Posted on June 26, 2018 at 8:56 PM
According to the new book published by David Sanger, it would seem that the company called Mandiant, currently owned by FireEye, used a ‘hack back’ technique during the unmasking of the Chinese hacking group known as Unit 61398. The hack back supposedly occurred back in 2013, and the researchers managed to hack into the original hackers’ webcams. FireEye denies these allegations.
Researcher claims to have witnessed a ‘hack back’
A cybersecurity reporter for The New York Times by the name of David Sanger has recently published a new book called The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. According to the book, while the reporter was collecting information for it, he witnessed a hacking attack by China’s hacking group called Unit 61398.
Sanger describes the experience as ‘remarkable’, but the part that caused a large controversy comes after that, where he claims that Mandiant’s researchers used a technique called ‘hack back’ to hack into the attackers’ webcams.
Previously unreported details on some of the evidence & methods used by Mandiant to attribute China’s PLA Unit 61398 in the landmark 2013 APT1 report.
Source: David Sanger’s new book pic.twitter.com/VTL8b1oZ13
— Thomas Rid (@RidT) June 23, 2018
The technique basically involves reaching back across the network into the computers that are attacking someone else. Not only is this very unsafe and unwise, but some go as far as to call it ‘the worst idea in cybersecurity’.
FireEye continues to deny the allegations
Because of the unsafe nature of the technique, there has been a lot of debate regarding Mandiant researchers’ actions. After discovering the claim, FireEye denied that their researchers ever did such a thing, or that they managed to gain access to hackers’ webcams. According to the company, the researchers only followed standard procedures regarding the forensic investigation of the Unit’s attack.
The firm continued to claim that their researchers did not perform the hack back technique, on this or any other occasion. They also commented on the book, and stated that the claims provided within its pages are likely a result of the author misunderstanding consensual network monitoring. In other words, the author supposedly only watched the company’s recordings of earlier attacks, captured over various protocols, rather than live monitoring of what the hackers were doing.
Richard Bejtlich, the company’s former chief security officer, also claimed that the company never approved of, or performed, the activities described in the book. According to him, performing hack backs is against the company’s policy, and the researchers would never perform such acts. He even claimed to have contacted his old team, which had no knowledge of any such activities being performed by the other researchers.
FireEye’s story leaves many unconvinced
In response, many individuals tweeted that Sanger could not have misinterpreted the leather jackets he describes seeing. According to them, the author either completely made up the story, or he witnessed it first-hand; there is nothing in between.
How can you misinterpret seeing leather jackets? He either made it up, or he saw it. https://t.co/aykdu7n4Yd
— Ryan Naraine (@ryanaraine) June 25, 2018
Some believe that the hack back did occur and that the insight gained from the event allowed the US government to criticize Chinese military hacking more vocally. This theory gathered a lot of strength, considering that FireEye is known for being close to the US government.
Employees of private US company Mandiant hacked into computers of Chinese military, eventually resulting in APT1 report. The privatized hackback enabled US gov to more vocally criticize Chinese military hacking of US companies since there was now public unclassified reporting. https://t.co/v18HMgNvow
— Artturi Lehtiö (@lehtior2) June 23, 2018
One interesting point is the bill that the US Congress introduced last year, which would basically allow hacking victims to go on the offensive when they are hacked. Under it, individuals and companies alike would have permission to hack back if they are trying to disrupt the attack, monitor it, or destroy the files that were stolen from them.