Massive cyberattacks from China? Report claims to expose secret 'Unit 61398.'
A new report claims to have found the exact origin of a campaign of massive cyberattacks against the US, Canada, and Britain. The building in Shanghai is linked to the Chinese military.
China’s military is the silent hand behind a major cyberespionage organization located in Shanghai and blamed for stealing titanic volumes of intellectual property from more than 100 companies worldwide during the past seven years, concludes a new report by a leading US cybersecurity firm.
The report, issued by Mandiant of Alexandria, Va., is unusual in the degree to which it points the finger directly at China's military. For years, researchers have chronicled an “advanced persistent threat” against Western networks and hinted that Chinese actors were the likely culprits, rather than outsiders co-opting Chinese computers. But the Mandiant report, “APT1: Exposing One of China’s Cyber Espionage Units,” pulls no punches.
“It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively,” the Mandiant report said. “Without establishing a solid connection to China, there will always be room for observers to dismiss APT [advanced persistent threat] actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.”
Mandiant says it observed a group it dubbed “APT1” first infiltrating, then stealing data from, the computer networks of at least 141 companies spanning 20 major industries. Of the targeted companies, 115 were in the US, seven in Canada and Britain, and 17 of the remaining 19 also conducted their business in English.
Targeted for theft were “broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.”
At just one company, Mandiant researchers found that 6.5 terabytes of data had been stolen over a 10-month period, all exfiltrated to computers in the same Shanghai block where the Chinese military’s cyberespionage unit is located. At times, Mandiant reported, data was being stolen from dozens of victims at once.
APT1 generally established access through spear-phishing: sending someone in a targeted company an e-mail designed to look legitimate but carrying malware in an attachment. Once they had a foothold on a system, the cyberspies periodically revisited the victim’s network over a period of months or years.
The findings broadly square with those of other cybersecurity researchers. What Mandiant calls APT1, others have called “Comment Crew” or the “Shanghai Group.” But Mandiant’s 200-page report offers unprecedented detail in specifically identifying APT1 as the cyberespionage section of the Chinese People’s Liberation Army (PLA), even if it lacks a “smoking gun.”
Mandiant says it traced the attackers’ data flows, IP addresses, and other digital signatures to a block in downtown Shanghai that includes a new, white-brick 12-story office building, home to the Second Bureau of the PLA’s General Staff Department’s Third Department. That group’s most common designation is “Unit 61398.” It is estimated to have hundreds or possibly thousands of employees, and English proficiency is a requirement for its staff.
The Mandiant findings make sense to L.C. Russell Hsiao, a senior research fellow at the Project 2049 Institute, a nonprofit group in Arlington, Va., that has made a specialty of analyzing China's cyber and signals intelligence units within the PLA.
In 2011, Project 2049 produced a report that also identifies Unit 61398 as a cyberespionage group run by the PLA that “appears to function as the Third Department’s premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence.”
Among the details in the Mandiant report:
- Some 3,000 digital indicators linked to APT1, such as domain names, IP addresses, and MD5 hashes of malware the group uses.
- A list of more than 40 families of malware in APT1’s arsenal of digital weapons, along with 13 encryption certificates the group used.
- A collection of videos showing actual attacker sessions.
- Documents including one in which an Internet provider agrees to install high-speed fiber optic lines for the unit at the building address.
- The identification of three individuals affiliated with APT1 with the hacker handles Ugly Gorilla, DOTA, and SuperHard.
“We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398,” the report concludes.
Indeed, the report “provides a new baseline for the [intelligence] communities looking at these cyberespionage groups to ascertain the different groups and their activities,” Mr. Hsiao says.
Not everyone is entirely convinced, however. While agreeing that Mandiant makes a strong circumstantial case, Dell SecureWorks cyber counterspy expert Joe Stewart, who has also tracked 20 or so Chinese cyberespionage groups, says any conclusive link to the Chinese military is one step too far for him.
“There’s what we suspect and what we can prove,” Mr. Stewart says. “We still don’t have any hard proof that this ‘Comment Crew’ or APT1 is coming out of that [12-story] building, other than a lot of weird coincidence pointing in that direction. To me it’s not hard evidence.”
Chinese authorities likewise dispute the report, saying that China’s military was not behind the hacking it describes.
“Cyber attacks are transnational and anonymous. Determining their origins is extremely difficult. We don't know how the evidence in this so-called report can be tenable,” Geng Shuang, spokesman at the Chinese Embassy in Washington, said in an e-mailed statement. “Chinese laws prohibit cyber attacks and China has done what it can to combat such activities in accordance with Chinese laws and regulations.”
Mandiant attempts to address these concerns, arguing that the circumstantial evidence has become overwhelming. The only other plausible conclusion, it adds, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”
The report coincides with the completion of a classified National Intelligence Estimate by the US intelligence community, which concludes that China is the most aggressive perpetrator of a massive campaign of cyberespionage against commercial targets in the US, according to a Times report on the estimate. It also comes on the heels of President Obama’s vow to protect the nation’s critical infrastructure.
“We know foreign countries and companies swipe our corporate secrets,” Mr. Obama said in his State of the Union speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.”
Attacks by APT1 on Telvent, a Canadian supplier of natural gas pipeline control systems, are one such worrying sign, says Rocky DeStefano, a cybersecurity researcher at Visible Risk in Austin, Texas. The attacks were known before the Mandiant report and could give the Chinese military a lever to use against the US in a cyberattack.
“What we have here is a really delicate situation where our government is afraid to commit to the fact that we have a global economic partner organizing against us,” he says. “And that’s because the ultimate conclusion you have to draw from this report is that it’s not just theft of information, but it’s the Chinese military doing it. What does that lead us toward in terms of policy and action? Nobody wants to get into that.”