“Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.”
According to the New York Times, this revelation lines up with a recent classified National Intelligence Estimate that “makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like Unit 61398.”
Here’s what you need to know about this possible Chinese cyber-army:
APT1 is likely PLA Unit 61398. Mandiant believes APT1 is the same as the 2nd Bureau of the PLA General Staff Department’s 3rd Department, commonly known by its unit distinction 61398. Unit 61398 is classified, but Chinese network security experts have mentioned it as the source of their expertise in published reports, and an internal memo from state-controlled China Telecom obtained by Mandiant details how infrastructure for their headquarters was co-built with the Unit “based on the principle that national defense construction is important.” However, there is one unlikely alternative outlined by Mandiant:
“A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”
APT1 victims are mostly in the U.S. and in industries China considers strategically important. Of the 141 breaches Mandiant has studied, 115 were U.S. based companies, and 87 percent of them were headquartered in countries where English is the primary language. English proficiency appears to be a key recruiting factor for Unit 61398. APT1’s victims include companies in four of the seven strategic emerging industries China identified as key in its 12th Five Year Plan.
The resources behind the attacks and amount of data culled are huge. Mandiant “conservatively” estimates 1,000 servers would be needed to support APT1’s current attack infrastructure with potentially hundreds of human operators. While it’s hard to put a figure on how much total data the group has lifted because of how well it covers its tracks, Mandiant witnessed them steal as much as 6.5 terabytes of compressed data from just one organization over a ten-month window.
APT1 attacks are long-term infiltrations. The attacks from the group started as far back as 2006 with an average of 356 days of access to a victim’s networks. Mandiant says APT1 maintained access to one victim’s network for at least 1,764 days — over four years.
China’s denies involvement. According to the New York Times: “Contacted Monday, officials at the Chinese embassy in Washington again insisted that their government does not engage in computer hacking, and that such activity is illegal.”
If Mandiant is correct in its assertions about APT1 and Unit 61398, China wouldn’t be the only country engaged in aggressive cyber actions as international norms in the space are still being shaped: The U.S. has reportedly engaged in malware development targeting Iran’s nuclear facilities and President Obama signed a secret directive in October aimed at reclassifying some cyberactions previously considered offensive as defensive.
Cybersecurity has increasingly been seen as a major national and economic security threat. President Obama recently signed another directive and an executive order aimed at improving the security of privately owned critical infrastructure via information sharing and lawmakers on Capitol Hill reintroduced the controversial cybersecurity proposal from 2012 CISPA the next day.