Chinese Military Tied To Major Cyberespionage Operation

Mandiant calls out People's Liberation Army Unit 61398 as the APT1 group responsible for cyberspying against multiple industries; Dell SecureWorks discovers new victims of APT1, also known as the "Comment Crew" or "Comment Group"

The group uses a couple of trademark tools of its own for stealing email, GETMAIL and MAPIGET, and its server infrastructure encompasses more than 1,000 servers. Mandiant estimates that the group could have hundreds or thousands of operatives, an operation that requires support from linguists, open source researchers, malware writers, and experts who ship stolen information to the requestors.

Mandiant found that China Telecom had installed a special fiber optic network for Unit 61398 for national defense purposes. Like most APTs, APT1 starts most of its targeted attacks with a convincing-looking spearphishing email that includes an infected attachment.

The company today released more than 3,000 telltale indicators of APT1 infections: domain names, IP addresses, and MD5 hashes of malware, as well as sample indicators of compromise covering more than 40 malware families, 13 encryption certificates used by the group, and a video showing some real attacks by the group.
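As an added illustration of how the released indicator types (domain names, IP addresses, MD5 hashes) are actually consumed by a defender, the following Python is example code written for this page, not Mandiant's tooling, and it uses a constructed placeholder indicator feed, constructed proxy log lines and constructed attachment contents rather than any of the real APT1 indicators. The feed layout (`type,value` lines) and the log layout (timestamp, client IP, method, URL, status) are assumptions. It shows the one check people commonly get wrong: domain indicators must be matched on a label boundary, so a lookalike such as `example-c2.test.evil-lookalike.org` does not match the indicator `example-c2.test`, while the subdomain `update.example-c2.test` does.

```python
"""Match indicator-of-compromise types (domain, IP, MD5) against sample evidence.

Added example for this page. All indicators, log lines and file contents below are
constructed placeholders, NOT Mandiant's published APT1 indicators.
"""
import hashlib
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed indicator feed; "type,value" layout is an assumption of this example.
IOC_FEED = """\
# type,value
domain,example-c2.test
domain,news.example-c2.test
ip,203.0.113.45
md5,900150983cd24fb0d6963f7d28e17f72
"""

# Constructed proxy log lines: timestamp client-ip method url status
SAMPLE_PROXY_LOG = [
    "2013-02-19T09:12:01Z 10.20.30.41 GET http://www.example.org/ 200",
    "2013-02-19T09:12:07Z 10.20.30.41 GET http://update.example-c2.test/getcmd.asp 200",
    "2013-02-19T09:13:15Z 10.20.30.42 POST http://203.0.113.45:443/upload 200",
    "2013-02-19T09:14:02Z 10.20.30.43 GET http://example-c2.test.evil-lookalike.org/ 200",
]

# Constructed "attachments": the bytes are placeholders, not real malware.
SAMPLE_ATTACHMENTS = {"invoice.pdf": b"abc", "notes.txt": b"hello"}


def parse_ioc_feed(text: str) -> Dict[str, Set[str]]:
    """Parse the feed into per-type sets, rejecting malformed entries early."""
    iocs: Dict[str, Set[str]] = {"domain": set(), "ip": set(), "md5": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind, value = kind.strip().lower(), value.strip().lower()
        if kind == "ip":
            ipaddress.ip_address(value)  # raises ValueError on a malformed address
        elif kind == "md5" and not re.fullmatch(r"[0-9a-f]{32}", value):
            raise ValueError(f"bad md5 indicator: {value}")
        elif kind not in iocs:
            raise ValueError(f"unknown indicator type: {kind}")
        iocs[kind].add(value)
    return iocs


def domain_matches(host: str, domains: Set[str]) -> bool:
    """True if host equals an indicator domain or is a subdomain of one.
    Matching anchors on a label boundary ('.' + domain), so a plain substring
    or unanchored suffix hit on a lookalike name is not reported."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, indicator_type, matched_value) for every log line that
    contacts an indicator domain or IP. Hostnames are taken from the URL, so a
    port suffix (":443") does not break IP matching."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False
        if is_ip and host in iocs["ip"]:
            hits.append((client, "ip", host))
        elif not is_ip and domain_matches(host, iocs["domain"]):
            hits.append((client, "domain", host))
    return hits


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def scan_attachments(files: Dict[str, bytes], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (filename, md5) for files whose MD5 is a published indicator.
    A hash identifies a known sample exactly; a recompiled variant will not hit."""
    return [(name, md5_hex(data)) for name, data in files.items()
            if md5_hex(data) in iocs["md5"]]


def run() -> dict:
    iocs = parse_ioc_feed(IOC_FEED)
    return {
        "log_hits": scan_proxy_log(SAMPLE_PROXY_LOG, iocs),
        "file_hits": scan_attachments(SAMPLE_ATTACHMENTS, iocs),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

Run as a script it reports the two log lines that reach indicator infrastructure (the subdomain hit and the raw-IP upload) and the one attachment whose hash is in the feed; the lookalike domain and the unrelated host produce nothing.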

Mandiant also revealed details on three members of APT1, including one who writes malware for the unit and who appears to be a big Harry Potter fan based on his authentication security questions, and another who goes by "Ugly Gorilla" and has a penchant for signing his malware with his trademark hacker handle. A third hacker, who goes by "SuperHard," revealed that his physical location was the Pudong New Area of Shanghai.

[Chart: Industries Compromised by APT1. Source: Mandiant]

Given China's heavy monitoring of Internet use, it's "highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai," the Mandiant report says. "Therefore the most probable conclusion is that APT1 is able to wage such a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government. Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1."

The "APT1: Exposing One of China's Cyber Espionage Units" report is available from Mandiant's website for download.


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

2 of 2
Larry Seltzer - UBM Tech
User Rank: Apprentice
2/19/2013 | 11:29:18 PM
re: Chinese Military Tied To Major Cyberespionage Operation
For some time now I've thought that there's no defense to this that can be effective and deniability is always plausible enough for public consumption. The only thing you can do is counter-attack. This is just a new form of espionage and if they're going to do it to us we need to do it to them and I'm sure we can hide ourselves at least as well as they do.

I don't know if our government is doing this sort of thing, but I hope they are.