NEAL CONAN, HOST:
Yesterday, the Pentagon blamed China for hacking into U.S. computers to steal America's innovations. An annual report on China's military included the accusations that some cyberattacks, quote, "appear to be attributable directly to the Chinese government and military." China's military denied those accusations just as it did earlier this year when The New York Times was hacked. A computer security company traced that attack and others back to an area just outside of Shanghai that's home to a unit of the Chinese military. Dan McWhorter is managing director of threat intelligence at Mandiant. He joins us now by phone from his office in Columbus, Ohio. Nice to have you on the program today.
DAN MCWHORTER: Yeah. Thanks, Neal. I appreciate it.
CONAN: And do the Pentagon's allegations - do you think they vindicate your earlier finding?
MCWHORTER: Yeah. I think they do to some extent, although we've seen a lot of evidence earlier, not necessarily from the Pentagon but from, you know, the House and the Senate and former, you know, high-ranking officials where they validated our response, or our publication. But, yeah, it's nice to see it written by the Pentagon as well.
CONAN: And take us back. You were brought in to The New York Times by The New York Times after they realized that they were being hacked.
MCWHORTER: Yeah. They were one of several media outlets that we had observed being attacked by different attackers. The groups that were there were different than the ones that we outlined in our report in February but very much still centered on China and, you know, their quest to conduct cyber activities for their benefit.
CONAN: For their benefit in the case of The New York Times, what they might've been interested in is The New York Times reporters in China, their sources.
MCWHORTER: Yeah. I think there's a lot of different ways to look at it. You know, you'll never quite know for sure what their intentions were. I mean, you come look at things that have been stolen from their compromises and the victims and try to, you know, assess what the final impact was. But certainly, you know, trying to understand, you know, the dissidents and their motivations and understanding sources of information and then also affecting the, you know, the message that's going out to the people is definitely in the interest of the PRC.
CONAN: Other companies, their interests are different?
MCWHORTER: Yeah. A lot of times we're seeing, you know, a lot of interest as far as, you know, industry and economic advantage. So hacking into companies in order to obtain intellectual property that can help them come to market faster in a certain, you know, area or product, to make something more efficient, to make it more effective, to take ingenuity and invention that we've come up with and be able to bring them to market in a quick period of time without having to (technical difficulties) that we did, coming up with the ideas or coming up with the innovation.
CONAN: And is there an example you could give us? I know this is sensitive information.
MCWHORTER: Sure. One of the examples of, you know, you can look at is, you know, some of the military examples we've seen before like, you know, the stealth bomber is a good example where, you know, you look - it was really a process of over 50 years that it took us to develop such technology but yet, you know, China was able to embrace that technology and come up with a similar type of capability in extremely rapid times by being able to, you know, hack in and obtain, you know, drawings and things like that that explain how the fighter was put together.
CONAN: And that sort of, you know, stealing military secrets is - everybody's espionage services do that. It's also expected. Stealing corporate secrets, that's different.
MCWHORTER: Yeah, it is. And it's really something different that we've seen. You know, we've seen hackers or, you know, cyber-espionage or rather cyberattacks go on for financial benefit and gain. We've seen that a lot out of like Eastern Europe, where they're stealing credit cards and things like that. Where China's very different. They seem to be attacking early to improve their economy, to improve their economic advantage as well as doing traditional cyber-espionage type of military to military type of intelligence gathering.
CONAN: And what's been different is in the past year or so, more companies have made public the fact that they've been hacked.
MCWHORTER: Yeah, I think it's happening more and more. It's no longer a super-taboo thing where no one would talk about it. That was one of the interesting things when our company first started, you know, nine years ago and we would be responding to incidents. It was very, very uncommon for someone to come out and say, hey, yeah, we've been compromised, let's talk about it, because it was seen as, oh, there was a huge breakdown in security. What are you doing? You're not protecting your IP. Shareholders are going to be furious and leave and your stocks are going to drop.
What we're seeing now more and more is that almost every company that has, you know, major significance in the economic market, at one time or another has suffered a breach. And so it's not nearly as taboo to come out and say, yeah, we had a problem. This is how we dealt with it, and this is the impact of what was lost.
CONAN: In your experience, is it American companies that do business with China that find themselves hacked, or is it - could be anybody?
MCWHORTER: Well, the APT1 report that we put out in February is sort of a good indication of that, in that, you know, we have a lot of visibility in the U.S. and what happens here. But I mean, we have plenty of evidence of non-U.S.-based companies, you know, being attacked and we've helped people all over the world deal with compromise. I don't think it's, you know, exclusively limited to people that do business in China or have an interest in the Chinese market.
I think where the focus comes where, you know, China's attention towards you or your company or your organization comes is when they see that you have a competitive advantage. So whether you choose to compete in the Chinese market or not, there are still risks that they see that you have something they don't and that they want to acquire.
CONAN: You expect that the Defense Department or big defense contractors like Lockheed Martin should be able to protect themselves. Companies need to protect themselves as well. Yet what are they - what can they do about it when their intellectual property is stolen?
MCWHORTER: There's not a lot you can do. I mean, it's difficult to trace it back to the exact organizations or the exact locations or the exact people that stole the data, and that's one of the things we run into often. And that's one of the more unique things about the report we put out in February, that we did have a lot of information, a lot of data because of the amount of activity that that APT1 group had done and for length, you know, over six period - six-year period, if not longer, that we were watching them.
We have a lot of data to go on to predict, you know, where the attacks are coming from and to be able to analyze that and figure out which unit was doing the work. A lot of times you're not in that situation when you've been hacked. You're almost - you're a victim and you don't really know who the attacker was. It's like someone - our CEO jokes sometimes, it's like someone coming up, punching you in the face and turning around and running. You just don't know who did it.
