Chinese Army Unit Linked To Hacks Against U.S. Companies And Agencies

By Alexandra Burlacu | Feb 19, 2013 01:08 PM EST

Tags Chinese army, hacks, Mandiant, Shanghai, Advanced Persistent Threat group 1

Previous image Enlarge Close Next image

Share This Story

A Chinese military unit is likely responsible for a series of prolific hackings against U.S. companies and agencies, claims a U.S. computer security company.

Despite the Chinese government's claims that it is not involved in such operations, an "overwhelming percentage" of cyber attacks on U.S. corporations, government agencies and organizations apparently came from a 12-story office tower in Shanghai.

According to a comprehensive New York Times (NYT) report, the office tower on the outskirts of Shanghai is tied to the People's Liberation Army. The NYT cites an extensive 60-page report from U.S. security firm Mandiant, tracing the activities of a Chinese hacking group known as "Comment Crew" or "Shanghai Group" to the headquarters of PLA Unit 61398.

Mandiant said it observed the "Comment Crew" systematically steal hundreds of terabytes of data from at least 141 organizations across 20 industries worldwide since 2006. The security firm claims the activity can be traced to four networks near Shanghai, with some operations originating from the headquarters of Unit 61398, a secret division of China's military.

"The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind," says Mandiant. "We believe the totality of the evidence we provide in this document bolsters the claim the [the group] is Unit 61398."

"Either they are coming from inside Unit 61398 or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood," Mandiant founder and CEO Kevin Mandia told the Times.

Mandiant also released a very detailed video (see below) as part of its report, claiming to show actual hack sessions conducted by a hacker group in China. Mandiant calls that group Advanced Persistent Threat group 1, or APT1.

"Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors," explains Mandiant.

Last month, The New York Times revealed that it was the victim of a four-month cyber attack stemming from China. As part of that attack, hackers breached its systems and stole the passwords of its employees to get information on sources and contacts for the NYT's expose on Chinese Prime Minister Wen Jiabao and his family. The NYT said the methods used in the cyber attacks were similar to past attacks by the Chinese military, but Chinese authorities denied any involvement.

Such reports surface as the U.S. is starting a more aggressive cyber defense policy against hackers. President Obama signed a long-anticipated executive order last week, allowing companies to share confidential information such as hackers' unique digital signatures with intelligence agencies.

The order aims to make it easier for private companies dealing with the nation's critical infrastructure to share information about cyber attacks with the government. At the same time, the order also prompts the government to work with the private sector on standards to help protect private companies from cyber attacks.