2/21/2013
11:25 AM

China Denies U.S. Hacking Accusations: 6 Facts

Mandiant report says that an elite Chinese military hacking unit is responsible for launching APT attacks against U.S. businesses. Chinese government cries foul.

Security firm Mandiant this week published evidence that it said ties the Chinese government to a six-year campaign of hack attacks that have compromised 141 businesses across 20 industries. Washington-based Mandiant's 74-page report covers only one of the dozens of cyber-espionage groups around the world, including more than 20 in China, that the company said use advanced persistent threats (APTs) -- including spear-phishing attacks -- to compromise their targets. Mandiant refers to the group in its report as "APT1."

"From our observations, it is one of the most prolific cyber-espionage groups in terms of the sheer quantity of information stolen," according to Mandiant's report. "The scale and impact of APT1's operations compelled us to write this."

Based on Mandiant's research, as well as reaction from security experts and the Chinese government, here's what's known -- and what remains in question -- about the activities of the APT1 hacking group:

1. Mandiant Traces APT1 Attacks To Shanghai

Mandiant's report was notable not for accusing the Chinese government of supporting APT attacks against U.S. businesses, but for the volume of evidence -- albeit circumstantial -- that it presented. Furthermore, Mandiant accused APT1 of being not just supported by the Chinese government, but actually part of the People's Liberation Army (PLA) Unit 61398, which is an elite military hacking unit.

Mandiant's conclusions come in part from tracing IP addresses used in attacks to a specific, 12-story, beige building in the Pudong district of Shanghai, where Mandiant found that China Telecom had "provided a special fiber optic communications infrastructure." Mandiant also cited documents from China Telecom noting that the facility had been built together with Unit 61398. The documents also referred to the unit as "GSD 3rd Department, 2nd Bureau," a reference to the PLA General Staff Department's 3rd Department, which is -- again -- also known as PLA Unit 61398.

Adding to the intrigue, a BBC correspondent reported that he'd been briefly detained Tuesday after attempting to visit the building.

2. Symantec Says Attacks Began In 2006

Security software vendor Symantec said that the activities of the APT1 group, which it calls the Comment Crew -- because the group has hidden attack commands inside HTML comments -- began more than six years ago. "The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec," according to a blog post from Symantec Security Response. "We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks."

According to Symantec, APT1's attacks often involve spear-phishing emails with such subject lines as "U.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip" and "New contact sheet of the AN-UYQ-100 contractors.pdf." The attacks have targeted businesses in numerous industries, "including finance, information technology, aerospace, energy, telecommunications, manufacturing, transportation, media and public services," it said.

The Mandiant report, however, didn't break any new ground in the Comment Crew discussion. "There really wasn't much new that came out of that Mandiant report, except for them identifying a specific building and putting all these details on that in there," said former Gartner Group analyst John Pescatore, who last month became the director of emerging security trends at the SANS Institute, speaking by phone.

3. Chinese Government: Allegations Are "Baseless"

The Chinese government has dismissed Mandiant's allegations. In particular, the Xinhua News Agency -- which is the Chinese government's official press agency -- published a "commentary" Wednesday that dismissed the Mandiant report as "amateurish," saying its conclusions were "baseless and revealing," including its tying of Shanghai IP addresses to a specific Chinese government military unit, although it offered no evidence to refute the allegations.

"One does not need to be a cybersecurity expert to know that professional hackers usually exploit what is called the botnet in other parts of the world as proxies for attacks, not their own computers," according to the commentary. "Thus, it is highly unlikely that both the origins of the hackers and the attacks they have launched can be located."

Comments
Lee Hu
User Rank: Apprentice
4/25/2013 | 12:05:04 PM
re: China Denies U.S. Hacking Accusations: 6 Facts
The Chinese government would steal your wallet right in front of you, then say, "we didn't do that." Of course they are not going to admit it, what else would they say? One after another, Internet security groups are finding the same thing: the Chinese government, through the PLA, is behind the shameless theft and rampant espionage.
burn0050bb
User Rank: Apprentice
2/26/2013 | 4:09:57 PM
re: China Denies U.S. Hacking Accusations: 6 Facts
Guess who else engages in massive cyber espionage? Perhaps the government that created the internet? While I have no doubt that the Chinese government is participating (as is the US government, and the UK, and...) - saying that you have pinpointed an attack is ludicrous. With the proliferation of botnets these days, there's just no way to know who's behind what attacks.
Andrew Hornback
User Rank: Apprentice
2/24/2013 | 2:45:22 AM
re: China Denies U.S. Hacking Accusations: 6 Facts
One of the things that comes into play here with the deployment of "poison pills" is that if it gets revealed that you really are going after a military or governmental organization, that could have diplomatic ramifications. Although, you'd have to think that someone at one of those Federal agencies that doesn't exist would have come up with the idea of watching all traffic leaving the country through a PoP destined for China by now.

A site that I'm familiar with has been noticing that they were getting scraped by 61398 every morning in the wee earlies (EST), by bots sending random HTTP requests. While it's possible to drop all of the traffic to that IP block, they decided to throttle everything down to 1kbps of throughput so that everything could be documented in the event that there was ever a need to take further action.

I'm somewhat surprised that you get good response from China and Russia - back when I was in a position to report offenders to ISPs, the worst response that I got came from the African region, followed by China and Russia.

What's making this more "interesting" is the different tools that these organizations are using. Sure, it's great to take over someone's PC and use it as part of a Botnet, but what about taking over their mobile phone? Drive up their data costs while waging war and being a mobile target at the same time - talk about a serious misdirection play, and something that very few people would ever have the skills to catch on their own. Yet another reason why I'm against BYOD, but that's an entirely different story.

Andrew Hornback
InformationWeek Contributor
Mark Sitkowski
User Rank: Apprentice
2/23/2013 | 8:24:04 AM
re: China Denies U.S. Hacking Accusations: 6 Facts
Don't think that it hadn't crossed my mind, but you can't do that. Among the zombies was a server at an airport, another at a hospital, and several in education networks. It might have been very dangerous.
We just report the IP address to the ISP, who then disinfects the server. For what it's worth, we've had good cooperation from ISPs in China, Romania, Russia, Brazil and everywhere except Turkey.
garye
User Rank: Apprentice
2/22/2013 | 7:21:24 PM
re: China Denies U.S. Hacking Accusations: 6 Facts
Shouldn't be that hard to send a program back with the information that will take out everyone involved. Send it with the information they are accessing. When they open the file there goes every computer connected. Seems simple enough and if it's not them it will take out the one who is doing it.
Mark Sitkowski
User Rank: Apprentice
2/22/2013 | 12:06:37 AM
re: China Denies U.S. Hacking Accusations: 6 Facts
We've been fighting a botnet since December 2012. We get hack attempts, using a limited number of identical scripts, from servers in (so far) 25 countries, including China. It should be fairly obvious that, as mentioned in the last paragraph, the attacks are not coming from those individual countries, but from the creep controlling the botnet. Get real, Mandiant. (Or, maybe, you'd like to help us out, here - we've destroyed 1350 zombies so far, but they keep on coming...)
lgarey@techweb.com
User Rank: Apprentice
2/21/2013 | 5:29:17 PM
re: China Denies U.S. Hacking Accusations: 6 Facts
The report essentially implying "how 'elite' can this Unit 61398 military hacking unit be if it doesn't know not to let Mandiant trace all the 'IP addresses used in attacks to a specific, 12-story, beige building in the Pudong district of Shanghai'" raises more questions than it answers. Seems like Mandiant should have spent more time on firm attribution.

Lorna Garey, IW Reports