Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:45 PM
Tom Parker
Tom Parker

Got Attitude?

Attack attitude: Does China really not care about attribution?

Following up on my previous blog post on the Comment Crew (or APT1, to quote a Mandiantism) attack and related coverage, I wanted to dig a little deeper into the observed attitude about the documented attack activity and what we might learn about the operating environment and overall sentiment toward OPSEC and attribution.

In the United States, the general perception both in and outside of the security industry is that China-based threat actors simply don’t care about attribution. Given the outwardly brazen appearance of the many attacks thought to have originated from China, one could certainly be forgiven for making this assumption. While not entirely incorrect, I firmly believe that what is actually going on is far more deeply nuanced than we are currently giving the Chinese credit for.

Let me begin by saying clearly: China cares far less in the subtlety department than, say, the United States. If this weren’t the case, then you would surely expect to have seen more evidence of the U.S. (and other nations) using offensive cybercapabilities with the same frequency and scale that we’re seeing coming from over the Pacific. China, in the same breath as denying its own involvement in cyberattacks, has stated that it believes the U.S. is up to the very same things that the U.S. has accused it of -- and yet the evidence all points in the direction of the former accusation.

Sure, this could, in part, also be attributed to the U.S., et al., viewing cybercapabilities as more of a tactical capability and therefore far more narrowly focused. However, the point is that there is an overt sense of justification in the use of offensive cybercapabilities on the part of China, which plays a key role when forming attitudes toward attacks for adversaries both within and outside of its government. This and other driving factors are infrequently discussed as a part of the investigative dialogue when dissecting attacks.

When we consider this attitude toward the use of cybercapabilities against the U.S. and the Comment Crew attacks, a slightly different story emerges than one of complete arrogance on the part of the individuals documented to be associated with the Comment Crew. This matters because it demonstrates a presence of mind, rather than belligerence in the planning and execution of these attacks. In short, being attributed was a decision, not a foregone conclusion, owing to a lack of capability on the part of the adversary.

Since the press frenzy over the Comment Crew attacks, I’ve had numerous conversations with peers in the industry over possible repercussions for the individuals who were publicly named and shamed. The general response I seem to get goes somewhere along the lines of, “Of course nothing will happen to them; China simply doesn’t care about attribution.” While this would likely be true if we were dealing with a belligerent adversary who feels it can act without consequence, I think this is far from the truth. Further, the military unit implicated in the Comment Crew case (Unit “61398”) is a branch of a military (read: non-civilian) organization, where discipline and consequence are certainly not unfamiliar concepts. If I were to place bets on the topic, then my money would be on the population of a Chinese labor camp having increased by at least one in the past month.

In closing, while the bravado, denial, and other more overt attributes of attacks associated with the PRC may draw us to believe that China just doesn’t care, this is simply not the case. The reasons stated make it a far more formidable adversary than the cyberdrunkard that China is often mischaracterized as.

Tom Parker is CTO of FusionX LLC


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/10/2013 | 3:11:18 AM
re: Got Attitude?
Even though the claim made by-Tom Parker that,

"...what is actually going on is far more deeply nuanced than we are currently giving the Chinese credit for."

may very well be true, since the Chinese typically have a strategic bent, he did not prove it conclusively in his article. -The article merely skirts around this issue with-rhetoric-and does not provide specific evidence and analysis to prove his point.

To this reader the article therefore was a disappointment.
User Rank: Strategist
4/4/2013 | 10:12:56 PM
re: Got Attitude?
This is an interesting question -- why doesn't China employ more obfuscation or false flags to put the blame on other nation-states?

Kelly Jackson Higgins, Senior Editor, Dark Reading
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.