After several hacks of prominent U.S. newspapers were revealed earlier this year and attributed to the Chinese, the country’s defense ministry said it was “unprofessional and groundless” for China’s military to be accused. But a new report is not only pulling together evidence that implicates the Chinese for cyberattacking U.S. companies, it is also revealing just where such activities might be originating.
In this building.
The report released Tuesday by Mandiant — first reported on by the New York Times — unveils investigations against Advanced Persistent Threats (APT), one of which is APT1. APT1, the report states, is one of more than 20 APTs in China that has been active since 2006 and “is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen.”
Mandiant states that it has analyzed attacks by APT1 against more than 140 victims over a period of seven years, but it acknowledges that this likely represents only a small portion of the group’s full activities.
“Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors,” the authors stated in the report’s executive summary. “We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.”
This area is detailed in the report as a 12-story, 130,663-square-foot building in Shanghai’s Pudong New Area on Datong Road in Gaoqiaozhen. The New York Times reported that American intelligence officials say this location, as a hub for “cyberwarriors,” is in line with their own evidence on the origin of cyberattacks against companies and government entities over the years.
In January, the New York Times announced it had been the victim of hacking by the Chinese. The Wall Street Journal and the Washington Post soon followed. Among the government agencies that have revealed cyberattacks attributed to the Chinese was NASA’s Jet Propulsion Lab in March 2012. And in December 2011, security analysts traced cyberattacks against defense systems and critical infrastructure to 12 entities supposedly backed by the Chinese government.
Mandiant stated in the report that it decided to make its extensive research public because “it is time to acknowledge the threat is originating in China.”
“Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches,” it said.
Massimo Cotrozzi, managing director of KCS Group, a London-based international cyber investigation consulting firm that was not involved in Mandiant’s research, told the Associated Press that the methodology Mandiant used in the investigation was sound.
“No one as yet has provided the world conclusive evidence of a link between the Chinese military and the attacks. This report is the nearest thing to conclusive evidence that I have seen,” Cotrozzi said.
In a statement faxed to the Associated Press in response to this latest report, the Defense Ministry firmly rejected any involvement in hacking, saying Chinese law forbids all activities harming Internet security.
“The Chinese government has always firmly combated such activities and the Chinese military has never supported any form of hacking activity,” the ministry said. “Statements to the effect that the Chinese military takes part in Internet attacks are unprofessional and are not in accordance with the facts.”
Chinese Foreign Ministry spokesman Hong Lei did not directly address the claims, but when questioned on the report Tuesday, he said he doubted the evidence would withstand scrutiny.
“To make groundless accusations based on some rough material is neither responsible nor professional,” Hong told reporters at a regularly scheduled news conference.
Reiterating a standard China government response on hacking claims, Hong said China itself is a major victim of such crimes, including attacks originating in the United States.
Mandiant’s report stated that it believes there is “little doubt” that Unit 61398 — also known as “Comment Crew,” according to the Times — is the organization behind APT1. But the authors do offer one “unlikely possibility” that would contradict this conclusion.
“A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission,” the report stated.
Mandiant said it expects an “onslaught of criticism” from China for the evidence they’re presenting and recognizes there are risks that come with unveiling some of the technologies and techniques used by hackers in the report. But the authors said they hope the report will help “temporarily increase the costs of Unit 61398’s operations and impede their progress in a meaningful way.”
The Associated Press contributed to this report.