twitter facebook rss

FireEye/Mandiant points finger at China – again

Posted by on April 15, 2015.

apt30reportWhen I first started commenting on FireEye the company was noticeably reluctant to attribute malware and malware campaigns to specific actors. The accusation market changed when Mandiant published its famous report: APT1 Exposing One of China’s Cyber Espionage Units. And things changed for FireEye when it bought Mandiant.

I am somewhat cynical about Mandiant (it is close to both the US and UK governments, and is employed and recommended by both), and it tends to follow or support government lines. I am also somewhat cynical about the reasons for FireEye to buy Mandiant at such a high price (see: That Mandiant sale thing). The purchase of Mandiant certainly makes it more likely that governments will look favourably on FireEye.

Be that as it may, it is clear that FireEye has also begun to say in all but ‘J’accuse’ language, it was the Chinese that did it. Indeed, for the latest FireEye report, its publicity machine comments on the APT30 group, “Much of their social engineering efforts suggest the group is particularly interested in regional political, military, and economic issues, disputed territories, and media organisations and journalists who report on topics pertaining to China and the government’s legitimacy.” See the danger in unguarded attributions described by respected security expert David Harley here: iToons: Attribution and the Media.

In this latest report (APT30 and the Mechanics of a Long-Running Cyber Espionage Operation), published within the last few days, FireEye implies beyond any possibility of doubt that APT30 is a Chinese government espionage unit. It says of APT30:

China-based threat groups have targeted journalists before; we believe they often do so to get a better understanding on developing stories to anticipate unfavorable coverage and better position themselves to shape public messaging.

Is FireEye correct? Quite possibly – I just don’t know and I don’t really care. The reason I don’t care can be found in this recent article by The Intercept: Britain used spy team to shape Latin American public opinion on Falklands:

The group, first revealed last year by NBC News and The Intercept, has developed various techniques — including “false flag” operations, sexual “honey traps,” and implanting computer viruses — to collect intelligence, plant propaganda and diminish or discredit opponents. As reported in The Intercept last year, JTRIG “has developed covert tools to seed the internet with false information, including the ability to manipulate the results of online polls, artificially inflate pageview counts on web sites, ‘amplif[y]’ sanctioned messages on YouTube,” and plant false Facebook wall posts for “entire countries.”

So my question is this: why is it OK for Britain to behave in this outrageous manner, but not OK for China to do the same? And why, if FireEye/Mandiant is so good at tracking down Chinese malware actors, has it so far been beyond them to track any misbehaviour by GCHQ or the NSA?

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Expert Views, Kevin Townsend's opinions, News, News_malware | Tags: , ,