Report: Chinese Army Tied to Hacking U.S. Web Properties and Organizations

A 60-page study released today by Mandiant, an American cyber security company, is garnering lots of attention on the web today. The detailed report provides evidence of Chinese government-sponsored "Advanced Persistent Threat" (APT) hacking groups and highlights the activities of one group in particular. Referred to in the report as APT1, it is one of more than 20 APT groups with origins in China, Mandiant says, and it has been conducting a cyber espionage campaign against a broad range of victims since at least 2006.

"The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted," Mandiant states in its report. "Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others."

Unit 61398

According to Mandiant, a large percentage of attacks on American businesses and government agencies originated from a 12-story office tower in Shanghai's Pudong district, Unit 61398 of China's People's Liberation Army (PLA). Work conducted at Unit 61398 is considered by China to be a state secret, however Mandiant says it engages in cyber espionage. Unit 61398 is believed to be staffed by hundreds, if not thousands of people, based on the size of the physical infrastructure, all of which are trained in computer security and network operations, and also must be proficient in English.

All told, APT1 alone has systematically stolen hundreds of terabytes of data from no less than 141 organizations, and is able to steal from dozens of organizations at the same time, Mandiant says. Stolen data has included confidential product development details, manufacturing procedures, business plans, emails of high-ranking employees, user credentials, and much more.

Another explanation is that China, with all its restrictions on the Internet, is somehow clueless about thousands of hackers attacking foreign entities from a singular location, but it's easy to see why that's an unlikely scenario.

"In a State that rigorously monitors Internet use, it is highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai. The detection and awareness of APT1 is made even more probable by the sheer scale and sustainment of attacks that we have observed and documented in this report. Therefore the most probable conclusion is that APT1 is able to wage such a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government," Mandiant concludes.