Massive cyberattacks from China? Report claims to expose secret 'Unit 61398.' (+video)
A new report claims to have found the exact origin of a campaign of massive cyberattacks against the US, Canada, and Britain. The building in Shanghai is linked to the Chinese military.
Among the details in the Mandiant report:
- Some 3,000 digital indicators linked to APT1, such as domain names, IP addresses, and MD5 hashes of malware the group uses.
- A list of more than 40 families of malware in APT1’s arsenal of digital weapons along with 13 encryption certificates the group used.
- A collection of videos showing actual attacker sessions.
- Documents including one in which an Internet provider agrees to install high-speed fiber optic lines for the unit at the building address.
- The identification of three individuals affiliated with APT1 with the hacker handles Ugly Gorilla, DOTA, and SuperHard.
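An indicator list like the one described above is only useful to a defender once it is matched against the organization's own telemetry (DNS logs, proxy logs, antivirus file hashes). The following is an added example, not code from the Mandiant report or from the Monitor; the indicator values and log lines are constructed placeholders (RFC 5737 test addresses, the reserved `.invalid` TLD, and a made-up hash), and the CSV layout and log formats are assumptions for the illustration. It shows the three matching rules a practitioner actually needs: hostname suffix matching for domains, exact matching for IPs, and case-insensitive matching for MD5 hashes.

```python
"""Match a published indicator list (domains, IPs, MD5 hashes) against log lines.

Hypothetical example: every indicator and log line below is a constructed
placeholder, not a value taken from the Mandiant report.
"""
import re
from dataclasses import dataclass, field

# Constructed indicator feed in a simple "type,value" CSV layout (placeholders only).
INDICATORS_CSV = """\
type,value
domain,bad-example.invalid
domain,c2.attacker-example.invalid
ip,192.0.2.44
md5,0123456789abcdef0123456789abcdef
"""

# Constructed sample telemetry: DNS queries, proxy connections, and AV file hashes.
SAMPLE_LOGS = [
    "2013-02-19T10:01:02Z dns query=mail.bad-example.invalid type=A",
    "2013-02-19T10:01:05Z proxy dst=192.0.2.44:443 user=alice",
    "2013-02-19T10:02:10Z proxy dst=198.51.100.7:80 user=bob",
    "2013-02-19T10:03:00Z av file=C:\\temp\\update.exe md5=0123456789ABCDEF0123456789ABCDEF",
    "2013-02-19T10:04:00Z dns query=www.example.com type=A",
]

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


@dataclass
class IndicatorSet:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    md5s: set = field(default_factory=set)


def load_indicators(csv_text):
    """Parse the "type,value" CSV into normalized (lower-cased, stripped) sets."""
    ioc = IndicatorSet()
    for line in csv_text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        kind, value = (part.strip().lower() for part in line.split(",", 1))
        if kind == "domain":
            ioc.domains.add(value)
        elif kind == "ip":
            ioc.ips.add(value)
        elif kind == "md5":
            ioc.md5s.add(value)
    return ioc


def matching_domain(host, domains):
    """Return the indicator that host equals or is a subdomain of, else None."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_logs(ioc, lines):
    """Return (line_index, indicator_type, indicator_value) for every hit.

    Matching is done on the lower-cased line so hash case and hostname case
    do not cause misses; each (line, indicator) pair is reported once.
    """
    hits = []
    for idx, raw in enumerate(lines):
        line = raw.lower()
        seen = set()
        for host in HOST_RE.findall(line):
            d = matching_domain(host, ioc.domains)
            if d:
                seen.add(("domain", d))
        for ip in IP_RE.findall(line):
            if ip in ioc.ips:
                seen.add(("ip", ip))
        for h in MD5_RE.findall(line):
            if h in ioc.md5s:
                seen.add(("md5", h))
        hits.extend((idx, kind, value) for kind, value in sorted(seen))
    return hits


if __name__ == "__main__":
    for idx, kind, value in scan_logs(load_indicators(INDICATORS_CSV), SAMPLE_LOGS):
        print(f"line {idx}: {kind} indicator {value!r} -> {SAMPLE_LOGS[idx]}")
```

Suffix matching on domains is deliberate: an indicator for `bad-example.invalid` should also fire on `mail.bad-example.invalid`, which an exact string comparison would miss. Hash matching on the lower-cased line means an AV product that logs upper-case MD5s still matches a lower-case feed.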
“We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398,” the report concludes.
Indeed, the report “provides a new baseline for the [intelligence] communities looking at these cyberespionage groups to ascertain the different groups and their activities,” Mr. Hsiao says.
Not everyone is entirely convinced, however. While agreeing Mandiant makes a strong circumstantial case, Dell Secureworks cyber counterspy expert Joe Stewart, who also has tracked 20 or so Chinese cyberespionage groups, says any conclusive link to the Chinese military is one step too far for him.
“There’s what we suspect and what we can prove,” Mr. Stewart says. “We still don’t have any hard proof that this ‘Comment Crew’ or APT1 is coming out of that [12-story] building, other than a lot of weird coincidence pointing that direction. To me it’s not hard evidence.”
Chinese authorities agree, saying that China’s military was not behind the hacking in the report.
“Cyber attacks are transnational and anonymous. Determining their origins is extremely difficult. We don't know how the evidence in this so-called report can be tenable,” Geng Shuang, spokesman at the Chinese Embassy in Washington said in an e-mailed statement. “Chinese laws prohibit cyber attacks and China has done what it can to combat such activities in accordance with Chinese laws and regulations.”
Mandiant attempts to address these concerns, suggesting that the circumstantial evidence is becoming overwhelming. The only other plausible conclusion, it adds, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”
The report coincides with completion of a classified National Intelligence Estimate by the US intelligence community that concludes China was the most aggressive perpetrator of a massive campaign of cyberespionage against commercial targets in the US, according to a Times report on the estimate. And the report comes on the heels of President Obama’s vow to protect the nation’s critical infrastructure.
“We know foreign countries and companies swipe our corporate secrets,” Mr. Obama said in his State of the Union speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.”
Attacks by APT1 on Telvent, a Canadian supplier of natural gas pipeline control systems, are one such worrying sign, says Rocky DeStefano, a cybersecurity researcher at Visible Risk in Austin, Texas. The attacks were known before the Mandiant report and could provide the Chinese military with a lever to use against the US in a cyberattack.
“What we have here is a really delicate situation where our government is afraid to commit to the fact that we have a global economic partner organizing against us,” he says. “And that’s because the ultimate conclusion you have to draw from this report – is that it’s not just theft of information – but it’s the Chinese military doing it. What does that lead us toward in terms of policy and action? Nobody wants to get into that.”