Chinese military unit ‘behind hacking attacks’

Unit 61398 is more than 20 similar hacking groups linked to China which pose an “Advanced Persistent Threat”, said Mandiant. Its report styles Unit 61398 as APT1, one of the “most prolific cyber espionage groups” and persistent of China’s “cyber-threat” actors.

While most of the victims of APT1 are US-based, five are said to be based in the UK. Mandiant said that over a seven-year period Unit 61398 has stolen a wide range of intellectual property, including technology blueprints, manufacturing processes, test results, business plans, pricing documents, partnership agreements, e-mails and contact lists.

The report said the group is likely “government-sponsored” and that it is able to carry out such extensive cyber attacks “in large part because it receives direct government support”.

Mandiant said it has traced the hackers to a building in the Pudong area of Shanghai, which houses the 2nd Bureau of the People’s Liberation Army General Staff Department’s 3rd Department, known as Unit 61398. The report suggests this is the base for the hacking effort, since the only other option is “a secret, resourced organisation full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates”.

Mandiant said its report probably only covered a “small fraction of the cyber espionage that APT1 has conducted”.

The Chinese government denied the allegations as “groundless”. A foreign ministry spokesman said cyber crime was an international problem and should be solved through co-operation on the basis of mutual trust and respect.

He added that “groundless criticism is irresponsible and unprofessional and it will not help to solve the problem”. He said the Chinese government objects to the allegations that the cyber attacks originated from a building owned by the PLA.

Richard Bejtlich, chief security officer for Mandiant said he could have “predicted the exact words the [Chinese] spokesman used”. Responding to China’s claims of hacking by the US, he said: “Western countries focus activity on legitimate targets of espionage, foreign military and foreign government. Other countries such as China and Russia also focus on private companies,” he said.

He added that one of the dangers of this type of activity was “the erosion of economic competitiveness” and that stolen information stolen could be passed onto Chinese state companies. He said there was also a risk China could destroy information through hacking.

Recently news organisations including the New York Times, Wall Street Journal and Washington Post reported they had been attacked by hackers. The New York Times said it was hacked after carrying a report about the alleged wealth of the family of outgoing premier Wen Jiabao. Mandiant were hired by the newspaper to investigate. It traced the hacking to China but not to APT1.

Cyber-security firm that rarely seeks publicity

Mandiant is one of a handful of US cyber-security companies that specialise in attempting to detect, prevent and trace advanced hacking attacks, as opposed to the common-or-garden-variety viruses and criminal intrusions that plague corporate networks every day.

Privately owned and little known to the general public, Mandiant does not promote its analysis in public and only rarely issues topical papers about changes in techniques or behaviours. It has never before directly linked hackers to a military branch of the Chinese government, which gives the new report special resonance.

In the report, Mandiant details the attack programmes and dummy websites used to infiltrate US companies, typically via deceptive e-mails.

US officials complained in the past that China sanctioned trade-secret theft, but have had limited evidence. Mandiant said it knew the Chinese military would shift tactics and programmes in response to its report but concluded that the disclosure was worth it because of the scale of the harm and the ability of China to issue denials in the past and duck accountability.

The Mandiant report comes a week after president Barack Obama issued an executive order to get owners of power plants and other critical infrastructure to share data on attacks to improve security.