U.S. firm blames Chinese army unit for hacking American businesses

McClatchy NewspapersFebruary 19, 2013 

China Hacking

The building housing "Unit 61398" of the People’s Liberation Army is seen in the outskirts of Shanghai, on Feb. 19, 2013.


— A U.S. cyber-security firm has publicly accused the Chinese military of carrying out a series of Internet-based attacks on American and foreign companies in a one of the most detailed reports to date alleging such activity is officially condoned in China.

Alexandria, Va.-based Mandiant said that it tracked a People’s Liberation Army organization, known as Unit 61398, that since 2006 launched online attacks against at least 141 companies and organizations.

Of those 141 targets, 115 were in the United States, according to Mendiant’s 74-page report. “The activity we have directly observed likely represents only a small fraction of the cyber espionage,” the report said.

“Our research and observations indicate that the Communist Party of China … is tasking the Chinese People’s Liberation Army … to commit systematic cyber espionage and data theft against organizations around the world,” the report said.

The accusations seem certain to further stoke tensions between Washington and Beijing in what has become on one side a mounting body of allegations and evidence that hacking is being condoned, if not directed, by Beijing and, on the other side, continued denials from China.

In a regularly scheduled press briefing on Tuesday, the Chinese Foreign Ministry again denied official Chinese involvement in online hacking activity and pointed out that China is itself regularly subjected to such attacks.

While not citing China specifically, President Barack Obama said in his State of the Union address on Feb. 12 that, “America must also face the rapidly growing threat from cyber-attacks.”

“Our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems,” Obama said in the address. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The Mandiant report identified one of the buildings from which Unit 61398 works in Shanghai and provided Google Earth images of the white, 12-floor structure. Mandiant distributed a copy of what it said was a China Telecom memorandum saying the state-owned company provided Unit 61398 with special fiber optic lines.

It also identified Unit 61398’s place within the Chinese military’s command structure: the second bureau of the general staff’s third department, which has a focus including signals intelligence and cyber surveillance.

Mandiant, which contracts with corporations to help protect their computer systems from hackers, said that it had analyzed the group’s intrusions through painstaking examination of electronic clues left behind in the wake of attacks.

While not naming specific cases, Mandiant said that its investigators sifted for digitial “fingerprints” such as Internet protocol addresses and information gleaned from the e-mail addresses used to launch “spearphishing” notes that carry attachments that, when clicked, allow access to a user’s computer. Those attachments contain dense code that may carry language identifying them as the work of a particular programmer or group.

Mandiant, which cited its “unique vantage point responding to victims,” issued a video showing what it said was screen footage of a member of the group setting up anonymous e-mail accounts that were used for “spearphishing.” The video also recorded a group member allegedly breaking into computer systems online and stealing files.

The industries targeted by Unit 61398, the report said, are consistent with those that China has marked as being strategically important to its growth. Mandiant did not identify the companies affected, but said they were from a broad range of sectors including aerospace, energy, telecommunications and scientific research.

Among the types of information stolen, the report said, were system designs, manufacturing procedures, contract negotiation positions and business plans.

The Mandiant document, which was first reported by The New York Times, said with obvious derision that besides Unit 61398, there was only one other possible culprit: “A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates.”

Email: tlasseter@mcclatchydc.com; Twitter: @tomlasseter

McClatchy Washington Bureau is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service