Corrected to reflect that McAfee’s response to Kevin Mandia’s comments on page 2 is from a company senior vice president.
The brand-new operations center of cybersecurity firm Mandiant is deceptively tranquil. Rooms in the third-floor office, overlooking a lagoon in Redwood City, Calif., are playfully named after locations on the Starship Enterprise from Star Trek, including a kitchen called 10-Forward.
In one large central control room, dubbed the Bridge, a dozen security analysts peer quietly at their computer monitors, looking for anomalous activity on the computer networks of Mandiant’s hundreds of corporate clients around the world. A large computer display on the wall shows an image of the earth, seen from space, that highlights inbound and outbound network activity in each country. Mandiant monitors the entire planet, yet a printout taped to the desk of one analyst suggests that these days, the company has a more specific focus. “To accuse the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless,” reads an excerpt from a recent Chinese government statement. Jennifer Ayers, who manages the Redwood City facility, removes the printout and folds it in half. “We’re not supposed to editorialize,” she says.
Last week, a succession of news stories divulged that the computer systems of major news organizations including the New York Times, Wall Street Journal, and Washington Post had been breached by hackers with connections to the Chinese government. Unsuccessful attempts were made to infiltrate the computers of Bloomberg LP, which owns Bloomberg Businessweek, as well, says Ty Trippet, a company spokesman. China’s censors are apparently trying to stifle dissent by reaching across the ocean to expose the anonymous sources of Western journalists who have written negative stories about the country or its government. After detecting the breaches, papers including the Times and Post contacted Mandiant, a 9-year-old Alexandria (Va.)-based company with a reputation among industry insiders for technical proficiency and large egos. It also has a budding business on the front lines of U.S. companies’ intensifying war with international cyberspies.
In a wave of cyberattacks beginning in 2009, dubbed Operation Aurora by security firm McAfee, sophisticated hackers based in China breached the corporate networks of Google, Yahoo!, Juniper Networks, Adobe Systems, and dozens of other prominent technology companies and tried to access their source code. China’s hackers seemed narrowly focused on military technology and telecommunications companies as early as 2000. They were seen as a way to purloin intellectual property and narrow the marketplace advantages enjoyed by U.S. rivals over Chinese companies like Huawei Technology and ZTE, neither of which has been implicated in cyberattacks.
Now China’s targets appear to be much broader. Wiley Rein, a prominent Washington law firm working on a trade case against China, was hit in 2011; the White House was targeted last year. Last month, hackers breached the website of the Council on Foreign Relations and rigged it to deliver malware to anyone who visited it.
Hacking groups with ties to the Chinese government have also aggressively targeted Western oil and gas companies (and often their law firms and investment banks) as a way to get proprietary financial information, sometimes in advance of an acquisition by a Chinese company. In 2011, when debt-plagued Chesapeake Energy put billions worth of its natural gas holdings on the market, its investment bank, Jefferies, was targeted around the time a Chinese government official visited Chesapeake’s Oklahoma headquarters. “You can almost think of it as part of their due diligence,” says Richard Bejtlich, Mandiant’s chief security officer, who says the data are often stolen by military-sponsored hacking groups and then given to Chinese companies. “It’s almost like they’re thinking, ‘When we report our finances, they’re all garbage, so yours are probably garbage, too. I’m just going to steal it straight from you and get the real story.’ ”
To stop such hacks, Mandiant uses unconventional methods. Teams of three to five specialists are assigned to track each victim company’s computer system, a painstaking process that can last for months. After they have identified every security hole and piece of malware in the customer’s network, Mandiant gives the bad guys the boot, in some cases by replacing every infected machine within 48 hours. For companies that fear their secrets might be lost before the hackers are cut off, it can be a white-knuckle wait.
Mandiant says it booked more than $100 million in revenue in 2012, up 76 percent from the year before, and counts 30 percent of the Fortune 100 as clients. Its business is booming because of hackers’ ability to steal data on a far greater scale than with traditional methods of espionage. “The fact that you can do this from a safe harbor thousands of miles away with no risk or repercussions has changed the game,” says Kevin Mandia, the company’s 42-year-old founder and chief executive officer.
