Chinese cyberwarfare division


By Joshua Ostrer

One single Chinese military unit has been stealing massive amounts of computer data from around the globe, dating back to 2006—allegedly.

In a report by Mandiant, a private American information security firm, the firm alleges that the Chinese government is authorizing and ordering a secret cyber-warfare unit.

According to Mandiant’s report, this unit of the Chinese army is solely responsible for stealing “hundreds of terabytes of data from at least 141 organizations.”

Not surprisingly, The People’s Republic of China denied the allegations.

Mandiant believes it has identified the Second Bureau of the People’s Liberation Army General Staff Department’s third department, or Unit 61398 to be the unit responsible.

Mandiant has labeled this unit “APT 1” which stands for Advanced Persistent Threat 1.

While APT 1 is among more than 20 APT groups in China, Mandiant has monitored APT 1 since 2006 and has yet to be convinced that their assumptions are incorrect.

In fact, Mandiant has actually become more confident not only that APT is responsible, but that the Chinese government knows exactly what they’re doing.

“We first published details about the APT in our January 2012 M-Trends report. As we stated in the report, our position was that ‘The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement.’ Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and the Chinese government is aware of them,” says the Executive Summary portion of Mandiant’s report.

Part of what makes Mandiant so sure about their assessment is that in 97 percent of the 1,905 times Mandiant observed ATP 1, the computer addresses were registered in Shanghai, also where APT 1’s office is located.

How many people are in unit 61398?

While the answer remains unknown, Mandiant’s “conservative estimate” lists at least a thousand staffers within the unit.

What is unit 61398 allegedly stealing?

A lot. Mandiant has documented attacks on over 141 companies in 20 industries, claiming hundreds of terabytes (1,000 gigabytes) of data.

The attacks include 19 against Information Technology organizations, 16 Aerospace organizations, 12 Government-related organizations, 12 satellite and telecommunications organizations, 10 scientific research and consulting organizations and many more.

APT 1 has been in operation since 2006, and according to Mandiant, has stayed in many of the systems they infiltrate for extended periods of time.

In one case, APT 1 maintained access to one victim’s network for for years and 10 months. On average, APT 1 stays in a victim’s network to steal data and spy on Internet activity for 356 days.

Where are they targeting? While APT1 has targeted crucial industry, they also seem to have a geographical focus: 87 percent of victims were in countries where English is the native language and 81 percent of all victims were in the United States and a combined six percent in Canada and the United Kingdom.

Mandiant’s report is unprecedented, it is abnormal to see so much information made available to the public.

And believe it or not, Mandiant claims it did not have access to any confidential information in its observation and tracking of APT 1.

While Mandiant’s report is unproven, it would not be the biggest surprise if they were right about APT 1.

Countries like the United States have already assembled cyber armies that have allegedly carried out attacks; the idea that China is doing the same thing does not seem out of the question.



Leave a Reply