China's Hack Attack Revealed

China’s military linked to cyber espionage

February 19, 2013

A secret Chinese military unit is the major player in cyber espionage against an array of computer networks around the world, according to an intelligence report by a cyber security firm.

"Our research and observations indicate that the Communist Party of China is tasking the Chinese People’s Liberation Army (PLA) to commit systematic cyber espionage and data theft against organizations around the world," the report by the security firm Mandiant said.

Mandiant conducts cyber threat analyses for both government and industry clients. A threat intelligence report produced in 2010 by the company was unable to confirm Chinese military involvement in widespread cyber attacks that were suspected as originating in China.

"Now, three years later, we have the evidence required to change our assessment," the report said.

"The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese government is aware of them."

Rep. Mike Rogers (R., Mich.), chairman of the House Permanent Select Committee on Intelligence, said the Chinese government plays a direct role in cyber theft that is "rampant," and a problem growing "exponentially."

"The Mandiant report provides vital insights into the Chinese government’s economic cyber espionage campaign against American companies," Rogers said through a spokeswoman. "It is crucial that the administration begin bilateral discussions to ensure that Beijing understands that there are consequences for state sponsored espionage."

The Chinese cyber espionage unit was identified as a PLA unit that is "a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006," the report said, adding that "it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen."

The report represents an unusual but not unprecedented disclosure about Chinese military-related cyber warfare and cyber espionage that until recently has remained limited to classified intelligence and military reports.

The Pentagon declined to comment on the Mandiant disclosure of Chinese military spying.

"We are aware of the Mandiant Technologies Report and its contents," said Pentagon spokesman Lt. Col. Damien Pickart. "However, as a matter of policy we do not comment on the details of private-sector reports such as this, nor do we discuss matters of intelligence."

Pickart said the government is seeking to address cyber theft and that the Pentagon "takes seriously" its role in cyber security, but declined to specify.

Instead, Pickart said the United States and China need to continue "a sustained, meaningful dialogue and work together to develop an understanding of acceptable behavior in cyberspace."

A U.S. intelligence official said Chinese cyber spying relies on both military specialists and semi-government computer hackers.

China’s government, as it has in the past, denied the findings of the Mandiant report and dismissed the reported links to the PLA as "groundless."

The Project 2049 Institute, in an October report, disclosed for the first time that China’s military was conducting extensive cyber warfare and spying operations from a site called the Beijing North Computing Center, which was linked to extensive cyber espionage against U.S. government and private networks. Its military cover name is Unit 61539. The Washington Free Beacon first disclosed the report.

Classified State Department cables disclosed in 2011 revealed that China’s military was involved in cyber spying through a PLA unit in Chengdu called the First Technical Reconnaissance Bureau.

The Mandiant report said China’s main military cyber espionage organization is the 2nd Bureau of the PLA General Staff Department’s 3rd Department, code-named Unit 61398.

"The nature of Unit 61398’s work is considered by China to be a state secret; however, we believe it engages in harmful Computer Network Operations," the report said.

The unit is located on Datong Road in a region called Gaoqiaozhen near Shanghai, where hundreds to thousands of cyber spies are at work.

The unit relies on special fiber optic lines provided by the state-run China Telecom.

The Shanghai cyber network has "systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously," the report said.

The cyberspy unit used well-defined computer network attack methods developed over years and, having gained access that it maintained for months or years, stole broad categories of information. These include technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from leaders within the victim organizations.

Chinese hackers targeted British military drone technology, the London Times reported Saturday. Cyber attacks from Chinese government spies targeted British aerospace, defense and technology firms working on drones. The attacks used a spyware program identified as Beebus.

Special software is also used to steal email, and in one case the PLA cyber spies gained access to a target network for four years and 10 months.

The unit uses at least 937 command and control servers hosted on 849 distinct Internet Protocol addresses in 13 countries.

The report identified three online personas linked to Chinese hacking. They include "UglyGorilla," a screen name for a hacker named Wang Dong linked to computer attacks since October 2004, and "DOTA," who was connected to dozens of email accounts linked to social engineering and spear phishing cyber attacks in PLA campaigns. DOTA, a name believed to be taken from the video game "Defense of the Ancients," was identified by a Shanghai phone number used in registering his online accounts.

"We have observed both the UglyGorilla persona and the DOTA persona using the same shared infrastructure," the report said.

A third person behind the Chinese attacks uses the nickname "SuperHard" and is believed to be Mei Qiang, who was identified in the report as a significant contributor to several types of malicious software used in cyber attacks by the Chinese military. SuperHard revealed his location to be in the Pudong New Area of Shanghai.

Mandiant made public more than 3,000 indicators that can be used by network administrators to harden computers against cyber attacks from the spying unit.

"The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind [Advanced Persistent Threat 1]," the report said. "We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398."

The report said an alternative explanation, which it considers unlikely, is that the Chinese hacking group is a well-resourced secret organization with direct access to Shanghai-based telecommunications infrastructure "right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission."

Due to extensive Chinese government monitoring of the Internet, the spying unit’s long-running operations indicate it "is acting with the full knowledge and cooperation of the government," the report said.

"In a state that rigorously monitors Internet use, it is highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai," the report said. "The detection and awareness of APT1 is made even more probable by the sheer scale and sustainment of attacks that we have observed and documented in this report."