BEIJING — A U.S. security firm has tied more than a hundred cyber attacks on U.S. corporations to China’s military, including several involved with critical U.S. infrastructure such as pipelines and power grids, according to a report released Tuesday.
The 60-page study by investigators at the Alexandria-based Mandiant security firm presents one of the most comprehensive and detailed analyses to date tracing corporate cyber espionage to the doorstep of Chinese military facilities. And it calls into question China’s repeated denials that its military is engaged in such activities.
The document, first reported by the New York Times, draws on data Mandiant collected over seven years from 147 attacks that it traced back to a single group it designated “APT1,” a group Mandiant has now identified as a military unit within the 2nd bureau of China’s People’s Liberation Army General Staff Department’s 3rd Department, going by the designation “Unit 61398.”
The Chinese military has repeatedly denounced such accusations. Last month — amid reports that the Times, Wall Street Journal and The Washington Post had been the target of cyber attacks apparently originating from China — the Chinese Defense Ministry responded to a faxed question saying, “The Chinese military has never supported any hack attacks…. It is unprofessional and groundless to accuse the Chinese military of launching cyberattacks without any conclusive evidence.”
Mandiant investigators said they based their conclusion in part on tracing an overwhelming number of cyber attacks by the APT1 group to networks serving a small area on the edges of Shanghai — the same area where Unit 61398 is believed to be operating in a 12-story building. They also found evidence that China Telecom had provided special high-speed fiber-optic lines for those headquarters in the name of national defense.
The only alternative explanation to military involvement, Mandiant argues in the report, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates.”
Other security experts have also traced cyber attacks to China in the past. In one instance, documented by Bloomberg reporters last week, a malware expert at Dell SecureWorks and other security experts traced cyber attacks to a man named Zhang Changhe teaching at the Chinese military academy, PLA Information Engineering University.
Along with Tuesday’s report, Mandiant included lengthy descriptions of the group’s past methods and more than 3,000 indicators to help others bolster their defenses against the unit’s tactics.
The company explained its rationale, saying its leaders decided that the benefits of exposing the military unit’s activity and pinning responsibility squarely on China now outweighed the usefulness of keeping silent.
“It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively,” the report said. “Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.”
Company officials, however, acknowledged that the report would likely lead to negative consequences, such as prompting Unit 61398 and other military operations to change their methods, making them harder to detect and stop. The report also concluded by saying that Mandiant as a company was ready to face “reprisals from China as well as an onslaught of criticism.”