US group takes aim at China's role in cyber wars
A senior figure working for a large European manufacturing company in China tells a story of a blueprint for an industrial process that they just could not get to work. Engineers spent weeks examining the process but found the project lacked something crucial. It was deemed unsustainable and the project was abandoned.
The executive took the abandoned project outline and put it into a heavily encrypted section of the company’s IT system to see what happened. Sure enough, within a couple of weeks, he received a call from a local client. The Chinese company had developed an industrial process, but it seemed to be lacking some crucial elements. Could he have a look at it? Perhaps see how to fix the process?
These stories are common and there are enough verified true stories of hacking and industrial espionage for China to take centre-stage in the debate about what cyber warfare is being waged, and who is the assailant. Various international newspapers say they have been targeted by Chinese hackers, such as the New York Times, the Washington Post and the Wall Street Journal, as has the Bloomberg news agency.
The attacks often coincided with sensitive stories about China, such as the New York Times exposé about Premier Wen Jiabao’s family and their billions, or Bloomberg’s piece about financial holdings by new Chinese leader Xi Jinping’s family.
At the New York Times, hackers installed malware that wasn’t detected by Symantec’s anti-virus software; they installed backdoors, obtained employees’ passwords and accessed the emails of New York Times correspondents David Barboza, who wrote the Wen Jiabao exposé, and former China correspondent Jim Yardley.
Unit 61398 of the People’s Liberation Army is based in Shanghai’s financial hub Pudong, in a 12-storey building in a residential area. Inside this building, a secret group of hundreds, maybe thousands, of hackers forms the core of China’s cyber assault against scores of corporate victims over the past seven years.
The US cyber security group Mandiant believes the attacks, involving hundreds of terabytes, are state-sponsored, and as targeted as any conventional weapon.
The hackers here are the central plank of state-sponsored industrial espionage in China and are behind the specific Advanced Persistent Threat (APT) group that Mandiant has labelled APT1. The group is known to many of its victims in the United States as “Comment Crew” or “Shanghai Group”.
“The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organisation behind APT1,” Mandiant said. “We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398. Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors.”
Unit 61398’s formal name is the 2nd Bureau of the People’s Liberation Army’s General Staff Department’s 3rd Department. APT1 could only be in a position to wage such an extensive cyber espionage campaign with direct government support.