Science Defies Politics

APT [Advanced Persistent Threat] is a term to refer to Chinese espionage
without saying Chinese espionage. Full stop.
Scott J Roberts, APT is a Who not a What …

The full quote:

“This classified intelligence was a problem. … These DoD/IC teams wanted to help, but couldn’t disclose classified information. They came up with a compromise: sharing indicators and information without disclosing the actual actor behind it. Specifically APT, supposedly coined by Colonel Greg Rattray, was a couple groups of actors primarily operating out of mainland China and believed to be members of the People’s Liberation Army. We now know these groups today as APT1, Anchor Panda, and Elderwood, as well as other private designations.

APT is a term to refer to Chinese espionage without saying Chinese espionage. Full stop.”

Thus, the term Advanced Persistent Threat (APT) appeared around 2006 and referred to hacker group(s) operated by one nation state – China. Such attribution was feasible and probably correct. But it worked only for China in the first decade of this century.

That made sense for the cyber intrusions traced to IP addresses in China. China is unique among nations of the world in that it’s a cyber-fortress surrounded by the Great Firewall of China (GFW). A packet round-trip time (RTT) between the U.S. and China was more than half a second, 5-10 times the RTT between the U.S. and France. Internet was tightly controlled by the government of China. The GFW restricted the ability of ordinary China citizens to access destinations outside of China and degraded the quality of cross-border connection. It would have been very counterproductive, difficult, and risky for anybody outside of China to access a computer in China and then to breach a computer network in the U.S. from that computer. Thus, cyber-intrusion and attempts apparently coming from China were really coming from China, likely ordered or at least authorized by the PRC government.  Breaches of the networks of the U.S. government, defense contractors, and accounts of opponents of the Chinese government strengthened the confidence of this attribution. APT1 was probably characterized correctly. Of course, this detection and characterization became obsolete immediately after it was published.

Outside of China and North Korea, these conditions do not exist, so attribution by observed IP addresses does not work. Other detection methods are not reliable against sophisticated hackers. Each intrusion or attempt uses one or more IP addresses, and finding the country to which the IP address belongs is easy. But the hackers might be in another country on the other side of the globe. Even if a security researcher somehow divines the hacker group country, it’s not evidence that the group is state sponsored. It is not even enough to distinguish one hacker group from another one.

If a network or account is probed or breached from an IP address in Russia, it’s likely the work of a lone hacker or one of many criminal gangs connected neither to each other nor to the Russian government.

The so-called APT1 that was active before 2011 might be the only advanced threat group that’s defined and characterized correctly. But definition and characterization of all currently active alleged APT groups are suspect and should be considered invalid.  That includes the so-called APT28 and APT29 (named Fancy Bear and Cozy Bear by CrowdStrike) which were probably fabricated by conflating the activities of multiple unrelated hackers’ groups.

This is a common view in the Western Europe. For example, the head of the French government’s cybersecurity agency Guillaume Poupard laughed at the warning that unspecified U.S. authorities gave their French counterparts before the French election: “We are watching the Russians. We are seeing them penetrate some of your infrastructure. Here is what we have seen. What can we do to try to assist?” The warning was linked to NSA Director Admiral Rogers, and Poupard commented: “Why did Admiral Rogers say that, like that, at that time? It really surprised me. It really surprised my European allies. And to be totally frank, when I spoke about it to my NSA counterparts and asked why did he say that, they didn’t really know how to reply either,” he said. “Perhaps he went further than what he really wanted to say.” Admiral Rogers was influenced by the mass hysteria created by the Democratic Party following the election loss and based on the attribution fraud by CrowdStrike and FireEye.  Poupard also rejected allegations that Russia had hacked the Macron campaign (“The attack was so generic and simple that it could have been practically anyone”) and accurately referred to the so-called APT28 as “what we call collectively APT28” (AP, 2017-06-01).

FireEye/Mandiant

Mandiant was founded in 2004 by people from USAF Office of Special Investigations, according to Scott J Roberts. They were very familiar with the Advanced Persistent Threat – Chinese cyber espionage. In 2010 Mandiant made a mistake or gimmick by attempting to expand the APT definition from China to other state actors. Mandiant abandoned this attempt until appearance of CrowdStrike in 2013. Mandiant was acquired by FireEye (FEYE) in December 2013. In 2014, FireEye started inventing groups not linked to China, and the gimmick became a fraud. FireEye is the second worst offender, after CrowdStrike in promoting the fraudulent attribution of cyber incidents to nation states.

