State role in cyberespionage campaign? China says report 'lacks technical proof'

A report by security firm Mandiant provides one of the most extensive cases yet for the Chinese government's hand in massive-scale online data theft. Targets included an array of key businesses.

China's government says that an extensive report on an alleged ongoing cyberespionage campaign by Chinese military hackers – which included a broad array of business targets – "lacks technical proof" of state involvement.

The Chinese Ministry of Defense released a statement on its website Wednesday arguing that the new report, released by US security firm Mandiant, provides thin support for its assertion that Chinese state forces were behind online attacks against some 150 victims, mostly US-based sites, writes Reuters.

"The report, in only relying on linking IP [Internet protocol] address to reach a conclusion the hacking attacks originated from China, lacks technical proof," the statement said.
"Everyone knows that the use of usurped IP addresses to carry out hacking attacks happens on an almost daily basis." 

"Second, there is still no internationally clear, unified definition of what consists of a 'hacking attack'. There is no legal evidence behind the report subjectively inducing that the everyday gathering of online [information] is online spying," it added.

The Mandiant report, released Tuesday, provides one of the most extensive cases yet for the Chinese government's involvement in online theft of data on a massive scale. The report documents the deeds of a large group of hackers, dubbed "APT1" by the firm, as they cracked the servers of 141 companies in 20 major industries and successfully stole many terabytes of data. Mandiant traced almost all of APT1's routes online back to Shanghai, and some even more specifically to a region in the city where a cyber-focused unit of the Chinese military, Unit 61398, is located.

Although possibly a military enterprise, APT1 appears to be focused toward corporate profit ends. The report notes that hackers' targets included a broad range of business types, including information technology, aerospace, financial services, agriculture, energy, and health care, and that information stolen included product specs, manufacturing procedures, and business plans. That sort of information, writes The Associated Press, could provide China's various state-owned megacorporations with major bargaining leverage and competitive advantages in the global marketplace.

Companies in fields from petrochemicals to software can cut costs by receiving stolen secrets. An energy company bidding for access to an oil field abroad can save money if spies can tell it what foreign rivals might pay. Suppliers can press customers to pay more if they know details of their finances. For China, advanced technology and other information from the West could help speed the rise of giant state owned companies seen as national champions.

Although the report asserts that "the sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind APT1," some cyberespionage experts note that it's still a step short of proving the involvement of Unit 61398 and the Chinese military. Dell Secureworks cybersecurity expert Joe Stewart told The Christian Science Monitor, "There’s what we suspect and what we can prove."

“We still don’t have any hard proof that ... APT1 is coming out of that [Unit 61398's 12-story] building, other than a lot of weird coincidence pointing that direction. To me, it’s not hard evidence,” he said.

But, as the Mandiant report notes, the other valid possibility that the evidence supports seems "unlikely": that "[a] secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission."

Regardless, the report has brought Unit 61398 into the limelight, and the unit has locked down security in response. Agence France-Presse reports that one of its photographers, along with another international photographer, was briefly held by soldiers after shooting video outside the unit's headquarters.

Six Chinese soldiers in uniform pulled the AFP photographer out of a car and brought him to the guardhouse, where they searched his bag and seized his camera's memory card before allowing him to leave with a warning.

Speaking in English, the apparent leader of the group told him no photography was allowed since it was a military installation.