Chinese PLA soldiers 'mastermind cyber-espionage Cold War'

NYT-hired security biz claims scores of US corps hacked by state-sponsored crew


Chinese military spies, holed up in ho-hum Shanghai tower blocks surrounded by restaurants and massage parlours, have siphoned hundreds of terabytes of data from computers at scores of US corporations.

We're assured that, rather than being a work of fiction, this is the conclusion of a new study by Mandiant that claims a unit of China's People's Liberation Army is masterminding a state-sponsored cyber-espionage hub.

The security consultancy published its report (PDF) today, and linked PLA unit 61398* to hackers who apparently infiltrated American businesses in sectors ranging from high-tech to energy.

The electronic intrusions were allegedly carried out by a group dubbed an advanced persistent threat (APT) and previously codenamed by Western experts as APT1 or the Comment Crew**. Mandiant blamed APT1 for a campaign of espionage waged against 141 corporations in 20 industries since 2006, and accused the team of swiping hundreds of terabytes in data.

Mandiant doesn't name the supposedly attacked firms, but other reports suggest these include Coca-Cola, RSA Security and Telvent, a firm that supplies power grid control systems and smart meters.

"In seeking to identify the organisation behind this activity, our research found that People's Liberation Army unit 61398 is similar to APT1 in its mission, capabilities, and resources," Mandiant wrote in its report. "PLA unit 61398 is also located in precisely the same area from which APT1 activity appears to originate."

More precisely, according to Mandiant, unit 61398 is housed in a series of nondescript tower blocks on Datong Road in Gaoqiaozhen, in the Pudong New Area of Shanghai, that were built in 2007. The buildings were pictured in a front-page story by the New York Times on Mandiant's research; the newspaper said China's alleged cyber-espionage hub is surrounded by diners, massage parlours and a wine importer.

According to a US intelligence agency assessment quoted by the NYT, digital-espionage agents operating in China are either handled by army officers or are contractors working for outfits such as unit 61398. The NYT hired Mandiant to investigate a high-profile breach of the paper's network security, which the consultants concluded was the work of a Chinese APT group. A US spook grilled by the NYT said Mandiant's report was consistent with the American government's own analysis.

The charges that China is carrying out international electronic espionage on an industrial scale are, of course, years old, but Mandiant's 60-page study is a fascinating read because it goes into considerable detail.

Mandiant claimed APT1 is just one of 20 computer spying crews in operation in China, and is among dozens it is tracking worldwide. APT1's handiwork is partially identifiable, we're told, because its members use distinct hacking tools, techniques and resources not used by other groups. Mandiant claimed:

Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures).

According to the security consultancy, the group's modus operandi involves gaining initial access to networks using spear-phishing messages and custom-built malware. It then revisits compromised systems over months or years to copy intellectual property, including technology blueprints, documentation of manufacturing processes, test results, business plans, partnership agreements, and the emails and contact lists of senior execs.

The industries APT1 targets match industries that China has identified as strategic to its growth.

Mandiant also compiled a video that apparently shows APT1's attacks and intrusions as they happened.

Some of those allegedly involved in the corporate spying were personally identifiable because they skirted around the Great Firewall of China to log into Twitter and Facebook accounts.

Malware used in APT1-style attacks was apparently created by a character called UglyGorilla, who first appeared on a Chinese military forum in 2004 to ask whether China was planning a response to the formation of a US cyberspace command. The same handle turned up years later on IP addresses linked to unit 61398.

Another person called DOTA created email accounts that were used to plant malware from IP addresses also associated with unit 61398's network. And confirmation messages to set up those mail accounts were sent to a mobile phone number provided by a Shanghai-based operator.

A third person, who uses the nickname SuperHard, was allegedly involved in creating the AURIGA and BANGAT malware families used by APT1. According to Mandiant the trio are soldiers in a unit of dozens if not hundreds of personnel that targets the English-speaking world from IP addresses registered in Shanghai and systems configured to use the simplified Chinese language.

Mandiant also revealed more than 3,000 indicators associated with APT1: domain names, IP addresses and MD5 hashes of malware. The release includes 13 X.509 certificates used by the team.
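Indicator releases of this kind are only useful if defenders actually sweep their own telemetry with them. The following is an added example, not code from Mandiant or from the report, of how a responder would match a domain/IP/MD5 indicator set of the shape described above against proxy, firewall and DNS logs and against files collected from a host. Every indicator, log line and file body in it is constructed for illustration (RFC 5737 documentation addresses, `.test` domains, a fake sample), not taken from the APT1 appendices.

```python
import hashlib
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed indicator set in the shape of the report's appendices: C2 domain
# names, C2 IP addresses and MD5 hashes of malware samples. Every value is a
# placeholder for illustration (RFC 5737 documentation IPs, .test domains),
# not an indicator taken from the Mandiant report.
INDICATORS = {
    "domains": {"update.example-c2.test", "news.example-c2.test"},
    "ips": {"203.0.113.7", "198.51.100.22"},
    "md5": {hashlib.md5(b"constructed malicious sample").hexdigest()},
}

# Constructed proxy, firewall and DNS log lines to scan (not real telemetry).
LOG_LINES = [
    "2013-02-19T10:01:02Z proxy client=10.0.5.12 host=update.example-c2.test uri=/news.aspx status=200",
    "2013-02-19T10:01:05Z proxy client=10.0.5.12 host=www.example.org uri=/ status=200",
    "2013-02-19T10:02:11Z fw src=10.0.5.12 dst=198.51.100.22 dport=443 action=allow",
    "2013-02-19T10:03:00Z dns query=mail.news.example-c2.test type=A",
]

# Constructed file contents standing in for files collected from a host.
SAMPLE_FILES = {
    "C:/Windows/Temp/svchost.exe": b"constructed malicious sample",
    "C:/Windows/System32/notepad.exe": b"benign bytes",
}

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_matches(host: str, bad: Set[str]) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None.

    Walking the label suffixes catches C2 hosts the attacker rotates under a
    known apex (mail.news.example-c2.test) without ever matching a bare TLD.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in bad:
            return candidate
    return None


def scan_log_lines(lines: Iterable[str], indicators=INDICATORS) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, indicator) for every domain or IP indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in DOMAIN_RE.findall(line):
            match = domain_matches(host, indicators["domains"])
            if match:
                hits.append((n, "domain", match))
        for ip in IP_RE.findall(line):
            try:
                ip = str(ipaddress.ip_address(ip))  # rejects 999.1.1.1 and similar
            except ValueError:
                continue
            if ip in indicators["ips"]:
                hits.append((n, "ip", ip))
    return hits


def scan_files(files: Dict[str, bytes], indicators=INDICATORS) -> List[Tuple[str, str]]:
    """Return (path, md5) for every file whose MD5 is in the indicator set."""
    hits = []
    for path, data in files.items():
        digest = hashlib.md5(data).hexdigest()
        if digest in indicators["md5"]:
            hits.append((path, digest))
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(LOG_LINES):
        print("log hit:", hit)
    for hit in scan_files(SAMPLE_FILES):
        print("file hit:", hit)
```

Two caveats a responder should keep in mind. A hash indicator matches one exact build of a tool, so a recompiled or repacked sample slips past it; treat hash hits as confirmation, not as the only detection, and pair them with the domain and IP sweep and with behavioural rules. Infrastructure indicators age quickly once published, because the group can re-register domains and move hosts, so a sweep like this is most valuable run retrospectively over historical logs to find out whether you were already a victim. The 13 certificates could be swept the same way by matching their fingerprints against TLS session logs; that step is left out here.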

The security consultancy concluded: "Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise-scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission, or APT1 is Unit 61398."

The Chinese government has angrily dismissed the latest charges as another round of China bashing. Officials dismissed Mandiant's APT1 report as "groundless", the Asian nation's official news agency Xinhua reported.

"Groundless criticism is irresponsible and unprofessional, and it will not help to solve the problem," said Foreign Ministry spokesman Hong Lei, adding that China has also been a victim of cyber-attacks and reiterating the need for international cooperation in addressing the problem.

Mandiant's detailed and well-written report was well received in security circles. About the only substantive criticism comes from a cogently argued blog post by Jeffrey Carr, who claimed that Mandiant failed to take into account that multiple states, not just China, are engaged in this kind of activity. Mandiant did not consider and rule out competing hypotheses about the identity of the hackers, according to Carr. ®

* Unit 61398 was otherwise known as the 2nd Bureau of the People's Liberation Army's General Staff Department's 3rd Department. ** The Comment Crew earned its nickname from its habit of embedding commands in hidden HTML comments on web pages, which its malware fetched and parsed as command-and-control traffic.
