FireEye Refutes Claims That It Hacked Back a Chinese APT

US cyber-security firm FireEye has denied claims that have been ramping up on social media all last week about illegally "hacking back" a Chinese nation-state cyber-espionage group.


The claims and social media discussions started after the publication of "The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age," a book authored by David Sanger, New York Times national security journalist.


In the book, Sanger recounts a series of events from 2013, in the lead-up to FireEye publishing a report called "APT1, Exposing One of China's Cyber Espionage Units."


At the time, the report was a landmark moment in the cyber intelligence community, as it exposed the activities of Chinese hackers in unprecedented detail, even going as far as pinning the hacking on Unit 61398 of China's People's Liberation Army (PLA), a level of attribution unheard of at the time.


Sanger's side of the events

But according to Sanger's book, FireEye might have obtained all these details by "hacking back," a term used to describe the practice of using offensive hacking techniques to breach an attacker's own systems in order to determine their identity, find out what they stole, and even destroy some of the stolen data to protect the victim. Under US law, the practice is illegal, and it is limited to approved US military personnel only.


In his book, Sanger claims that Mandiant (the cyber-security firm behind the report, purchased by FireEye a year later, in 2014) allowed him to sit down with its security researchers during one of these incidents.


Passages from Sanger's book are available below, as per this tweet.


Ever resourceful, [Mandiant CEO Kevin Mandia's] staff of former intelligence officers and cyber experts tried a different method of proving their case. They might not be able to track the IP addresses to the Datong Road high-rise itself, but they could actually look inside the room where the hacks originated. As soon as they detected Chinese hackers breaking into the private networks of some of their clients—mostly Fortune 500 companies—Mandia's investigators reached back through the network to activate the cameras on the hackers' own laptops. They could see their keystrokes while actually watching them at their desks.


The hackers, just about all of them male and most in their mid twenties, carried on like a lot of young guys around the world. They showed up at work about eight-thirty a.m. Shanghai time, checked a few sports scores, emailed their girlfriends, and occasionally watched porn. Then, when the clock struck nine, they started methodically breaking into computer systems around the world, banging on the keyboards until a lunch break gave them a moment to go back to the scores, the girlfriends, and the porn.


One day I sat next to some of Mandia's team, watching the Unit 61938 hacking corps at work; it was a remarkable sight. My previous mental image of PLA officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts, and probably saw Mao only if they visited his mausoleum in Tiananmen Square. "They were such bros," Andrew Scwartz, one of Mandia's communications specialists, recalled later.

FireEye claims it was a misrepresentation/misunderstanding

But in a statement released today, FireEye refutes these claims. The company says that Sanger mischaracterized what really happened, and might have simply misunderstood what he was shown that day when he was allowed to sit with Mandiant [now FireEye] employees.


FireEye says Sanger never observed real-time hacking, but only pre-recorded videos of APT1 (PLA Unit 61398) operators interacting with computers on the network of compromised companies.


Furthermore, FireEye says it obtained permission from these companies to leave the compromised PCs intact and observe what the hackers were doing, and that at no point did its employees use offensive hacking techniques.


Specifically, Mr. Sanger suggests our "…investigators reached back through the network to activate the cameras on the hackers' own laptops." We did not do this, nor have we ever done this. To state this unequivocally, Mandiant did not employ "hack back" techniques as part of our investigation of APT1, does not "hack back" in our incident response practice, and does not endorse the practice of "hacking back."

[...]

The conclusion that we hacked back, while incorrect, is understandable.

[...]

To someone observing this video "over the shoulder" of one of our investigators, it could appear as live system monitoring. Nevertheless, Mandiant did not create these videos through "hacking back" or any hacking activity. All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised.

[...]

The videos Mr. Sanger viewed were from Windows Remote Desktop Protocol (RDP) network packet captures (PCAP) of Internet traffic at these victim organizations. Mandiant has never turned on the webcam of an attacker or victim system.

[...]

In short, we do not fight hackers by hacking, but by diligently and legally pursuing attribution with a rigor and discipline that the cause requires.

The company also released one of the videos it recorded of APT1 hackers active on one of these compromised PCs.


Both sides of the events present plausible scenarios. Although illegal, hacking back is something cyber-security firms have been known to do many times before. No firm in its right mind will acknowledge it, especially when the hacked-back target is the Chinese military and not some random BEC scammer. The political implications are far-reaching.

But FireEye's explanation also holds water, as it's easy to mistake a replayed RDP session for a live hacking operation, especially if you're not told what you're watching. Although, one minor detail remains unaccounted for...

