
China Denies U.S. Hacking Accusations: 6 Facts

Mandiant report says that an elite Chinese military hacking unit is responsible for launching APT attacks against U.S. businesses. Chinese government cries foul.

Security firm Mandiant this week published evidence that it said ties the Chinese government to a six-year campaign of hack attacks that have compromised 141 businesses across 20 industries. Washington-based Mandiant's 74-page report covers only one of the dozens of cyber-espionage groups around the world, including more than 20 in China, that the company said use advanced persistent threats (APTs) -- including spear-phishing attacks -- to compromise their targets. Mandiant refers to the group in its report as "APT1."

"From our observations, it is one of the most prolific cyber-espionage groups in terms of the sheer quantity of information stolen," according to Mandiant's report. "The scale and impact of APT1's operations compelled us to write this."

Based on Mandiant's research, as well as reaction from security experts and the Chinese government, here's what's known -- and what remains in question -- about the activities of the APT1 hacking group:

1. Mandiant Traces APT1 Attacks To Shanghai

Mandiant's report wasn't notable for the fact that it accused the Chinese government of supporting APT attacks against U.S. businesses, but rather for the volume of evidence -- albeit circumstantial -- that it presented. Furthermore, Mandiant accused APT1 of being not just supported by the Chinese government but actually part of People's Liberation Army (PLA) Unit 61398, an elite military hacking unit.

Mandiant's conclusions come in part from tracing IP addresses used in attacks to a specific, 12-story, beige building in the Pudong district of Shanghai, where Mandiant found that China Telecom had "provided a special fiber optic communications infrastructure." Mandiant also cited China Telecom documents noting that the facility had been built together with Unit 61398, which the documents referred to as "GSD 3rd Department, 2nd Bureau" -- GSD being the PLA General Staff Department, whose 3rd Department is -- again -- also known as PLA Unit 61398.

Adding to the intrigue, a BBC correspondent reported that he'd been briefly detained Tuesday after attempting to visit the building.

2. Symantec Says Attacks Began In 2006

Security software vendor Symantec said that the activities of the APT1 group, which it calls the Comment Crew -- because the group has hidden attack commands inside HTML comments -- began more than six years ago. "The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec," according to a blog post from Symantec Security Response. "We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks."
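
As an added illustration (not part of the article, nor Symantec's or Mandiant's material), the following Python shows one way a defender might hunt for command channels hidden in HTML comments, the trait that gave the Comment Crew its name: it pulls every comment out of a page and flags lone tokens that decode as base64 or have unusually high entropy. The sample page, the hidden token and the entropy threshold are all constructed for this example.

```python
import base64
import math
from html.parser import HTMLParser

# Constructed sample (not from the report): a benign template comment beside
# one carrying a base64 token; the token is built here so the example runs offline.
HIDDEN = base64.b64encode(b"constructed sample payload").decode()
SAMPLE_HTML = f"""<html><head><title>Sample</title></head><body>
<!-- page footer generated by template v2 -->
<p>Welcome.</p>
<!-- {HIDDEN} -->
</body></html>"""
B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")

class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a document."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

def shannon_entropy(s):
    """Bits per character: roughly 4.2 for base64 text, about 3 for English prose."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def classify_comment(text):
    """Return a reason string if the comment looks like a hidden payload, else None."""
    token = text.strip()
    # Developer comments are whitespace-separated words; a lone long token merits a look.
    if len(token) < 16 or any(ch.isspace() for ch in token):
        return None
    if set(token.rstrip("=")) <= B64_CHARS and len(token) % 4 == 0:
        try:
            base64.b64decode(token, validate=True)
            return "base64-decodable single token"
        except ValueError:
            pass
    if shannon_entropy(token) > 4.0:  # threshold chosen for this example, tune per site
        return "high-entropy single token"
    return None

def suspicious_comments(html):
    """Return [(comment, reason)] for every comment that classify_comment flags."""
    parser = CommentCollector()
    parser.feed(html)
    flagged = [(c, classify_comment(c)) for c in parser.comments]
    return [(c, reason) for c, reason in flagged if reason]
```

Run over a crawl of your own site's pages, a hit list like this is a starting point for review, not a verdict: minified inline data and tracking snippets will also trip the entropy check.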

According to Symantec, APT1's attacks often involve spear-phishing emails with such subject lines as "U.S. Stocks Reverse Loss as Consumer Staples, Energy" and "New contact sheet of the AN-UYQ-100 contractors.pdf." The attacks have targeted businesses in numerous industries, "including finance, information technology, aerospace, energy, telecommunications, manufacturing, transportation, media and public services," it said.

The Mandiant report, however, didn't break any new ground in the Comment Crew discussion. "There really wasn't much new that came out of that Mandiant report, except for them identifying a specific building and putting all these details on that in there," said former Gartner Group analyst John Pescatore, who last month became the director of emerging security trends at the SANS Institute, speaking by phone.

3. Chinese Government: Allegations Are "Baseless"

The Chinese government has dismissed Mandiant's allegations. In particular, the Xinhua News Agency -- the Chinese government's official press agency -- published a "commentary" Wednesday that dismissed the Mandiant report as "amateurish," calling its conclusions "baseless and revealing," including its tying of Shanghai IP addresses to a specific Chinese government military unit. The commentary offered no evidence to refute the allegations.

"One does not need to be a cybersecurity expert to know that professional hackers usually exploit what is called the botnet in other parts of the world as proxies for attacks, not their own computers," according to the commentary. "Thus, it is highly unlikely that both the origins of the hackers and the attacks they have launched can be located."

Lee Hu
User Rank: Apprentice
4/25/2013 | 12:05:04 PM
re: China Denies U.S. Hacking Accusations: 6 Facts
The Chinese government would steal your wallet right in front of you, then say, "we didn't do that." Of course they are not going to admit it; what else would they say? One after another, Internet security groups are finding the same thing: the Chinese government, through the PLA, is behind the shameless theft and rampant espionage.
User Rank: Apprentice
2/26/2013 | 4:09:57 PM
re: China Denies U.S. Hacking Accusations: 6 Facts
Guess who else engages in massive cyber espionage? Perhaps the government that created the internet? While I have no doubt that the Chinese government is participating (as is the US government, and the UK, and...) - saying that you have pinpointed an attack is ludicrous. With the proliferation of botnets these days, there's just no way to know who's behind what attacks.
Andrew Hornback
User Rank: Apprentice
2/24/2013 | 2:45:22 AM
re: China Denies U.S. Hacking Accusations: 6 Facts
One of the things that comes into play here with the deployment of "poison pills" is that if it gets revealed that you really are going after a military or governmental organization, that could have diplomatic ramifications. Although, you'd have to think that someone at one of those Federal agencies that doesn't exist would have come up with the idea of watching all traffic leaving the country through a PoP destined for China by now.

A site that I'm familiar with has been noticing that they were getting scraped by 61398 every morning in the wee earlies (EST), by bots sending random HTTP requests. While it's possible to drop all of the traffic to that IP block, they decided to throttle everything down to 1kbps of throughput so that everything could be documented in the event that there was ever a need to take further action.

I'm somewhat surprised that you get good response from China and Russia - back when I was in a position to report offenders to ISPs, the worst response that I got came from the African region, followed by China and Russia.

What's making this more "interesting" is the different tools that these organizations are using. Sure, it's great to take over someone's PC and use it as part of a Botnet, but what about taking over their mobile phone? Drive up their data costs while waging war and being a mobile target at the same time - talk about a serious misdirection play, and something that very few people would ever have the skills to catch on their own. Yet another reason why I'm against BYOD, but that's an entirely different story.

Andrew Hornback
InformationWeek Contributor
User Rank: Moderator
2/23/2013 | 8:24:04 AM
re: China Denies U.S. Hacking Accusations: 6 Facts
Don't think that it hadn't crossed my mind, but you can't do that. Among the zombies was a server at an airport, another at a hospital, and several in education networks. It might have been very dangerous.
We just report the IP address to the ISP, who then disinfects the server. For what it's worth, we've had good cooperation from ISPs in China, Romania, Russia, Brazil and everywhere except Turkey.
User Rank: Apprentice
2/22/2013 | 7:21:24 PM
re: China Denies U.S. Hacking Accusations: 6 Facts
Shouldn't be that hard to send a program back with the information that will take out everyone involved. Send it with the information they are accessing. When they open the file there goes every computer connected. Seems simple enough, and if it's not them it will take out the one who is doing it.
User Rank: Moderator
2/22/2013 | 12:06:37 AM
re: China Denies U.S. Hacking Accusations: 6 Facts
We've been fighting a botnet since December 2012. We get hack attempts, using a limited number of identical scripts, from servers in (so far) 25 countries, including China. It should be fairly obvious that, as mentioned in the last paragraph, the attacks are not coming from those individual countries, but from the creep controlling the botnet. Get real, Mandiant. (Or, maybe, you'd like to help us out, here - we've destroyed 1350 zombies so far, but they keep on coming...)
User Rank: Apprentice
2/21/2013 | 5:29:17 PM
re: China Denies U.S. Hacking Accusations: 6 Facts
The report essentially implying "how 'elite' can this Unit 61398 military hacking unit be if it doesn't know not to let Mandiant trace all the 'IP addresses used in attacks to a specific, 12-story, beige building in the Pudong district of Shanghai'" raises more questions than it answers. Seems like Mandiant should have spent more time on firm attribution.
Lorna Garey, IW Reports