Security experts in the United States claim that a 12-story office building outside of Shanghai is the headquarters of a sophisticated hacking unit within the Chinese military established to attack computer networks in America and elsewhere.
According to a report published Tuesday morning by a Northern Virginia-based information security company, an elusive squadron of Chinese cyberwarriors operating under the name Unit 61398 has engaged in countless battles with governments and entities around the globe for years under the umbrella of the People’s Liberation Army.
The group is accused of infiltrating the computers of some of the biggest businesses and agencies in the US, both public and private alike, and is assumed to still be at large.
Alexandria, Virginia’s Mandiant says they’ve been investigating PLA Unit 61398 for years now and has watched them compromise 141 companies across 20 major industries, infecting the computers at places like Coca-Cola and the Canadian arm of Telvent with malicious codes used to pilfer servers for privileged information and wreak havoc. In their report, the security experts say that they are all but certain that those attacks have originated out of an inconspicuous white office building on the outskirts of Shanghai that has been provided with a special fiber optic communications infrastructure from Chinese telecom providers in the name of national defense — but China maintains the claim that they have not engaged in any illegal hacks.
Mandiant founder Kevin Mandia begs to differ, and tells The New York Times that either those attacks are being waged by Unit 61398 out of the building in question, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
“It’s where more than 90 percent of the attacks we followed come from,” says Mr. Mandia, who adds that the unit is “chartered with hiring people that can speak English, and be able to exploit networks, and know computer security.”
“We thought that was an interesting combination, and that unit just so happens to be located in the same region of Shanghai where we’re tracking over 90 percent of the connections coming from,” he tells the Times. Additionally, his company discovered that two sets of I.P. addresses used in the attacks being studied were registered in the same neighborhood as the building assumed to be used by Unit 61398.
“The totality of the evidence” leads to the company to conclude that the building described by the Times to be in a run-down neighborhood on the outskirts of Shanghai is the originating point of the attacks.
Details of an advanced cyberwar against the US by way of China has been hinted at by members of the Obama administration since the president began his first term in office in 2009, although publically little information about the actual threat posed by Far East hackers has been officially divulged. Through documents obtained by the website WikiLeaks, however, information has emerged that only begins to discuss the intensity of the threat. US State Department diplomatic cables released in 2010 by WikiLeaks and attributed to accused whistleblower Bradley Manning discus sophisticated cyberattacks against the US waged by a Chinese unit given the codename “Byzantine Candor,” or BC. The Times reports that that moniker for Unit 61398 — formally, the Second Bureau of the People’s Liberation Army’s General Staff Department’s Third Department — was dropped by American officials following the highly publicized disclosure of the hundreds of thousands of sensitive State Department documents.
In one cable from November 2008, a State Department official writes, “hackers based in Shanghai and linked to the PRC’s People’s Liberation Army (PLA) Third Department have been using these compromised systems as part of the larger BC attack infrastructure to facilitate computer network exploitation (CNE) of U.S. and foreign information systems.”
“A October 23 DoD cable states Shanghai-based hackers associated with BC activity and linked to the PLA have successfully targeted multiple U.S. entities,” the memo continues. “In the US, the majority of the systems BC actors have targeted belong to the U.S. Army, but targets also include other DoD services as well as DoS, Department of Energy, additional USG entities and commercial systems and networks.”
But despite the State Department cables spawning an insurmountable number of media articles and remarks, the publishing of the Mandiant report presents an American audience for the first time with detailed claims about intrusions and attacks waged against countries around the globe with undoubtedly damaging repercussions. It also comes on the heels of a renewed call for federal cybersecurity legislation in the United States, which could now be sooner than ever thanks to the latest revelations regarding Unit 61398.
