A damning, 60-page report released by American computer security firm Mandiant reveals that a 12-story building on the outskirts of Shanghai is most likely the epicenter of ongoing cyber attacks perpetrated against a number of American corporations and government agencies, as well as entities such as power grids, gas lines and water works. The building, located in a run-down section of the city, is the headquarters of the People’s Liberation Army (PLA) Unit 61398. A 2010 report by Mandiant questioned whether the Chinese government was directly involved in such hacking. No longer. “The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them,” the report states.
The report further notes that “Mandiant continues to track dozens of APT (Advanced Persistent Threat) groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as ‘APT1′ and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen.”
The units involved in the hacking from APT1 are known as the “Comment Crew” or “Shanghai Group” by those they have victimized in the U.S. And while Mandiant cannot determine with absolute certainty that the attacks are coming from the building itself, they insist that the high volume of hacking attacks originating from such a small area offers no other plausible explanation. “Either they are coming from inside Unit 61398,” said Kevin Mandia, CEO and founder of Mandiant, in a recent interview, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
The base, well-known to those who live in the area, is guarded by men in PLA uniforms. Although there is no sign identifying the building, orders printed in English and Chinese have been posted outside: “Restricted military area. No photographing or filming.” According to Mandiant, the army of cyberwarriors operating out of the Shanghai headquarters has “systematically stolen hundreds of terabytes of data from at least 141 organizations and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.” Such thefts include “broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.”
The increase in thefts has apparently forced President Obama’s hand. Yesterday, the Associated Press reported that the White House is considering fines and/or other trade penalties as a means of blunting the ongoing cyber espionage, according to officials who spoke on condition of anonymity because they were not authorized to speak publicly about the issue.
U.S. officials also refused to comment directly on Mandiant’s report. But they did reveal that cyber-defenses are being strengthened, and that such strengthening is underscored by an executive order aimed at improving them. Also as a result of that order, signed by the president last week, the government will begin sharing with U.S. Internet providers information regarding the unique “digital signatures” of the largest APT groups, including Comment Crew and others, emanating from the vicinity where PLA Unit 61398 is based. Yet due to diplomatic sensitivities, the attacks will not be specifically linked to the Chinese army. Whether the attackers themselves will be publicly named–and accused of stealing–is currently under debate. However, administration officials have revealed China will be notified that the ongoing volume and sophistication of the attacks threatens the “fundamental relationship” between the two nations.
State Department spokeswoman Victoria Nuland and White House Press Secretary Jay Carney confirmed on Monday that a dialogue with the “highest levels” of the Chinese government, including with “officials in the military,” has been initiated. “It is a major challenge for us in the national security arena,” Carney added.
On Tuesday, White House spokeswoman Caitlin Hayden, who noted that the administration was aware of Mandiant’s report, echoed those concerns. The United States “has substantial and growing concerns about the threats to U.S. economic and national security posed by cyber intrusions, including the theft of commercial information,” she said.
The potential consequences of such attacks cannot be underestimated. For example, Mandiant revealed that one of the targets of these attacks, initiated by Comment Crew, was the Canadian arm of Televent, a company that maintains access to over 60 percent of the oil and gas pipelines in North America. Project files were stolen, but access was cut off before the intruders could gain system control. Another target was RSA, a computer security firm whose protective codes are used by corporate and government databases. Furthermore, most of the attacks by APT1 are sustained for considerable periods of time. The report reveals that “APT1 maintained access to victim networks for an average of 356 days,” and that access to one victim was maintained for “1764 days, or four years and ten months.”
None of this cyber warfare is new. In 2008, a Congressional panel comprised of six Democrats and six Republicans issued a report in which they unanimously agreed that China was regularly targeting databases used by the United States government and American defense contractors. “China is aggressively pursuing cyber warfare capabilities that may provide it with an asymmetric advantage against the United States,” the commission warned. What is new is that the release of the Mandiant report has brought additional pressure to bear, and administration officials now believe more forceful action is necessary.
“If the Chinese government flew planes into our airspace, our planes would escort them away,” said Shawn Henry, former assistant director of the FBI. “If it happened two, three or four times, the president would be on the phone and there would be threats of retaliation. This is happening thousands of times a day. There needs to be some definition of where the red line is and what the repercussions would be.” James Lewis, a cyber-security expert at the Center for Strategic and International Studies, believes the White House is serious about dealing with the issue, but it won’t be easy. “This will be the year they will put more pressure on, even while realizing it will be hard for the Chinese to change. There’s not an on-off switch,” Lewis warned.
On Monday, Chinese of Foreign Affairs spokesman Hong Lei insisted there was no government involvement in these attacks. ‘‘China resolutely opposes hacking actions and has established relevant laws and regulations and taken strict law enforcement measures to defend against online hacking activities,’’ he said.
Yesterday, the Chinese Defense Ministry doubled down, claiming Mandiant’s analyses are scientifically flawed, making them unreliable. “The report, in only relying on linking IP address (sic) to reach a conclusion the hacking attacks originated from China, lacks technical proof,” the ministry said in a statement on its website. “Everyone knows that the use of usurped IP addresses to carry out hacking attacks happens on an almost daily basis. Second, there is still no internationally clear, unified definition of what consists of a ‘hacking attack.’ There is no legal evidence behind the report subjectively inducing that the everyday gathering of online (information) is online spying,” it added.
Mandiant concludes otherwise:
In a State that rigorously monitors Internet use, it is highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai. The detection and awareness of APT1 is made even more probable by the sheer scale and sustainment of attacks that we have observed and documented in this report. Therefore the most probable conclusion is that APT1 is able to wage such a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government. Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1.
China claims that it too is a victim of cyber attacks citing figures that reveal a “considerable number of attacks against them have originated in America. But we don’t use this as a reason to criticize the United States,” the ministry said.
The Mandiant report renders such diplomatic niceties obsolete, and so far, the president has talked the right talk. “Our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems,” he said during his State of the Union speech. “We cannot look back years from now and wonder why we did nothing.” As the detailed report so chillingly emphasizes, doing nothing is no longer an option.
Freedom Center pamphlets now available on Kindle: Click here.