
So where's the proof that they are state-sponsored? I failed to find that in the article.


> Computer systems owned by a subsidiary of Huntington Ingalls were connecting to a foreign server controlled by APT10.

APT10 is a state-sponsored hacking group.


How are you making that claim? The only evidence I can find is an Uber receipt showing someone allegedly connected to APT10 visiting a MSS building.


Which claim are you doubting? Are you doubting that APT10 hacked Huntington Ingalls, or are you doubting that APT10 is state sponsored?


Likely both. I'm no expert in this domain, but from my perspective, due to the nature of cyber warfare, it's all but impossible to have any kind of concrete evidence or smoking gun. Cyber security firms are deliberately very careful in levelling specific accusations with the lack of concrete evidence.

For example, researchers at Malwarebytes [1] say:

> "While this supports the thesis of APT10 being a government threat group, we caution defenders against associating any one piece of malware exclusively with one group. Countries maintain multiple threat groups, all of whom are fully capable of collaborating and sharing TTPs."

> "Variants of PlugX and Poison Ivy were developed and deployed by Chinese state-sponsored actors. They have since been sold and resold to individual threat actors across multiple nations. At time of writing, it is inappropriate to attribute an attack to Chinese threat actors based on PlugX or Poison Ivy deployment alone."

Likewise, the report put out by PwC and BAE [2] labels APT10 only as a "China-based actor". They cite things like attacks occurring during Chinese time zones and CCP-interest-aligned hacking as evidence. This is all great circumstantial evidence and, while compelling, it is far from conclusive. The report does not mention the Chinese Ministry of State Security even once.

We can say how likely or unlikely something is, but the likelihood of something in the context of circumstantial evidence should not be taken as a full-on indictment. The most one could say conclusively is that it is likely to be state sponsored.

[1] https://blog.malwarebytes.com/cybercrime/2019/01/advanced-pe...

[2] https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report...


The latter.


There's a fair amount of evidence that APT10 is sponsored by China here[1]. It's not 100% proof, but what are the alternatives, and what chances do they have? The alternative possibilities seem slim to me.

The US government accused them of working for China[2]. Of course not everything the US government says is true, but it seems likely to me this is true and they have some non-public evidence to back it up.

[1] https://www.crowdstrike.com/blog/two-birds-one-stone-panda/

[2] https://www.justice.gov/opa/press-release/file/1121706/downl...


>There's a fair amount of evidence that APT10 is sponsored by China here

All I'm seeing is the Uber receipt, which even they say they can't verify.

>It's not 100% proof, but what are the alternatives, and what chances do they have?

The alternative is that they are black hat hackers, which is very likely.

>Of course not everything the US government says is true, but it seems likely to me this is true and they have some non-public evidence to back it up.

The default position should be skepticism, and any evidence should be made public before a "hard line" is taken on China.


>All I'm seeing is the Uber receipt, which even they say they can't verify.

There's other stuff there. For example, Gao was recruiting for Laoying Baichen Instruments, which shares an address with CNITSEC (which is run by MSS). CNITSEC has in the past been confirmed to work with APT3.

>The alternative is that they are black hat hackers, which is very likely.

Are there a lot of advanced Chinese black hat hackers that don't work with the Chinese government? Because it seems like there are a lot of advanced Chinese hackers that work for the government, for example APT3 and APT1. Also, the APT10 stuff appears to have happened during Chinese working hours, which is indicative of government work[1].

[1] https://intrusiontruth.wordpress.com/2018/08/09/was-apt10-th...


>There's other stuff there. For example Gao was recruiting for Laoying Baichen Instruments which shares an address with CNITSEC

They can't verify that was Gao, that the poster represented that company, or show that they occupied the office building with the other company.

>Are there a lot of advanced Chinese black hat hackers that don't work with the Chinese government? Because it seems like there are a lot of advanced Chinese hackers that work for the government

Any hack reported by the western media immediately gets linked to the government, no matter how thin the evidence is. Chinese people can be smart and motivated by greed too, and they have a ton of people.

If you personally think China is behind this based on the released evidence, that's fine. Using it as justification for attacks on the Chinese requires more proof to even be considered.


>Any hack reported by the western media immediately gets linked to the government, no matter how thin the evidence is.

The October hack of Facebook[1] didn't seem to be blamed on any government by the media. It seems to me like a fairly sophisticated attack that could have been done by a government.

And the western media blames some hacks on the US government and its allies as well[2][3].

> Chinese people can be smart and motivated by greed too

How do they plan to make money by hacking NASA and the US military's shipbuilder? They're not installing ransomware asking for bitcoin payment. If they want to hack for money, I would think they would target credit cards, or banks, or better yet: cryptocurrency exchanges. Or maybe popular websites whose databases they can use for credential stuffing. One way to make money by hacking NASA is to be paid by the Chinese government.

[1] https://www.nytimes.com/2018/10/12/technology/facebook-hack-...

[2] https://www.reuters.com/article/us-usa-cyber-yandex-exclusiv...

[3] https://www.nytimes.com/2010/09/30/world/middleeast/30worm.h...


>The October hack of Facebook[1] didn't seem to be blamed on any government by the media. It seems to me like a fairly sophisticated attack that could have been done by a government.

Sorry, I should have said "any hack originating in China." Poor wording on my part.

>How do they plan to make money by hacking NASA and the US military's shipbuilder?

Their methods were to gain access to a machine, and then try to use that access to jump to client servers. There's nothing saying NASA or government contractors were specifically targeted, but they seem like excellent jump targets if an opportunity arose.


They stole data for years and didn't try to blackmail the companies for money. What other possibilities do you deduce?


If it is not A, then it must be B, lol, not to mention we don't even know if it is A.

This is not valid reasoning.



