Following the compromise of The New York Times’ network, Mandiant–the company that responded to the incident and conducted the forensics analysis–collected enough evidence to identify the attacker. Yet, “identify” is a loaded word in the field of digital forensics and the name that the company had for the perpetrators came down to an internal designation: APT group 12.
Mandiant tracks some 20-odd information-stealing groups–all related to China–basing its identification on characteristics of the attackers’ tactics, techniques and procedures, including the specific pieces of malware that are being used, the command-and-control (C2) channels, the specific domains from which they attack, and the sorts of data they target.
While the firm does not necessarily identify individuals in the monitored groups, by linking the attackers to APT-12, Mandiant also linked them to China, which can help inform a target’s strategy, says Nick Bennett, principal consultant with the firm.
“We can tie this activity to a specific group that we’ve been tracking through our forensic analysis,” Bennett says. “This group, and other groups like it, we have been able to monitor over months and years, and based on that, their activities fall in line with the interests of the Chinese.”