BEIJING — A U.S. security firm has linked China’s military to cyberattacks on more than 140 U.S. and other foreign corporations and entities, according to a report released Tuesday.
The 60-page study by investigators at the Alexandria, Va.-based Mandiant security firm presents one of the most comprehensive and detailed analyses to date tracing corporate cyber-espionage to the doorstep of Chinese military facilities. And it calls into question China’s repeated denials that its military is engaged in such activities.
The document, first reported by the New York Times, draws on data Mandiant collected from what the company said was the systematic theft of data from at least 141 organizations over seven years. Mandiant traced the attacks back to a single group it designated “Advanced Persistent Threat 1,” or “APT1,” and now has identified the group as a Chinese military unit within the 2nd Bureau of the People’s Liberation Army General Staff Department’s 3rd Department, going by the designation “Unit 61398.”
Although most of the targets were U.S. companies, a Mandiant official said APT1 also hit about a dozen entities that he described as smaller U.S. local, state and federal government agencies unable to protect themselves, as well as international governmental organizations overseas, including bodies in which China might have membership.
At the White House, press secretary Jay Carney declined to address the findings of the Mandiant report or say whether it squared with U.S. intelligence assessments. Carney told reporters: “We have repeatedly raised our concerns at highest levels about cyber-theft with senior Chinese officials, including the military, and we will continue to do so. It’s an important challenge, one the president has been working on and urging Congress to work on for quite some time. The United States and China are among the world’s largest cyber-actors, so it’s critical.”
Analysts have long linked the unit to the Chinese military’s 3rd Department, and to extensive cyber-espionage. But what Mandiant has done is connect the dots and add new ones by locating the Internet protocol addresses used in commercial cyberattacks, placing them on a map and linking that information to open-source data about people associated with the unit.
“Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries,” the firm said in its report. Of those victims, 87 percent “are headquartered in countries where English is the native language,” it said.
Mandiant did not name the victims but said 115 of them are located in the United States, two in Canada and five in Britain. Of the 19 others, all but two operate in English. The report lists three victims each in Israel and India, two each in Taiwan, Singapore and Switzerland, and one each in Norway, Belgium, France, Luxembourg, Japan, South Africa and the United Arab Emirates.
These targeted entities include “international cooperation and development agencies, foreign governments in which English is one of multiple official languages, and multinational conglomerates that primarily conduct their business in English,” the report said.
The top sectors targeted by the APT1 cyber-espionage campaign, Mandiant said, are information technology, aerospace, public administration, satellites and telecommunications and scientific research and consulting.
“We have figured things out in an unclassified way that the government has known through classified means,” said Richard Bejtlich, Mandiant chief security officer, adding that the company shared the study with U.S. intelligence agencies before it was released.
The unit is just one of dozens working for the Chinese military in cyber-espionage all over the country, analysts say. There are other units within the General Staff Department’s 2nd Department, which conducts military intelligence, and within the Ministry of State Security, which conducts internal counterintelligence and external espionage, according to analysts.
APT1, also dubbed “Comment Crew” by security companies that have studied its tactics, focuses on commercial targets overseas, which makes its work more visible to the security firms tracking the intrusions. Chinese units that focus on military and intelligence targets are less visible to the cyber-security companies.
“Once APT1 has compromised a network, they repeatedly monitor and steal proprietary data and communications from the victim for months or even years,” Mandiant said. It said the activity it has uncovered appears to represent “only a small fraction of the cyber-espionage that APT1 has committed.”
The Chinese military has repeatedly denounced accusations that it is engaging in cyber-espionage, and did so again Tuesday.
“Similar to other countries, China faces serious threats from cyberattack and is one of the main victims of cyberattacks in the world,” the Ministry of Defense said. “The Chinese army never supported any hacking activities. The accusation that the Chinese military engaged in cyberattacks is neither professional nor in accordance with facts. “
Chinese Foreign Ministry spokesman Hong Lei on Tuesday also challenged the report’s findings. “Hacking attacks are transnational and anonymous,” and determining their origins is extremely difficult, he said. “We don’t know how the evidence in this so-called report can be tenable.”
