Firm says it traced advanced persistent threats to Chinese military unit


Cybersecurity firm Mandiant says in a Feb. 19 report it's traced the source of some advanced persistent threats to a Chinese military unit located in an office building in metro Shanghai.

The Alexandria, Va.-based company says in the report (.pdf) that it observed the organization, most commonly known as Unit 61398, compromise 141 companies across 20 major industries since 2006.

Although in cybersecurity, correctly attributing the source of an attack can be difficult or impossible, Mandiant says the only, unlikely, alternative source besides the Chinese military as the originator of the attacks it attributes to Unit 61398 is a well-resourced, secret organization also with direct access to Shanghai-based telecommunications infrastructure "engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398's gates."

There's little doubt that the attacks Mandiant attributes to the Chinese military originate from mainland China, since according to the report, in 1,849 of the 1,905 Remote Desktop sessions Mandiant cybersecurity researchers saw hackers using as a way to hop from one server to another in an effort to disguise their origin, they also saw that the keyboard layout setting was set to Simplified Chinese characters. Microsoft's Remote Desktop client configures the keyboard layout automatically based on the language of the client system, researchers note--and in Taiwan and Hong Kong, users prefer Traditional Chinese character sets, the report says.

The Internet protocol addresses associated with 817 of the 832 IP addresses that logged into hacker-controlled command and control servers using Remote Desktop resolved back to China, researchers say--and resolved predominantly to four large net blocks in Shanghai.

A conservative estimate of the unit's attack infrastructure would include more than 1,000 servers, researchers say, and given the volume, duration and type of attack activity, would require the support of "linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors."

Researchers appear to have pinpointed the unit's office building through "public sources," including a notice that a construction company completed work of the building in 2007, and that it was explicitly for Unit 61398. They say they found an internal China Telecom document discussing telecommunication infrastructure for Unit 61398.

The unit's primary vector for penetrating networks is through spear-phishing, Mandiant says. After it's convinced a victim to download malware through an email made to look, at first glance, as if it came from a trusted source, it establishes a foothold, escalates privileges, and starts to look for data to exfiltrate.

It primarily targets advanced industry sectors such as information technology, aerospace, telecommunications and scientific research and consulting, but public administration is also high among its most frequent targets, Mandiant says.

For more:
- download the report, "APT1: Exposing One of China's Cyber Espionage Units" (.pdf)

Related Articles:
Lewis: U.S. should go to WTO over Chinese espionage
HSI collars Chinese national in $100 million software copyright infringement case
Chinese telecom officials say spying would undermine business