by Thor Olavsrud

Chinese Government’s Link to Cyber Espionage Clearer Than Ever

Feb 20, 2013
Cybercrime, Data Breach, Intellectual Property

It's a common belief in the information security world that the Chinese government is behind many of the advanced persistent threats that target companies around the world in an effort to steal their IP and trade secrets. Now one security firm has come forward with years of evidence to link a prolific APT group to a unit inside the Chinese government.

It has become an article of faith in the information security world that the Chinese government is behind many advanced persistent threats (APTs)—sophisticated, long-term cyber-attacks that target companies for their intellectual property and trade secrets. Expressing the belief is easy, but proving it has been another matter. But one security firm may have the proof.


“It’s very difficult to identify the extent of the risk,” says Peter Toren, a former federal prosecutor in the Computer Crimes & Intellectual Property Section of the U.S. Department of Justice; Toren is now an IP and computer crimes expert with Weisbrod Matteis & Copley and author of Intellectual Property and Computer Crimes.

“In computer hacking, you really only learn about the successful hacks, and even then it’s only the proverbial tip of the iceberg,” Toren says. “Many companies are reluctant for a variety of reasons to report a breach.”

“It’s also very difficult, especially with China, to identify who’s sponsoring the attacks,” Toren adds. “In China, the line between the private enterprise and the state-owned enterprise can be very muddy and blurred. It’s very difficult to distinguish between the two.”

However, Toren notes that about 30 percent of the cases the U.S. government has brought under the Economic Espionage Act of 1996 have had some sort of Chinese connection. The first trial conviction under the act involved Dongfan Chung, a Chinese native working as an engineer at Boeing. Chung spent 30 years providing U.S. aerospace technologies to China, including details on the U.S. Space Shuttle Program and Delta IV rocket. He was sentenced to 16 years in prison in February 2010.

U.S., Allies Must Pressure China to Stop Cyber Espionage

“There is a rich history over the centuries of governments and militaries conducting espionage on each other to better understand each other’s plans, intentions and capabilities,” U.S. Rep. Mike Rogers, chairman of the House Intelligence Committee, said in the opening statement of a hearing on cyber threats in 2011.

“These espionage activities over the years, however, have largely been focused on collecting intelligence on foreign governments and militaries, not on brazen and wide-scale theft of intellectual property from foreign commercial competitors,” he added. “You don’t have to look far these days to find a press report about another firm, like Google, whose networks have been penetrated by Chinese cyber espionage and have lost valuable corporate intellectual property.”

Rogers noted that many targets of these attacks won’t talk about it in the press.

“When you talk to these companies behind closed doors, however, they describe attacks that originate in China and have a level of sophistication and are clearly supported by a level of resources that can only be a nation-state entity,” Rogers said. “Attributing this espionage isn’t easy, but talk to any private sector cyber analyst, and they will tell you there is little doubt that this is a massive campaign being conducted by the Chinese government.”

“China’s economic espionage has reached an intolerable level, and I believe that the United States and our allies in Europe and Asia have an obligation to confront Beijing and demand that they put a stop to this piracy,” Rogers said. “Beijing is waging a massive trade war on us all, and we should band together to pressure them to stop. Combined, the United States and our allies in Europe and Asia have significant diplomatic and economic leverage over China, and we should use this to our advantage to put an end to this scourge.”

While proving Chinese government involvement with the large number of APTs that appear to originate in China has been difficult, security firm Mandiant on Tuesday issued a detailed report with evidence that links one of the largest APT groups in the world—which it calls APT1—directly to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department Military Unit Cover Designator 61398 (or Unit 61398 for short).

The report details how Unit 61398 has allegedly systematically stolen confidential data from at least 141 organizations across multiple industries—mostly in the English-speaking world.

“The scale and impact of APT1’s operations compelled us to write this report,” Dan McWhorter, Mandiant’s managing director of Threat Intelligence, writes in a recent blog post.

“The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one. What started as a ‘what if’ discussion about our traditional nondisclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk of losing much of our ability to collect intelligence on this particular APT group,” McWhorter adds.

“It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively,” McWhorter writes. “The issue of attribution has always been a missing link in the public’s understanding of the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.”

The picture painted by Mandiant’s evidence is not of an uncoordinated organization with limited scope. According to Mandiant, APT1 is just one of more than 20 APT groups with origins in China, but it is one of the most prolific cyber espionage groups in terms of the quantity of information stolen.

APT1 Has Stolen Hundreds of Terabytes of Data

“The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted,” the report notes. “Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control and modus operandi (tools, tactics and procedures).”

According to Mandiant, APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations spanning 20 major industries, and even has the capability to steal from dozens of organizations simultaneously. Mandiant said it observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a 10-month time period.

Once APT1 has established access, it will periodically revisit the target’s network over months or years to steal broad categories of IP, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from the target’s leadership. It maintains access to victim networks for an average of 365 days; the longest time period was four years and 10 months.

Of the 141 victims known to Mandiant, 87 percent are headquartered in countries where English is the native language. Additionally, the industries targeted by APT1 match the industries China has identified as strategic to its growth.

Cyber Espionage Unit Could Have Thousands of Workers

Mandiant says its evidence has led it to connect APT1 to Unit 61398. Unit 61398’s work is considered to be a state secret in China, but Mandiant believes it engages in harmful “Computer Network Operations.” Mandiant notes that Unit 61398 requires its personnel be trained in computer security and computer network operations. It also requires its personnel to be proficient in English.

Unit 61398 operates from a compound in the Pudong New Area of Shanghai. The central building of the compound is a 12-story, 130,663 square foot facility provided with special fiber optic communications infrastructure by China Telecom in the name of national defense. Based on the size of Unit 61398’s physical infrastructure, Mandiant estimates it is staffed by hundreds and possibly thousands of people.

“Given the volume, duration and type of attack activity we have observed, APT1 operators would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators and people who then transmit stolen information to the requestors,” the report notes. “APT1 would also need a sizable IT staff dedicated to acquiring and maintaining computer equipment, people who handle finances, facility management and logistics (e.g., shipping).”

“The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group in China leaves little doubt about the organization behind APT1,” the report says. “We believe the totality of evidence we provide in this document bolsters the claim that APT1 is Unit 61398. However, we admit there is one other unlikely possibility: A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”

As part of the report, Mandiant released more than 3,000 APT1 indicators, including domain names, IP addresses and MD5 hashes of malware. It also released Sample Indicators of Compromise (IOCs) and detailed descriptions of more than 40 families of malware in APT1’s arsenal as well as 13 X.509 encryption certificates used by the group. It also released compilation videos showing actual attacker sessions and their intrusion activities.
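A domain/IP/hash release of that kind is only useful once it is matched against your own telemetry. The following is an added example, not code from the article or from Mandiant, showing how a small indicator matcher would consume such a feed and scan proxy/DNS and endpoint file-hash records. The indicator values and log lines are constructed placeholders (reserved .test/.invalid names, documentation IP ranges, arbitrary hashes) and are not the real APT1 indicators. It also handles two things a first attempt usually misses: a released domain should catch its subdomains too, and hash case must be normalised before comparison.

```python
"""Match a released indicator list (domains, IPs, MD5 hashes) against log lines.

Added example. INDICATOR_FEED and LOG_LINES are constructed placeholders for
illustration; they are not the indicators Mandiant published.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed feed in a simple "type,value" shape (assumed format, not Mandiant's).
INDICATOR_FEED = """
# type,value
domain,c2-example.test
domain,update-check.invalid
ip,192.0.2.45
ip,198.51.100.7
md5,9e107d9d372bb6826bd81d3542a419d6
md5,E4D909C290D0FB1CA068FFADDF22CBD0
"""


@dataclass
class IndicatorSet:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    md5s: set = field(default_factory=set)


def parse_feed(text):
    """Parse 'type,value' lines: skip comments/blank lines, normalise case and
    trailing dots, and reject malformed IPs or hashes rather than storing them."""
    ind = IndicatorSet()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind, value = kind.strip().lower(), value.strip().lower().rstrip(".")
        if kind == "domain" and value:
            ind.domains.add(value)
        elif kind == "ip":
            ind.ips.add(str(ipaddress.ip_address(value)))  # raises on garbage
        elif kind == "md5" and re.fullmatch(r"[0-9a-f]{32}", value):
            ind.md5s.add(value)
        else:
            raise ValueError(f"malformed indicator line: {raw!r}")
    return ind


def domain_matches(hostname, ind):
    """True if hostname equals an indicator domain or is a subdomain of one,
    so 'c2-example.test' also catches 'mail.c2-example.test'.  Plain substring
    matching would wrongly flag 'notc2-example.test'; suffix-by-label does not."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in ind.domains for i in range(len(labels)))


# Constructed log records: "ts host kind target last_field", where kind is
# dns/conn (target=name, last=dst IP) or hash (target=path, last=MD5).
LOG_LINES = [
    "2013-02-19T08:01:02 ws-17 dns mail.c2-example.test 203.0.113.9",
    "2013-02-19T08:01:05 ws-17 dns www.example.com 203.0.113.10",
    "2013-02-19T08:02:11 ws-22 conn intranet.local 198.51.100.7",
    "2013-02-19T08:03:40 ws-22 hash C:\\Users\\a\\AppData\\svchost.exe E4D909C290D0FB1CA068FFADDF22CBD0",
    "2013-02-19T08:04:00 ws-09 hash C:\\Windows\\notepad.exe 0cc175b9c0f1b6a831c399e269772661",
]


def scan(lines, ind):
    """Return a list of (log_line, reason) for every record that hits an indicator."""
    hits = []
    for line in lines:
        ts, host, kind, rest = line.split(maxsplit=3)
        target, last = rest.rsplit(maxsplit=1)  # paths may contain spaces
        if kind in ("dns", "conn"):
            if domain_matches(target, ind):
                hits.append((line, f"domain:{target.lower()}"))
            if last in ind.ips:
                hits.append((line, f"ip:{last}"))
        elif kind == "hash" and last.lower() in ind.md5s:
            hits.append((line, f"md5:{last.lower()}"))
    return hits


if __name__ == "__main__":
    indicators = parse_feed(INDICATOR_FEED)
    for line, reason in scan(LOG_LINES, indicators):
        print(reason, "<-", line)
```

Run as a script it reports three hits: the subdomain of a listed C2 domain, the connection to a listed IP, and the upper-case MD5 that would have been missed without normalisation. Against real logs the same structure applies, but the feed would be the published indicator files and the log parser would follow your proxy, DNS and EDR export formats.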

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers.