Mandiant have released a report alleging that a Chinese military unit is one of the most prolific hacking groups in the world, and is responsible for the theft of “hundreds of terabytes” of data from foreign organisations and governments. Investigating attacks that have occurred since 2004, Mandiant claim that the group, whom they refer to as APT1 (Advanced Persistent Threat 1), targeted over 140 victims in separate attacks, and that more attacks have probably occurred.
In the report, which can be found here, Mandiant describe APT1 as just half of the operation, with significant support coming from a military unit set up specifically to coordinate cyber attacks. The report claims that this direct support is fundamental to APT1’s ability to implement and sustain the high number and sophistication of attacks documented in the investigation. Not only have Mandiant analysed the attacks committed by APT1, but they also claim to have located the building used by both APT1 and the Chinese military unit, in Pudong, Shanghai. An aerial photo can be found on page 13 of the report.
The direct support for APT1 is thought to come from People’s Liberation Army (PLA) Unit 61398. Many governments have long suspected Chinese organisations, with possible ties to government bodies, of targeting Western governments and businesses in a campaign of cyber espionage. Project 2049, a US think-tank focused on Asia, claimed in 2011 that Unit 61398 was responsible for targeting the US and Canada, specifically trying to steal political, economic and military intelligence. The idea of state-backed Chinese hackers is therefore nothing new; Mandiant themselves claim to have been investigating different attacks since 2006.
Unit 61398, whilst supporting APT1, is also thought to be “similar to APT1 in its mission, capabilities, and resources.” There are believed to be other APT groups in China; the report estimates there to be 20 different groups, all using the same style of attacks and all targeting Western organisations. The targets are mainly corporations and government organisations, and the campaign is thought to be part of a five-year growth plan implemented by the Chinese government. The aim of this particular operation is to steal information from industries seen as “strategically important” by the Chinese government.
The report was commissioned by the New York Times, as a direct reaction to what the NYT calls persistent hacking over a period of four months by what it believes to be one of the APT groups based in China. APT1 was not believed to be behind the attacks on the NYT, but was identified as a major component of the Chinese government’s corporate espionage programme, deployed as part of its five-year plan. Although the first attack attributed to that plan occurred in 2004, the report identifies new victims in 10 different industries in the first month of 2011 alone, suggesting that operations continued after 2009 and may well be ongoing to this day.
The APT1 group are accused of targeting many different victims: 141 businesses across 20 industries, to be precise. Mandiant report that these attacks are well practised, following a definitive methodology designed to steal as much intellectual property as possible with as little disruption as possible. The attacks analysed were sophisticated enough that, on average, victims’ networks were infiltrated for 356 days, and in the most extreme case a victim’s network was accessed for 1,764 days. In a separate instance, “6.5 terabytes of compressed data [were stolen] from a single organisation over a ten month period”.
This latest report will simply add to the already mounting suspicion that the Chinese government is involved in cyber espionage. Despite having held that suspicion for a few years, the US government is reportedly unhappy at the release of this document, as it has “huge diplomatic sensitivities”. At the time of writing, no official statement has been made by the White House in response to the report, but it will surely be aware of the implications. How and when it reacts is the next big development in this intriguing story.