Mandiant investigators said they based their conclusion in part by tracing an overwhelming number of cyberattacks by the APT1 group to networks serving a small area on the edges of Shanghai - the same area where Unit 61398 is believed to be operating in a 12-story building. It also found evidence that China Telecom had provided special high-speed fiber optic lines for those headquarters in the name of national defense.
The only alternative explanation to military involvement, Mandiant argues in the report, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates.”
The Mandiant report coincides with the completion of a classified National Intelligence Estimate by the U.S. intelligence community that concluded that China was the most aggressive perpetrator of a massive campaign of cyber-espionage against commercial targets in the United States.
It also comes days after President Barack Obama issued an executive order aimed at better securing the computer networks run by critical U.S. industries, such as transportation and energy.
“We know foreign countries and companies swipe our corporate secrets,” Obama said in his State of the Union address. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
On Tuesday, White House spokeswoman Caitlin Hayden said the administration was aware of the Mandiant report. She reiterated that the United States “has substantial and growing concerns about the threats to U.S. economic and national security posed by cyber-intrusions, including the theft of commercial information.”
Before she left office this month, Secretary of State Hillary Rodham Clinton said the United States has elevated the cyber-espionage issue to the strategic dialogue level with China. “We have to begin making it clear to the Chinese that the United States is going to have to take action to protect not only our government, but our private sector, from this kind of illegal intrusions,” Clinton said.
Other security experts have also traced cyberattacks to China in the past. In one instance, documented by Bloomberg News reporters last week, a malware expert at Dell SecureWorks and other security experts traced cyberattacks to a man named Zhang Changhe teaching at a Chinese military academy, PLA Information Engineering University.
Along with Tuesday’s report, Mandiant included lengthy descriptions of the group’s past methods and more than 3,000 indicators to help others bolster their defenses against the unit’s tactics.
The company explained its rationale, saying its leaders decided that the benefits of exposing the military unit’s activity and pinning responsibility squarely on China now outweighed the usefulness of keeping silent.
“It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively,” the report said. “Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.”
Company officials, however, acknowledged that the report would likely lead to negative consequences, such as prompting Unit 61398 and other military operations to change their methods, making them harder to detect and stop. They also concluded the report by saying that Mandiant as a company was ready to face “reprisals from China as well as an onslaught of criticism.”
Details included in the new report suggest a massive operation behind the cyberattack carried out by the unit singled out by Mandiant. According to Mandiant, the unit is one of the most prolific and likely includes hundreds or even thousands of employees.
The group’s attack infrastructure uses more than 1,000 servers. In the past two years alone, the report noted, hackers logged into the same attack infrastructures 1,905 times from 832 different Internet protocol (IP) addresses. And in 97 percent of the cases, according to the report, the hacking group used IP addresses registered in Shanghai and computer systems set to Simplified Chinese language - a written form of Chinese that is unique to mainland China and not used in Taiwan and Hong Kong.
An operation of such a size, the report argues, would require a sizable dedicated IT staff as well as linguists, open source researchers, malware authors and other support staff.
The scale of the unit’s intrusions is also surprising. While Mandiant was careful not to name any targeted corporations, the report counts 147 targeted companies, spanning 20 major industries, including several sectors publicly identified by China’s government as emerging ones central to China’s strategic interests.
On average, the attackers stayed in companies’ systems almost a year, but in one case investigated by Mandiant, a company was infiltrated for almost five years. In many cases terabyte-size portions of intellectual property were siphoned off.
In an effort to illuminate the hackers behind such attacks, the report also included personal details of three operators believed to be part of the unit, tracking them using accounts associated with attacks.
In a video addendum published online with the report, the security firm showed one of the hackers using details such as a Shanghai cellphone to create a Google mail account that is later used in cyberattacks to target the email accounts of Southeast Asian military organizations in Malaysia and the Philippines.