FireEye in “Hacking Back” Conundrum

While the world collectively experiences football fever and only wants to read stories about Kane, Messi, and Ronaldo all else seems to take a back seat. However, despite our attention been elsewhere the world still turns. An example of this can be seen in recent accusations leveled at security firm, FireEye. The Firm has been accused of illegally "hacking back" a Chinese nation-state cyber-espionage group. The accusations and inevitable social media discussions began after the release of “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” a book written by David Sanger, a renowned New York Times national security journalist.

In 2013, FireEye published a report called “APT1, Exposing One of China’s Cyber Espionage Units.” The report was seen as a revelation in the InfoSec community and is mentioned with the same reverence English academic have for the collected works of Shakespeare. The fabled report exposed the activities of Chinese hackers in a depth of details like never before, even going as far as pinning the hacking on Unit 61398 of China's People’s Liberation Army (PLA). Unit 61398 would earn the name APT1, earning the designation of 1 amongst an estimated 20 other advanced persistent threat groups (APT) believed to be operating out China.

The main reason the report was seen as a landmark for the InfoSec community was that it directly attributed the actions of APT1 to the PLA. This level of attribution was unheard of previously. Attributing responsibility for any cyber attack or cyber espionage campaign is an uphill task at best, often it is near impossible. It is how FireEye managed to get enough evidence it confidently attributes responsibility to a state-sponsored group.

fireeye hacking back

Sanger’s Claims

According to Sanger’s book, FireEye might have obtained all these details by “hacking back” the Chinese APT. “Hacking back” is a term used to generally describe the practice of using offensive hacking techniques to breach an attacker's systems to determine identity, what was perhaps stolen, or even potentially destroy data which may have been stolen. “Hacking back” is currently illegal. Under US law such actions may only be done by approved US military personnel and are incredibly limited. Sanger’s claims arise from him being able to sit down with researchers, prior to the release of the report, when the company in charge of the investigation was Mandiant which was purchased by FireEye in 2014.

In a tweet a portion of Sanger’s book has been reproduced confirming Sanger’s claim:

“Ever resourceful, [Mandiant CEO Kevin Mandia's] staff of former intelligence officers and cyber experts tried a different method of proving their case. They might not be able to track the IP addresses to the Datong Road high-rise itself, but they could actually look inside the room where the hacks originated. As soon as they detected Chinese hackers breaking into the private networks of some of their clients—mostly Fortune 500 companies—Mandia's investigators reached back through the network to activate the cameras on the hackers' own laptops. They could see their keystrokes while actually watching them at their desks.”

Further:

“One day I sat next to some of Mandia's team, watching the Unit 61938 hacking corps at work; it was a remarkable sight. My previous mental image of PLA officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts, and probably saw Mao only if they visited his mausoleum in Tiananmen Square. "They were such bros," Andrew Scwartz, one of Mandia's communications specialists, recalled later.”

FireEye Responds to Accusations

In a statement published June 25, FireEye refutes these claims. In the statement, the company believes that Sanger mischaracterized what really happened, and might have simply misunderstood what he was shown that day when he was allowed to sit with Mandiant, now FireEye, employees. FireEye insists that Sanger never observed real-time hacking, but only pre-recorded videos of APT1 operators interacting with computers on the network of compromised companies. Further FireEye was quick to point out that it had obtained permission from these companies to leave the compromised PCs intact and observe what the hackers were doing. Further, it was stated that at no point its employees utilized offensive hacking techniques that are considered illegal.  Attached to the report the company released one of the videos they recorded of APT1 hackers active on one of these compromised PCs.

What’s the big deal?

While it is illegal for security firms and by default individuals some might ask why the big deal. Despite the obvious political ramifications, there are other reasons to make such tactics illegal. Another point to make is while it is illegal cyber-security firms have been known to hack back many times before. No firm will acknowledge it due to its inherent illegality and no firm wants to spend extended periods in court. This is especially true if the targeted hacked back is a state-sponsored group situated in one of the more powerful countries.

However, this illegality might not be the case in the future, particularly in the US. In 2017 a proposed bill was put before the government with the intention to amend section 1030 of the Computer Fraud and Abuse Act. The amendment would enable victims of ongoing cyber-attacks to fight back against hackers by granting victims more powers to engage in active defense measures to identify the hacker and disrupt the attack. Many believe that if this bill is passed in future, or any other bill with similar intentions is a bad idea. Despite our legal right to defend ourselves and property against physical attack, cyberspace does not operate like the real world. As mentioned above attributing responsibility is generally almost impossible. This gives rise to a legitimate fear that “hacking back” responses could target the innocent rather than those responsible. Introduce attacks conducted by botnets, such targeting of the innocent is most certainly a possibility.