A building, on Datong Lu in the Pudong New District, alleged to be the headquarters of a PLA cyberwarfare team.

We reported yesterday on Bloomberg’s exposé of Chinese hackers with strong ties to the People’s Liberation Army (PLA). Now Mandiant, an American computer security firm, claims (PDF) to have uncovered a veritable battalion’s worth of smoking guns.

Mandiant, which has been tracking overseas hackers for years, claims one group, APT1 (“advanced persistent threat” 1), is based here in Shanghai:

The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others.

In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.


The purported location of APT1 / PLA Unit 61398, according to Mandiant. Source: Baidu Maps.


The New York Times, itself a victim of alleged Chinese state-sponsored hackers, reports:

Two years later, Comment Crew was one of at least three Chinese-based groups to mount a similar attack on RSA, the computer security company owned by EMC, a large technology company. It is best known for its SecurID token, carried by employees at United States intelligence agencies, military contractors and many major companies. (The New York Times also uses the firm’s tokens to allow access to its e-mail and production systems remotely.) RSA has offered to replace SecurID tokens for customers and said it had added new layers of security to its products.


Geographic location of APT1’s victims. In the case of victims with a multinational presence, the location shown reflects either the branch of the organization that APT1 compromised (when known) or the location of the organization’s headquarters. Source: Mandiant.


As if its 74-page report weren’t damning enough, Mandiant also released a video showing what it claims are PLA hackers at work:


US officials have confirmed Mandiant’s findings, though they stop short of laying the blame at the Chinese government’s feet:

Representative Mike Rogers of Michigan, the Republican chairman of the House Intelligence Committee, said in an interview that the Mandiant report was “completely consistent with the type of activity the Intelligence Committee has been seeing for some time.”

The White House said it was “aware” of the Mandiant report, and Tommy Vietor, the spokesman for the National Security Council, said, “We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and we will continue to do so.”

Obama administration officials say they are planning to tell China’s new leaders in coming weeks that the volume and sophistication of the attacks have become so intense that they threaten the fundamental relationship between Washington and Beijing.

Download the full Mandiant report, or read the NYT’s advance coverage of its contents.