Indeed, no technical proof will ever show the sponsorship of any attacks – hence all the controversy associated with Mandiant’s report. It only builds towards characterising the attack. For sponsorship, other types of evidence are needed (e.g. a whistle-blower, as in the case of Stuxnet), and more importantly, judgement to assess the evidence within its own context.
In this case, judgement as well as the official response from China make it hard to dismiss Mandiant’s conclusions.
More on the Mandiant report from the excellent Kings of War blog. For balance, here are the highlights from xihuan.net's reporting on the Mandiant report:
However, it is beyond belief that a firm specialized in the field of cybersecurity could be so indiscreetly desperate as to jump to a conclusion so full of loopholes, unless it has a good reason.
If one takes a closer look at Mandiant's report, it is not too difficult to find that it reeks of a commercial stunt.
In a statement accompanying the firm's report, Kevin Mandia, founder and CEO of Mandiant, seems to do nothing but market the products and services of his company.
To which I'll respond (from Kings of War:
It is correct that anyone can send Internet packets with forged origin IP addresses to masquerade as someone else. It is usually what happens when denial-of-service attacks are conducted. But in the case of denial-of-service attacks, there is no return address. The attacker does not seek to send packets from the victim machine to his own machine. When this is the case, the return address must be somehow correct, even if it goes through different ‘hops’. In other words, the traffic connecting to the command-and-control server and downloading the packets must have at the end a valid address for the packets to reach their destinations.
Potentially over-reading into their statement, the Ministry seems to implicitly acknowledge that the IP addresses found by Mandiant are indeed their own, and not the ones of another private company for instance. Furthermore, they failed to acknowledge that their servers could have been compromised and merely acting as ‘hops’ towards the final destination of the packets.











