The Tech News Blog

Chinese Military Linked to Extensive Cyber Espionage Campaign

February 19, 2013


Security researchers have traced a prolific, government-backed group of computer hackers to a military building in Shanghai, China.

According to a new report from Mandiant, the People's Liberation Army Unit 61398 is located "in precisely the same area" as a section of APT1, an advanced persistent threat (APT) group that has stolen hundreds of terabytes of data from at least 141 organizations worldwide. "Mandiant has traced APT1's activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based," the company said.

PLA Unit 61398 has hundreds of staffers, Mandiant said, all of whom are trained in computer security and computer network operations and are required to know English.

"Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors," Mandiant concluded. "We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support."

APT1 is linked to at least 141 company hacks since 2006, Mandiant said. The group uses "a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property." The attacks are not a one-shot deal; APT1 often returns over months or years to "steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations' leadership."

On average, APT1 stays connected to networks for about a year, but the longest time it maintained access was four years and 10 months.

"Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period," Mandiant said. "In the first month of 2011, APT1 successfully compromised at least 17 new victims operating in 10 different industries."

About 87 percent of the targeted companies are located in English-speaking countries.

Mandiant identified three of the more prolific individuals, or handles, associated with APT1 that date back to 2004: UglyGorilla, DOTA, and SuperHard.

"The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind APT1. We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398," Mandiant said.

Another possibility, though very unlikely, Mandiant said, is that "a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398's gates, performing tasks similar to Unit 61398's known mission."

Mandiant acknowledged that it might face backlash for exposing APT1, but "it is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively," the company said.

The New York Times recently hired Mandiant after discovering that the paper had been hacked. That breach was also traced to Chinese hackers, but the paper said it does not appear to be the work of APT1.

Chinese officials denied any wrongdoing and told the Times in a statement that the accusations were "unprofessional."
