Mandiant report says that an elite Chinese military hacking unit is responsible for launching APT attacks against U.S. businesses. Chinese government cries foul.

Mathew J. Schwartz, Contributor

February 21, 2013

7 Min Read

Security firm Mandiant this week published evidence that it said ties the Chinese government to a six-year campaign of hack attacks that have compromised 141 businesses across 20 industries. Washington-based Mandiant's 74-page report covers only one of the dozens of cyber-espionage groups around the world, including more than 20 in China, that the company said use advanced persistent threats (APTs) -- including spear-phishing attacks -- to compromise their targets. Mandiant refers to the group in its report as "APT1."

"From our observations, it is one of the most prolific cyber-espionage groups in terms of the sheer quantity of information stolen," according to Mandiant's report. "The scale and impact of APT1's operations compelled us to write this."

[ Want more on U.S. cybersecurity defense? Read White House Cybersecurity Executive Order: What It Means. ]

Based on Mandiant's research, as well as reaction from security experts and the Chinese government, here's what's known -- and what remains in question -- about the activities of the APT1 hacking group:

1. Mandiant Traces APT1 Attacks To Shanghai

Mandiant's report wasn't notable for the fact that it accused the Chinese government of supporting APT attacks at U.S. businesses, but rather for the volume of evidence -- albeit circumstantial -- that it presented. Furthermore, Mandiant accused APT1 of not just being supported by the Chinese government, but actually part of the People's Liberation Army (PLA) Unit 61398, which is an elite military hacking unit.

Mandiant's conclusions come in part from tracing IP addresses used in attacks to a specific, 12-story, beige building in the Pudong district of Shanghai, where Mandiant found that China Telecom had "provided a special fiber optic communications infrastructure." Mandiant also cited documents from China Telecom noting that the facility had been built together with Unit 61398, which the documents also referred to as "GSD 3rd Department, 2nd Bureau," which refers to the PLA General Staff Department's 3rd Department, which is -- again -- also known as PLA Unit 61398.

Adding to the intrigue, a BBC correspondent reported that he'd been briefly detained Tuesday after attempting to visit the building.

2. Symantec Says Attacks Began In 2006

Security software vendor Symantec said that the activities of the APT1 group, which it calls the Comment Crew -- because the group has hidden attack commands inside HTML comments -- began more than six years ago. "The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec," according to a blog post from Symantec Security Response. "We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks."

According to Symantec, APT1's attacks often involve spear-phishing emails with such subject lines as "U.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip" and "New contact sheet of the AN-UYQ-100 contractors.pdf." The attacks have targeted businesses in numerous industries, "including finance, information technology, aerospace, energy, telecommunications, manufacturing, transportation, media and public services," it said.

The Mandiant report, however, didn't break any new ground in the Comment Crew discussion. "There really wasn't much new that came out of that Mandiant report, except for them identifying a specific building and putting all these details on that in there," said former Gartner Group analyst John Pescatore, who last month became the director of emerging security trends at the SANS Institute, speaking by phone.

3. Chinese Government: Allegations Are "Baseless"

The Chinese government has dismissed Mandiant's allegations. In particular, the Xinhua News Agency -- which is the Chinese government's official press agency -- published a "commentary" Wednesday that dismissed the Mandiant report as "amateurish," saying its conclusions were "baseless and revealing," including its tying of Shanghai IP addresses to a specific Chinese government military unit, although it offered no evidence to refute the allegations.

"One does not need to be a cybersecurity expert to know that professional hackers usually exploit what is called the botnet in other parts of the world as proxies for attacks, not their own computers," according to the commentary. "Thus, it is highly unlikely that both the origins of the hackers and the attacks they have launched can be located." The story further suggested that the report was little more than a "commercial stunt" by Mandiant CEO Kevin Mandia, and representative of a broader push by the U.S. cybersecurity lobby to sell more products and services. "Next time, the CEO could simply say: 'See the Chinese hackers? Hurry up, come and buy our cybersecurity services,'" according to the Xinhua commentary.

4. Security Expert: Mandiant Failed At Attribution

Criticism of Mandiant's conclusions has also come from information security circles. "My problem with this report is not that I don't believe that China engages in massive amounts of cyber-espionage. I know that they do -- especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room," said Jeffrey Carr, CEO of Taia Global, in a blog post.

Carr also recently criticized Mandiant's report that Chinese attackers hacked into The New York Times, and said that if the group's APT1 evidence had been submitted to a "professional intelligence analyst," for example at the CIA, a more rigorous analysis -- for example by using the Analysis of Competing Hypotheses (ACH) vetting process -- would likely have failed to prove attribution.

"My problem is that Mandiant refuses to consider what everyone that I know in the intelligence community acknowledges -- that there are multiple states engaging in this activity; not just China," Carr said. "And that if you're going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew."

5. U.S. Considers The Diplomacy Angle

After the Mandiant report went public, reporters began pressing U.S. government officials about what they planned to do about the perceived threat. On that front, the White House this week unveiled a new strategy aimed at combating the theft of U.S. trade secrets by hackers.

That strategy includes diplomatic efforts, which are already underway. "We've raised our concern at the highest level about cyberthreats from China, including the involvement of the military," said U.S. Department of State spokeswoman Victoria Nuland in a Tuesday media briefing, without commenting on whether the government sees the Chinese government as being behind the APT1 attacks. "Without getting too deeply into the details of private diplomatic discussions we're having, what we have been involved with is making clear that we consider this kind of activity a threat not only to our national security but also to our economic interests, and laying out our concerns specifically so that we can see if there's a path forward."

6. Follow The Money

Mandiant said that APT1 alone has stolen terabytes of data from at least 140 different businesses. But to what end? Furthermore, some commentators have asked why this potentially incendiary information security data is coming from a firm that sells information security services, rather than from the U.S. government? "Shouldn't a military intelligence report about APT1 come from the government instead of an IT consultancy? Dodgy," tweeted Australia-based security engineer Vitaly Osipov.

Likewise, others have questioned whether a Chinese military agency would commit the sorts of sloppy mistakes that allowed Mandiant to trace the attacks back to their supposed origin.

"Perhaps the question we should be asking isn't 'Who did it?' but rather 'Who benefits?'" said John Artman, a presenter and producer at China Radio International in Beijing, in a blog post. "So far, it appears to be U.S. policymakers bent on beefing up cybersecurity legislation using China as the go-to bogeyman. Naturally, lots of media have fallen in step, regurgitating a tired, not-at-all subtle narrative that we should know better than to accept at face value."

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights