February 20, 2013

In a drab Shanghai office block, Unit 61398, China’s cyberwarriors, hack heart of the West

On one side of the little street on the outskirts of Shanghai are three shops selling lighting fixtures, sweets and wall clocks. On the other is a 12-storey tower that may have become the most valuable military target on the planet.

For within this drab compound of the People’s Liberation Army (PLA) lies Unit 61398, the heart of China’s cyber-espionage programme and one of the most aggressive hacking groups in the world.

According to a report by Mandiant, the US computer security company, the “Shanghai Group” operates under the direct orders of China’s military. It is believed to have pilfered hundreds of terabytes of sensitive data from more than 141 companies and institutions around the world. Five victims were in the UK.

Alarmingly, the most recent wave of attacks has been against US infrastructure: power grids, oil pipelines, water networks and other industries that would be significant security risks if cyber-espionage were to develop into open cyber-warfare.

The entity involved in that side of things, the report says, is known as the Comment Crew because it worms its way into corporate databases via code and comments inserted into their websites.

The report’s identification of a specific building as the source of so much co-ordinated, state-sponsored hacking is unprecedented and is the latest evidence to incriminate Beijing in a systematic campaign of cyber-espionage.

The Chinese have consistently denied the practice. Hong Lei, a Foreign Ministry spokesman, said yesterday: “Hacking attacks are transnational and anonymous. Determining their origins is extremely difficult. We don’t know how the evidence in this so-called report can be tenable.”

But Mandiant, which traced this “advanced persistent threat” back to the block in Shanghai, believes there can be no other conclusion.

The streets around the compound are full of massage parlours, dingy hotels, convenience stores and karaoke bars — familiar furniture outside PLA bases. What is notable, say Japanese cyber-crime specialists who monitor Shanghai’s hacking activities, is that when the restaurants outside the base fill up during the lunch hour, the pace of cyber attacks slows down.

Paranoia is also evident around the base. A sales assistant working in a snack shop acknowledged that the area was teeming with PLA, and that the shop itself was owned by the wife of an officer. Asked what the soldiers of Unit 61398 did, she received a sharp elbow in the ribs from her boss: “We don’t know and we don’t care,” she said, quickly.

The testimony of tradesmen in the surrounding streets appeared to confirm Mandiant’s claim that the block was at the centre of a huge complex housing more than 1,000 computer servers and an army of linguists, researchers and other technicians working in support of the hackers.

Several years ago, when its operations were still gearing up, Unit 61398 was known to be recruiting in China’s best universities, enticing students with computer science skills through generous military scholarships.

The Mandiant report said that for six years cyber raids had been directed at corporate intellectual property, the latest technologies, manufacturing processes and sensitive government networks. Hackers working for Unit 61398 would embed themselves within the target networks for an average of a year, feeding data back to Shanghai.

Mandiant’s claim is backed up by the National Intelligence Estimate, which collates information from US intelligence agencies and which argues that many Chinese hacking groups are either run by army officers or are contractors working for commands such as Unit 61398.

A China-based executive of a US energy company that has used Mandiant said: “We know that we have been the targets of persistent cyber-attack for years and suspected that they emanated from China. The really big question is, given the sensitivity of the energy industry, whether this is simple theft or part of something strategic and military. We see this report as one in a line of smoking guns.”

Dr Irving Lachow, a cyber-security expert at the Centre for a New American Security, an independent think-tank, said that the report exposed a new trend in Chinese cyber attacks, namely the focus on critical infrastructure. “It’s one thing if they are stealing secrets from Coca-Cola, but it’s much more worrying if they are targeting information that could lead them to understand the vulnerability of our pipelines,” he said.

Tommy Vietor, a spokesman for President Obama’s National Security Council, said that the Administration had “repeatedly raised our concerns at the highest levels about cyber-theft with senior Chinese officials, including in the military”.

George Little, the Pentagon spokesman, said that the Defence Department had begun recruiting thousands of specialists for its Cyber Command organisation to counter the threat.