
Kevin Mandia

Appearances

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 4: Naming and Shaming

1017.551

141 times we did investigations and it went back to this bucket of evidence or fingerprints to APT1. They're unbelievably persistent. Like you get these guys out of your network, they're just back the next day. There was no doubt they were badging into a building and this was their job.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 4: Naming and Shaming

1214.425

Well, I would think it is, and it's taking direction from the PLA. And that's why we've released this report, is there's all this public disclosure now that it's China behind lots of these intrusions.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 4: Naming and Shaming

1228.638

I just went into the office by myself and right around 7:30 in the morning, my wife at the time called and literally, this is how I knew we were on the news. I didn't know CNN was filming outside the building, Nicole. The exact words from my wife at the time were, what in the F did you do? And I said, what are you talking about? She's like, turn on the TV. Your name is on every station.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 4: Naming and Shaming

1252.556

And I'd never told her we were writing the report. I never really thought to, you know, or anyone for that matter. We didn't even tell the Mandiant board about it till maybe one day prior. Hey, we're going live tomorrow with a report that pins China's PLA unit 61398 to 141 intrusions, primarily to US companies. I just didn't think it was going to be news.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 4: Naming and Shaming

1593.821

Somebody jumps out of an alleyway and starts hitting me in the face to rob me, I don't block punches going, who are you? I just defend myself, you know?

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 4: Naming and Shaming

1612.89

However, I came to understand over time attribution absolutely matters to hold nations accountable. We need to have rules of engagement in cyberspace.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 4: Naming and Shaming

1670.506

By the time we showed up, it was valid credentials, a user ID and passphrase, log in. And you could tell their operators were used to just sitting at a desk for eight hours a day. And were probably getting paid by the pound. Just take everything you can. Because I used to call it the tank through the cornfield.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 3: The Most Dangerous Time in American History

1961.99

I used to describe them as the most polite hackers in cyberspace because they didn't alter log files. They didn't delete files. They didn't change your data. They kind of let you know they were there, you know, stealing terabytes of data. And after a while, I started wondering, do they think they're doing anything wrong?

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 3: The Most Dangerous Time in American History

339.184

So it wasn't just hacking for security reasons, which the defense industrial base to me would be between the goalposts for fair game for espionage. And I think everybody would nod to that and go, yeah, that's fair game. They make weapons, they make planes. And for security purposes, you may want to know what's the next weapon system going to look like. So you hack in and find out.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 3: The Most Dangerous Time in American History

360.716

But why would you hack a beverage company or why would you hack somebody that is in entertainment? Those reasons were because a lot of these places were doing mergers and acquisitions in China. So it was clear to us there's economic reasons behind these intrusions as well.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 3: The Most Dangerous Time in American History

393.692

The bottom line is if you made something that could help sustain the health and welfare of 1.3 billion people, you got targeted. You know, if you made some heat tolerant crop of some kind, if you made certain chemicals or things that were critical, you were fair game to what they wanted to accomplish in theft of IP.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 2: Then They Came for Us

1878.237

The New York Times going live really made the difference. Washington Post followed suit, Wall Street Journal. Everybody, you know, kind of came out after that. And it became OK to say that you had been compromised by Chinese cyber espionage. But 2004 to 2011, it really was just sort of a thing that didn't get announced.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 2: Then They Came for Us

2038.72

I've done my 10,000 hours of, you know, forensics on these systems, and it was alphabetical. I mean, I hate to say it, these guys were gaining access to machines and just going through the directory that started with A and then the directory that started with B. And they didn't take by file. They just took the whole directory. I used to call it the tank through the cornfield.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 2: Then They Came for Us

2060.073

You know, it was just mowing down files and taking as much as they could.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 1: The Five Poisons

34.751

You know they're there. You see these terrible little scraps of, yeah, they looked at this one file. But you know they looked at 10,000 files. And the evidence has only given you the one. And you're like, oh my god, I'm getting less than 1% visibility into what they're doing here.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 1: The Five Poisons

682.472

You know, I didn't intend to be the wolf when starting Mandiant or even prior in my career, Nicole. I just thought it was materially important to any security company that you need to have a firsthand view of what attackers are doing. You have an adversary that's trying to evade everything you do in the cyber domain. The most important position to have is kind of own that moment.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 1: The Five Poisons

704.288

as you called it, the oh shit moment. It was like November, December, 2009, and a whole bunch of companies got compromised. And the one thing about Google is they had an army of people swarming to respond. So I did go out to California. I remember being somewhere in Googleplex, but more in reality, I noticed the cool bikes and the food.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 1: The Five Poisons

793.823

You know, it was a lot of the companies that were dealing with similar intrusion sets. You know, when we were responding to Google, we had been responding to that exact group for seven years already. It wasn't like we went, well, this is new to us. It was new to Google, I think.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 6: The Gunslingers

