Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:45 PM
Tom Parker
Tom Parker

Got Attitude?

Attack attitude: Does China really not care about attribution?

Following up on my previous blog post on the Comment Crew (or APT1, to quote a Mandiantism) attack and related coverage, I wanted to dig a little deeper into the observed attitude about the documented attack activity and what we might learn about the operating environment and overall sentiment toward OPSEC and attribution.

In the United States, the general perception both in and outside of the security industry is that China-based threat actors simply don’t care about attribution. Given the outwardly brazen appearance of the many attacks thought to have originated from China, one could certainly be forgiven for making this assumption. While not entirely incorrect, I firmly believe that what is actually going on is far more deeply nuanced than we are currently giving the Chinese credit for.

Let me begin by saying clearly: China cares far less in the subtlety department than, say, the United States. If this weren’t the case, then you would surely expect to have seen more evidence of the U.S. (and other nations) using offensive cybercapabilities with the same frequency and scale that we’re seeing coming from over the Pacific. China, in the same breath as denying its own involvement in cyberattacks, has stated that it believes the U.S. is up to the very same things that the U.S. has accused it of -- and yet the evidence all points in the direction of the former accusation.

Sure, this could, in part, also be attributed to the U.S., et al., viewing cybercapabilities as more of a tactical capability and therefore far more narrowly focused. However, the point is that there is an overt sense of justification in the use of offensive cybercapabilities on the part of China, which plays a key role when forming attitudes toward attacks for adversaries both within and outside of its government. This and other driving factors are infrequently discussed as a part of the investigative dialogue when dissecting attacks.

When we consider this attitude toward the use of cybercapabilities against the U.S. and the Comment Crew attacks, a slightly different story emerges than one of complete arrogance on the part of the individuals documented to be associated with the Comment Crew. This matters because it demonstrates a presence of mind, rather than belligerence in the planning and execution of these attacks. In short, being attributed was a decision, not a foregone conclusion, owing to a lack of capability on the part of the adversary.

Since the press frenzy over the Comment Crew attacks, I’ve had numerous conversations with peers in the industry over possible repercussions for the individuals who were publicly named and shamed. The general response I seem to get goes somewhere along the lines of, “Of course nothing will happen to them; China simply doesn’t care about attribution.” While this would likely be true if we were dealing with a belligerent adversary who feels it can act without consequence, I think this is far from the truth. Further, the military unit implicated in the Comment Crew case (Unit “61398”) is a branch of a military (read: non-civilian) organization, where discipline and consequence are certainly not unfamiliar concepts. If I were to place bets on the topic, then my money would be on the population of a Chinese labor camp having increased by at least one in the past month.

In closing, while the bravado, denial, and other more overt attributes of attacks associated with the PRC may draw us to believe that China just doesn’t care, this is simply not the case. The reasons stated make it a far more formidable adversary than the cyberdrunkard that China is often mischaracterized as.

Tom Parker is CTO of FusionX LLC

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/10/2013 | 3:11:18 AM
re: Got Attitude?
Even though the claim made by-Tom Parker that,

"...what is actually going on is far more deeply nuanced than we are currently giving the Chinese credit for."

may very well be true, since the Chinese typically have a strategic bent, he did not prove it conclusively in his article. -The article merely skirts around this issue with-rhetoric-and does not provide specific evidence and analysis to prove his point.

To this reader the article therefore was a disappointment.
User Rank: Strategist
4/4/2013 | 10:12:56 PM
re: Got Attitude?
This is an interesting question -- why doesn't China employ more obfuscation or false flags to put the blame on other nation-states?

Kelly Jackson Higgins, Senior Editor, Dark Reading
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-11
In JetBrains UpSource before 2020.1.1883, application passwords were not revoked correctly
PUBLISHED: 2021-05-11
In JetBrains WebStorm before 2021.1, code execution without user confirmation was possible for untrusted projects.
PUBLISHED: 2021-05-11
In JetBrains WebStorm before 2021.1, HTTP requests were used instead of HTTPS.
PUBLISHED: 2021-05-11
In JetBrains TeamCity before 2020.2.3, information disclosure via SSRF was possible.
PUBLISHED: 2021-05-11
In JetBrains TeamCity before 2020.2.3, reflected XSS was possible on several pages.