It looks just like any other office building located in suburban Shanghai, but the unassuming 12-storey white building pictured right has been identified as the possible nerve center of a global hacking operation conducted by a secret cyberwarfare unit in China’s military.
US security firm Mandiant says that it has collected extensive evidence detailing the existence of the group over the last three years, and that all the clues point to the innocuous white building in Shanghai’s Pudong district being the headquarters of China’s state-sponsored hacking operations.
Mandiant alleges that the building houses a secretive military unit known as the People’s Liberation Army Unit 61398.
As one of the top computer security firms in the US, Mandiant has carried out numerous investigations on behalf of multinational corporations that have fallen victim to professional hackers over the last three years. Using the evidence it has gained from those probes, the firm has carried out a series of reverse-engineering processes to identify IP addresses and decipher codes used by the hackers.
Now, the company has issued an unusually detailed 74-page report that lays the blame for numerous high-profile hacks squarely at the feet of China’s military.
“The details we have analyzed during hundreds of investigations convince us that the groups conducting these (hacking) activities are based primarily in China and that the Chinese Government is aware of them,” states the report.
The existence of the report, titled Exposing one of China’s Cyber Espionage Units, was first revealed by the New York Times. In it, Mandiant has identified 20 distinct ‘hacking units’ that it believes are based in China, groups which it has labelled Advanced Persistent Threats (APTs). For the purposes of its report, Mandiant focuses on just one of these groups – APT1 – which is thought to be headquartered in the Shanghai building.
“From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area.”
“Either they are coming from inside Unit 61398 or the people who run the most-controlled, most-monitored internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood,” stated Mandiant founder Kevin Mandia.
Mandiant says that it identified the building after carrying out a detailed study of the area in Shanghai from which it believes the cyberattacks originated.
Highly Sophisticated Attacks on a Massive Scale
People’s Liberation Army Unit 61398 is thought to consist of “hundreds, perhaps even thousands” of personnel, according to Mandiant. Furthermore, the evidence points to those groups inside China being responsible for attacks on at least 141 different companies over the last six years, with victims including businesses involved in financial services, information technology and aerospace, together with dozens of foreign government agencies. One of the most recent victims was the New York Times, which was given early access to Mandiant’s report. Other high-profile victims are believed to include security firm RSA, Coca Cola and energy firm Schneider Electric.
As well as stealing commercial secrets, the hackers are also believed to have penetrated the defenses of several companies involved in the US’s critical infrastructure, meaning that they could potentially cause damage to water supplies and power grids in the country.
China: Accusations are “Groundless”
As expected, China has moved quickly to deny the accusations against it. Foreign Ministry spokesman Hong Lei responded to the report by saying that Mandiant’s claims are “groundless”, and questioned whether the firm’s evidence would stand up to scrutiny.
“To make groundless accusations based on some rough material is neither responsible nor professional,” insisted Hong Lei.
Mr. Lei’s comments follow a pattern of similar rebuttals from Chinese officials against accusations that the country is involved in high-level cyberwarfare against other nations. A spokesperson for China’s Foreign Ministry previously called claims that it was involved in the New York Times hack “totally irresponsible”.
China’s official line is that hacking is strictly outlawed in the country, and it insists that China too has fallen victim to many cybercrimes.
It’s highly unlikely that the evidence detailed in the report will be enough to identify specific individuals involved in the attacks, but Mandiant says that the exposure may at least “impede their progress” and cause China to scale down its cyber operations temporarily.