Mandia has been training to take on hackers his whole career. A square-jawed former football player at Lafayette College in Pennsylvania, he joined the Air Force after graduation and later got a masters of forensic science at George Washington University. Then he returned to the Air Force as a cybercrime investigator in its Office of Special Investigations, looking into the first wave of online security breaches at the Pentagon. The cast of characters was different in the 1990s: Groups mainly from Russia and Israel were trying to exploit a new era of global communications to steal secrets from America’s supercomputers. After leaving the Air Force, Mandia joined Sytex Group, a company that provides IT training to federal agencies. In 2001 he co-authored a book called Incident Response: Investigating Computer Crime, considered an early bible of computer forensics.
Mandia started his own firm after recognizing that companies, not just governments, were becoming targets of international espionage. He says he also felt that the big anti-virus companies such as Symantec and McAfee, whose software scours hard drives for the digital signatures of known malware, could not keep up with the pace of attacks or with malware that morphs as it infects new machines. “There was nowhere I could go where I belonged,” Mandia says. “I felt responding to incidents had to be core, because that was the only way you could build the next-generation security company.” (Symantec did not respond to requests for comment but in a statement after the Times breach said that “anti-virus software alone is not enough.” Vincent Weafer, senior vice president of McAfee Labs and R&D, said that “complex and agile attacks require complex and agile security, and anti-virus is a single element in that protection mix.”)
For the first few years, his company remained small and relatively unknown outside computer security circles. But it was in the right place at the right time. In 2011, as anxieties about attacks by China spread, the company raised $70 million from venture capital firm Kleiner Perkins Caufield & Byers and the investment arm of JPMorgan Chase. It has used the cash to increase in size to more than 300 employees and open an operations center in Dublin, Ireland, and the new facility in Redwood City. “Outside of the NSA, I would guess that Mandiant knows more about advanced persistent threats [APT] than anyone in the world,” says Ted Schlein, a Kleiner Perkins partner, using the industry term for high-end cyber-espionage.
Mandiant’s success partly stems from what its customers perceive as a strong relationship with the U.S. government. The firm is retained by major banks and on Wall Street because it has credibility with federal regulators. When the New York Police Department’s counterterrorism unit was breached by Chinese cyberspies, the FBI told the department to call Mandiant, according to a person familiar with the incident. Mandiant executives say they have earned this trust, though the relationship likely has roots in the personal connections that Mandia and other company executives have forged with government investigators over the years. “It’s a reputational thing,” says Mischel Kwon, former head of U.S. Computer Emergency Readiness Team, a government cybersecurity agency. “They play well with law enforcement.”
The question of whether Mandiant is in fact better than rivals in combating international hacking is a big topic of discussion in security circles. The company unabashedly claims it is. It says it has assembled sophisticated dossiers on dozens of hacking gangs, including 22 in China. For example, a large percentage of computer attacks from China are performed by a group it has dubbed APT 1, a Shanghai-based group also known as the Comment Crew that gained notoriety last year for obtaining the e-mails of the president of the European Union Council.
Mandiant believes the New York Times was targeted by APT 12, a stealthier group known primarily for hitting defense contractors. According to the company, the attackers had complete access to the newspaper’s internal network but stuck to rifling through the files of two reporters who had written a series of stories about the personal wealth of China’s Communist Party leadership.
Mandiant charges some of the highest fees in the business, say several people in the security industry. Some of its analysts bill $650 per hour, according to two people with direct knowledge of its rates, though the company says its average rate is half that. Other cybersecurity firms like Terremark and Dell SecureWorks offer similar services.
Mandiant’s critics charge that the company does not share intelligence with others in the tightknit and collaborative cybersecurity community. While many security companies keep some of their best findings to themselves, Mandiant is known to share less than most, and its engineers rarely participate in industry working groups. But critics and competitors also tend to acknowledge that Mandiant is good at what it does. “Over the last two years they’ve experienced some growing pains, but they’re definitely the 800-pound gorilla of incident response,” says Rocky DeStefano, founder and CEO of the security firm VisibleRisk.
Mandia himself is unapologetic about his company’s elite status and claims its software allows it to solve problems quickly and save clients money. “I think we get to the answers a lot faster than anyone else,” he says.