Kevin Mandia, head of the company that famously highlighted Chinese cyber-espionage earlier in the year, may be feeling the effects of retaliation: he has uncovered a targeted attack that impersonates his limo company.
Every time a car ferries him to one place or another (and Mandia has a lot of speaking engagements), the car service emails him his bill as a PDF. Somehow, bad actors have hijacked that process. He discovered it when invoices arrived on days he hadn't used the service, so Mandia had them checked out.
"I've been receiving PDF invoices not from them, but from an [advanced hacking] group back in China; that's awesome," Mandia told Foreign Policy. "I forwarded them to our security service, and they said, 'Yup, that's got a [malicious] payload.'"
The hackers found out the name of the limo service and spoofed its sender address so that their messages looked like the genuine invoices. That raises the question of how the attackers gained such intimate knowledge of Mandia's personal movements.
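The two things that made the lure work, a sender address that only looks like the car service's and a PDF that carries a payload, are also the two things a mail gateway or an analyst can check first. The script below is an added example, not code from the article or from Mandiant: it parses a raw message, compares the From: domain against the domain the invoices are expected from, reads the receiving server's own Authentication-Results verdicts (SPF/DKIM/DMARC), and scans any PDF attachment for active-content objects (/OpenAction, /JavaScript, /Launch and friends) that an invoice never needs. The expected domain, all addresses and the PDF bytes are constructed placeholders.

```python
"""Triage check for a spoofed-invoice lure with a PDF attachment (added example)."""
import email
import email.policy
import email.utils
import re
from email.message import EmailMessage

# Constructed placeholder: the domain the car service's real invoices come from.
EXPECTED_SENDER_DOMAIN = "example-carservice.invalid"

# PDF name objects a plain invoice never needs but PDF droppers routinely use.
ACTIVE_PDF_TOKENS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA", b"/EmbeddedFile")


def header_domain(value) -> str:
    """Domain part of an address header such as 'Billing <billing@x.test>' or '<x@y>'."""
    _, addr = email.utils.parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def auth_verdicts(msg) -> dict:
    """spf/dkim/dmarc results the receiving MTA wrote into Authentication-Results."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def pdf_active_tokens(data: bytes) -> list:
    """Which active-content tokens appear in the (uncompressed) PDF bytes."""
    return [t.decode() for t in ACTIVE_PDF_TOKENS if t in data]


def triage(raw: bytes) -> dict:
    """Return the spoofing / payload indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []

    from_dom = header_domain(msg["From"])
    rp_dom = header_domain(msg["Return-Path"])          # envelope sender, if the MTA recorded it
    if from_dom != EXPECTED_SENDER_DOMAIN:
        findings.append(f"from-domain-not-expected:{from_dom}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope-mismatch:{rp_dom}")
    verdicts = auth_verdicts(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "none") != "pass":
            findings.append(f"{mech}={verdicts.get(mech, 'none')}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            data = part.get_payload(decode=True) or b""
            if not data.startswith(b"%PDF"):
                findings.append(f"pdf-bad-magic:{name}")
            tokens = pdf_active_tokens(data)
            if tokens:
                findings.append(f"pdf-active-content:{name}:{','.join(tokens)}")

    return {"from_domain": from_dom, "findings": findings, "suspicious": bool(findings)}


def build_sample(from_addr, return_path, auth_results, pdf_bytes) -> bytes:
    """Assemble a constructed test message with one PDF attachment."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "kevin@example-corp.invalid"
    m["Subject"] = "Invoice for your trip"
    m["Return-Path"] = return_path
    m["Authentication-Results"] = auth_results
    m.set_content("Please find your invoice attached.")
    m.add_attachment(pdf_bytes, maintype="application", subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()


# Constructed lure: From: looks right, but the envelope, SPF and the PDF do not.
SPOOFED_SAMPLE = build_sample(
    "Billing <billing@example-carservice.invalid>",
    "<bounce@mail-relay.invalid>",
    "mx.example-corp.invalid; spf=fail smtp.mailfrom=mail-relay.invalid; dkim=none",
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF\n",
)
# Constructed genuine invoice for comparison.
BENIGN_SAMPLE = build_sample(
    "Billing <billing@example-carservice.invalid>",
    "<bounce@example-carservice.invalid>",
    "mx.example-corp.invalid; spf=pass smtp.mailfrom=example-carservice.invalid; dkim=pass; dmarc=pass",
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n",
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

Two caveats a practitioner would add: Authentication-Results is only trustworthy if it was written by your own border MTA, so inbound copies of that header must be stripped at the edge or an attacker simply supplies `spf=pass` himself; and the token scan only sees uncompressed objects, so real droppers that hide the action dictionary inside a FlateDecode stream need the streams inflated (or a proper PDF parser) before the same check means anything.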
"I don't know; that makes me wonder," Mandia told Foreign Policy. It is unlikely that the hackers compromised Mandiant's corporate network to read his email, he said: the company does get attacked "all the time", but it is prepared.
The only conclusion he could come to was that Chinese intelligence operatives are following him to his public appearances.
"At a lot of these presentations, I'm standing here talking, and there are 10 foreign nationals from China. It could be they saw [my car service],” he said.
If it’s true, the scrutiny isn’t that shocking: Mandiant made waves when it released a report in February stating that Chinese cyber-espionage hackers are operating as an arm of the People’s Liberation Army, attacking a range of US enterprise and government targets to steal everything from technology blueprints to business plans to manufacturing information.
It detailed the activities of "Unit 61398," a.k.a. "APT1," which it alleges is a state-sponsored group of 1,000+ people based in Shanghai that successfully compromised 141 companies across 20 industries. In the wake of that high-profile report's publication, the group's activity decreased. But over the summer, Mandiant said that Unit 61398 was back.
China has denied any involvement in the attacks. Hong Lei of the Chinese Foreign Ministry said that "Hacking attacks are transnational and anonymous. Determining their origins is extremely difficult. We don't know how the evidence in this so-called report can be tenable," adding that "arbitrary criticism based on rudimentary data is irresponsible, unprofessional and not helpful in resolving the issue."