FireEye’s Mandiant denies hacking Chinese hackers’ web cams

Mandiant, the FireEye-owned incident response firm, has denied hacking the computers of a top-tier Chinese government hacking crew known as APT1. 

The company is responding to a portion of a new book by the New York Times’ reporter David Sanger, which looks into Mandiant’s 2013 report on the Chinese hacking group called APT1. 

Sanger, the New York Times national security reporter who exposed the Stuxnet attack on Iran’s nuclear enrichment facility, released his book “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” this week. 

The book explores Russian, Chinese, and US hacking against critical infrastructure and how this impacts the public’s confidence in traditional weapons. 

FireEye today effused a section of the book that details the alleged techniques Mandiant’s researchers used to expose the work of and attribute hacking atcivity APT1, which uncovered alleged direct links to China’s People’s Liberation Army. 

The book alleges that Mandiant analysts “could actually look inside the room where the hacks originated”. 

“As soon as they detected Chinese hackers breaking into the private networks of some of their clients — mostly Fortune 500 companies — Mandiant’s investigators reached back through the network t activate the cameras on the hacker’s own laptops. They could see their keystrokes while actually watching them at their desks.”

The hackers, according to Sanger’s account of a Mandiant video, were wearing leather jackets and appeared to be moonlighting, working part time for the government and conducting cybercrime otherwise. 

But FireEye says Sanger misunderstood the video evidence it showed him which led to the reporter to the wrong conclusions.   

“Mr. Sanger's description of how Mandiant obtained some of the evidence underlying APT1 has resulted in a serious mischaracterization of our investigative efforts. Specifically, Mr. Sanger suggests our "…investigators reached back through the network to activate the cameras on the hackers' own laptops." We did not do this, nor have we ever done this,” FireEye said in a statement.  

“To state this unequivocally, Mandiant did not employ "hack back" techniques as part of investigation of APT1, does not "hack back" in our incident response practice, and does not endorse the practice of "hacking back.”"

FireEye said that it did not monitor the hacker’s systems in real-time even though the video appears to suggest that. 

“The conclusion that we hacked back, while incorrect, is understandable.” it said.