Why Mandiant Decided to Go Public About Chinese Cyber Spies

For computer security company, official denials about hacking became "comical"

Computer security firm Mandiant’s decision to expose what it calls one of China’s most aggressive cyber espionage units is likely to have far-reaching and as yet unknowable implications for U.S.-China relations, as well as ongoing intelligence operations that could conceivably be disrupted now that the company has outed the Chinese hackers. So why didn’t they stay quiet? 

Back in October, after years of collecting data, the company considered writing a report about the Chinese group, which it has dubbed APT1. But it was the high-profile hacking of the New York Times, revealed last month, that convinced Mandiant they should make their case publicly about pervasive spying operations targeting U.S. companies. 

Initially, the company’s experts thought they’d produce a much smaller release than the unusually detailed, 74-page report (not including appendices) that Mandiant published Tuesday. As discussions progressed over the next two months, the company decided “it was an interesting idea, and we should go forward,” says Dan McWhorter, a managing director in charge of threat intelligence at Mandiant. 

But then, late last month, the Times revealed that its reporters had been targeted by hackers, believed to be in China, who were looking for information on a major exposé about Chinese officials. The Times hired Mandiant to investigate the breach, and its experts found that the spying aimed at the newspaper fit the profile of other espionage campaigns it had traced to China. A day later came reports that Chinese spies had penetrated the networks of other news organizations, including the Washington Post and the Wall Street Journal. The Chinese government gave its usual boilerplate denial. A spokesman for the Chinese embassy in Washington said it was “irresponsible to make such an allegation without solid proof and evidence.”

But Mandiant believed it had the evidence–and plenty of it–not just about Chinese spying against news companies, but of a much broader, persistent campaign going back to 2006, targeting many different sectors of the U.S. economy. 

China’s denials have become “comical,” McWhorter says. After officials’ protestations about the Times story, which called into question Mandiant’s own credibility since it had assisted in the investigation, the company decided it was time to name names. 

“That definitely cemented our resolve to make this a very public document,” McWhorter says. 

A big question now is whether the U.S. government is happy that Mandiant did. Sources close to the Defense Department and the intelligence community tell me that the initial reaction has been generally positive. It’s not as though the Obama administration doesn’t believe that China is behind much of the cyber spying against U.S. companies. But now, a credible document, with evidence that can be debated and tested, is out in the open. Behind the scenes, U.S. officials will have a detailed and, importantly, non-classified body of evidence to present to Chinese officials, and they might have better luck persuading them to stop the spying. (Wishful thinking perhaps.)  

Also important, the fact that this document comes from a private source means that if the government chooses to use it in negotiations, it doesn’t compromise any ongoing U.S. operations against the Chinese group in question, of which there are some, sources say.

Another indication that the U.S. is ready for this information to see the light of day: Three days ago, the FBI and the Homeland Security Department issued a security bulletin about “various cyber actors” that have engaged in malicious activity against the U.S. The document doesn’t name China or any Chinese military organizations. However, it includes a long list of IP addresses and domain names that companies should watch out for, because they’re believed to be associated with malicious actors. 

Many of those same specific warnings are contained in the appendices of Mandiant’s report, which traces them back to the Chinese hacker group, APT1. Considering that the U.S. government’s advisory was released within a day of Mandiant’s report, it would seem that U.S. officials also thought now was the time to make a public warning about Chinese spies.