Got Attitude?

Attack attitude: Does China really not care about attribution?
Following up on my previous blog post on the Comment Crew (or APT1, to quote a Mandiantism) attack and related coverage, I wanted to dig a little deeper into the observed attitude about the documented attack activity and what we might learn about the operating environment and overall sentiment toward OPSEC and attribution.

In the United States, the general perception both in and outside of the security industry is that China-based threat actors simply don’t care about attribution. Given the outwardly brazen appearance of the many attacks thought to have originated from China, one could certainly be forgiven for making this assumption. While not entirely incorrect, I firmly believe that what is actually going on is far more deeply nuanced than we are currently giving the Chinese credit for.

Let me begin by saying clearly: China cares far less in the subtlety department than, say, the United States. If this weren’t the case, then you would surely expect to have seen more evidence of the U.S. (and other nations) using offensive cybercapabilities with the same frequency and scale that we’re seeing coming from over the Pacific. China, in the same breath as denying its own involvement in cyberattacks, has stated that it believes the U.S. is up to the very same things that the U.S. has accused it of -- and yet the evidence all points in the direction of the former accusation.

Sure, this could, in part, also be attributed to the U.S., et al., viewing cybercapabilities as more of a tactical capability and therefore far more narrowly focused. However, the point is that there is an overt sense of justification in the use of offensive cybercapabilities on the part of China, which plays a key role when forming attitudes toward attacks for adversaries both within and outside of its government. This and other driving factors are infrequently discussed as a part of the investigative dialogue when dissecting attacks.

When we consider this attitude toward the use of cybercapabilities against the U.S. and the Comment Crew attacks, a slightly different story emerges than one of complete arrogance on the part of the individuals documented to be associated with the Comment Crew. This matters because it demonstrates a presence of mind, rather than belligerence in the planning and execution of these attacks. In short, being attributed was a decision, not a foregone conclusion, owing to a lack of capability on the part of the adversary.

Since the press frenzy over the Comment Crew attacks, I’ve had numerous conversations with peers in the industry over possible repercussions for the individuals who were publicly named and shamed. The general response I seem to get goes somewhere along the lines of, “Of course nothing will happen to them; China simply doesn’t care about attribution.” While this would likely be true if we were dealing with a belligerent adversary who feels it can act without consequence, I think this is far from the truth. Further, the military unit implicated in the Comment Crew case (Unit “61398”) is a branch of a military (read: non-civilian) organization, where discipline and consequence are certainly not unfamiliar concepts. If I were to place bets on the topic, then my money would be on the population of a Chinese labor camp having increased by at least one in the past month.

In closing, while the bravado, denial, and other more overt attributes of attacks associated with the PRC may draw us to believe that China just doesn’t care, this is simply not the case. The reasons stated make it a far more formidable adversary than the cyberdrunkard that China is often mischaracterized as.

Tom Parker is CTO of FusionX LLC