No Asia-based conspiracy theory-oriented blog can ignore the People’s Liberation Army unit #61398, the Shanghai-based cyber warfare unit that targets western governments and corporations. Every Fortune International top company knows about #61398, as their networks have either been hacked or under attack by what US-based security firm Mandiant dubbed ““Advanced Persistent Threat 1”. In a blockbuster study released on 18 February 2013, Mandiant’s APT1 Exposing One of China’s Cyber Espionage Units brought this state-sponsored cyber terrorism organization into the public’s eye. Mandiant followed up in March 2014 with Beyond the Breach and those two articles are the principal sources for this blog, supplemented by various Financial Times, Foreign Policy and New York Times articles. But the one-stop reference point this week is found at http://intelreport.mandiant.com/ for Mandiant’s two reports on PLA Unit #61398. Mandiant undertook a multi-man year investigation to determine what “APT1” was and who was behind it. It doesn’t take a big leap of imagination to guess that the US intelligence community was helping Mandiant along the way, hoping that the report might result in China behaving more responsibly. This was in the pre-Snowden era when the US could still claim to be an ethical spying nation. Post Stuxnet, post-Snowden that seems to be a tenuous position.
Sea of Lies features Rear Admiral Zhao Zhiyuan, a fictionalized head of Unit #61398 who plays a prominent role in linking Iran and China in one of the main plot lines. The imagined collaboration of these unlikely bedfellows in a nefarious Distributed Denial of Service plot against the National Geospatial-Intelligence Agency (“NGA”) is yet another reason I’m unlikely to be visiting either Teheran or Shanghai any time soon.
As a footnote, peer computer security company FireEye bought Mandiant for $1bn in early 2014. I suspect that Mandiant’s exposé on PLA Unit #61398 boosted its value. I’m not quite as optimistic as to what True Lies might someday fetch at auction.
As per the rest of July, today’s blog lacks photos and more detailed sources. Next week I’m out of the North Woods.
Bradley West, British Columbia, 26 July 2015
China, no bastion of human freedom or respecter of others’ property
China is the world’s newest superpower and history’s most sophisticated and longstanding suppressor of human expression. Recall that the first emperor Qin Shi Huangdi oversaw the burning of Confucian texts in 213 B.C. China valued censorship then as it does now. The flip side is that China is equally committed to stealing military, political, economic and industrial secrets of friends and rivals alike.
The mission of People’s Liberation Army Unit #61398 is steal intellectual property from Western nations, especially in strategic industries, while the Ministry of State Security (the CIA’s counterpart) undertakes more traditional intelligence gathering and analysis.
There are about twenty military and paramilitary cyber-attack groups throughout China. Unit #61398 is the largest and most prominent. It’s government-funded with specific objectives assigned by target company and area. Military-grade computer networks provide the IT backbone.
Since 2006 #61398 has stolen terabytes of data from over one hundred forty organizations in twenty industries worldwide. At least dozens, but probably hundreds, of operators and hundreds more support people work in the headquarters building located in Shanghai’s Pudong district. While the unit’s work is sophisticated on certain levels, on others it’s amateurish. For example, most malware designed by the unit defaults into Simplified Chinese language settings.
Unit #61398: hidden in the PLA bureaucracy
The General Staff Department (GSD) within the PLA is the most senior unit, akin to the Joint Chiefs of Staff in the US. The GSD establishes doctrine and provides operational guidance to the PLA. Within the GSD, the 3rd Department focuses on signal intelligence, foreign language proficiency and defense information systems. The 3rd Department’s mission is a blend of the US National Security Agency, the Defense Language Institute and parts of the Defense Information Systems Agency. There are 130,000 personnel within the PLA, divided among 12 bureaus. The 2nd Bureau is #61398, so named because that’s its Military Unit Cover Designator (MUCD). (All China military units have MUCDs of five digits as a shorthand disguise.)