1547.048

China's brought the A game and they've changed. And usually when you see these kind of shift changes on offense, oh, their doctrine's changing. Something's changing over there. All I know is somebody made a decision to up them a notch. And we have a gradual incrementalism of aggression on offense out of China over the last few years. And it's going up every year.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 6: The Gunslingers

1577.065

Their techniques are far more innovative and improved than even three years ago. China is the winner in innovation. And you see what happens when they win. You get 75 zero days in a year.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 6: The Gunslingers

216.124

We used to be able to bucketize the forensics, Nicole, into very few groups out of China. And then all of a sudden we get an explosion. That's really it. Where the forensic evidence of each intrusion doesn't feel related to any other intrusion, or it's just different enough that we're like, ah, we're not quite sure if it's the same people.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 6: The Gunslingers

233.833

There's just a dramatic increase in the volume of change, the pace of change on offense.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 6: The Gunslingers

602.343

You know, cyber exploits that have no patch, that's what a zero day is. There's just no way to stop those attacks from working.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 6: The Gunslingers

791.9

We had 32 zero days in 2019 exploited in the wild. To me, that was a world record. I'm like, we've been tracking this since the nineties, 32 in a year. It was mind blowing. And then all of a sudden we hit 81 in '21. And I'm like, wow, the world's different now. And this is seven times what you'd see in 2010. You know, I mean, it's just, that tells you the art of the game right now that you,

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 6: The Gunslingers

821.874

People are finding exploitable code at rates higher than ever before and using it in the wild. Because our numbers, Nicole, are what we assume if we see it, we see it. We're responding to a breach. There's the zero day. And we're seeing that even into today.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 6: The Gunslingers

838.56

More zero days than ever before makes no sense to me when code was way less secure 30 years ago, 20 years ago, and 10 years ago than it is today. So we're building the most secure code we've ever built before, and yet there's more zero days than ever before.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 5: A Cyber Detente

1947.27

We could lock in on the Chinese threat pretty well. And again, between seven to 80 companies a month, sometimes only 30 companies were compromised in a month. And it went down to four or five in August of 2015. And it never comes back up really for a while. And people will say, well, it didn't come back up because China evaded your detection. No, not really. Their behavior changed.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 5: A Cyber Detente

1968.215

You know, it's they're not going to change. We've observed them for so long. You know, they change their behavior when they have to. They were told to change their behavior.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 8: Living Off The Land

1083.792

I think that's what's happening here and that's why there's been additional concern. It's way harder to investigate. So when Mandiant folks go out to figure out what happened and you're up against a group like Volt Typhoon, you know they're there.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 8: Living Off The Land

1094.341

You see these terrible little scraps of, yeah, they looked at this one file, but you know they looked at 10,000 files and the evidence has only given you the one. And you're like, oh my God, I'm getting less than 1% visibility into what they're doing here. And unless you have great identity security, great identity monitoring, you're not going to catch these folks that live off the land.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 8: Living Off The Land

1115.998

And that phrase, I'm going to explain it again, it means the attackers are accessing an organization's network the same way the organization does, period. Same user IDs, same passphrases, same programs. There's nothing special. They've learned your network so well that they look like they're part of your network. And that's really hard to investigate.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 8: Living Off The Land

1139.951

It's not impossible, but it does change how we look at things. We have to do forensics a little differently.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 8: Living Off The Land

1987.288

Nobody really knows if the gloves came off in cyberspace between China and the US, what would really happen. Like, is it pandemonium? I've had the privilege of lecturing on modern warfare, and even I'm not so sure of the collateral damage, but I do know that a lot of things would get less predictable and it would be eerie. Like if the gloves came off in cyberspace,

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 8: Living Off The Land

2011.289

The impact of it, you know, some companies can make phone calls, some can't. Some companies, the gate rises when you go to park and sometimes you can't. Services might shut down. We don't really know the impact just yet and how widespread it would be because we don't understand all the complex dependencies. So it's really hard to even know what to fear.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 8: Living Off The Land

2030.003

What I'm hopeful about is the gloves just don't come off. I don't think they do till they come off kinetically. I really don't think people are just going to unleash everything they've got in cyber. I don't think we've seen China's total A-game.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 8: Living Off The Land

32.955

And all of a sudden we see Chinese threat groups since about late 2020, at least from my observables, hack in and we don't know why, because they're not the tank through the cornfield. They're hacking in and just, that's it. There's no other activity. And then you're like, why are they there? And it's maybe they have access later. Maybe it's to mine user IDs and passphrases.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 8: Living Off The Land

55.741

There's no better way to compromise any organization than if you can just log in, period. The best way to breach an organization is to log into it the same way the employees do. There's just no evidence. And that's what living off the land means. There's no malicious code. There's no backdoor. There's good operational security. If they created a log file that's suspicious, they would edit it.

To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 8: Living Off The Land

81.101

When they wanted to go surreptitious, they were good at it. And that's the thing about digital evidence. You can edit it or delete it. You can change it. It's different than the physical world. You can do some wonderful things if you're on offense and you have the patience and time and skill to do it.