Security firm report details APT attacks by Chinese Army hackers

Security firm Mandiant released a detailed report and video 'proof' of Chinese hackers from People’s Liberation Army Unit 61398.

We hear a great deal about Advanced Persistent Threats (APT) and how China has hacked every major U.S. company. China seems stuck in a rut, echoing the same denials that "the Chinese army has never supported any hacking activity." The China propaganda machine called these allegations "groundless." Although spokesman Hong Lei stated that "hacking attacks are transnational and anonymous," security firm Mandiant, the firm that the New York Times hired while it was being attacked by Chinese hackers, released a report showing that the Chinese hackers are not as anonymous as China believes they are. This is the same group of nation-state hackers that Chinese hacking victims have previously called "Comment Crew" or "Shanghai Group."

Mandiant's extremely detailed report, "APT1: Exposing One of China's Cyber Espionage Units," points a finger directly at Chinese Army hackers who have "stolen hundreds of terabytes of data from at least 141 organizations. The size of APT1's infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators." Mandiant has tracked the hacking group for six years; "APT1 is not a ghost in a digital machine," the report states. 87% of the victims are in English-speaking countries. The "People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources....The nature of 'Unit 61398's' work is considered by China to be a state secret; however, we believe it engages in harmful 'Computer Network Operations'."

The hacking headquarters for Unit 61398 is a 12-story white building that looks similar to other Shanghai office buildings. The "130,663 square-foot building on Datong Road in Gaoqiaozhen, in the Pudong New Area of Shanghai," is "where more than 90 percent of the attacks we followed come from," Mandiant told the New York Times.

Although the PLA base had no signs declaring it was full of English-speaking Chinese hackers, there are guards and a sign that states, "Restricted military area. No photographing or filming." The Telegraph wrote about Chinese propaganda posters lining the street and that "a woman who identified herself as a member of 'Unit 61398' but refused to produce any identification reprimanded the Daily Telegraph for taking notes on a nearby street corner."

Kevin Mandia, Mandiant's founder and chief executive, told the New York Times, "Either they are coming from inside Unit 61398 or the people who run the most controlled, most monitored internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood."

Dan McWhorter, Mandiant's Threat Intelligence managing director, wrote, "It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively."

The report [PDF] concludes with an either/or scenario. Either "a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398's gates, performing tasks similar to Unit 61398's known mission," or "APT1 is Unit 61398."

The security firm also released a video and "more than 3,000 indicators to bolster defenses against APT1 operations."

Copyright © 2013 IDG Communications, Inc.