Unit head Rear Admiral Zhang Zhaozhong was a professor who helped shape the future of China’s information warfare strategy once he moved across and became a Rear Admiral in the Navy. He is the author of Network Warfare and Winning the Information War. He became the director of the Military Technology and Equipment Department.
The Unit’s 12-story Pudong office building at 208 Datong Rd is 130 ft2, indicating a capacity of two thousand staff. Unit #61398 has even larger buildings, but this is the most prominent one involved in the cyberattacks. The adjacent support units (e.g. clinic, kindergarten, guest houses) suggest high ranking military units are also nearby.
Unit employees demonstrate strong English language proficiency, but they remain non-native speakers. Mostly they author malware and try to hack computer networks. Recruitment advertisements for the unit emphasize strong English plus computer programming capabilities, or digital signal processing and/or stenography skills.
Two of the Unit’s four home IPs addresses are located in the Pudong New Area. China Unicom is the Unit’s principal telecoms provider, backed up by China Telecom.
Lots of Shenanigans through the 2013 report date
Of the 141 victims identified by Mandiant, 87% of them were headquartered in an English native language country. In 2011-2012, #61398 set up 937 Command and Control (C2) servers hosted on 849 IP addresses in 13 countries, with China (709) and US (109) the predominate homes. Mandiant observed the Unit’s attack infrastructure 1905 times, with 97% of these instances originating from Shanghai using systems set to simplified Chinese characters.
As of 2014, China Telecom and Unit #61398 were co-building computer network operations infrastructure including fiber optic lines and described as “national defense construction”.
China said in 2013 via a PLA newspaper that a “Blue Team” had been created to defend against cyber-attacks, so the Unit was already in the NSA’s crosshairs.
Listed from the first year in which Mandiant traced an attack (with the cumulative number of targets in parentheses):
2006: IT (19), Transportation, High Tech electronics
2007: Financial Services, Navigation, Legal Services
2008: Engineering Services, Media, Advertising and Entertainment, Food and Agriculture, Satellites and Telecoms (12), Chemicals
2009: Energy International Organizations, Scientific Research and Consulting (11), Public Administration (12), Construction, Aerospace (16)
2010+: Education, Healthcare, Metals and Mining
Data theft techniques: the pointy end of the stick
Aggressive spear phishing is the core technique which opens up target networks to exploitation by custom digital weapons which end up exporting compressed bundles of files to China. The Unit #61398 scammers use good English with acceptable slang. Over the seven years they Unit has been active, they’ve upgraded their capabilities.
The initial spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line of the email and text are totally relevant to the target (hence “spear phishing”).
Unit #61398 creates webmail accounts using real people’s names. If you are duped and click on [ABC Press] Release you would have unleashed a custom backdoor that would have milked the files on the corporate server.
Most of the malignant files are in ZIP format. Some others are “.pdf” in appearance, but there are “…” (Ellipses) after the file appendix. This is a DANGER SIGNAL. The actual file appendix is a ‘.exe’ but this is visible only after 119 blank spaces have been inserted!
Specific backdoors created and maintained by Unit #61398 include:
- Hacksfase
- Greencate
- Googles
- RAVE
- BANGAT
- LONGRUN
- LIGHTBOLT
Unit #61398 hops around from IP addresses using FTP and Remote Desktop approaches.
Fake websites registered to the PLA and showing up in Mandiant’s investigations include:
- AOLDaily.com
- CNNDaily.com
- Defenceonline.net
- MyYahooNews.com
- NYTimesNews.net
- TodayUSA.org
Beyond the Breach, Mandiant’s April 2014 update
Attackers live in a victim’s network about 230 days before being discovered.
Only 33% of organizations find the intruders themselves.
44% of phishing emails had IT-themes and 93% came on weekdays. With a hit rate of 0.04%, these emails were still quite successful.
After the Feb 2013 Mandiant report publication, Unit #61398 delayed its restart by several months, and they moved their operational infrastructure. The unit didn’t get back to full operations for 81 days, and then took another 70 more days to resume pre-disclosure attack levels. The Unit changed more than 3000 indicators following the publication of the report, a large amount of it operational architecture. So if the US intelligence agencies were helping Mandiant with its report, they earned a return on their investment.
