Comment | Insight & Opinion

Seven reasons why claims of PLA hacking fail the test

Graeme Maxton says the claim that the PLA is running an organised hacking operation from a building in Shanghai not only lacks convincing evidence, but its timing is also too convenient

PUBLISHED : Monday, 04 March, 2013, 12:00am
UPDATED : Monday, 04 March, 2013, 8:39am

Recently, a US company few of us had heard of gained instant fame for saying the People's Liberation Army was behind a lot of computer hacking. That may be. But the claims made by Mandiant should also be treated with caution, and not just because they have been vigorously denied.

There are seven reasons.

First, the report said exactly what many people wanted to hear. It reinforced the belief that China is the world's worst cyber bogeyman and gave Western diplomats another cudgel to wield in Beijing. Neither Iran nor Afghanistan is a credible cyber villain and, with the US State Department wanting to turn up the heat in the Pacific, it was useful to have someone point the finger at China. In truth, many big governments have sophisticated hacking capabilities today, particularly the US.

Second, the timing of the report was extremely useful for the US defence industry. The US military is facing the biggest cuts to its budget for years, with the potential for widespread reductions imminent. A report that strengthens the case for additional spending, especially when it appears to come from an independent source, was just what was needed.

Third, the timing of the report was also perfect for Mandiant, and this was not a coincidence. The company published its findings just days before a big annual get-together on computer security, the RSA Conference. Like many of its rivals in years gone by, it issued a sensationalist report before the meeting started because it was looking for the limelight.

The fourth reason we should raise an eyebrow is the fact that Mandiant is a private company that sells IT security. The report did not come from a dedicated government intelligence unit or some private investigation firm. It came from a company which is trying to sell IT security. It is in the firm's interests to tell the world that there are nasty threats and to point the finger at everyone's favourite baddie.

Fifth, if you read the report, and it appears few journalists or commentators have done so, it is easy to see that it is high on accusations but less meaty when it comes to evidence. Many conclusions are rather far-fetched, appearing to fit a hypothesis more than proving a solid case. There are a lot of fancy charts, some highly complicated program tables and a generous sprinkling of unnecessary Chinese characters to give it an air of authenticity.

But there is no overwhelming proof that the cyber attacks Mandiant says it has been tracking came from the PLA building in Pudong it identified. The company found computer IP addresses that are from a part of Shanghai. It also found a PLA office there. It then tied these facts together and came to the conclusion that they are linked.

Sixth, it is not just that finding IP addresses and a PLA unit in Pudong may be coincidental. It is that someone may have been using them as a cover. If you want to be a hacker, then the most obvious place to appear to be is in China. Because China is constantly being accused of hacking, everyone will assume that this is where the trail ends. If you are hacking from Russia or Iran or Tel Aviv, the best way to disguise your activities is to appear to use a server in China. There's bound to be a PLA unit nearby too, an added bonus.

Seventh, the Mandiant report suggests that China's ability to hack into America is highly developed but that its ability to cover its tracks is laughably poor. Those statements don't go together. If you can break into a well-protected network, you can hide your location. Yet Mandiant wants us to believe that the PLA used its own IP address with only a couple of easy-to-track hops through other systems.

Even without knowing a lot about it, it is easy to appear to be somewhere you are not on the internet. This article was submitted from an IP address in Sweden, for example, while my e-mails to the editor came from an IP address in southern England. Yet I never left Hong Kong. And there is no way anyone could work that out because the encryption used to send these messages, available for a small monthly fee, is so strong.

Like so many China finger-pointers, Mandiant is stretching our credulity. Every week we read about 18-year-old hackers who have managed to crack systems without being discovered. Or we read about the anarchistic exploits of Anonymous, a group of apparent nerds with an agenda. And, in almost every case, they have wrought havoc under cover, without being identified. They are even able to post claims about their exploits and still not be found out. But now we are expected to believe that one of the most dangerous hacking groups is actually based in a small building in Pudong under the guise of a crack unit of incompetent PLA soldiers.

