Oh, yeah, it's just like all other hacking, except it's gov-to-gov.
Richard Stiennon wonders in his Wednesday blog post whether the PLA hackers that pwned Ministry of Defense e-mail systems wanted to get caught. His theory goes that government-quality hackers should be so good that they are undetectable unless they intend to disrupt systems. Since this intrusion was detected and nothing was disrupted, Richard suggests that maybe China meant to get caught in order to send a message.
Personally, I think there's a simpler explanation. It goes back to a conversation I had with Richard Bejtlich about the detectability of breaches. The "Titan Rain" attacks have been going on for the better part of three years (as far as we know), and over that span some good hacks were bound to be detected anyway. Especially since the story made Time Magazine in 2005, we should assume that all of the Allied Forces' three-letter branches have been on the lookout for Chinese hackers.
We often hear (and some of us often say), "We have to get it right every time; the bad guys only have to get it right once," when security folks talk about defending against network attacks. But as soon as the attack starts, that equation flips: now it's the hackers who have to avoid detection every time, especially if they're going to stay on a system for an extended period to gather intel. Every day of dwell time is another chance for formal detection mechanisms to catch them, and those chances compound, so the odds of staying undetected fall off quickly the longer they stay. Not to mention curious admins, auditors, and plain old dumb luck.
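To make the compounding concrete, here is a simplified model added for illustration (it is not from the original post): assume each day on the system gives defenders an independent chance p of detecting the intruder. Both p and the numbers below are assumed values, not figures from the post.

$$
P(\text{undetected after } n \text{ days}) = (1-p)^n
$$

With p = 0.01 (a one percent chance of being caught on any given day), an intruder survives a week with probability (0.99)^7 ≈ 0.93, but a full year with probability (0.99)^365 ≈ 0.026. Covering tracks well only lowers p; it cannot stop the product from shrinking toward zero over a long dwell, which is the point about intel-gathering intrusions eventually being found.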
The bottom line is that the best hackers in the world can penetrate nearly any system and can cover their tracks well. But eventually they'll get caught, whether they mean to or not. And that's what happened to the Chinese hackers in this case. Oops.