Kevin Mandia
Appearances
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 4: Naming and Shaming
141 times we did investigations and it went back to this bucket of evidence or fingerprints to APT1. They're unbelievably persistent. Like you get these guys out of your network, they're just back the next day. There was no doubt they were badging into a building and this was their job.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 4: Naming and Shaming
Well, I would think it is, and it's taking direction from the PLA. And that's why we've released this report, is there's all this public disclosure now that it's China behind lots of these intrusions.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 4: Naming and Shaming
I just went into the office by myself and right around 7:30 in the morning, my wife at the time called and literally, this is how I knew we were on the news. I didn't know CNN was filming outside the building, Nicole. The exact words from my wife at the time were, what in the F did you do? And I said, what are you talking about? She's like, turn on the TV. Your name is on every station.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 4: Naming and Shaming
And I'd never told her we were writing the report. I never really thought to, you know, or anyone for that matter. We didn't even tell the Mandiant board about it till maybe one day prior. Hey, we're going live tomorrow with a report that pins China's PLA unit 61398 to 141 intrusions, primarily to US companies. I just didn't think it was going to be news.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 4: Naming and Shaming
Somebody jumps out of an alleyway and starts hitting me in the face to rob me, I don't block punches going, who are you? I just defend myself, you know?
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 4: Naming and Shaming
However, I came to understand over time attribution absolutely matters to hold nations accountable. We need to have rules of engagement in cyberspace.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 4: Naming and Shaming
By the time we showed up, it was valid credentials, a user ID and passphrase, log in. And you could tell their operators you're used to just sitting at a desk for eight hours a day. And we're probably getting paid by the pound. Just take everything you can. Because I used to call it the tank through the cornfield.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 3: The Most Dangerous Time in American History
I used to describe them as the most polite hackers in cyberspace because they didn't alter log files. They didn't delete files. They didn't change your data. They kind of let you know they were there, you know, stealing terabytes of data. And after a while, I started wondering, do they think they're doing anything wrong?
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 3: The Most Dangerous Time in American History
So it wasn't just hacking for security reasons, which the defense industrial base to me would be between the goalposts for fair game for espionage. And I think everybody would nod to that and go, yeah, that's fair game. They make weapons, they make planes. And for security purposes, you may want to know what's the next weapon system going to look like. So you hack in and find out.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 3: The Most Dangerous Time in American History
But why would you hack a beverage company or why would you hack somebody that is in entertainment? Those reasons were because a lot of these places were doing mergers and acquisitions in China. So it was clear to us there's economic reasons behind these intrusions as well.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 3: The Most Dangerous Time in American History
The bottom line is if you made something that could help sustain the health and welfare of 1.3 billion people, you got targeted. You know, if you made some heat tolerant crop of some kind, if you made certain chemicals or things that were critical, you were fair game to what they wanted to accomplish in theft of IP.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 2: Then They Came for Us
The New York Times going live really made the difference. Washington Post followed suit, Wall Street Journal. Everybody, you know, kind of came out after that. And it became OK to say that you had been compromised by Chinese cyber espionage. But 2004 to 2011, it really was just sort of a thing that didn't get announced.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 2: Then They Came for Us
I've done my 10,000 hours of, you know, forensics on these systems, and it was alphabetical. I mean, I hate to say it, these guys were gaining access to machines and just going through the directory that started with A and then the directory that started with B. And they didn't take by file. They just took the whole directory. I used to call it the tank through the cornfield.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 2: Then They Came for Us
You know, it was just mowing down files and taking as much as they could.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 1: The Five Poisons
You know they're there. You see these terrible little scraps of, yeah, they looked at this one file. But you know they looked at 10,000 files. And the evidence has only given you the one. And you're like, oh my god, I'm getting less than 1% visibility into what they're doing here.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 1: The Five Poisons
You know, I didn't intend to be the wolf when starting Mandiant or even prior in my career, Nicole. I just thought it was materially important to any security company that you need to have a firsthand view of what attackers are doing. You have an adversary that's trying to evade everything you do in the cyber domain. The most important position to have is to kind of own that moment.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 1: The Five Poisons
As you called it, the oh shit moment. It was like November, December, 2009, and a whole bunch of companies got compromised. And the one thing about Google is they had an army of people swarming to respond. So I did go out to California. I remember being somewhere in the Googleplex, but more in reality, I noticed the cool bikes and the food.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 1: The Five Poisons
You know, it was a lot of the companies that were dealing with similar intrusion sets. You know, when we were responding to Google, we had been responding to that exact group for seven years already. It wasn't like we went, well, this is new to us. It was new to Google, I think.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 5: A Cyber Detente
We could lock in on the Chinese threat pretty well. And again, between 70 and 80 companies a month, sometimes only 30 companies were compromised in a month. And it went down to four or five in August of 2015. And it never comes back up really for a while. And people will say, well, it didn't come back up because China evaded your detection. No, not really. Their behavior changed.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 5: A Cyber Detente
You know, it's... they're not going to change. We've observed them for so long. You know, they change their behavior when they have to. They were told to change their behavior.