FireEye denies ‘hack back’ claims detailed in new book

Mandiant is pushing back against a claim in David Sanger's new book that its researched was partly aided by 'hacking back' into Chinese government systems.

The company that authored a watershed report on how Chinese hackers operate is pushing back against claims in a new book that the research was conducted through the use of illegal offensive hacking techniques.

In “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” New York Times national security correspondent David Sanger writes that the U.S.-based cybersecurity firm Mandiant penetrated a Chinese military cyber unit after it hacked into one of its customer’s systems in order to nail down attribution.

According to Sanger, while Mandiant observed Chinese hackers breaching a client several years ago, they used it as an opportunity to target the attackers’ systems, which allowed access to a video camera that exposed the hackers’ faces:

 [Then CEO Kevin Mandia] was certain the hackers were part of Unit 61398, but he also knew that accusing the Chinese military directly would constitute a huge step for his company. Over seven years, he had compiled a list of the unit’s suspected attacks on 141 companies across nearly two dozen industries, but he needed solid evidence before he could name them. Yet as long as none of his investigators could get inside the building, whether physically or virtually, to identify the thieves, the Chinese would keep denying that their military had been tasked with stealing technology for state-run Chinese firms.

The passage continues:

Ever resourceful, Mandia’s staff of former intelligence officers and cyber experts tried a different method of proving their case. They might not be able to track the IP addresses to the Datong Road high-rise itself, but they could actually look inside the room where the hacks originated. As soon as they detected Chinese hackers breaking into the private networks of some of their clients—mostly Fortune 500 companies—Mandia’s investigators reached back through the network to activate the cameras on the hackers’ own laptops. They could see their keystrokes while actually watching them at their desks.”

Mandiant, a subsidiary of cybersecurity giant FireEye, denied the book’s claims in a lengthy statement Monday.

“Mr. Sanger’s description of how Mandiant obtained some of the evidence underlying APT1 has resulted in a serious mischaracterization of our investigative efforts,” the statement notes. “To state this unequivocally, Mandiant did not employ ‘hack back’ techniques as part of investigation of APT1, does not ‘hack back’ in our incident response practice, and does not endorse the practice of ‘hacking back.'”


The famous 2013 Mandiant report in question, which analyzed cyber operations undertaken by a specialized Chinese military group, played an important role in establishing the geopolitical significance surrounding nation state-linked hacking groups, which are often tracked by the private sector.

“What Mandiant did through it’s reporting on the PLA [People’s Liberation Army] hackers’ activities was a great public service to the United States,” Andrew Schwartz, a former Mandiant spokesperson and current communications specialist for D.C. thinktank CSIS, told CyberScoop. “The crimes the PLA were committing against U.S. companies was substantial and have led to indictments in U.S. courts as well as important bipartisan policy efforts to stop their crimes.”

Readers highlighted some of the book’s controversial passage on social media, resulting in additional backlash for FireEye.

The book’s claim is especially significant, because of how the U.S. government has cited the APT1 report in policy over the last five years. It essentially provided the government with a way to publicly shame China, without exposing any of its own technical sources or methods. Though senior U.S. officials have repeatedly backed Mandiant’s findings, they’ve done little to independently release declassified research to support its conclusions.


CyberScoop spoke with several current and former FireEye employees who criticized Sanger’s account, instead suggesting a misinterpretation. The employees spoke on condition of anonymity because they were not authorized to speak for the company.

Another passage from the book explicitly describes the outfits of the Chinese hackers that Sanger witnessed through computer cameras allegedly compromised by Mandiant:

“One day I sat next to some of Mandia’s team, watching the Unit 61398 hacking corps at work; it was a remarkable sight. My previous mental image of PLA officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts, and probably saw Mao only if they visited his mausoleum in Tiananmen Square.”

In an emailed response, Sanger responded to Mandiant’s statement from earlier in the day:

Mandiant gave us extraordinary access to their investigation as we were preparing to write about Unit 61398 in late 2012, and the result was our story in the Times, and the company’s report, in February, 2013.  I spent considerable time with their investigators, and saw the images of the hackers as described in “The Perfect Weapon.” Mandiant now says that all those images came from “consensual monitoring” — in other words, that everything they received, from code to message traffic to imagery, was visible because the hackers themselves were transmitting them in the course of breaking into the systems owned by Mandiant’s clients.  While that wasn’t my understanding at the time, passive monitoring is reasonable explanation of how the company came to link the hacks to specific individuals, several of whom have since been indicted by the United States.”

Some industry insiders told CyberScoop they were less than shocked by the claims. Broadly speaking, ‘hacking back’ to gain novel insight into an attacker is fairly well known, despite it being illegal under U.S. law. The practice is often the subject of commonplace rumors amongst the industry.

Subsequent similar research reports from other prominent and capable cybersecurity firms, including CrowdStrike and Dell SecureWorks, has served to further explain in recent years the ways in which China deploys hacking tools to steal intellectual property and U.S. national security secrets.

The dispute also comes during a pertinent moment in time. Public concerns over the geopolitical allegiances of global technology companies has become ever more present.

Recent legislation banned Russian cybersecurity firm Kaspersky Lab from doing business with the federal government due to reported national security risks. Additionally, lawmakers are currently pushing a bill that would place restrictions on business between U.S. suppliers and Chinese telecom companies ZTE and Huawei.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts