February 19, 2013
U.S. Security Firm Links Hacking of 141 Companies Worldwide to Chinese People’s Liberation Army
The military unit — labeled Advanced Persistent Threat 1 (APT1) — has carried out the attacks at the behest of the Chinese government, Mandiant Corp. says in its 74-page report, adding that the majority of these attacks have targeted American companies and contractors.
“Our research and observations indicate that the Communist Party of China is tasking the Chinese People’s Liberation Army to commit systematic cyber espionage and data theft against organizations around the world,” the report reads.
“Our analysis has led us to conclude that APT1 is … one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.”
China is indignantly denying the report’s findings, dismissing it as inaccurate.
During a press conference today (Feb. 19) Chinese Foreign Ministry spokesman Hong Lei described hacking as “anonymous and transnational.”
“It is hard to trace the origin of attacks, so I don’t know how the findings of the report are credible,” Hong was quoted by The Wall Street Journal.
“To make groundless accusations based on some rough material is neither responsible nor professional,” Hong was quoted by The Associated Press, adding China itself is often a victim of cyber-crimes, some of which originate in the U.S.
“As of now, the cyber-attacks and cybercrimes China has suffered are rising rapidly every year.”
Experts, however, are describing Mandiant’s report as credible.
“No one as yet has provided the world conclusive evidence of a link between the Chinese military and the attacks. This report is the nearest thing to conclusive evidence that I have seen,” Massimo Cotrozzi, managing director of KCS Group, a London-based international cyber investigation consulting firm, was quoted by The Associated Press.
Mandiant has linked APT1 to the hacking of 141 companies worldwide since 2006, but the security firm says that likely represents only a fraction of the cyber espionage that APT1 has conducted.
The Alexandria, Virginia-based security firm traced the hacking to four large networks in Shanghai, two of which serve the Pudong New Area where a 12-storey building run by Unit 61398 of the People’s Liberation Army is located.
Mandiant says it believes APT1 and Unit 61398 — which requires its personnel to be proficient in computer security, computer network operations and the English language — are one and the same.
“Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership,” the report says.
Other startling observations by Mandiant include:
• The longest period APT1 maintained access to a single victim’s network was 1,764 days, or four years and 10 months.
• APT1 stole 6.5 terabytes of compressed data from a single organization over a 10-month time period.
• In the first month of 2011, APT1 successfully compromised at least 17 new victims operating in 10 different industries.
• APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
• Conservative estimates indicate APT1’s current attack infrastructure includes more than 1,000 servers.
• APT1 operators would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors.
• APT1 would need a sizable IT staff dedicated to acquiring and maintaining computer equipment, people who handle finances, facility management, and logistics (e.g., shipping).
Mandiant said it decided that making the results of its investigation public was worth the risk of the hackers changing their methods and thereby becoming even harder to trace.
“It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively,” the report says.