FireEye denies 'hack back' against China's Unit 61398

Security researchers involved in the 2013 unmasking of Chinese hacking group “Unit 61398” have denied explosive claims aired this week that they “hacked back” against the group to monitor its activities.

Mandiant researchers say they could not see hackers' keystrokes.

The claim comes from a new book by the NYT security correspondent David Sanger, titled The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age.

Excerpts of the book, republished via Twitter yesterday, said that when researchers from Mandiant - now owned by FireEye - detected the Chinese group breaking into clients’ networks, “Mandiant’s investigators reached back through the network to activate the cameras on the hackers’ own laptops”.

“They could see their keystrokes while actually watching them at their desks,” the excerpt states.

“One day I sat next to some of Mandiant’s team, watching the Unit 61398 hacking corps at work; it was a remarkable sight.”

The apparent use of hack back techniques as part of Mandiant’s investigation was fiercely debated among security professionals.

Hack back - where people attack computers that are attacking them - has been invariably described as “very unwise” to “the worst idea in cybersecurity”.

Those involved in the unmasking of Unit 61398 - which resulted in Mandiant’s landmark “APT1” report in 2013 - say they did not hack back as part of their forensic investigations.

FireEye categorically denied ever watching hackers at work via the hackers' own webcams.

“We did not do this, nor have we ever done this,” the firm said.

“To state this unequivocally, Mandiant did not employ ‘hack back’ techniques as part of our investigation of APT1, does not ‘hack back’ in our incident response practice, and does not endorse the practice of ‘hacking back’.”

FireEye said that the book’s claims were likely the result of a misunderstanding of “consensual network monitoring” of victim organisations, which the firm said Sanger observed with Mandiant investigators as part of the initial 2013 disclosure.

The firm said the author was shown videos of “Windows Remote Desktop Protocol (RDP) network packet captures (PCAP) of internet traffic at these victim organisations”, but these did not show “live system monitoring” of hackers’ activities.

“Mandiant has never turned on the webcam of an attacker or victim system,” it said.
“In short, we do not fight hackers by hacking, but by diligently and legally pursuing attribution with a rigour and discipline that the cause requires.”

Mandiant’s former chief security officer Richard Bejtlich similarly refuted the idea that researchers had gained a direct line into Unit 61398’s operations.

“At no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into adversary systems,” he said.

“During my six year tenure, we were publicly and privately a ‘no hack back’ company. I never heard anyone talk about hack back operations.

“No one ever intimated we had imagery of APT1 actors taken with their own laptop cameras. No one even said that would be a good idea.”

Bejtlich said he had “privately contacted former Mandiant personnel with whom I worked during the time of the APT1 report creation and distribution” and they similarly had no knowledge of hack back operations being used.