Massive cyberattacks from China? Report claims to expose secret 'Unit 61398.'

A new report claims to have found the exact origin of a campaign of massive cyberattacks against the US, Canada, and Britain. The building in Shanghai is linked to the Chinese military. 

The building housing 'Unit 61398' of the People’s Liberation Army is seen in the outskirts of Shanghai Tuesday. Cyberattacks that stole information from 141 targets in the US and other countries have been traced to the Chinese military unit in the building, a US security firm alleged Tuesday. China dismissed the report as 'groundless.'

China’s military is the silent hand behind a major cyberespionage organization located in Shanghai and blamed for stealing titanic volumes of intellectual property from more than 100 companies worldwide during the past seven years, concludes a new report by a leading US cybersecurity firm.

The report, issued by Mandiant of Alexandria, Va., is unusual in the degree to which it points the finger directly at China's military. For years, researchers have chronicled an “advanced persistent threat” against Western cyber networks and hinted that Chinese actors were the likely culprits, not outsiders coopting Chinese computers. But the Mandiant report, “APT1: Exposing One of China’s Cyber Espionage Units,” pulls no punches.

“It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively,” the Mandiant report said. “Without establishing a solid connection to China, there will always be room for observers to dismiss APT [advanced persistent threat] actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.”

Mandiant says it observed a group it dubbed “APT1” first infiltrating, then stealing data from computer networks of at least 141 companies spanning 20 major industries. Of the targeted companies, 115 were in the US, seven in Canada and Britain, and 17 of 19 others also conducting their business in English.

Targeted for theft were “broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.”

At just one company, Mandiant researchers discovered 6.5 terabytes of data were stolen over a 10 month period – all exfiltrated back to computers identified in the same block in Shanghai – where the Chinese military’s cyberespionage unit is located. Sometimes data was seen being stolen from dozens of victims at once, Mandiant reported.

APT1 generally established access through spear-phishing – the ploy of sending to someone in a targeted company an e-mail that is designed to look legitimate but carries malware in an attachment. Once they gained access to a system, the cyberspies periodically revisited the victim’s network over several months or years.

The findings broadly square with those of other cybersecurity researchers. What Mandiant calls APT1 others have called  “Comment Crew” or the “Shanghai Group.” But the Mandiant report offers unprecedented detail in its 200 page report to specifically identify APT1 as actually the cyberespionage section of the Chinese People’s Liberation Army (PLA) – even if it lacks a “smoking gun.”

Mandiant says it traced the data flow, IP addresses, and other digital signatures of the attackers to a block in downtown Shanghai that includes a new, white brick 12-story office building that is home to the Second Bureau of the PLA’s General Staff Department’s Third Department. That group’s most common designation is “Unit 61398,” and it is estimated to have hundreds or possibly thousands of employees – and English proficiency is a requirement.

The Mandiant findings make sense to L.C. Russell Hsiao, a senior research fellow at the Project 2049 Institute, a nonprofit group in Arlington, Va., that has made a specialty of analyzing China's cyber and signals intelligence units within the PLA.

In 2011, Project 2049 produced a report that also identifies Unit 61398 as a cyberespionage group run by the PLA that “appears to function as the Third Department’s premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence.”

Among the details in the Mandiant report:

  • Some 3,000 digital indicators linked to APT1, such as domain names, IP addresses, and MD5 hashes of malware the group uses.
  • A list of more than 40 families of malware in APT1’s arsenal of digital weapons along with 13 encryption certificates the group used.
  • A collection of videos showing actual attacker sessions.
  • Documents including one in which an Internet provider agrees to install high-speed fiber optic lines for the unit at the building address.
  • The identification of three individuals affiliated with APT1 with the hacker handles Ugly Gorilla, DOTA, and SuperHard.

“We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398,” the report concludes.

Indeed, the report “provides a new baseline for the [intelligence] communities looking at these cyberespionage groups to ascertain the different groups and their activities,” Mr. Hsiao says.

Not everyone is entirely convinced, however. While agreeing Mandiant makes a strong circumstantial case, Dell Secureworks cyber counterspy expert Joe Stewart, who also has tracked 20 or so Chinese cyberespionage groups, says any conclusive link to the Chinese military is one step too far for him.

“There’s what we suspect and what we can prove,” Mr. Stewart says. “We still don’t have any hard proof that this ‘Comment Crew’ or APT1 is coming out of that [12-story] building, other than lot of weird coincidence pointing that direction. To me it’s not hard evidence.”

Chinese authorities agree, saying that China’s military was not behind the hacking in the report.

“Cyber attacks are transnational and anonymous. Determining their origins is extremely difficult. We don't know how the evidence in this so-called report can be tenable,” Geng Shuang, spokesman at the Chinese Embassy in Washington said in an e-mailed statement. “Chinese laws prohibit cyber attacks and China has done what it can to combat such activities in accordance with Chinese laws and regulations.”

Mandiant attempts to address these concerns, suggesting that the circumstantial evidence is becoming overwhelming. The only other plausible conclusion, it adds, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”

The report coincides with completion of a classified National Intelligence Estimate by the US intelligence community that concludes China was the most aggressive perpetrator of a massive, campaign of cyberespionage against commercial targets in the US, according to a Times report on the estimate. And the report comes on the heels of President Obama’s vow to protect the nation’s critical infrastructure.

“We know foreign countries and companies swipe our corporate secrets,” Mr. Obama said in his State of the Union speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.”

Attacks by APT1 on Telvent, a Canadian supplier of natural gas pipeline control systems, are one such worrying sign, says Rocky DeStefano, a cybersecurity researcher at Visible Risk in Austin, Texas. The attacks were known before the Mandiant report and could provide the Chinese military with a lever to use against the US in a cyberattack.

“What we have here is a really delicate situation where our government is afraid to commit to the fact that we have a global economic partner organizing against us,” he says. “And that’s because the ultimate conclusion you have to draw from this report – is that it’s not just theft of information – but it’s the Chinese military doing it. What does that lead us toward in terms of policy and action? Nobody wants to get into that.”

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to