When the APT1 report was published, the document was highly detailed, excluding a cyber-spy group from the Chinese People’s Liberation Army, also known as Unit 61398. A year later, the U.S. Department of Justice effectively upheld the report when it convicted five officers. Unit charged with hacking and stealing intellectual property from American companies.
Timothy Stephens, a German cyber-spy investigator and author of the book, says the “APT1 report has fundamentally changed the calculation of attackers’ profit-risk.” Attribution of Advanced Persistent Threats,
“Prior to that report, cyber operations were considered an almost risk-free tool,” he says. The report not only comes with hypotheses but also clearly and transparently documents the analysis methods and data sources. It is clear that this is not a one-off lucky discovery, but that Tradecraft can be applied to other operations and attacks as well.
The results of the headline-grabbing news were far reaching. A similar wave of symptoms followed, with the United States accusing China of systematic large-scale theft. As a result, cyber security was at the center of Chinese President Xi Jinping’s 2015 visit to the United States.
“Before the APT1 report, there was an elephant in the attribution room that no one dared to mention,” says Stephens. “In my opinion it was not only a technical breakthrough, but also a courageous achievement for the writers and their managers to take the final step and make the results public.”
This is the final step that is lacking, as intelligence officers are now well versed in the technical side. To attribute a cyber attack, intelligence analysts look at the range of data, including malware used by hackers, the infrastructure or computers that were designed to attack them, intelligence and intercepted communications, and so on. Qi Bono (Who stands to gain?) – Geopolitical analysis of the strategic motivation behind the attack.
The more data can be examined, the easier the attribution becomes as the pattern emerges. Even the best hackers in the world make mistakes, leave links behind and reuse old tools that help create cases. There is an ongoing arms race between analysts coming up with new ways to unmask hackers and hackers aiming to cover their tracks.
But the speed with which the Russian attack was attributed shows that the earlier delay in naming was not simply due to a lack of data or evidence. The issue was politics.
“It boils down to political will,” says Wild, who has served in the White House until 2019. “For that you need decisive leadership at every level. My interactions with [Anne Neuberger] It leads me to believe that she is the type who can move mountains and cut red tape when needed to start the result. That’s the person he is. “
Wild argues that a possible Russian invasion of Ukraine, which endangers hundreds of thousands of lives, is forcing the White House to act more quickly.
“The administration feels that the best defense is a good precautionary measure to move beyond these stories, to ‘pre-bunk’ them and to inoculate an international audience, whether it’s cyber intrusion or false flags and fake excuses,” he says. Is. Wild.
Public attribution can have a very real impact on opponents’ cyber strategy. It may indicate that they are being viewed and understood, and may impose costs when operations are open and must burn tools to get started. It can also trigger political action such as sanctions that go after the bank accounts of those responsible.
Gavin argues that just as importantly, it is a signal to the public that the government is closely monitoring malicious cyber activity and working to fix it.
“It makes a difference in reliability, especially with the Russians and the Chinese,” he says. “They can obscure everything they want, but the US government is putting it all to public use – forensic accounting of their time and effort.”