Security firm's report ties China’s army to hacking attempts against US

The NY Times had first dibs on a preview of the 60-page study released today by computer security firm Mandiant, which "tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as 'Comment Crew' or 'Shanghai Group' — to the doorstep of [a Chinese] military unit’s headquarters."

Those headquarters are located in the building shown above (image via Mandiant's report). You can download the report for yourself here (PDF): "APT1: Exposing One of China's Cyber Espionage Units."

Mandiant claims APT1 "has conducted a cyber espionage campaign against a broad range of victims since at least 2006." More highlights from the report:

Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors. The scale and impact of APT1's operations compelled us to write this report. In an attempt to bolster defenses against APT1 operations Mandiant is also releasing more than 3,000 indicators as part of the appendix to this report, which can be used with our free tools and our commercial products to search for signs of APT attack activity.

• APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
• APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations.
• APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
• APT1 maintains an extensive infrastructure of computer systems around the world.
• In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
• The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
• In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.
• Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.
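The report's two defensive points, the indicator appendix released for searching logs (above) and its observation, quoted in the comments below, that blocking Chinese IP space does little because APT1 hops through intermediary systems, can be shown side by side with a small log-matching script. The following is an added example, not code from this post or from Mandiant. Every indicator value, GeoIP range and log line in it is constructed: the IPs come from the RFC 5737 documentation ranges, the domains are under `.test`, and the hash is a placeholder, so none of them are real APT1 indicators.

```python
import ipaddress
import re

# Everything below is constructed for this example. The indicator values are
# NOT from the Mandiant APT1 appendix; they use reserved documentation IP
# ranges (RFC 5737) and .test domains so they can never collide with real hosts.
INDICATOR_DOMAINS = {"update.example-c2.test", "mail.example-relay.test"}
INDICATOR_IPS = {"203.0.113.45"}
INDICATOR_MD5S = {"0123456789abcdef0123456789abcdef"}

# Constructed GeoIP table. 203.0.113.0/24 plays the role of a compromised
# "hop" box in the US that the operators bounce through; 198.51.100.0/24
# plays a legitimate CDN that happens to geolocate to China.
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "CN",
}

# Constructed proxy / DNS / AV log lines in a simple key=value format.
LOGS = """\
2013-02-19T03:12:07Z proxy src=10.1.4.22 dst=203.0.113.45 host=update.example-c2.test method=GET path=/m/index.asp bytes=812
2013-02-19T03:12:09Z dns   src=10.1.4.22 query=www.example.com type=A
2013-02-19T03:14:55Z proxy src=10.1.7.9 dst=192.0.2.10 host=www.example.com method=GET path=/ bytes=5120
2013-02-19T03:20:01Z proxy src=10.1.4.22 dst=198.51.100.7 host=cdn.example.org method=GET path=/img.png bytes=2048
2013-02-19T03:25:30Z dns   src=10.1.7.9 query=MAIL.example-relay.test. type=A
2013-02-19T03:30:00Z av    src=10.1.4.22 file=update.exe md5=0123456789abcdef0123456789abcdef
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp kind k=v k=v ...' into a dict of fields."""
    ts, kind, rest = line.split(maxsplit=2)
    fields = dict(KV.findall(rest))
    fields["ts"], fields["kind"] = ts, kind
    return fields


def load(logs=LOGS):
    """Return (line_number, fields) for every non-empty log line."""
    return [(n, parse_line(l)) for n, l in enumerate(logs.strip().splitlines(), 1) if l.strip()]


def country_of(ip_str):
    """Look the address up in the constructed GeoIP table; '??' if unknown."""
    ip = ipaddress.ip_address(ip_str)
    for net, cc in GEO.items():
        if ip in net:
            return cc
    return "??"


def geo_block(records, blocked=frozenset({"CN"})):
    """Naive policy: drop any connection whose destination geolocates to a
    blocked country. Returns (line, dst, country, blocked?) per connection."""
    verdicts = []
    for n, rec in records:
        dst = rec.get("dst")
        if dst is None:          # DNS and AV lines carry no destination IP
            continue
        cc = country_of(dst)
        verdicts.append((n, dst, cc, cc in blocked))
    return verdicts


def domain_matches(name):
    """Exact or subdomain match, case-insensitive, tolerant of a trailing dot."""
    if not name:
        return False
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in INDICATOR_DOMAINS)


def indicator_match(records):
    """Indicator-based detection: flag lines touching a known IP, domain or hash,
    regardless of where the IP geolocates. Returns (line, sorted match kinds)."""
    hits = []
    for n, rec in records:
        kinds = set()
        if rec.get("dst") in INDICATOR_IPS:
            kinds.add("ip")
        if domain_matches(rec.get("host")) or domain_matches(rec.get("query")):
            kinds.add("domain")
        if rec.get("md5", "").lower() in INDICATOR_MD5S:
            kinds.add("hash")
        if kinds:
            hits.append((n, sorted(kinds)))
    return hits


if __name__ == "__main__":
    recs = load()
    print("geo-block verdicts (line, dst, country, blocked):")
    for v in geo_block(recs):
        print("  ", v)
    print("indicator hits (line, kinds):")
    for h in indicator_match(recs):
        print("  ", h)
```

Run as-is, the geo-block passes line 1 (the C2 beacon, because the hop box geolocates to the US) and blocks line 4 (a benign CDN fetch that geolocates to China), while the indicator match flags lines 1, 5 and 6 on IP, domain and hash respectively and ignores line 4. The `domain_matches` helper also catches a capitalised query with a trailing dot (line 5), which a naive string comparison against the indicator list would miss.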


  1. Espionage is nothing new, but I wonder how long it’ll be before someone declares hacking (especially hacking the military) an act of war.

    On the flip side, I wonder how long it’ll be before companies simply start firewalling off China from their services.

    1. Or pump up (fabricate) claims of it as an excuse for provocative military or political actions. China, Iran/Israel etc…

    2. The report helpfully answers this:
      “We are frequently asked why it is an ineffective security measure to just block all IP addresses in China from connecting to your network. To put it simply, it is easy for APT1 attackers to bounce or “hop” through intermediary systems such that they almost never connect to a victim network directly from their systems in Shanghai. Using their immense infrastructure, they are able to make it appear to victims that an attack originates from almost any country they choose.”

  2. Wouldn’t Mandiant benefit from inflating their targeted numbers? This all feels more like a great marketing job, rather than an indictment against China. Look for yourself, it’s a building with security guards!!!

    Not saying they completely faked the data, really I’m just having a hard time trying to decide who to trust.

    By the way, remember to always ask first when receiving an attachment in a suspicious email.

    1. Are you suggesting that powerful interests might manufacture/exaggerate a threat when convenient to do something incredibly stupid, and that the media and politicians would fall right in line? That is strictly tinfoil hat-ville. Btw, can I have some of that tinfoil? I’ve got this cake over here with yellow frosting that I need to put in the fridge. I got the recipe from Judith Miller.

      1. I have the opposite reaction. I think that China could send troops to the US and kidnap citizens off the street and the US government would pretend that it wasn’t happening in order to keep our trade/financial relations with China on good terms.

    1. And if all our infrastructure is hackable, how do we know it’s not the actual hacker who’s reporting to us that China was the source, when it was actually Luxembourg or some such?

  3. It seems pretty clear to me that Kurt Vonnegut was, in fact, a time traveler. From the Wikipedia synopsis of Vonnegut’s novel, Slapstick:

    In the meantime, Western civilization is nearing collapse as oil runs out, and the Chinese are making vast leaps forward by miniaturizing themselves and training groups of hundreds to think as one. Eventually, the miniaturization proceeds to the point that they become so small that they cause a plague among those who accidentally inhale them, ultimately destroying Western civilization beyond repair.

  4. The Constitution specifically gives Congress the power to authorize letters of marque and reprisal. I think that could work for us here. Just say that until they stop doing this (which they won’t) we won’t prosecute any Americans for hacking targets in China. So if some kid wants to test their chops, they can do it without risking going to jail, maybe make some money selling the info they get, and if they’re impressive enough, probably get hired by the government to keep doing what they’re doing, but on the down low.

  5. Sounds like Mandiant is marketing itself very well with the cowardly giants. Just blame China for all hacking and make up stuff to sound like professional cybersecurity guards of the internet to make big sales to rich companies. It’s a good marketing strategy, but it’s creating a lot of fake cold-war-esque bullshit.

  6. Reading the report, I’ve discovered why too many of my tech toy user manuals are in incomprehensible Chinglish. Those fluent in English must be going for the higher pay at PLA Unit 61398:

    The evidence we have collected on PLA Unit 61398’s mission and infrastructure reveals an organization that:

    » Requires personnel proficient in the English language
