Seven reasons why claims of PLA hacking fail the test
Graeme Maxton says the claim that the PLA is running an organised hacking operation from a building in Shanghai not only lacks convincing evidence, but that its timing is also too convenient
Recently, a US company few of us had heard of gained instant fame for saying the People's Liberation Army was behind a lot of computer hacking. That may be. But the claims made by Mandiant should also be treated with caution, and not just because they have been vigorously denied.
There are seven reasons.
First, the report said exactly what many people wanted to hear. It reinforced the belief that China is the world's worst cyber bogeyman and gives Western diplomats another cudgel to wield in Beijing. Neither Iran nor Afghanistan is a credible cyber villain and with the US State Department wanting to turn up the heat in the Pacific, it was useful to have someone point the finger at China. In truth, many big governments have sophisticated hacking capabilities today, particularly the US.
Second, the timing of the report was extremely useful for the US defence industry. The US military is facing the biggest cuts to its budget for years, with the potential for widespread reductions imminent. A report that strengthens the case for additional spending, especially when it appears to come from an independent source, was just what was needed.
Third, the timing of the report was also perfect for Mandiant, and this was not a coincidence. The company published its findings just days before a big annual get-together on computer security, the RSA Conference. Like many of its rivals in years gone by, it issued a sensationalist report before the meeting started because it was looking for the limelight.
The fourth reason we should raise an eyebrow is that Mandiant is a private company that sells IT security. The report did not come from a dedicated government intelligence unit or a private investigation firm; it came from a vendor with a product to sell. It is in the firm's interests to tell the world that there are nasty threats, and to point the finger at everyone's favourite baddie.
Fifth, if you read the report, and it appears few journalists or commentators have done so, it is easy to see that it is high on accusations but less meaty when it comes to evidence. Many conclusions are rather far-fetched, appearing to fit a hypothesis more than proving a solid case. There are a lot of fancy charts, some highly complicated program tables and a generous sprinkling of unnecessary Chinese characters to give it an air of authenticity.
But there is no overwhelming proof that the cyber attacks Mandiant says it has been tracking came from the PLA building in Pudong it identified. The company found that the attacks came from IP addresses registered to a part of Shanghai. It also found a PLA office there. It then tied these facts together and concluded that they are linked.
Sixth, it is not just that finding IP addresses and a PLA unit in Pudong may be coincidental. It is that someone may have been using them as a cover. If you want to be a hacker, then the most obvious place to appear to be is in China. Because China is constantly being accused of hacking, everyone will assume that this is where the trail ends. If you are hacking from Russia or Iran or Tel Aviv, the best way to disguise your activities is to appear to use a server in China. There's bound to be a PLA unit nearby too, an added bonus.
Seventh, the Mandiant report suggests that China's ability to hack into America is highly developed but that its ability to cover its tracks is laughably poor. Those statements don't go together. If you can break into a well-protected network, you can hide your location. Yet Mandiant wants us to believe that the PLA used its own IP address with only a couple of easy-to-track hops through other systems.
Even without much technical knowledge, it is easy to appear to be somewhere you are not on the internet. This article was submitted from an IP address in Sweden, for example, while my e-mails to the editor came from an IP address in southern England. Yet I never left Hong Kong. And there is no way anyone could work that out because the encryption used to send these messages, available for a small monthly fee, is so strong.
Like so many China finger-pointers, Mandiant is stretching our credulity. Every week we read about 18-year-old hackers who have managed to crack systems without being discovered. Or we read about the anarchistic exploits of Anonymous, a group of apparent nerds with an agenda. And, in almost every case, they have wrought havoc under cover, without being identified. They are even able to post claims about their exploits and still not be found out. But now we are expected to believe that one of the most dangerous hacking groups is actually based in a small building in Pudong, made up of a crack unit of incompetent PLA soldiers.
It just doesn't add up.
Graeme Maxton is currently writing a book on online privacy