The mysterious disappearance of China’s elite hacking unit

The company that helped uncover major online security breaches from China last year says exposing the hackers had the effect of shutting them down — at least temporarily.
Last year, the New York Times reported on what it believed to be an elite Chinese military unit that had been sitting on its networks, quietly spying on it and countless other U.S. companies. The news kicked off months' worth of debate about America's exposure to cyberattack.
The unit, labeled as "Advanced Persistent Threat 1" or APT1 by the independent security firm Mandiant, usually communicates with the malware it has installed in various targets year-round.
But after the Times sounded the alarm in early 2013, APT1 ceased virtually all its activity, according to a new report from Mandiant published Thursday.

(Mandiant)

That's unusual behavior for this group compared to previous years. And it's also an abnormal pattern compared to other threats Mandiant tracks and that it says are based in China. Take an actor they call APT12, for instance.

(Mandiant)

After the Times report, this advanced persistent threat didn't stop its activities for more than a couple months. If anything, its command and control communications seemed to intensify in late summer last year compared to previous years.
What can we draw from this data?  First, security experts say it appears that APT1 is being operated by a rational actor that can alter its behavior in response to external stimuli. The decline in APT1's activity coincided not only with the Times' report, but also with denials by the Chinese government that it was probing U.S. networks.
"This is actually fascinating evidence that shows that you have an adaptive adversary," said Allan Friedman, a cybersecurity scholar at George Washington University. "If we interpret this as a fairly complete sample, then it looks like they shut down things as soon as this information was published."
That's supported by another finding in the Mandiant report showing that APT1 abruptly changed the IP addresses it was using to access its malware when Mandiant issued its own profile on the hacking unit.

(Mandiant)

The fact that APT1 took steps to avoid detection is also relevant, experts say.
"To see that that's actually playing out in the background, that APT1 is supporting this denial storyline the government is telling, shows that they wanted to be seen as not actively doing this, or at least to cover up their involvement," said Mandiant threat intelligence manager Laura Galante.
The drop in activity may also suggest that "naming and shaming" by the United States is a viable tactic, said Jason Healey, a cyber scholar at the Washington-based Atlantic Council.
"When APT1 eventually bounced back," said Healey, "I heard from people saying, naming and shaming doesn't work. But it was never followed up by a campaign of, 'When they bounce back, what do we do to hit them again?'"
What's still unclear is who orchestrated the change in behavior. It's possible that higher-ups in the Chinese government were not aware of what APT1 was doing, said Friedman. If that's the case, he said, then upon seeing the U.S. reports, Beijing may have called down to stop the activity because it didn't serve China's strategic mission. But Friedman adds there's also a chance that APT1's espionage was part of an officially sanctioned program, and that when APT1 was detected, its tactics changed simply to limit the Chinese government's exposure to criticism.
Based on Mandiant's more recent data that hasn't been published yet, Galante finds the latter argument more persuasive.
"We still see a similar volume of Chinese APT activity in client networks," she said. "I could say with confidence that the threat from Chinese-based actors to corporate networks, particularly in industries the Chinese [government] has identified to be strategic emerging industries, remains an unabated threat."