Just like Fight Club, there are a few rules to observe
Media organizations reporting on the malfeasance of senior political figures or otherwise acting as fecal agitators find their staffs and their computer networks under attack. A New York Times report (25 October 2012) sensationally reported that relatives of Premier Wen Jiabao had a $2.7bn net wealth, including wife and mother. This revelation caused a frenzy in domestic social media which China’s censors failed to suppress. Retribution took the form of Unit #61398 hacking into the Times’ computer networks. The FBI suggested that the Times call in Mandiant. Such was the degree of the penetration that it took the firm two weeks to root out all the malware and spyware.
In parallel, the same group attacked the email accounts of David Barboza, NYT Shanghai Bureau chief and story author. Jim Yardley, former Beijing bureau chief, found himself subjected to the same treatment. The NYT could no longer obtain residency for its staff in China, either.
The Wall Street Journal’s computer networks were also targeted to monitor the paper’s China coverage.
Peter Ford, President of the Foreign Correspondents Club of China, said that members have had malware put on computers by hackers based in China.
In a February, 2013 CNN online report, Chad Sweet, ex-CIA and Homeland Security official was quoted as saying, “We’re essentially facing a new Cold War – a cyber-Cold War. The destructive capacity is equal to that of a nuclear warhead . . . but . . . there’s no easily identifiable plume.” He added, “The old ‘Mutually Assured Destruction’ doctrine is quite difficult to implement in the modern age.” If the US threatened China’s claim over Taiwan and its back was up against the wall, then China might “pull the trigger.” “On this, American hands are not clean.” Amen to that sentiment, Mr. Sweet.
The US certainly has given China cause to beef up its cyberwarfare capabilities
In a 20 April 2014 article, the Financial Times reported that China’s state-owned news agency Xinhua claimed that attacks from US directly controlled 1.18m computers in China in March and April 2014 alone. There were 2077 Trojan horses or botnets used in the hacks and China websites suffered 57,000 backdoor attacks from US computers.
In reply the China government now de-emphasized Microsoft software. Windows XP is still heavily used. China doesn’t trust Windows 8 though Microsoft said it’s more secure. Yes, it may be, but in my opinion Windows 8 is also almost impossible to use and a real step-down from Windows 7.
The best defense is a good offense: the US indicts five PLA Unit #61398 men
The following month in May 2014 the US Department of Justice indicted five China military hackers. Attorney General Eric Holder charged that these military officers for allegedly targeted Alcoa, Allegheny Technologies, SolarWorld, US Steel (via the steelworkers union) and Westinghouse Electric.
The US listed what had been stolen:
- SolarWorld corporation’s innovations and manufacturing metrics
- Nuclear power plant technology from Westinghouse Electric Coy
- Westinghouse’s corporate strategy, including CEO emails and bid strategies
- Data enabling China to outwit US regulators, e.g. steel industry, including the union
US said that these attacks were state-sponsored with the intent to gain commercial advantage. China denied charges as “fabrications” and a “serious breach of international norms”. The FBI tracked the hacking back to Unit #61398 in Shanghai.
Mike Rogers, Chairman of House Intelligence Committee said, “This had to be done. There has been the unmitigated rape of American IP.”
China’s US ambassador Cui Tiankai said to CNN, “It’s really amazing some people still believe they have the moral high ground and credibility to accuse others, if we consider the Snowden revelations.”
“Compared even to other countries like Russia, the quality of China hacking attacks is very poor.” Said one China cyber security expert. “For every one hundred attacks we make, the US is able to detect eighty of them, whereas for Russia it’s the opposite. For every one hundred they make, only twenty are discovered.”
Fang Binxing, the father of China’s “Great Firewall” internet censorship regime, said that China needs to elevate its cyber warfare capabilities and priorities to at least the same level as tactical nuclear warfare.
* * * * *
As the late, great Kurt Vonnegut once wrote, “And so it goes.”