And that's the situation a lot of organizations are in. So I think the thing to really think about is how you're going to respond. We've spent tons of money and tons of time and investment over the last, you know, decade, decade and a half, of protecting, building the fence, building the locks, putting the bars on the windows to keep people out. And that's all great. I think we still need to do that. But we also have to be able to detect when these come in. So you need to install that alarm system that says, hey, we've been breached. Now what are we going to do about it? How are we going to respond?
You know, how can we contain the incident, kick out the bad guys and limit the amount of exposure we have to the compromise? And that's really how the game's shifted, I think, as far as what corporations need to do going forward, and the government, for that matter.
CONAN: Tell us a little bit about this unit that you tracked down for six years.
MCWHORTER: Yeah. Unit 61398, they're an intelligence unit inside of the People's Liberation Army of China. We tracked them down. In our report in February, we had - we released over 3,000 digital indicators that would help companies and organizations detect these actors on their network. But they had a very broad thirst for knowledge. We saw over 20 different industries hacked, from, you know, media, to satellites, legal, navigation, public affairs, science, international organizations, electronics, sort of - they had a very broad thirst for information, and so they did a lot of attacking.
In our report alone, and you know, since our report came out, there's been so many other organizations that have stepped up and other security firms to really add to the understanding of the breadth of the problem. It's huge. But we, just ourselves as a 300-person company, identified over 140 victims over the last six years that have had their intellectual property stolen. So this is a pretty broad campaign.
CONAN: Is this up to the government to respond, to the Chinese government, saying cut it out or else?
MCWHORTER: Well, I think there's certainly that element. We've seen some of that. You know, I think it was two days after the release of our report you saw the Obama administration come out and make comments towards China as far as, hey, we're going to come to the bottom of this. We need to develop a plan to deal with it. You see reports like the Pentagon report that came out yesterday highlighting and really, for the first time, putting in print from the Pentagon's perspective that this is a problem, at least in a non-classified setting, that this is a problem and this is what's going on with China.
I think, you know, we've seen diplomatic moves on the U.S. part. But there's also a responsibility of American corporations as well to protect themselves. I think for a long time, you know, the thought was let's do as much business as we can in China, you know, recognizing it might have some negative consequences but definitely seeing the net positive. And it still might be the case that there's a net positive to do business in China, that you'll make enough money to overcome the amount of money you're going to lose in, you know, innovation and research and development.
But I think it's getting to be a closer calculation as far as, you know, is it a net positive or is it a net negative to go and do business with China. So I think, you know, as American corporations and organizations, we have a responsibility as well. And I also think the government has a responsibility to step up and try to protect its economy and its, you know, its corporations.
CONAN: Is there a temptation on the side of either corporations or indeed the government to retaliate in kind?
MCWHORTER: I think there is. You know, the government, I think, held a pretty long and hard stance that, you know, when they do conduct computer network operations, it's for national security reasons and for, you know, more like military-to-military type of espionage, which is more accepted. You know, I don't think that it's in America's best interest to lower our standards or the way that we operate things that we believe in as far as free markets and open competition to go and, you know, hack Chinese corporations and steal their secrets.
I think that's a bad plan for us. I think we ought to continue to take the high ground but find ways to apply pressure to China, to get them to quit doing it.
CONAN: Have you seen any change in the activities of, for example, that military unit, 61398?
MCWHORTER: Yeah. We did. It's sort of interesting. By and large, we tracked over 25 different groups that we attribute back to China. We track another 190 groups that we just don't know yet. We don't have enough data to say where they're coming from and who they are. But, you know, the 25 groups that we watch coming from China, the overall activity level really never changed, even after our report.
That one particular group that we tracked call - that we called APT1, we did see them go dark for a while. They're definitely limited. They never went completely dark. We were always able to watch them, to do some level of activity even after the report was released. But what's interesting is that we are seeing a gradual rise. They went dark for a while but they're coming back.
Just a few months later, we've seen them start to change their infrastructure and their tools so they're not picked up by the indicators that we released in our report. So in our report, we detailed their method of operations and ways that people could find them in their network and identify where they were coming from. And they've changed those, which you would expect.
MCWHORTER: And they're starting to come back. That particular group is starting to get more active.
CONAN: And I have to ask, in all of this has Mandiant been hacked?
MCWHORTER: No, we haven't. We've definitely been the target of attacks. But that's been the case for, you know, six, seven years. You know, we have a tool that we put out. We've seen people try to, you know, mimic the tool or, you know, mimic the naming of our tools. End(ph) customers' environments, they get a false sense of security. Those types of things, but nothing that indicates a breach on our end.
But, you know, you need to remain ever vigilant and it's always a potential. I mean, any, you know, whatever security company or regular company, I mean it's always easier to play offense than it is to play defense. It's just like, you know, the Secret Service and their job of, you know, protecting the president.
I mean you could do a lot of things. You can sweep the areas, you can look for people, you can look for weapons, but you know, at the end of the day it's a lot easier to try to take a shot at a president than it is to protect him. And every organization's in that situation - I mean we'll see security companies get compromised in the future just like everybody else.
CONAN: Dan McWhorter, thanks for your time.
MCWHORTER: Thanks, Neal.
CONAN: Dan McWhorter works in threat intelligence at the computer security company Mandiant. He joined us from his office in Columbus, Ohio. You're listening to TALK OF THE NATION from NPR News. Transcript provided by NPR, Copyright NPR.