Chinese Military Tied To Major Cyberespionage Operation

Mandiant calls out People's Liberation Army Unit 61398 as the APT1 group responsible for cyberspying against multiple industries; Dell SecureWorks discovers new victims of APT1, aka the "Comment Crew" or "Comment Group"
The group uses a couple of trademark tools of its own for stealing emails, GETMAIL and MAPIGET, and its server infrastructure encompasses more than 1,000 servers. Mandiant estimates that the group could have hundreds or thousands of operatives, and that it requires support from linguists, open source researchers, malware writers, and experts who ship stolen information to the requestors.

Mandiant found that China Telecom had installed a special fiber optic network for Unit 61398 for national defense purposes. Like most APTs, APT1 starts most of its targeted attacks with a convincing-looking spearphishing email that includes an infected attachment.

The company today released more than 3,000 telltale indicators of APT1 infections (domain names, IP addresses, and MD5 hashes of malware), as well as sample indicators of compromise that include more than 40 malware families, 13 encryption certificates used by the group, and videos showing some real attacks by the group.

Mandiant also revealed details on three members of APT1, including one who writes malware for the unit and appears to be a big Harry Potter fan based on his authentication security questions, and another who goes by "Ugly Gorilla" and has a penchant for signing his malware with his trademark hacker handle. Another hacker, who goes by "SuperHard," revealed his physical location was the Pudong New Area of Shanghai.

chart: Industries Compromised by APT 1

Source: Mandiant

Given China's heavy monitoring of Internet use, it's "highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai," the Mandiant report says. "Therefore the most probable conclusion is that APT1 is able to wage such a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government. Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1."

The "APT1: Exposing One of China's Cyber Espionage Units" report is available for download here.
