Report Fingers Chinese Army in Anti-U.S. Hacking Attacks

Wednesday, February 20, 2013
Headquarters of PLA Unit 61398 (photo: New York Times)

An American assessment of foreign cyber-attacks has directly fingered the Chinese army for the numerous hacking attempts on U.S. computer networks.


Mandiant, an American computer security firm, said in a report that most of the attacks on corporate, governmental and organizational computers in recent years have originated inside a unit of China’s People’s Liberation Army (PLA).


PLA Unit 61398, said to be located in a 12-story building outside Shanghai, housed what Mandiant called the “Comment Crew” or “Shanghai Group,” which digital forensics had shown was responsible for a large percentage of cyber-attacks on American systems.


The New York Times reported that other security firms have claimed the “Comment Crew” is state-sponsored, and “a recent classified National Intelligence Estimate…makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like Unit 61398.”


Mandiant has documented more than 140 cyber-attacks launched by the “Comment Crew” since 2006. Numerous other security firms have identified 20 other active Chinese hacking groups that are contracted with it.


The substance of the Mandiant report was confirmed by U.S. intelligence officials, who claim to have been tracking this particular PLA unit for years. The building that is assumed to be the nerve center of PLA’s cyber assault operations, off Datong Road, stands in the midst of massage parlors, a wine importer, and various restaurants.


Kevin Mandia, founder and chief executive of Mandiant, told the newspaper: “Either they [the attacks] are coming from inside Unit 61398, or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”


Mandiant was able to trace the attacks to the PLA unit because two of the hackers momentarily logged on to their personal Facebook or Twitter accounts without first signing off from the servers they were using for their espionage work. A hacker’s use of his cell phone number to register a Google email account for himself provided another clue.


Unit 61398—once referred to by the code name “Byzantine Candor” by U.S. intelligence—is a ghost-like entity within the official Chinese military structure, but is acknowledged by the U.S. as the center of Chinese cyber espionage operations.

-Danny Biederman, Noel Brinkerhoff


To Learn More:

Chinese Army Unit Is Seen as Tied to Hacking Against U.S. (by David E. Sanger, David Barboza, Nicole Perlroth, New York Times)

Chinese Hackers Outed Themselves by Logging into Their Personal Facebook Accounts (by Max Fisher, Washington Post)

Chinese Military Group Linked to Hacks of More Than 100 Companies (by Kim Zetter, Wired)

APT1: Exposing One of China’s Cyber Espionage Units (Mandiant) (pdf)

Chinese Government Brags on TV about Cyber Attacks against U.S. Sites (by Noel Brinkerhoff, AllGov)

Chinese Government Hackers Gone Wild (by Noel Brinkerhoff, AllGov)

