromised a key U.S. media company: The New York Times.” The rest of the section, however, amounts to a renewal of the original accusations and a robust defence of Mandiant’s conclusions.
“Despite the recent accusations and subsequent international attention, APT1 and APT12’s reactions indicate a PRC interest in both obscuring and continuing its data theft. This suggests the PRC believes the benefits of its cyber espionage campaigns outweigh the potential costs of an international backlash.”
My reading of this report is that Mandiant still wishes to name and shame political opponents of the United States; but that it is being reined in somewhat by FireEye’s proofreaders. If this is the case, I wish FireEye all success in doing so. Mandiant’s technical expertise is overshadowed by doubts over its political desires – and that is a huge shame. The information that Mandiant is otherwise able to give security defenders is too valuable and useful to be lost to such concerns. The fourth section, on financial attacks, which I have not covered here, includes the warning that run-of-the-mill criminals are mass-compromising systems and then selling on the choicest victims to more advanced and organized gangs, which take over the initial entry point with more sophisticated and stealthy malware aimed at long-term compromise and data exfiltration. Such insights can only improve industry’s overall security stance by helping to formulate and guide more effective defensive policies.