Chinese military spies, holed up in ho-hum Shanghai tower blocks surrounded by restaurants and massage parlours, have siphoned hundreds of terabytes of data from computers at scores of US corporations.
We're assured that, rather than being a work of fiction, this is the conclusion of a new study by Mandiant that claims a unit of China's People's Liberation Army is masterminding a state-sponsored cyber-espionage hub.
The security consultancy published its report [PDF] today, and linked PLA unit 61398* to hackers who apparently infiltrated American businesses in sectors from high-tech to energy.
The electronic intrusions were allegedly carried out by a group classed as an advanced persistent threat (APT) and previously codenamed by Western analysts as APT1 or the Comment Crew**. Mandiant blamed APT1 for a campaign of espionage waged against 141 corporations in 20 industries since 2006, and accused the team of swiping hundreds of terabytes of data.
Mandiant doesn't name the supposedly attacked firms, but other reports suggest these include Coca-Cola, RSA Security and Telvent, a firm that supplies power grid control systems and smart meters.
"In seeking to identify the organisation behind this activity, our research found that People's Liberation Army unit 61398 is similar to APT1 in its mission, capabilities, and resources," Mandiant wrote in its report. "PLA unit 61398 is also located in precisely the same area from which APT1 activity appears to originate."
More precisely, according to Mandiant, unit 61398 is housed in a series of nondescript tower blocks on Datong Road in Gaoqiaozhen, in the Pudong New Area of Shanghai, that were built in 2007. The buildings were pictured in a front-page story by the New York Times on Mandiant's research; the newspaper said China's alleged cyber-espionage hub is surrounded by diners, massage parlours and a wine importer.
According to a US intelligence agency assessment quoted by the NYT, digital-espionage agents operating in China are either handled by army officers or are contractors working for outfits such as unit 61398. The NYT hired Mandiant to investigate a high-profile breach of the paper's network security, which the consultants concluded was the work of a Chinese APT group. A US spook grilled by the NYT said Mandiant's report was consistent with the American government's own analysis.
The charges that China is carrying out international electronic espionage on an industrial scale are, of course, years old, but Mandiant's 60-page study is a fascinating read because it goes into considerable detail.
Mandiant claimed APT1 is just one of 20 computer spying crews in operation in China, and is among dozens it is tracking worldwide. APT1's handiwork is partially identifiable, we're told, because its members use distinct hacking tools, techniques and resources not used by other groups. Mandiant claimed:
Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures).
According to the security consultancy, the group's modus operandi involves gaining access to networks using spear-phishing messages and custom-built malware. It then revisits compromised systems over time to copy intellectual property including technology blueprints, documentation of manufacturing processes, test results, business plans, partnership agreements, emails and contact lists of senior execs.
The industries APT1 targets match industries that China has identified as strategic to its growth.
Mandiant also compiled a video apparently showing APT1's attacks and intrusions as they happened.
Some of those allegedly involved in the corporate spying were personally identifiable because they skirted around the Great Firewall of China to log into Twitter and Facebook accounts.
Malware used in APT-style attacks was apparently created by a character called UglyGorilla, who first appeared on a Chinese military forum in 2004 to ask whether China was planning a response to the formation of a US cyberspace command. The same user appeared years later on IP addresses linked to unit 61398.
Another person called DOTA created email accounts that were used to plant malware from IP addresses also associated with unit 61398's network. And confirmation messages to set up those mail accounts were sent to a mobile phone number provided by a Shanghai-based operator.
A third person, who uses the nickname SuperHard, was allegedly involved in creating the AURIGA and BANGAT malware families used by APT1. According to Mandiant the trio are soldiers in a unit of dozens if not hundreds of personnel that targets the English-speaking world from IP addresses registered in Shanghai and systems configured to use the simplified Chinese language.
Mandiant also released domain names, IP addresses and MD5 hashes of malware associated with APT1. The release includes 13 X.509 certificates used by the team's infrastructure.
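A flat indicator release of that kind is only useful once it is matched against your own telemetry. The script below is an added example, not Mandiant's code or anything from the report: it classifies a plain-text list of domains, IPs and MD5 hashes, then checks proxy log lines and a file body against it. The indicator values, the payload and the log lines are constructed placeholders (reserved TEST-NET addresses and `.invalid` domains), not the APT1 indicators Mandiant published, and the four-column log layout is an assumption.

```python
"""Match a flat indicator list (domains, IPs, MD5s) against proxy logs and file bytes.

Added example. Every indicator, payload and log line here is a constructed
placeholder; none of it is from the published APT1 appendix.
"""
import hashlib
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$", re.IGNORECASE)

# Constructed sample malware body; its MD5 is placed in the indicator list below.
SAMPLE_PAYLOAD = b"constructed sample payload"
SAMPLE_MD5 = hashlib.md5(SAMPLE_PAYLOAD).hexdigest()

# Constructed indicator list in the flat "one indicator per line" style of a release.
SAMPLE_INDICATORS = f"""\
# placeholder indicators for the example, not the published APT1 list
update.example.invalid
news.example.invalid
192.0.2.10
198.51.100.20
{SAMPLE_MD5}
"""

# Constructed proxy log: "timestamp client_ip dst_host dst_ip" (assumed layout).
SAMPLE_PROXY_LOG = """\
2013-02-19T08:01:12Z 10.1.2.3 www.example.com 203.0.113.5
2013-02-19T08:01:40Z 10.1.2.3 cdn.update.example.invalid 192.0.2.10
2013-02-19T08:02:05Z 10.1.2.9 mail.example.com 203.0.113.6
2013-02-19T08:03:17Z 10.1.2.3 intranet.example.com 198.51.100.20
"""


def classify_indicator(token: str) -> str:
    """Return 'md5', 'ip', 'domain' or 'unknown' for one indicator token."""
    token = token.strip()
    if MD5_RE.match(token):
        return "md5"
    try:
        ipaddress.ip_address(token)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(token):
        return "domain"
    return "unknown"


def load_indicators(text: str) -> Dict[str, Set[str]]:
    """Parse a flat list, dropping comments and blank lines, keyed by indicator kind."""
    iocs: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            iocs[classify_indicator(line)].add(line.lower())
    return iocs


def domain_hit(host: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that host equals or sits beneath, else None.

    Checking each parent label catches C2 hosts that sit under a listed
    domain (cdn.update.example.invalid matches update.example.invalid) while
    refusing a mere suffix match (example.invalid does not match).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_proxy_log(log_text: str, iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, indicator) for every domain or IP match in the log."""
    hits: List[Tuple[int, str, str]] = []
    domains = iocs.get("domain", set())
    ips = iocs.get("ip", set())
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        _ts, _client, host, dst_ip = parts
        matched = domain_hit(host, domains)
        if matched:
            hits.append((n, "domain", matched))
        if dst_ip in ips:  # catches direct-to-IP C2 with no listed hostname
            hits.append((n, "ip", dst_ip))
    return hits


def md5_hit(data: bytes, md5s: Set[str]) -> Optional[str]:
    """Return the MD5 of data if it is a listed hash, else None."""
    digest = hashlib.md5(data).hexdigest()
    return digest if digest in md5s else None


if __name__ == "__main__":
    iocs = load_indicators(SAMPLE_INDICATORS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print("proxy hit:", hit)
    print("file hit:", md5_hit(SAMPLE_PAYLOAD, iocs["md5"]))
```

Two caveats a practitioner would keep in mind: a hash indicator only matches a byte-identical sample, so a recompiled or repacked build of the same tool sails past it, which is why the domain and IP matching carries most of the weight; and line 4 of the constructed log shows why the IP check is kept separate from the hostname check, since a beacon to a hard-coded address never touches a listed domain name.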
The security consultancy concluded: "Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise-scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission, or APT1 is Unit 61398."
The Chinese government has angrily dismissed the latest charges as another round of China bashing. Officials dismissed Mandiant's APT1 report as "groundless", the Asian nation's official news agency Xinhua reported.
"Groundless criticism is irresponsible and unprofessional, and it will not help to solve the problem," said Foreign Ministry spokesman Hong Lei, adding that China has also been a victim of cyber-attacks and reiterating the need for international cooperation in addressing the problem.
Mandiant's detailed and well-written report was well received in security circles. About the only substantive criticism comes from a cogently argued blog post by Jeffrey Carr, who claimed that Mandiant failed to take into account that multiple states are engaged in this activity; not just China. Mandiant did not consider and rule out competing hypotheses on the identity of the hackers, according to Carr. ®
* Unit 61398 was otherwise known as the 2nd Bureau of the People’s Liberation Army’s General Staff Department’s 3rd Department. ** The Comment Crew earned its nickname from its habit of embedding hidden code or comments in web pages.