Tuesday, February 19, 2013

China's cyberwar: Intrusions are the new normal (FAQ)

Security firm Mandiant delivers compelling evidence that the Chinese military is behind a torrent of intrusions targeting the networks of U.S.-based companies. Here's what happens next.
The Shanghai offices of People's Liberation Army Unit 61398, the apparent home of a Chinese hacking group that has bedeviled U.S. companies for seven years.
(Credit: Reuters via BBC)

The most remarkable aspect of a new and deeply troubling report about network intrusions originating in China is how commonplace they've become. They're no longer a rare occurrence: A single Shanghai-based hacking organization has reportedly compromised at least 141 companies across 20 industries.
Those figures come from a new report from security firm Mandiant, which revealed the global accomplishments of a group of professional hackers dubbed APT1. Mandiant has assembled convincing evidence that APT1 is actually part of People's Liberation Army Unit 61398, an organization so far uninterested in defacing or deleting data from U.S.-based companies -- but keenly interested in stealing it.
APT1 may not have a fixed street address, but PLA Unit 61398 does. It's located in a 12-story office building along Datong Road in Shanghai that's not exactly open to public inspection: Authorities briefly detained a BBC reporter who tried to investigate earlier today.
To try to put APT1's activities -- and the new normal of state-backed intruders trying to gain access to major companies and news organizations -- in perspective, CNET has assembled the following list of frequently asked questions.
Q: What evidence links APT1 and the Chinese military?
It's public record that PLA Unit 61398 is part of the PLA's General Staff Department's third department (second bureau). Unit 61398 is, according to the Project 2049 Institute (PDF), a think tank with close ties to U.S. conservatives, China's "premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence." That would give it partly the same role that the National Security Agency serves for the United States.
Mandiant has highlighted a series of connections offering persuasive evidence that APT1 is part of Unit 61398 -- though, of course, reading its report (PDF) is the best way to draw your own conclusions. Those include use of network addresses in the same vicinity, Unit 61398's focus on English language requirements and operating system internals, and public disclosures made by members of APT1. APT stands for Advanced Persistent Threat; Mandiant says it tracks more than 20 APT groups originating in China.
Q: How does APT1 -- or PLA Unit 61398 -- gain access to the networks of companies?
Through targeted attacks and social engineering. One approach is to e-mail an infected .zip file with a From: line that resembles that of a correspondent known to the recipient. If your boss is John Doe, for instance, you might get an e-mail from john.doe@gmail.com asking you to open a file.
"They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China -- before beginning the cycle again," Mandiant says. "They employ good English -- with acceptable slang -- in their socially engineered e-mails. They have evolved their digital weapons for more than seven years, resulting in continual upgrades as part of their own software release cycle. Their ability to adapt to their environment and spread across systems makes them effective in enterprise environments with trust relationships."
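The lure described above (a familiar name on an unfamiliar address, with an archive attached) is something a mail gateway or triage script can flag. The following is an added example, not code from the article or from Mandiant; the contact directory, the example.com domain and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of known correspondents (display name -> trusted address).
# The names and the example.com domain are assumptions for this example.
KNOWN_CONTACTS = {"John Doe": "john.doe@example.com"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")


def analyze_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    expected = KNOWN_CONTACTS.get(name.strip())
    # A familiar display name on an unfamiliar address is the lure the article describes.
    if expected and addr.lower() != expected.lower():
        findings.append(("lookalike-sender", f"'{name}' sent from {addr}, directory has {expected}"))
    # Replies routed somewhere other than the From address are a second impersonation tell.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(("reply-to-mismatch", f"Reply-To {reply_to} differs from From {addr}"))
    # Archive attachments from a suspicious sender deserve a closer look before opening.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(ARCHIVE_EXTENSIONS):
            findings.append(("archive-attachment", filename))
    return findings


# Constructed sample resembling the lure in the article: familiar name, webmail address, .zip attached.
SAMPLE_LURE = b"""From: John Doe <john.doe@gmail.com>
To: analyst@example.com
Subject: Q1 numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached file.
--b1
Content-Type: application/zip; name="report.zip"
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for code, detail in analyze_message(SAMPLE_LURE):
        print(f"{code}: {detail}")
```

A message from the address the directory expects, with no archive attached, produces no findings, so the check only fires on the mismatch the article describes.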