Thinkst Blog

The Mandiant APT1 report that was released a week ago has been causing some consternation, which makes it a ripe topic for our ThinkstScapes service . This morning, we issued an ad-hoc update to our customers containing our views of the APT1 report. In short, the data is interesting, but does not conclusively point to Unit 61938. There are too many open questions to justify the finger pointing. Take, for example, the markers released for the APT1 group. The report does not contain sufficient data to replicate the grouping of attackers bearing those markers into a single cohesive unit. By Mandiant's own admission the presence of a single marker is insufficient to tag an attacker as APT1, but thresholds are not provided for the number of markers required. In the end, it appears as if the classification boils down to an analyst's opinion, metrics are absent the public report. The entire report is founded on the notion that APT1 exists and is definable; should this not be the case...