FireEye denies 'hack back' against Chinese government cyberespionage group

  • New York Times reporter David Sanger's new book claims Mandiant compromised laptops belonging to APT1 as part of its investigative work
  • In one excerpt, Sanger claims he viewed "live footage" of the Chinese hackers
  • FireEye, which acquired Mandiant in 2014, has pushed back against the "hack back" claims

Cybersecurity firm FireEye has denied claims that its subsidiary Mandiant illegally "hacked back" against a Chinese government cyberespionage group. The claims, and the social media buzz that followed, were sparked by the publication of New York Times security journalist David Sanger's new book "The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age."

The book, released last week, alleges that Mandiant managed to infiltrate laptops belonging to Chinese hackers and activate their cameras to track them. The campaign was apparently part of Mandiant's exposure of the Chinese cyberespionage group APT1, which had targeted multiple American companies for years. Mandiant's 2013 report on APT1, unprecedented in its detail at the time, revealed in-depth information about the Chinese hackers and linked them to the People's Liberation Army's Unit 61398.

Sanger's side of the story

In his book, Sanger claims Mandiant allowed him to sit in during one of the "hacking back" incidents.

"As soon as they detected Chinese hackers breaking into the private networks of some of their clients – mostly Fortune 500 companies – Mandia's investigators reached back through the network to activate the cameras on the hackers' own laptops. They could see their keystrokes while actually watching them at their desks," reads an excerpt in which Sanger describes investigators working for Kevin Mandia, now FireEye's CEO.

Sanger also claims to have viewed footage of the hackers through the compromised cameras himself.

“One day I sat next to some of Mandia’s team, watching the Unit 61398 hacking corps at work; it was a remarkable sight,” he wrote. “My previous mental image of [People's Liberation Army] officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts, and probably saw Mao only if they visited his mausoleum in Tiananmen Square.”

However, "hacking back" – gaining unauthorized access to an attacker's systems – is illegal for private parties under US law, which criminalizes unauthorized computer access through the Computer Fraud and Abuse Act; only government agencies operating under legal authority may conduct such operations.

FireEye pushes back

Mandiant was acquired by FireEye for around $1 billion in early 2014. In a statement on Monday, FireEye denied the claims, saying Sanger's account mischaracterized the company's investigative work.

"Mr. Sanger's description of how Mandiant obtained some of the evidence underlying APT1 has resulted in a serious mischaracterization of our investigative efforts," FireEye said in a blog post. "We did not do this, nor have we ever done this. To state this unequivocally, Mandiant did not employ 'hack back' techniques as part of investigation of APT1, does not 'hack back' in our incident response practice, and does not endorse the practice of 'hacking back'."

FireEye also suggested that Sanger may have mistakenly concluded that Mandiant had breached the Chinese hackers' computers while viewing videos, compiled by researchers, that showed the hackers interacting with malware command and control servers.

“To someone observing this video ‘over the shoulder’ of one of our investigators, it could appear as live system monitoring,” FireEye said. “Nevertheless, Mandiant did not create these videos through ‘hacking back’ or any hacking activity. All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised. As a standard practice, in an effort to protect companies from unauthorized intrusions, we implement consensual network monitoring agreements with many victim organizations for the purposes of helping better secure those organizations."

FireEye said the videos Sanger viewed were reconstructed from network packet captures (PCAP) of Windows Remote Desktop Protocol (RDP) sessions, taken from Internet traffic at the victim organizations. Such captures are obtained by recording traffic on the victim's own network, with the victim's consent, and replaying the attacker's RDP session shows what the attacker saw and typed on the compromised machine.
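The kind of passive, consent-based monitoring FireEye describes starts with finding the attacker's sessions in the victim's own traffic. The following is an added example (not Mandiant or FireEye code) that runs over constructed flow records from a hypothetical victim network and picks out RDP (TCP/3389) sessions whose client sits outside the victim's address space, so an analyst knows which captures to pull for session replay. The victim address ranges, the flow format and the sample records are all assumptions made for the example.

```python
"""Passive detection of externally sourced RDP sessions in flow records.

Added example, not FireEye/Mandiant code. Models the consensual network
monitoring described in the article: the victim records its own traffic,
and the analyst finds RDP sessions from outside the victim's address space.
"""
import ipaddress
from collections import defaultdict

RDP_PORT = 3389

# Assumption: the victim organisation's internal address space.
VICTIM_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample flow records (not real capture data).
# Format: timestamp src_ip src_port dst_ip dst_port proto bytes
SAMPLE_FLOWS = """\
2012-11-03T02:14:05Z 203.0.113.45 51632 10.1.20.7 3389 tcp 184320
2012-11-03T02:14:05Z 10.1.20.7 3389 203.0.113.45 51632 tcp 9820144
2012-11-03T02:31:40Z 10.1.20.9 44120 10.1.20.7 3389 tcp 40210
2012-11-03T02:31:40Z 10.1.20.7 3389 10.1.20.9 44120 tcp 512000
2012-11-03T03:05:12Z 203.0.113.45 51700 10.1.20.7 3389 tcp 20480
2012-11-03T03:05:12Z 10.1.20.7 3389 203.0.113.45 51700 tcp 1350000
2012-11-03T03:07:00Z 198.51.100.8 40001 10.1.20.12 443 tcp 3000
"""


def is_internal(ip, ranges=VICTIM_RANGES):
    """True if ip falls inside one of the victim's address ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def _new_session(client, server, start):
    return {"client": client, "server": server, "start": start,
            "bytes_from_client": 0, "bytes_to_client": 0}


def external_rdp_sessions(text, ranges=VICTIM_RANGES):
    """Return RDP sessions whose client lies outside the victim's ranges.

    A session is keyed by (client, client_port, server). The client->server
    flow is the one whose destination port is 3389; the reverse flow adds the
    bytes the server sent back (screen updates, which is what a session
    replay reconstructs).
    """
    sessions = {}
    for f in parse_flows(text):
        if f["proto"] != "tcp":
            continue
        if f["dport"] == RDP_PORT:
            key = (f["src"], f["sport"], f["dst"])
            s = sessions.setdefault(key, _new_session(f["src"], f["dst"], f["ts"]))
            s["bytes_from_client"] += f["bytes"]
        elif f["sport"] == RDP_PORT:
            key = (f["dst"], f["dport"], f["src"])
            s = sessions.setdefault(key, _new_session(f["dst"], f["src"], f["ts"]))
            s["bytes_to_client"] += f["bytes"]
    result = [s for s in sessions.values()
              if not is_internal(s["client"], ranges) and is_internal(s["server"], ranges)]
    result.sort(key=lambda s: s["start"])
    return result


def sessions_by_client(sessions):
    """Aggregate sessions per external client: count, servers reached, bytes received."""
    summary = defaultdict(lambda: {"sessions": 0, "servers": set(), "bytes_to_client": 0})
    for s in sessions:
        entry = summary[s["client"]]
        entry["sessions"] += 1
        entry["servers"].add(s["server"])
        entry["bytes_to_client"] += s["bytes_to_client"]
    return dict(summary)


if __name__ == "__main__":
    for s in external_rdp_sessions(SAMPLE_FLOWS):
        print(f'{s["start"]} {s["client"]} -> {s["server"]} '
              f'in={s["bytes_from_client"]} out={s["bytes_to_client"]}')
    print(sessions_by_client(external_rdp_sessions(SAMPLE_FLOWS)))
```

On the sample data the internal-to-internal RDP session (10.1.20.9 to 10.1.20.7) and the unrelated HTTPS flow are dropped, leaving the two sessions from 203.0.113.45 to 10.1.20.7. Note that the flow records alone only identify the sessions; reconstructing the screen content, as FireEye describes, requires the full packet capture of those sessions, and the capture is taken entirely on the victim's side of the connection.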

A replayed RDP session, however, shows only what the attacker saw and did on the victim system, not the attacker; the videos FireEye describes could not have shown hackers wearing "leather jackets" or "undershirts."

"Mandiant has never turned on the webcam of an attacker or victim system," the security firm said. "In short, we do not fight hackers by hacking, but by diligently and legally pursuing attribution with a rigor and discipline that the cause requires. The anonymity of the Internet is routinely used to mask the identities of perpetrators who violate our privacy and our laws, and it is our goal to relentlessly protect our customers and make the Internet a fair and safe place to operate."

In response to FireEye, Sanger said in a statement that Mandiant "gave us extraordinary access to their investigation as we were preparing to write about Unit 61398 in late 2012, and the result was our story in the Times, and the company’s report, in February, 2013."

He added that, when he engaged with the firm to inform his reporting at the time, it was not his understanding that Mandiant had tracked the Chinese hackers through "consensual monitoring".

"While that wasn't my understanding at the time, passive monitoring is a reasonable explanation of how the company came to link the hacks to specific individuals, several of whom have since been indicted by the United States," he continued.

Sensitive time for geopolitical relations

The controversy comes at a particularly sensitive time, when the political ties between technology firms and governments are being dragged into the spotlight.

Recently, the European Parliament passed a motion describing Russian cybersecurity firm Kaspersky Lab's software as "confirmed as malicious." Multiple governments have moved to limit or ban the use of Kaspersky's products on their networks, particularly for sensitive operations, amid concerns over links to the Kremlin. Late last year, the US government ordered a full ban on the company's products within government networks by October 2018.