China’s military is the silent hand behind a major cyberespionage organization located in Shanghai and blamed for stealing titanic volumes of intellectual property from more than 100 companies worldwide during the past seven years, concludes a new report by a leading US cybersecurity firm.
The report, issued by Mandiant of Alexandria, Va., is unusual in the degree to which it points the finger directly at China's military. For years, researchers have chronicled an “advanced persistent threat” against Western cyber networks and hinted that Chinese actors were the likely culprits, not outsiders coopting Chinese computers. But the Mandiant report, “APT1: Exposing One of China’s Cyber Espionage Units,” pulls no punches.
“It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively,” the Mandiant report said. “Without establishing a solid connection to China, there will always be room for observers to dismiss APT [advanced persistent threat] actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.”
Mandiant says it observed a group it dubbed “APT1” first infiltrating, then stealing data from computer networks of at least 141 companies spanning 20 major industries. Of the targeted companies, 115 were in the US, seven in Canada and Britain, and 17 of 19 others also conducting their business in English.
Targeted for theft were “broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.”
At just one company, Mandiant researchers discovered 6.5 terabytes of data were stolen over a 10 month period – all exfiltrated back to computers identified in the same block in Shanghai – where the Chinese military’s cyberespionage unit is located. Sometimes data was seen being stolen from dozens of victims at once, Mandiant reported.
APT1 generally established access through spear-phishing – the ploy of sending to someone in a targeted company an e-mail that is designed to look legitimate but carries malware in an attachment. Once they gained access to a system, the cyberspies periodically revisited the victim’s network over several months or years.
The findings broadly square with those of other cybersecurity researchers. What Mandiant calls APT1 others have called “Comment Crew” or the “Shanghai Group.” But the Mandiant report offers unprecedented detail in its 200 page report to specifically identify APT1 as actually the cyberespionage section of the Chinese People’s Liberation Army (PLA) – even if it lacks a “smoking gun.”
Mandiant says it traced the data flow, IP addresses, and other digital signatures of the attackers to a block in downtown Shanghai that includes a new, white brick 12-story office building that is home to the Second Bureau of the PLA’s General Staff Department’s Third Department. That group’s most common designation is “Unit 61398,” and it is estimated to have hundreds or possibly thousands of employees – and English proficiency is a requirement.
The Mandiant findings make sense to L.C. Russell Hsiao, a senior research fellow at the Project 2049 Institute, a nonprofit group in Arlington, Va., that has made a specialty of analyzing China's cyber and signals intelligence units within the PLA.
In 2011, Project 2049 produced a report that also identifies Unit 61398 as a cyberespionage group run by the PLA that “appears to function as the Third Department’s premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence.”
Among the details in the Mandiant report:
- Some 3,000 digital indicators linked to APT1, such as domain names, IP addresses, and MD5 hashes of malware the group uses.
- A list of more than 40 families of malware in APT1’s arsenal of digital weapons along with 13 encryption certificates the group used.
- A collection of videos showing actual attacker sessions.
- Documents including one in which an Internet provider agrees to install high-speed fiber optic lines for the unit at the building address.
- The identification of three individuals affiliated with APT1 with the hacker handles Ugly Gorilla, DOTA, and SuperHard.
“We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398,” the report concludes.
Indeed, the report “provides a new baseline for the [intelligence] communities looking at these cyberespionage groups to ascertain the different groups and their activities,” Mr. Hsiao says.
Not everyone is entirely convinced, however. While agreeing Mandiant makes a strong circumstantial case, Dell Secureworks cyber counterspy expert Joe Stewart, who also has tracked 20 or so Chinese cyberespionage groups, says any conclusive link to the Chinese military is one step too far for him.
“There’s what we suspect and what we can prove,” Mr. Stewart says. “We still don’t have any hard proof that this ‘Comment Crew’ or APT1 is coming out of that [12-story] building, other than lot of weird coincidence pointing that direction. To me it’s not hard evidence.”
Chinese authorities agree, saying that China’s military was not behind the hacking in the report.
“Cyber attacks are transnational and anonymous. Determining their origins is extremely difficult. We don't know how the evidence in this so-called report can be tenable,” Geng Shuang, spokesman at the Chinese Embassy in Washington said in an e-mailed statement. “Chinese laws prohibit cyber attacks and China has done what it can to combat such activities in accordance with Chinese laws and regulations.”
Mandiant attempts to address these concerns, suggesting that the circumstantial evidence is becoming overwhelming. The only other plausible conclusion, it adds, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”
The report coincides with completion of a classified National Intelligence Estimate by the US intelligence community that concludes China was the most aggressive perpetrator of a massive, campaign of cyberespionage against commercial targets in the US, according to a Times report on the estimate. And the report comes on the heels of President Obama’s vow to protect the nation’s critical infrastructure.
“We know foreign countries and companies swipe our corporate secrets,” Mr. Obama said in his State of the Union speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.”
Attacks by APT1 on Telvent, a Canadian supplier of natural gas pipeline control systems, are one such worrying sign, says Rocky DeStefano, a cybersecurity researcher at Visible Risk in Austin, Texas. The attacks were known before the Mandiant report and could provide the Chinese military with a lever to use against the US in a cyberattack.
“What we have here is a really delicate situation where our government is afraid to commit to the fact that we have a global economic partner organizing against us,” he says. “And that’s because the ultimate conclusion you have to draw from this report – is that it’s not just theft of information – but it’s the Chinese military doing it. What does that lead us toward in terms of policy and action? Nobody wants to get into that.”