Cybersecurity company Mandiant Corp won plaudits from its peers and made front-page news around the world last week when it published a report that purportedly traced a series of cyberattacks on U.S. companies to a Shanghai-based unit of the Chinese army.
But some hackers have turned the tables on the cyber-expert by creating malicious versions of its 74-page report that were infected with computer viruses. They emailed the tainted reports to their victims this week in a bid to wreak havoc under Mandiant’s name.
Although the episode was embarrassing, the company said its systems were not breached. “Mandiant has not been compromised,” the company said on its corporate blog.
Mandiant was founded in 2004 by Kevin Mandia, a former U.S. Air Force cyber-forensics investigator who co-authored an influential textbook on the subject. The company made its name by automating processes used to investigate computer breaches.
Mandiant was largely unknown outside the computer security industry until last week, when it fingered the People’s Liberation Army’s Shanghai- -based Unit 61398 as the most likely driving force behind a Chinese hacking group known as APT1.
China’s Defense Ministry issued a flat denial of the accusations and called them “unprofessional.” But Mandiant won kudos for the unprecedented level of detail in its report, including the location of a building in Shanghai’s Pudong financial hub from which Mandian said the unit had stolen “hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006.”
Other security companies that have published reports on cyberattacks have shied away from so clearly identifying their perpetrators.
“It was a wonderful report,” said Michael Hayden, a former director of the CIA and National Security Agency, who is now with the Chertoff Group. “Everybody is saying ‘it’s about time.'”
The report did not identify the victims of APT1 or Mandiant’s customers, though the company says it has worked for about 40 percent of the Fortune 500.
When asked why he had decided to go public with this report, Mandia, 42, told Reuters, “There is mounting frustration in the private sector. Tolerance is shrinking. We also have a bunch of employees here who are ex-military who sense that frustration and said, ‘Let’s push this out.'”
The report comes ahead of this week’s annual RSA Conference on security in San Francisco, where Mandiant will showcase its products to help companies identify security breaches.
Mandiant says it begins investigations by installing software it has developed that searches for infections by looking for evidence hackers leave behind. It refers to those digital signatures as Indicators of Compromise, or IOCs.
The proprietary database of those indicators makes up a critical part of the “special sauce” that automates the investigation process and, Mandiant says, enables investigators to root out attackers faster than rivals.
The company has thousands of IOCs in its database, which it is constantly expanding.
“We tend not to take the small jobs. We take the big ones—the ones you would love to read about in the paper, but we keep them out of the paper,” said Mandiant’s’s chief security officer, Richard Bejtlich.
Some investors have speculated that Mandiant is preparing for an initial public offering in the next year or so. On Friday, it named Mel Wesley to the post of chief financial officer. Wesley was CFO of publicly held OPNET, which was sold to Riverbed Technology in December for about $1 billion.
Mandia, who raised $70 million by selling stock to Silicon Valley venture capital firm Kleiner Perkins Caufield & Byers and One Equity Partners, the private investment arm of JPMorgan Chase & Co, said he is in no rush to go public. “I do not believe we need more capital,” he said.
The New York Times and News Corp’s Wall Street Journal recently disclosed that they hired Mandiant to investigate cyberattacks. The company has done similar work for Thomson Reuters Corp., parent of Reuters News, according to two sources with knowledge of the matter. A spokesperson for Thomson Reuters declined to confirm it.
Mandiant declined to discuss its fees, though analysts say they are among the highest in an industry where rivals include much bigger companies such as Accenture, AT&T Inc., Deloitte, PwC and Verizon Communications Inc., which offer cyber-forensics alongside other services.
Mandiant consultants often bill at rates of $450 or more an hour, said a person familiar with the company. Teams of consultants investigate breaches for weeks and sometimes several months, typically ringing up bills of between $250,000 and $1 million.
John Pescatore, director of emerging security trends for the SANS Institute, says Mandiant can charge a premium partly because it gets strong recommendations from the government and other customers.
There is often a waiting list for its services.
Mandiant also competes against CrowdStrike and Cylance, which are run by the founders of a company known as Foundstone, a pioneer in cyber-forensics that had hired Mandia away from the military. He left Foundstone in 2004 to start Mandiant.