04.03.13

Hacked? Mandiant’s Cyberattack Detectives Want To Know All About It

The cyber-sleuthing company aims to be the go-to investigators for the Fortune 1000. Here’s why they just might do it.


When the New York Times discovered in late 2012 that its systems had been infiltrated by hackers, one of the first phone calls it made was to a company named Mandiant. Founded in 2004 by Kevin Mandia, a former Air Force cybercrime forensic investigator, Mandiant is known within the industry for close ties to both law enforcement and top-tier financial institutions. The company, which reportedly charges high retainer rates, offers clients data forensics services that help trace the origins of cyberattacks.


Once the dust settled from the Times affair, which began shortly after the newspaper of record revealed details of the wealth held by the family of former Chinese premier Wen Jiabao, Mandiant released a detailed 60-page study documenting a threat group it calls APT1, built from breadcrumbs left across years of client intrusions. In the study, Mandiant’s researchers alleged that APT1 operates out of a nondescript Shanghai building which serves as headquarters for People’s Liberation Army Unit 61398. (The report itself does not attribute the Times intrusion to that unit; Mandiant tracks the Times attackers as a separate group.)

One of the surprising aspects of the Mandiant report is the detail in which the alleged hackers are written up. For instance, readers may be taken aback to learn that the alleged military hackers practice colloquial English for spearphishing attacks (spearphishing, to the uninitiated, means targeted emails carrying malicious attachments or links, sent to specific people within a company, government agency, university, lab, or military unit) and that they are trained in linguistics, the better to fool their marks. Unit 61398’s organizational structure and group culture are also written up.

Richard Bejtlich, Mandiant’s chief security officer, told Fast Company that open source intelligence gathering was used for most of the report. When assembling details about how Unit 61398’s alleged hackers worked, Mandiant relied primarily on job postings, resumes, academic posts in Chinese, and research papers found on Chinese websites. This information, posted on the internet in Chinese for the whole world to see, was combined with forensic evidence from the servers and computers Mandiant examined in its client investigations.

With approximately 350 employees and more than $100 million in revenue in 2012, Mandiant is among the larger firms specializing in data forensics services. Company representatives claim that more than 30% of Fortune 1000 firms retain their services, and Alexandria, Virginia-based Mandiant maintains offices in New York, Los Angeles, and the Bay Area.

Dave Merkel, Mandiant’s chief technology officer, also told Fast Company that most of its customers fall into two separate categories: organizations that had suffered an intrusion in the past and had used Mandiant’s services, and organizations whose IT teams had spotted weaknesses and worried about the likelihood of a breach. “Breaches are unbelievably disruptive events,” Merkel said.

“CEO Kevin Mandia originally founded the company on the principle that clients’ defenses against cyberattacks could fail,” Bejtlich said. “We started out as consultants who would be ‘firefighters’ responding to intrusions, but we went full service shortly after that.”

Merkel also said that “Historically, most of our past clients were customers coming to us saying that they had a problem. That was part of our institutional DNA. We have become more proactive as we scaled out and added more projects [to our workload]. We’re starting to have a decent split between both.”


“Full service” for Mandiant’s clients means a host of proprietary hardware and software products designed to track down the hackers behind complicated online threats. The company’s core product is a software platform for clients’ own security teams to use. There is also a defense platform that lets both a client’s employees and Mandiant’s staff see attacks as they happen and conduct detailed forensics investigations, and a recently launched subscription-based intelligence center which contains information on “the tactics, intent, and behavioral patterns of advanced threat groups.” Mandiant also offers its investigative skills to clients as needed.

The data forensics work that Mandiant specializes in plays an integral part in the cybersecurity ecosystem. Most large corporations, public utilities, and government agencies outsource much of their defense against hackers to a host of firms. While large providers such as McAfee, AVG, and Kaspersky provide meat-and-potatoes anti-virus and anti-malware programs for servers and employee computers, that is only one part of the cybersecurity package. Companies must be hired to protect against distributed denial-of-service (DDoS) attacks, to defend against advanced persistent threats (APTs), to monitor servers in real time for irregularities, to track zero-day exploits which could be used to compromise company servers, to conduct forensics investigations post-attack, and to offer a host of other services. Internal cybersecurity teams work arm-in-arm with a huge ecosystem of cybersecurity firms, and there are billions of dollars in potential profits to be made.

Because the market for cybersecurity services is so large, the field is a boomtown for the hundreds of security firms which promote their trade at large industry conventions like the RSA Conference and DEF CON. Mandiant’s largest market share, according to Bejtlich, is among large companies in the private sector. He also noted that Mandiant specializes in services for “high-profile targets” such as think tanks and law firms. Bejtlich also has an upcoming book on network security monitoring.

However, Bejtlich also warned in a phone conversation that while the “oil, gas and energy sectors have made a lot of improvement in the past few years,” “a lot of progress” was still needed in that area, and that he expects to see more devastating cyberattacks similar to the Saudi Aramco strike and the recent South Korean attack in the future.

Mandiant has also been criticized by some within the industry. Writing in industry publication SC Magazine, Eric Cole of the SANS Institute argued that the company’s Unit 61398 report endangered other cyberforensics efforts by making public (and, hence, available to the hackers) too much information related to the case. Jeffrey Carr of security firm Taia Global also criticized the report for numerous factual errors, including missing a possible in-joke from the alleged hackers. Others have criticized the company for focusing too much on Chinese-backed hackers in media campaigns while downplaying other nation-states which are also involved in cyberattacks against American economic interests.

Industry watchers say there is a good likelihood of Mandiant going public sometime in the next year. The company’s most recent public announcement was the release of its annual threat report last month.

[Top Image: Wikimedia user Cromemco; Bottom Image: Mandiant]