FireEye uses at least two different, incompatible, and incorrect definitions of APT – one for investors, another one for customers. In the 2018 M-Trends report, intended for customers, the term Advanced Persistent Threat is used to refer to a state-sponsored group: “FireEye tracks thousands of threat actors, but pays special attention to state-sponsored attackers who carry out advanced persistent threat (APT) attacks.“ In the 2018 10-K form filed with SEC, Advanced Persistent Threat is defined as an attack: “We were founded in 2004 to address the inability of signature-based security solutions to detect the new generation of dynamic, stealthy and targeted cyber attacks, known as advanced persistent threats (APTs) … We have expanded our business from a narrow focus on the detection of advanced persistent threats to helping our customers improve their resilience to all cyber attacks …” What is a better evidence of a lie than a contradiction such as this?

FireEye publicly “identified” alleged groups APT28 and APT29 only in 2014, the first alleged APT groups not linked to China. FireEye linked them to Russia. Currently, FireEye lists multiple APTs attributed to China, Russia, North Korea, Iran, Vietnam, and ‘undisclosed.’ Many of the attributions go against common sense. For example, an alleged APT32 is attributed to Vietnam because it targets companies investing or doing business in Vietnam, although common sense would suggest that if such group exists and is state sponsored, the sponsor is Vietnam’s adversary.

Some History, 2010-2016

In 2010, Mandiant attempted to expand definition of APT beyond Chinese espionage. 2010 M-Trends claimed “The APT successfully compromises any target it desires. Conventional information security defenses don’t work,” suggesting potential customers that they could protect themselves only by retaining Mandiant services. This statement might be considered a white lie, or even half true. Private companies holding valuable data could not protect themselves because they were regulation driven and indifferent to cybersecurity, not because of any special sophistication of the hackers. AFAIK, this is still the case for private companies and the government agencies today.

In 2010, cyber security community and the FBI were not corrupt, so Mandiant abandoned its attempt to apply methodology valid for China to the rest of the world. It took a few years for the Obama administration to dumb down and corrupt security and intelligence communities. In early 2013, FBI Director Robert Mueller invited attribution fraud when he included the attribution of cyber incidents as part of the FBI’s mission. It was probably an innocent mistake on his part, but his office spawned CrowdStrike through Shawn Henry, Mueller’s Executive Assistant.

After CrowdStrike started making fraudulent attributions in 2013 and the FBI, government regulators, and the regulated businesses accepted this fraud, its competitors were almost forced to follow. From FireEye M-Trends, 2015:

“Victims are also increasingly pressured to disclose who is behind the attack. We are often asked to attribute attacks to a specific threat actor on the first day of the investigation, a point where we are only starting to gather evidence of the compromise. By the same token, attribution is becoming more complicated as different kinds of threat actors increasingly share the same tools.”

Thus, the attribution fraud became somewhat like “consensus science,” deviation from which was impossible for corporations and dangerous for individuals under the Obama administration. Misattribution of cyber incidents became routine. When CrowdStrike wrongly attributed the DNC breach(es) to Russia in May-June 2016, FireEye and a few other cyber-security companies agreed with the attribution, and no other company publicly objected.

Where is the Government?

One would expect that the FBI, CIA, DHS, DNI, and DoD would rely only on cleared cyber-security firms working exclusively in the U.S. and approved friendly countries, and keeping their findings classified. Surprisingly, this is not the case. For example, CrowdStrike and FireEye serve customers all over the world. CrowdStrike boasts that its main product is deployed in 176 countries, although there is no reason to believe anything coming from CrowdStrike. A couple weeks before the 2016 election Russian Alfa Bank hired FireEye to look into claims by anonymous idiots that a server in one of Trump’s businesses “had conversations” with a server of the Alfa Bank. FireEye team visited premises of the Alfa Bank in Moscow. Note that FireEye was not afraid that terrible Putin would punish it for uncovering and frustrating the most sensitive operations of its intelligence agencies. In other words, FireEye knew that APT28 and APT29 did not exist or were not sponsored by the Russian government.  If you are curious, FireEye found nothing suspicious. In the words of The Guardian: “Cybersecurity firm fails to find links between Donald Trump and Russian bank.”

Remarks

Another quote from Scott J Roberts:

“The fact is the same: APT is a codename for a who, that who being Chinese espionage, not a description of an attacker based on methods or techniques.”

Jeffrey Carr, The DNC Breach and the Hijacking of Common Sense, June 19, 2016 (emphasis added by Jeffrey Carr):

“To my surprise, the report’s authors [referring to the latest FireEye report on APT28] declared that they deliberately excluded evidence that didn’t support their judgment that the Russian government was responsible for APT28’s activities: “APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests.” That is the very definition of confirmation bias. Had FireEye published a detailed picture of APT28’s activities including all of their known targets, other theories regarding this group could have emerged; for example, that the malware developers and the operators of that malware were not the same or even necessarily affiliated.”

“Attribution is hard enough without cybersecurity companies picking the evidence they need to support the conclusion that they want with threat actor models that are completely devoid of common sense. We can do better.”

FireEye (FEYE) has not replied to an email seeking comments and its side of the story.