This post is a response to a few questions that appeared as comments on earlier blog posts or in response to our M-Trends report.
One of our blog readers asked if Mandiant sees multiple threat groups working within single victim organizations. The answer is yes, we sometimes see more than one threat group active simultaneously in an enterprise. We see this happen at different times.
In some cases our Professional Services team is doing an incident response engagement for a customer. While helping the customer with the incident for which they were notified by a third party, we discover the presence of other actors. Sometimes those other actors are "commodity" threats not associated with a targeted threat group. Other times we see several targeted threat groups working independently against a single enterprise. Once in a while we see targeted threat groups collaborating against a single enterprise.
In other cases our MCIRT is driving our Mandiant Intelligent Response (MIR) software as part of a subscription service, typically for multiple years. During this extended period of time (much longer than most incident response engagements), our analysts will see multiple threat groups interacting with customer assets. Sometimes the activity overlaps, and other times it is distinct.
A second question involved identifying the responsible parties by country of origin. As I've stated in my public testimony and press reporting, the majority of the targeted activity that Mandiant handles can ultimately be traced back to China. A much smaller amount of activity is likely attributed to Russia. Beyond that, we see organized crime activity that resolves to a variety of locations. These organized crime groups typically target financially-centered data, but they are adopting more of the tools and techniques of the more espionage-minded Chinese and Russian groups.