Embarrassing China with reports won't aid security

Summary: The Mandiant report alleging that the Chinese army launched cyberattacks is counterproductive, since China will now revamp its tactics to be stealthier and the security industry will have to re-evaluate its defense strategy.

The Mandiant report on Chinese hackers has no "value-add" for the security industry, as adversaries will now potentially revise their tactics to become stealthier and the industry will have to re-evaluate its detection strategies. Many Advanced Persistent Threats (APTs) today are also evolving to target data modification instead of extraction.

Eric Cole, CEO of security firm SecureAnchor Consulting, expressed concerns about the impact of publishing security reports that identify the source of attacks. He was speaking to ZDNet Asia on Wednesday on the sidelines of SANS Secure Singapore 2013, held here this week.

Cole was referring to a report last week by U.S.-based security vendor Mandiant, which alleged that a building in Shanghai was associated with the Chinese military and was the source of an "overwhelming" percentage of cyberattacks.

While the report was "fascinating in the level of details it provided" and showed the U.S. it had a sophisticated adversary, Cole was concerned about its "value-add" to the IT security industry. Once an advanced adversary is shown what is known about the organization, it will change its behavior and method of operation, he noted.

"Now that Mandiant has sort of publicly embarrassed the Chinese and showed how they are operating, [the Chinese] will be changing everything they do, going deeper and stealthier," he said.

If the report had not been published, Cole added, the Chinese would continue operating the same way and the security industry would eventually identify ways to stop the attacks.

Publishing such reports makes things harder for the security industry, he pointed out. Whatever is known about how the adversary operates will change, and the industry will now have to re-evaluate its attack and defense strategies in the future, he said.

APTs evolving from data extraction to destruction
Cole observed that, in the past, Advanced Persistent Threats (APTs) were focused on the extraction of data, such as intellectual property, trade secrets, and product designs. APTs carried out by the Chinese were focused on extracting military information to give them an advantage, he pointed out.

However, the mission of APTs has since evolved to the modification and destruction of data, he said. He pointed to Stuxnet and Flame as examples, noting that these did not extract data but instead modified data to bring down a system.

When adversaries succeed in stealing the targeted information, they would want to give themselves an advantage by modifying the data so it is no longer valuable to their competitors, he explained.

Cole further noted that many enterprises are still unclear about the definition of APTs and assume it refers to cutting-edge, state-of-the-art technologies aimed at breaking into systems. "It is overly hyped as an adjective to describe everything in terms of corporation, but in terms of understanding what it does, it is under-hyped," he said.

He described an APT as an advanced adversary with a wide range of methods for breaking into a system, one that continuously targets that system until it is successful. "If an organization is targeted, it [eventually] will be breached," he noted.

According to Cole, organizations can safeguard against APTs by focusing on outbound detection instead of just traffic coming in. This can be done by setting up NetFlow collection, gathering data packets and analyzing everything that leaves the network, he suggested. With higher network visibility, companies can quickly spot what is in their environment, he added.
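The outbound-monitoring approach Cole describes can be illustrated with a small flow-review script. The following is an added example, not code from the article, from Eric Cole or from SecureAnchor: it takes NetFlow-style records, keeps only flows that leave the internal range, and then applies two defender-side checks that analysts commonly run over such data: large transfers to destinations outside a known baseline, and connections to one destination whose timing is near-periodic (beacon-like). The internal range, the baseline, the thresholds and every flow record below are constructed for illustration.

```python
"""Outbound-flow review over constructed NetFlow-style records.

Added example (not from the article or from Eric Cole). All addresses,
records and thresholds are constructed; real deployments would read
flows from a collector and maintain the baseline from their own traffic.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range

# Constructed baseline of sanctioned external services.
KNOWN_DESTINATIONS = {"93.184.216.34"}

VOLUME_THRESHOLD = 50 * 1024 * 1024   # 50 MiB to an unknown host
MIN_BEACON_FLOWS = 4                  # need this many flows to judge timing
MAX_JITTER_RATIO = 0.1                # stdev/mean of inter-flow intervals

MiB = 1024 * 1024

# Constructed flows: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # normal browsing to a sanctioned service, irregular timing
    (1000, "10.0.5.20", "93.184.216.34", 443, 18_000),
    (1100, "10.0.5.20", "93.184.216.34", 443, 22_000),
    (1600, "10.0.5.20", "93.184.216.34", 443, 9_500),
    (1650, "10.0.5.20", "93.184.216.34", 443, 31_000),
    # three bulk transfers to a destination not in the baseline
    (2000, "10.0.5.20", "203.0.113.77", 443, 20 * MiB),
    (2400, "10.0.5.20", "203.0.113.77", 443, 25 * MiB),
    (3100, "10.0.5.20", "203.0.113.77", 443, 18 * MiB),
    # small, near-periodic check-ins (about every 300 s) to an unknown host
    (1000, "10.0.7.9", "198.51.100.12", 8080, 512),
    (1302, "10.0.7.9", "198.51.100.12", 8080, 512),
    (1598, "10.0.7.9", "198.51.100.12", 8080, 512),
    (1901, "10.0.7.9", "198.51.100.12", 8080, 512),
    (2199, "10.0.7.9", "198.51.100.12", 8080, 512),
    # internal-to-internal flow, ignored by the outbound filter
    (1500, "10.0.3.3", "10.0.9.9", 445, 4_000),
    # same second host talking to the sanctioned service
    (1200, "10.0.7.9", "93.184.216.34", 443, 7_000),
    (1900, "10.0.7.9", "93.184.216.34", 443, 12_000),
]


def outbound_flows(flows):
    """Keep only flows from an internal address to an external one."""
    return [
        f for f in flows
        if ipaddress.ip_address(f[1]) in INTERNAL
        and ipaddress.ip_address(f[2]) not in INTERNAL
    ]


def volume_by_pair(flows):
    """Total outbound bytes per (internal source, external destination)."""
    totals = defaultdict(int)
    for _ts, src, dst, _port, nbytes in outbound_flows(flows):
        totals[(src, dst)] += nbytes
    return dict(totals)


def large_unknown_transfers(flows, known=KNOWN_DESTINATIONS,
                            threshold=VOLUME_THRESHOLD):
    """Pairs sending at least `threshold` bytes to a destination outside the baseline."""
    return sorted(
        (src, dst, total)
        for (src, dst), total in volume_by_pair(flows).items()
        if dst not in known and total >= threshold
    )


def beacon_candidates(flows, min_flows=MIN_BEACON_FLOWS,
                      max_jitter=MAX_JITTER_RATIO):
    """Pairs whose inter-flow intervals are nearly constant.

    Returns (src, dst, rounded mean interval in seconds, flow count).
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in outbound_flows(flows):
        stamps_by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in stamps_by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        # population stdev relative to the mean: low ratio means regular timing
        if statistics.pstdev(intervals) / mean <= max_jitter:
            hits.append((src, dst, round(mean), len(stamps)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, total in large_unknown_transfers(FLOWS):
        print(f"large transfer: {src} -> {dst}, {total / MiB:.0f} MiB")
    for src, dst, period, n in beacon_candidates(FLOWS):
        print(f"beacon-like: {src} -> {dst}, {n} flows every ~{period}s")
```

Both checks deliberately ignore inbound traffic, which is the point of the passage: the baseline of known destinations and the two thresholds are what an organization tunes from its own normal traffic, and a hit is a lead for an analyst, not a verdict.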


Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.

  • Mandiant's "state actor" attribution questionable

    Has anyone fact checked Mandiant's attribution? The APT1 report is full of holes:

    1) Mandiant claims Hebei is part of Shanghai, but it's actually 500 miles and 3 provinces away.

    2) The address Mandiant claims is Unit 61398 central building on page 11, 208 Datong Road, is the address of the Unit 61398 Kindergarten. (Ref. Google "site:starbaby.cn 61398")

    3) One of the hackers cited, DOTA, was outed by Anonymous back in 2011. (Ref. Google "d0ta010 2j3c1k HBGary").

    Who'd be dumb enough to reuse a compromised identity?
  • Go Mandiant!

    I think Cole is short sighted. It must be having some effect on the Chinese leadership or else the foreign and defense ministries wouldn't have addressed it. It should also have some effect on the West's leadership to make it a priority to work together to protect themselves. If we are in a cyberwar, the public has a right to know.
  • I disagree

    If nothing else, the report gave sysadmins some information they can use to protect their systems and a greater sense of urgency. And the harder the PLA has to try to get the data they want (assuming the report is correct), the less effective it will be.

    It certainly got the attention of both U.S. and Chinese authorities, which could potentially lead to some serious discussion.
    John L. Ries