Tuesday, February 19, 2013

Solid evidence of Chinese cyber-espionage

Readers may have noted a Reuters report identifying a Chinese military unit as the probable source of industrial and other cyber-espionage, including so-called 'hacking attacks'. China, of course, immediately denounced the claim and denied the report.

I took the time to read the source material for the Reuters article, which is an investigative report from Mandiant, an information security company based in Alexandria, Virginia, near Washington DC. It is very detailed and very interesting. Here's an excerpt from its Executive Summary:

The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 [the unit in question] has conducted. Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others.

Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.

. . .


  • APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
  • APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
  • The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.

There's more at the link.  It's a very long, very detailed, and very interesting report for those with exposure to or experience in such things.  Recommended reading.  Kudos to Mandiant for taking the time and trouble to report in such detail.


1 comment:

Matt said...

I'm not questioning that this has happened, but I question the timing of the release of information.

The timing is very convenient and self-serving.

Obama just signed his Internet E.O. on the 12th of this month.