A secretive Chinese military unit, with Government backing, is engaged in “systematic” cyber espionage and data theft against organisations around the world from Shanghai, an American Internet security firm has claimed.
“Our research and observations indicate that the Communist Party of China (CPC) is tasking the Chinese People’s Liberation Army (PLA) to commit systematic cyber espionage and data theft against organisations around the world,” alleged the report ‘APT1: Exposing One of China’s Cyber Espionage Units’ by computer security firm Mandiant.
Mandiant Corp said on its website that a group attached to China’s People’s Liberation Army has stolen data from 141 companies, 115 of which were in the US.
It did not name specific targets of the attacks but said they spanned industries ranging from information technology and telecommunications to aerospace and energy.
“Our analysis has led us to conclude that APT1 (Advanced Persistent Threat 1) is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct Government support,” said the executive summary of the 60-page report released yesterday.
Mandiant said it believes the group behind the hacking is Unit 61398, within a wing of the People’s Liberation Army. It said it has observed hacking attempts against nearly 150 victims over seven years. Hundreds of terabytes of data were involved, it said.
A series of cyber attacks on America’s most high-profile media outlets, reported earlier this month by The New York Times and the Wall Street Journal, as well as on Twitter and others, have revived concerns over Chinese hackers.
The New York Times said hackers stole corporate passwords and accessed the personal computers of 53 employees after the newspaper published a report on the family fortune of China’s Premier Wen Jiabao.
“In seeking to identify the organisation behind this activity, our research found that People’s Liberation Army (PLA) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate,” it alleged.
It pinpointed the group’s location in facilities in Shanghai’s Pudong district. It also reprinted a memo from a Chinese telecommunications provider supplying communications links to the facility that said it would “smoothly accomplish this task for the military based on the principle that national defense construction is important.”
“Though our visibility of APT1’s activities is incomplete, we have analysed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area,” it said.
Shanghai is China’s largest metropolis as well as the country’s financial capital.
“We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others,” Mandiant said.
Releasing the findings of its investigations, Mandiant said the nature of Unit 61398’s work “is considered by China to be a state secret; however, we believe it engages in harmful ‘Computer Network Operations’.”
“We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398’s physical infrastructure,” the report alleged, adding that China Telecom provided special fibre optic communications infrastructure for the unit in the name of national defence.
Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.
Mandiant has traced APT1’s activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based, it said. According to the report, since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries.
“The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organisation behind APT1. We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398,” it said.
The report, for the first time, has revealed three personas that are associated with APT1 activities — UglyGorilla, DOTA and SuperHard.
“We have observed both the ‘UglyGorilla’ persona and the ‘DOTA’ persona using the same shared infrastructure, including FQDNs and IP ranges that we have attributed to APT1,” the report alleged.
APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property, it said.
Once APT1 establishes access, it periodically revisits the victim’s network over several months or years and steals broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organisations’ leadership.