If you read one story today (besides this one, of course!) it should be The New York Times’ write-up of a just-released, 60-page report (PDF) on a Chinese hacking group known as APT1 by the security firm Mandiant.
At one level, the report doesn’t tell us anything we didn’t already know: APT1 is a professional hacking crew that operates from within China with the full knowledge and support of the Chinese government. Most of us already suspected that. The report is worth reading for the depth of Mandiant’s research into APT1 and for the revelations of just how close its ties are to the Chinese government and, particularly, the People’s Liberation Army (PLA).
Specifically: Mandiant is able to parse the findings of around 150 intrusions it has analyzed that are attributable to APT1 – which is probably some small fraction of all the attacks the group has carried out. With that data, the company is able to say, with some confidence, that APT1 is actually a military “Network Operations” unit of the PLA known as “Unit 61398” and that it operates out of a 130,000-square-foot, 12-story office building on Datong Road in Gaoqiaozhen in the Pudong New Area of Shanghai.
Now that’s pretty specific! But there’s more: Mandiant was able to map APT1’s attack infrastructure of over 1,000 servers and estimate the number of human beings (linguists, open source researchers, malware authors and others) who support it. The company said that Unit 61398 may number in the hundreds or thousands of individuals.
In some cases, Mandiant has even been able to profile specific staff members behind attacks, including a hacker known as “UglyGorilla”, who has been active in computer network operations since October 2004, registering attack domains and creating custom malware for use in attacks. Other hackers with names like “DOTA” and “SuperHard” engaged in similar activities: setting up email accounts or web domains for use in targeted attacks, or creating malware.
Given the volume of attacks (Mandiant estimates that APT1 has been behind thousands of them in recent years) and China’s top-down management of its Internet infrastructure, Mandiant concludes that APT1 operates with the blessing of the Chinese government and military and, in all likelihood, is a formal part of the PLA.
The company says that it is going public with its analysis in an effort to “arm and prepare security professionals to combat that threat effectively.”
“The issue of attribution has always been a missing link in publicly understanding the landscape of APT cyber espionage,” Mandiant says. “We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.”
Officials within the U.S. government and military are speaking in clearer terms about the threat of Chinese espionage, after ducking the question of attribution for much of the last decade. (The term “APT” was invented as a way of talking about the organizations behind these sophisticated attacks without directly attributing them to a specific country.) Just last week, The Washington Post reported that the latest National Intelligence Estimate concludes that the United States is the target of a “massive, sustained cyber-espionage campaign that is threatening the country’s economic competitiveness.” The Post story, which cited unnamed individuals familiar with the NIE, said the estimate identifies China as the country “most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.” That followed a 2011 report from the Office of the National Counterintelligence Executive that reached similar conclusions about the extent of foreign, state-sponsored cyber espionage against U.S. companies.
Mandiant specializes in investigations of APT attacks. The firm was called in last month to investigate an attack on The New York Times. That targeted operation appeared to be aimed at reporters who cover China, and it gained access to confidential reporter email accounts and correspondence with sources within China.