Massive cyberattacks from China? Report claims to expose secret 'Unit 61398.'
A new report claims to have found the exact origin of a campaign of massive cyberattacks against the US, Canada, and Britain. The building in Shanghai is linked to the Chinese military.
The findings broadly square with those of other cybersecurity researchers. What Mandiant calls APT1 others have called “Comment Crew” or the “Shanghai Group.” But Mandiant’s 200-page report offers unprecedented detail, going so far as to identify APT1 as the cyberespionage section of the Chinese People’s Liberation Army (PLA) – even if it lacks a “smoking gun.”
Mandiant says it traced the data flow, IP addresses, and other digital signatures of the attackers to a block in downtown Shanghai that includes a new, white brick 12-story office building that is home to the Second Bureau of the PLA’s General Staff Department’s Third Department. That group’s most common designation is “Unit 61398,” and it is estimated to have hundreds or possibly thousands of employees – and English proficiency is a requirement.
The Mandiant findings make sense to L.C. Russell Hsiao, a senior research fellow at the Project 2049 Institute, a nonprofit group in Arlington, Va., that has made a specialty of analyzing China's cyber and signals intelligence units within the PLA.
In 2011, Project 2049 produced a report that also identifies Unit 61398 as a cyberespionage group run by the PLA that “appears to function as the Third Department’s premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence.”
Among the details in the Mandiant report:
- Some 3,000 digital indicators linked to APT1, such as domain names, IP addresses, and MD5 hashes of malware the group uses.
- A list of more than 40 families of malware in APT1’s arsenal of digital weapons, along with 13 X.509 certificates the group used to encrypt its command-and-control traffic.
- A collection of videos showing actual attacker sessions.
- Documents including one in which an Internet provider agrees to install high-speed fiber optic lines for the unit at the building address.
- The identification of three individuals affiliated with APT1 with the hacker handles Ugly Gorilla, DOTA, and SuperHard.
“We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398,” the report concludes.
Indeed, the report “provides a new baseline for the [intelligence] communities looking at these cyberespionage groups to ascertain the different groups and their activities,” Mr. Hsiao says.
Not everyone is entirely convinced, however. While agreeing that Mandiant makes a strong circumstantial case, Dell SecureWorks cyber counterspy expert Joe Stewart, who has also tracked 20 or so Chinese cyberespionage groups, says any conclusive link to the Chinese military is one step too far for him.
“There’s what we suspect and what we can prove,” Mr. Stewart says. “We still don’t have any hard proof that this ‘Comment Crew’ or APT1 is coming out of that [12-story] building, other than a lot of weird coincidence pointing in that direction. To me it’s not hard evidence.”