US cyber firm denies claim it breached Chinese military hackers


Cybersecurity firm FireEye is pushing back on New York Times reporter David Sanger’s new book for claiming the company’s subsidiary hacked into web cameras used by hackers working for the Chinese government, describing one passage as a “serious mischaracterization” of the company’s investigative work. 

Sanger’s book, “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” alleges that cyber firm Mandiant breached laptops belonging to the Chinese hackers and activated their cameras to track them as part of the company’s work to link cyber-espionage activities to the Chinese group, known as APT1.
On Monday, FireEye, which purchased Mandiant in early 2014, alleged that Sanger mischaracterized the firm’s investigative efforts, stating that the company does not engage in nor endorse “hack back” techniques.

“Mr. Sanger's description of how Mandiant obtained some of the evidence underlying APT1 has resulted in a serious mischaracterization of our investigative efforts,” FireEye said in a statement.

“We did not do this, nor have we ever done this,” the firm said. “To state this unequivocally, Mandiant did not employ ‘hack back’ techniques as part of investigation of APT1, does not ‘hack back’ in our incident response practice, and does not endorse the practice of ‘hacking back.’”

In an excerpt highlighted by Johns Hopkins University professor Thomas Rid, Sanger writes of investigators working for Kevin Mandia, now FireEye’s CEO: “As soon as they detected Chinese hackers breaking into the private networks of some of their clients – mostly Fortune 500 companies – Mandia’s investigators reached back through the network to activate the cameras on the hackers’ own laptops. They could see their keystrokes while actually watching them at their desks.”

Sanger also claims he viewed footage of the hackers via the hacked cameras. 

“One day I sat next to some of Mandia’s team, watching the Unit 61398 hacking corps at work; it was a remarkable sight,” Sanger wrote. “My previous mental image of [People's Liberation Army] officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts, and probably saw Mao only if they visited his mausoleum in Tiananmen Square.” 

FireEye suggested Monday that Sanger may have mistakenly concluded that the company breached the hackers’ computers while viewing videos the company compiled showing hackers interacting with malware command and control servers. Those clips, the company said, were made through consensual network monitoring of the company’s infected clients. One of the videos was made public in 2013, when Mandiant released its report exposing the cyber espionage group’s activity.

“To someone observing this video ‘over the shoulder’ of one of our investigators, it could appear as live system monitoring,” FireEye said Monday. “Nevertheless, Mandiant did not create these videos through ‘hacking back’ or any hacking activity. All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised.”

The video referenced by FireEye contains no real-time images of hackers wearing “leather jackets” or “undershirts.”

In a statement responding to FireEye later Monday, Sanger said that it wasn't his understanding that Mandiant was able to track the hackers as a result of "consensual monitoring" when he engaged with the firm to inform his reporting, but that in hindsight it is a "reasonable explanation" for the information they were able to access.

"Mandiant gave us extraordinary access to their investigation as we were preparing to write about Unit 61398 in late 2012, and the result was our story in the Times, and the company's report, in February, 2013. I spent considerable time with their investigators, and saw the images of the hackers as described in 'The Perfect Weapon,'" Sanger said.

"Mandiant now says that all those images came from 'consensual monitoring' -- in other words, that everything they received, from code to message traffic to imagery, was visible because the hackers themselves were transmitting them in the course of breaking into the systems owned by Mandiant's clients," Sanger continued. "While that wasn't my understanding at the time, passive monitoring is a reasonable explanation of how the company came to link the hacks to specific individuals, several of whom have since been indicted by the United States."

In 2013, Mandiant released its unprecedented report exposing a multi-year cyberattack campaign by Chinese espionage group APT1. FireEye acquired Mandiant for about $1 billion at the beginning of 2014.

Sanger’s book, which was released last week, delves into major cyberattacks that have impacted geopolitics in recent years.

This story was updated at 6:29 p.m. to reflect comment from David Sanger.