It just doesn't add up.

Graeme Maxton is currently writing a book on online privacy



This lovely essay misses a critical point that renders the seven points invalid: There is no money to be made in China bashing. Companies don't like to admit they were hacked by China because it causes a loss of trust among their potential clients. Mandiant has, with a single PDF file, guaranteed it will never be able to do business in the world's largest internet market.
The author also ignores the content of what was allegedly stolen. It wasn't bank accounts, but industrial design data. No individual hacker in their right mind would waste time trying to sell tech specs for a missile, when it's much easier to steal credit card numbers.
As for Mandiant "easily" following the trail... I don't think there's any evidence at all that what they did was "easy". They are professionals who get hired by other corporations because tracking hackers is NOT easy. If it was so simple, the NYTimes would track the hackers by themselves.
I think the video showing the hacker at work, along with the technical data regarding IP addresses, and program assembly is very compelling. There is lots of circumstantial evidence too, like hackers using pinyin names for the folders they created on compromised systems, hackers doing less work around CNY, or the NYTimes getting hacked after releasing a report on Wen Jiabao's family wealth.
But again, back to my original point. No company will make money on China bashing. That should be reason enough to take these accusations seriously.
Who will listen to you, Maxton? You're not China bashing; no freedom-loving person (brainwashed fools) will ever listen to you. China is the bully, it's big and it's communist, it lacks human rights, blah blah blah blahhh... so any negative report by the glorious & mighty West is the only and real truth. Anything that even challenges this notion is pure evil or BS.
Just like Huawei & ZTE, those phoney reports even claim they have no evidence, but still it is up to the Chinese to defend themselves and prove they are innocent. The horrid double standards; no wonder China sees no reason to reform its legal system when the innocent-until-proven-guilty rule never applies to them, only the opposite does. To them I suppose it's nothing more than a myth.
The only truthful thing in these reports is that they admit they have no evidence AT ALL. But then why do you need evidence when your audience is illiterate Twitter users, and bashing China is simply the hippest thing? You hear reports all the time about Beijing diverting attention away by bashing Japan, yet the "free world" bashing of China and using China as the perfect scapegoat seems to be, well you know, "different". Throw any crap at China and it will stick whether truthful or not; the righteous nut jobs in the West need not think, as they perceive they are the chosen people.
This is only the latest in the long run of Western propaganda about China. Nobody who likes the report actually understands its contents, which makes this a big joke. Mandiant refuses to release the IPs, yet third-party observers consistently poke holes in the report. The ones who accept it at face value are authors at low-quality media outlets. This should tell you enough. In this day and age you NEVER accept anything at face value, not from China or the US. Watch out for anyone who does.
Clear, reasonable but inconvenient truth
But let's follow the comments and see
how it is received in this newspaper
of a large filth readership
basking in colonial afterglow
with China bashing being the only skill
Similar reasoning is used by conspiracy theorists, namely straw-man arguments and red herrings. It's good to be skeptical, but I did not find this article convincing.
"First, the report said exactly what many people (hate-China scumbags) wanted to hear. " Touche!
Maxton, you've just made news, causing all kinds of friends to forward your article to me: "Look! An article that relies on rational analysis! And not China bashing! And it appears on the SCMP!" What an exciting day for HK's journalism! I read the following article which you might also find interesting:
Many governments and organisations around the world, over the past 7-10 years, have reported numerous hacking episodes, all traced back to China. And a lot of this hacked information was already available to the U.S., so there was no reason for the US to do the hacking. Sorry, the author's conclusion does not make sense. Chances are the Mandiant report is correct, and our lone author above is wrong. I think it may be quite a long time before his upcoming book is actually published.
One sentence... jealous of China!
I read the Mandiant report. Please note that it also doubles up as a marketing brochure of sorts for the company.
What a joke... you mean those evidence-less reports?
I have not read the report. However, Mandiant is a serious company with a deep understanding of computer security. The author of this article, on the other hand, does not. I'm just saying look at the evidence, rather than assume it's not true.