China’s army may be behind a computer-hacking group that has attacked at least 141 companies worldwide since 2006, according to a report by a U.S. security firm.
The attacks, mainly directed at U.S. companies, were carried out by a group that is “likely government sponsored” and is similar “in its mission, capabilities, and resources” to a unit of the People’s Liberation Army, Mandiant Corp. said in a report today.
Mandiant said it traced the group, labeled Advanced Persistent Threat 1, to four large computer networks in Shanghai. Two of the networks serve the Pudong New Area district, where a secret army unit called 61398 is based, the report said. Corporations and government agencies are increasingly finding themselves under attack from sophisticated adversaries, many of them from China.
“It is time to acknowledge the threat is originating in China,” Alexandria, Virginia-based Mandiant said. “Our research and observations indicate that the Communist Party of China is tasking the Chinese People’s Liberation Army to commit systematic cyber espionage and data theft against organizations around the world.”
A recently prepared U.S. secret intelligence assessment, described Feb. 11 in the Washington Post, said the country’s economy is endangered by a massive and prolonged computer-espionage campaign from China.
Publishing detailed information about the hacking group, including the Internet Protocol addresses of its servers, will make it harder for the intruders to escape detection, said Dan McWhorter, managing director of Mandiant’s intelligence unit. It could take weeks or months for them to set up new servers and write new malicious software, McWhorter said.
“They’ll have to go back to the drawing board,” he said. “My guess is the group will go very dark for a while.”
The details Mandiant disclosed can help corporations spot hackers in their own networks, ahead of similar government actions that would happen under an executive order signed Feb. 12 by President Barack Obama.
The order calls for sharing of secret government information on the operations of Chinese hackers and other cyber threats. It directs the government to develop voluntary cybersecurity standards for companies operating the nation’s vital infrastructure, such as power grids and air traffic control systems.
The attack Mandiant described is comparable in size and sophistication to the one that hit Google Inc. and dozens of other companies in 2009, said Alan Paller, director of research for the SANS Institute, a Bethesda, Maryland-based computer-security research and training organization.
Attacks from China often bear different hallmarks than those from other countries, Paller said.
“The Chinese have a technique called 1,000 grains of sand -- these guys in China go grab everything that you have and then sort it out back home,” he said. “Because the Chinese get so much, and they really don’t seem to worry about getting outed. They’re noisier. Whereas the tradecraft of the other guys is very much like the tradecraft of the U.S. -- getting caught is equivalent to failure -- the Chinese don’t seem to care about being caught.”
The New York Times last month reported that its computer systems were breached by Chinese hackers, a claim China has denied. The Wall Street Journal outlined similar attacks on its systems, while Bloomberg LP, the parent of Bloomberg News, said there have been unsuccessful attempts to infiltrate its network.
China’s Foreign Ministry said today the country opposes computer hacking and that it is a victim of attacks. The U.S. is the biggest attacker of China’s Internet, said Hong Lei, a spokesman for the ministry. Making “unfounded accusations” is not conducive to resolving the issue, Hong said when asked about the report at a regular briefing today.
“It’s inaccurate and unprofessional to accuse the Chinese military of Internet attacks,” the Ministry of Defense said by fax today in response to a Bloomberg News request for comment on the Mandiant report. “China’s military has never supported hacking and the country has always cracked down on relevant criminals.”
A spokesman for President Obama’s National Security Council said the U.S. has “substantial and growing concerns” about cyber threats, and the administration is aware of the Mandiant report and its contents.
“We have repeatedly raised our concerns at the highest levels about cyber theft with senior Chinese officials, including in the military, and we will continue to do so,” the spokesman, Tommy Vietor, said in an e-mail.
Vietor didn’t draw a specific link between China and hacking attacks. “The U.S. and China are among the world’s largest cyber actors and it is vital that we continue a sustained, meaningful dialogue and work together to develop an understanding of acceptable behavior in cyberspace,” he said.
Obama has direct experience with the hacking group described in Mandiant’s report. Bloomberg News reported in July that the hacking team stole policy briefs and other information from his 2008 presidential campaign, as well as the campaign of Senator John McCain, an Arizona Republican.
In the summer of 2011, the group hacked the president of the European Union Council, a Washington law firm working on an anti-dumping case involving China, an immigration magistrate in Canada and a nonprofit group working on democracy issues in China, Bloomberg News reported.
Bloomberg News also reported in November that hackers from China broke into computer systems at Coca-Cola Co. in 2009 and pilfered sensitive files about Coca-Cola’s attempted $2.4 billion acquisition of the China Huiyuan Juice Group.
Investigators at dozens of commercial security companies suspect many Chinese hackers are either with the military or take their orders from some of China’s intelligence or surveillance organizations, Bloomberg Businessweek reported this month.
APT1, the Chinese group, has attacked companies in 20 major industries, and 87 percent of the targets are based in countries where English is the first language, according to the Mandiant report. Targets were based in countries including the U.S., Canada, the U.K., India and Singapore. Mandiant’s research was reported earlier by the New York Times.