The decision by the US to name names sets an intriguing but risky precedent
The popular view of state cyberwar and espionage is that it has no name, no face and certainly doesn’t keep regular hours from nine to five. It’s almost as if the attacks happen by themselves, salvoes launched by some kind of nascent machine intelligence that just knows what governments want it to do on their behalf.
The decision by the US Department of Justice to name five members of China’s People’s Liberation Army (PLA) it believes are behind hacks on US firms reminds us that this view is wildly and comically mistaken. Cyberattacks between states are always designed by professionals as the end result of conventional hierarchies, planning meetings, occasional moments of brilliant inspiration, and a few bad ideas.
In the world of cyberwar brands, they don’t come bigger than China’s Comment Crew, also known as PLA Unit 61398 ever since consultancy Mandiant famously tracked its activity down to a nondescript building on the edge of Shanghai.
Although the names of alleged PLA 61398 staff have not been on the record before, just about everything else about this supposedly “shadowy” unit has. The DOJ’s court indictment adds some banal but significant details such as suspiciously regular spikes in hacking activity around 8am, a lull at lunchtime, followed by a further spike until perhaps 5.30pm.
A new analysis by FireEye (which bought Mandiant) backs this up by apparently tracking the group’s operatives logging in to their RDP-based command and control at specific times of the day that correspond to the Chinese military’s hours of business, i.e. only Monday to Friday while keeping regular hours.
“[A total of] 98.8% of the connections occurred between 7am and midnight China Standard Time,” noted FireEye, compelling evidence that these guys might hack the US for a living but they don't do overtime if they can help it.
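The FireEye finding quoted above is a temporal profile: take every login to the command-and-control host, convert the timestamps into the suspected operator's local time zone, and see how tightly they cluster into a working day and a working week. The following is an added example of that analysis and is not FireEye's or Mandiant's code; it assumes a flat text log with one record per line (an ISO-8601 UTC timestamp, a source address and an event name), and the sample records are constructed for the illustration. The 7am-to-midnight window is the one the article cites.

```python
"""Hour-of-day and day-of-week profiling of C2 login records.

Added illustration, not the code of any vendor named in the article.
Assumed log format, one record per line:
    <ISO-8601 UTC timestamp> <source-ip> <event>
The sample records below are constructed for this example.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# China Standard Time (UTC+8) observes no daylight saving, so a fixed offset is exact.
CST = timezone(timedelta(hours=8), name="CST")

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

# Constructed sample: RDP logins to a C2 host, recorded in UTC.
SAMPLE_LOG = """\
2013-02-04T00:05:12Z 10.0.0.1 rdp_login
2013-02-04T01:10:40Z 10.0.0.1 rdp_login
2013-02-04T03:55:03Z 10.0.0.2 rdp_login
2013-02-04T06:20:18Z 10.0.0.1 rdp_login
2013-02-04T09:31:00Z 10.0.0.2 rdp_login
2013-02-05T00:12:44Z 10.0.0.1 rdp_login
2013-02-05T05:48:09Z 10.0.0.3 rdp_login
2013-02-06T02:30:00Z 10.0.0.1 rdp_login
2013-02-07T08:15:30Z 10.0.0.2 rdp_login
2013-02-08T01:00:00Z 10.0.0.1 rdp_login
2013-02-09T20:00:00Z 10.0.0.1 rdp_login
2013-02-10T22:07:00Z 10.0.0.3 rdp_login
"""


def parse_log(text, tz=CST):
    """Return every record's timestamp converted into the target time zone."""
    times = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp = line.split()[0]
        utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        times.append(utc.astimezone(tz))
    return times


def hour_histogram(times):
    """Count logins per local hour of day (0-23)."""
    return Counter(t.hour for t in times)


def weekday_histogram(times):
    """Count logins per local weekday, keyed by three-letter name."""
    return Counter(WEEKDAYS[t.weekday()] for t in times)


def share_in_window(times, start_hour=7, end_hour=24):
    """Fraction of logins whose local hour lies in [start_hour, end_hour)."""
    if not times:
        return 0.0
    hits = sum(1 for t in times if start_hour <= t.hour < end_hour)
    return hits / len(times)


def weekend_share(times):
    """Fraction of logins that fall on a Saturday or Sunday in local time."""
    if not times:
        return 0.0
    return sum(1 for t in times if t.weekday() >= 5) / len(times)


if __name__ == "__main__":
    local = parse_log(SAMPLE_LOG)
    print("logins by local hour:", sorted(hour_histogram(local).items()))
    print("logins by weekday:   ", dict(weekday_histogram(local)))
    print("share 07:00-24:00 CST: %.1f%%" % (100 * share_in_window(local)))
    print("weekend share:         %.1f%%" % (100 * weekend_share(local)))
```

Two caveats apply when reading the output. The profile is only as good as the clocks behind it: every timestamp must have been normalised to UTC before the zone conversion, or the shift simply moves the cluster to the wrong hour. And a clean nine-to-five pattern in one zone is corroborating evidence rather than proof, because several countries share UTC+8 and an operator can in principle schedule activity; the indictment's other details are what turn a pattern into a name.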
Assuming one takes this evidence seriously (and we should make clear that the named men are accused rather than guilty), there are insights aplenty to be gleaned. Whoever is behind it, PLA 61398 is happy to steal information from US firms as long as it doesn’t get in the way of a two-hour lunch-break or the need to go home in the evening, presumably to families who couldn’t care less what they do during the day.
The DOJ action is still an important moment. State cyberwar is no longer impersonal; it has the face of real people with opinions, beliefs, prejudices and bills to pay. It’s an approach faintly reminiscent of the much more serious hit-list the US Government released of alleged Al Qaeda members after 2001, who stared menacingly out at us like faces from the world’s most depressing Panini sticker album.
Clearly, the US is sending China and others the message that it can find out who its opponents are, where they live and how they operate. It's not hard to understand why it has decided to use that as a deterrent. Cyber-attackers of every ilk have up to now enjoyed an extraordinary degree of anonymity, so losing that status is bad news, because a known hacker is probably not a particularly employable one.
It remains a high-risk tactic because it can work in both directions if other states start accusing named US citizens of hacking their systems back. That's the other side of what the DOJ has done. As with every war in the past, digital cyberwar is still going to be a war between real people rather than their clever machines.