On Wednesday last week, Rep. Mike Rogers (R-Mich.) and Sen. Dutch Ruppersberger (D-Calif.) reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA), a bill that was touted as being a solution to America’s mysterious cyberwar woes when first brought up last year but was eventually stalled before it could reach a vote in the Senate. On the eve of the reintroduction, Rep. Rogers wrote an op-ed for The Detroit News in which he says, “Every morning in China, thousands of highly-trained computer engineers wake up with one mission: Steal American intellectual property that the Chinese can in turn use to compete against us in the international market.” During a formal unveiling of the rekindled CISPA, Sen. Ruppersberger claimed that the US loses around $300 billion in trade secrets annually because of foreign cyberattacks.
Now to address the latest news from Mandiant, the White House is reportedly in discussion with the Chinese to snuff any possible cyberwar before it escalates. According to Foreign Policy, a senior White House official says on condition of anonymity that the Obama administration is speaking with Chinese government officials “at the highest levels” about the attacks.
“The United States has substantial and growing concerns about the threats to US economic and national security posed by cyber intrusions, including the theft of commercial information,” the source says.
Additionally, Foreign Policy says Rep. Rogers told them in a candid interview just last week that America is in need of having “direct talks with China,” with cyber espionage being top priority for the bilateral discussions. “This is a problem of epic proportions here and they need to be called on the carpet. There has been absolutely no consequences for what they have been able to steal and repurpose to date,” he told them.
For now, though, the Chinese are refuting the claims made by Mandiant and the US government. Mandiant says the cybercrimes in question “are based primarily in China and that the Chinese Government is aware of them,” but Hong Lei, a spokesman for China’s foreign ministry, said on Tuesday that his country disavowed hacking while discrediting the report.
“Groundless criticism is irresponsible and unprofessional, and it will not help to solve the problem,” he said of the Mandiant analysis.
“Hacking attacks are transnational and anonymous. Determining their origins are extremely difficult. We don’t know how the evidence in this so-called report can be tenable,” Lei added.
Speaking to the Times, officials at the Chinese embassy in Washington have also dismissed the allegations while noting the epidemic of international hacks originating in the US. “They describe China itself as a victim of computer hacking, and point out, accurately, that there are many hacking groups inside the United States,” the Times’ report reads.
Just last month, the Chinese Defense Ministry issued a statement saying “it is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.” And while Mandiat’s report include a good number of information that suggests attacks on US entities are coming from the rumored Unit 61398 headquarters, at the same time they still lack cold hard proof.
The same could be said about the United States’ own attacks, though, after testimonies offered to The New York Times last year linked both the George W. Bush and Obama administrations to a program nicknamed ‘Olympic Games’ that was put together with Israeli allies to wage a covert cyberwar on Iranian nuclear facilities. The White House has yet to formally admit to the allegations, but former administration officials attributed attacks on Iran to the US. Meanwhile, Iranian hackers are being blamed for recent assaults on the US banking industry.
“We are in a cyberwar [but] most Americans don’t know it,” Sen. Rogers said during last week’s CISPA unveiling.
Discussing the need for cybersecurity legislation during the event, Rogers urged Congress to approve the bill he co-authored with Rep. Ruppersberger before a cyberattack of epic proportions prompts Washington to act urgently and perhaps without oversight. The senator warned of what an assault on the US infrastructure conducted by cybercriminals could mean and said, “We don’t do anything well after a significant emotional event.”
Should there be a cyberattack on America on par with the September 11, 2001 tragedy, Rep. Ruppersberger said Congress “will get all the bills passed we want.”
Should Mandiant’s assumptions prove correct, though, it would pin the blame on China for a number of high-profile hacks. Among the entities that the security experts say were targeted by Chinese hackers are defense contractors Lockheed Martin; the National Geospatial-Intelligence Agency; lobbyists the National Electrical Manufacturers Association; Coca-Cola; the Chertoff Group and Telvent. According to the Times, computers at Telvent are used to design software “that gives oil and gas pipeline companies and power grid operators remote access to valves, switches and security systems” in Canada. Coincidently, last month China’s state-owned CNOOC spent $15 billion to buy-out Canadian oil and gas company Nexen Inc. in China’s largest-ever foreign takeover.