Computer security company Mandiant has renewed focus on Chinese cyber attacks with its latest study detailing systematic attacks stemming from a People’s Liberation Army facility in Shanghai. The report triggered denials in Beijing and raised questions as to whether the U.S. and China were heading towards some form of cyber conflict. The report had critics on both sides, with one set disputing the conclusiveness of the link to China, while another group said it underestimates the problem.
Exposing One of China’s Cyber
Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the “Advanced Persistent Threat” (APT). We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that “The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement.” Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them.
- APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).
- APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
- APT1 focuses on compromising organizations across a broad range of industries in English-speaking
- In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the simplified
- The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
Mandiant on PBS News Hour
Other security firms that have tracked “Comment Crew” say they also believe the group is state-sponsored, and a recent classified National Intelligence Estimate, issued as a consensus document for all 16 of the United States intelligence agencies, makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like Unit 61398, according to officials with knowledge of its classified content.
The Mandiant Report was able to trace the hacks via Facebook accounts of some of the hackers when they forgot to log out before going on the social network.
National Journal’s Brian Fung makes a great point. He writes, “It’s no small irony the everyday shortcuts users take, and which subsequently open them up to hackers like DOTA and UglyGorilla, are the same traps that the two hackers fell into.” It really is the Wild West out there.
The culture of no-holds-barred spying that seems to have pervaded Chinese officialdom might also inform why some of those same officials have seemed so aggressive about spying on others — including foreigners. The Chinese government famously spies on its citizens in vast numbers. And it is suspected of widespread spying on foreign news organizations that cover the country, a possible campaign that may have included the recent hacking attacks on several major U.S. news organizations.
. . . Frank Langfitt, the NPR reporter who talked to Qi Hong, bought his own basic, $35 bug detector (more elaborate models, he says, can go for $1,600) to try at a friend’s office. “In just five minutes,” he writes, “I detected bugs in a lamp, several phones and two fax machines.”
Schmidt and Cohen write that China is the world’s “most sophisticated and prolific” hacker, according to Gara. Their book reads, “It’s fair to say we’re already living in an age of state-led cyber war, even if most of us aren’t aware of it.” But their predictions for where that might lead the Internet, according to the Journal’s report, include the dark possibility that it could split apart entirely.
The biggest problem, as I wrote in my blog, is that Mandiant’s conclusions do not exclude other threat actors besides China. Nor do they eliminate the possibility that other foreign intelligence services are using China as a false flag to disguise their own cyber espionage operations. All they need to do is set up a business in Shanghai.
China refutes report by cybersecurity firm that ties attacks to building in Shanghai
Kevin Coleman, a senior fellow with the Technolytics Institute, says that the Mandiant report is the “same ol’, same ol’” and doesn’t change the cyber security landscape for those in the industry, who already knew that China was a major player in cyber warfare.
“I don’t think the report comes close to quantifying the problem—it’s all based on unclassified information. To have any idea, we’d have to know the classified portion of this,” he says. “I think if you take what information is covered publicly and multiply it by five, that’s how bad it is.”