Study Shows Chinese Army Behind Cyber Attacks on Global Businesses

Computer security company Mandiant has renewed focus on Chinese cyber attacks with its latest study, which details systematic attacks stemming from a People’s Liberation Army facility in Shanghai. The report triggered denials in Beijing and raised questions as to whether the U.S. and China were heading towards some form of cyber conflict. The report had critics on both sides: one set disputed the conclusiveness of the link to China, while another group said it underestimates the problem.

Mandiant’s Report

APT1: Exposing One of China’s Cyber Espionage Units

Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the “Advanced Persistent Threat” (APT). We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that “The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement.” Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them.

  • APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).
  • APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
  • APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
  • In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the simplified Chinese language.
  • The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.

Mandiant on PBS News Hour

Chinese Army Unit Is Seen as Tied to Hacking Against U.S.

Other security firms that have tracked “Comment Crew” say they also believe the group is state-sponsored, and a recent classified National Intelligence Estimate, issued as a consensus document for all 16 of the United States intelligence agencies, makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like Unit 61398, according to officials with knowledge of its classified content.

Chinese hackers outed themselves by logging into their personal Facebook accounts

The Mandiant report was able to trace the hacks through the Facebook accounts of some of the hackers, who forgot to log out of their attack infrastructure before going on the social network.

National Journal’s Brian Fung makes a great point. He writes, “It’s no small irony the everyday shortcuts users take, and which subsequently open them up to hackers like DOTA and UglyGorilla, are the same traps that the two hackers fell into.” It really is the Wild West out there.

Chinese government officials are constantly wiretapping and spying on one another

The culture of no-holds-barred spying that seems to have pervaded Chinese officialdom might also inform why some of those same officials have seemed so aggressive about spying on others — including foreigners. The Chinese government famously spies on its citizens in vast numbers. And it is suspected of widespread spying on foreign news organizations that cover the country, a possible campaign that may have included the recent hacking attacks on several major U.S. news organizations.

. . . Frank Langfitt, the NPR reporter who talked to Qi Hong, bought his own basic, $35 bug detector (more elaborate models, he says, can go for $1,600) to try at a friend’s office. “In just five minutes,” he writes, “I detected bugs in a lamp, several phones and two fax machines.”

Eric Schmidt, in new book: China could contribute to fracturing the Internet into pieces

Schmidt and Cohen write that China is the world’s “most sophisticated and prolific” hacker, according to Gara. Their book reads, “It’s fair to say we’re already living in an age of state-led cyber war, even if most of us aren’t aware of it.” But their predictions for where that might lead the Internet, according to the Journal’s report, include the dark possibility that it could split apart entirely.

Sorry, But That ‘Chinese’ Hacking Report Proves Nothing

The biggest problem, as I wrote in my blog, is that Mandiant’s conclusions do not exclude other threat actors besides China. Nor do they eliminate the possibility that other foreign intelligence services are using China as a false flag to disguise their own cyber espionage operations. All they need to do is set up a business in Shanghai.

Experts: New Report Underestimates Number of Chinese Cyber Attacks

China refutes report by cybersecurity firm that ties attacks to building in Shanghai

Kevin Coleman, a senior fellow with the Technolytics Institute, says that the Mandiant report is the “same ol’, same ol'” and doesn’t change the cyber security landscape for those in the industry, who already knew that China was a major player in cyber warfare.

“I don’t think the report comes close to quantifying the problem—it’s all based on unclassified information. To have any idea, we’d have to know the classified portion of this,” he says. “I think if you take what information is covered publicly and multiply it by five, that’s how bad it is.”