Report claims Chinese hackers are working for government
Security company Mandiant has published evidence that the Chinese government is responsible for industrial espionage and hacking attacks targeting the USA and other countries carried out over a period of several years. As Mandiant details, a huge group of hackers has either been operating in close proximity to military zones without the knowledge of the Chinese government or is in fact a military unit executing official orders to carry out cyber-espionage – a suggestion denied by the Chinese government.
In contrast to many other reports of hacks of US media and businesses, Mandiant sets out concrete statements. It reports that in the course of investigations carried out since 2006, the company has identified conspicuous correlations between the highest profile group of Chinese hackers (ATP1) and Army Unit 61398. Of the roughly 20 known groups of Chinese hackers, ATP1 stands out for its apparent size, the volume of data stolen, and the fact that it concentrates on economic targets. It is also sometimes referred to as the "Comment Group" or "Shanghai Group".
Both ATP1 and Unit 61398 are alleged to be located in Pudong New Area in Shanghai. There is also, claims Mandiant, a suspiciously close correlation between attack targets, the apparent size of the groups, equipment, and the number of attacks.
Since 2006, the security company has observed 141 hacks on around 20 key industries carried out by ATP1. The group has attacked utility companies (including electricity suppliers), RSA, and major US companies such as Coca Cola. The attacks always involved the theft of large volumes of data. Over a ten-month period, for example, the group stole up to 6.5TB of data from a single company. On average, the hackers maintained access to the victims' networks for nearly a year, in one case for nearly five years.
In tracing the attacks, Mandiant discovered that ATP1 had operated nearly 1000 command-and-control servers over the previous two years and that the majority of the IP addresses used were registered to Chinese organisations; 97 per cent of attacks originated from computers on which the language setting was set to "Chinese (simplified) – US Keyboard". According to Mandiant, the group comprises at least a few dozen and probably hundreds of people, including malware coders, industry experts, linguists and translators. The hackers have access to up to 40 different malware families for their operations. Two of the tools used – GETMAIL and MAPIGET – have only been used by this group.
Mandiant's most important finding, however, is that it has been possible to trace ATP1 operations back to four large networks in Shanghai. Two of these networks are located right in Pudong New Area, which was equipped with special fibre-optic communications infrastructure by China Telecom "in the name of national defence".
According to Mandiant, this is also the exact location of Unit 61398 of the People's Liberation Army (PLA), whose mission also includes industrial espionage and which recruits staff with similar skills to those that would be required by a hacker group – staff must be able to speak English and be trained in computer security. In the course of its analysis, Mandiant has identified three individuals, which it calls UglyGorilla, DOTA and SuperHard, who have made statements, in some cases prior to 2004, indicating that they are involved with state-sponsored "cyber-troops".
The Chinese government has denied supporting hacker groups and points out that it is also targeted by cyber-attacks. Based on its investigations, Mandiant is, however, confident that ATP1 is indeed Unit 61398 and is operating on behalf of the government. Mandiant believes that it is extremely difficult to find an alternative explanation for how such a large group of well-equipped hackers is able to operate without government backing. The company does, however, admit that it is also possible that: "A secret, resourced organization is engaged in a multi-year, enterprise-scale computer espionage campaign right outside of Unit 61398’s gates." As the report makes clear, however, that would be an astonishing coincidence.
Mandiant is a well-known US security business and a first port of call for computer forensics (analysis of intrusions into IT Infrastructure); the company was, for example, engaged by the New York Times when it identified unusual activity on its network. Mandiant revealed that Chinese hackers were also responsible for that attack. The current report does however, exonerate ATP1 in that particular incident, stating that it was not responsible for the attack on the New York Times.