A detailed new report has found that many members of China's most sophisticated hacking groups are likely run by army officers or contract workers.
February 19, 2013

China's Army might be training the country's next crop of cyberhackers. An investigation by Mandiant, a U.S.-based computer security firm, found that many of the attacks on American corporations and government agencies are coming from a clandestine People’s Liberation Army base on the outskirts of Shanghai. The report found that many members of China's most sophisticated hacking groups are working from around that area, and it's likely that they are run by army officers or contract workers.


The building off Datong Road, surrounded by restaurants, massage parlors and a wine importer, is the headquarters of P.L.A. Unit 61398. A growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.

An unusually detailed 60-page study, to be released Tuesday by Mandiant, an American computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as “Comment Crew” or “Shanghai Group” — to the doorstep of the military unit’s headquarters. The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area.

“Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”

Other security firms that have tracked “Comment Crew” say they also believe the group is state-sponsored, and a recent classified National Intelligence Estimate, issued as a consensus document for all 16 of the United States intelligence agencies, makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like Unit 61398, according to officials with knowledge of its classified content.

What makes these cyber attacks especially troubling is their focus: not just on stealing information, but on obtaining the ability to manipulate American critical infrastructure, the power grids and other utilities:

- Our electrical power grid.

- Our gas lines.

- Our waterworks.

- Another target was a company with remote access to more than 60 percent of oil and gas pipelines in North America.

- The same unit is also responsible for an attack on the computer security firm RSA, whose computer codes protect confidential corporate and government databases.

Officials at the Chinese embassy on Monday said that their government does not engage in hacking.

A classified State Department cable written the day before Obama was elected President in 2008 "described at length American concerns about the group’s attacks on government sites. (At the time American intelligence agencies called the unit “Byzantine Candor,” a code word dropped after the cable was published by WikiLeaks.)"

Obama spoke of the concern over cyber attacks on the U.S. in his State of the Union address, without mentioning China by name. “We know foreign countries and companies swipe our corporate secrets,” he said. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.”

Representative Mike Rogers of Michigan, the Republican chairman of the House Intelligence Committee, said “Right now there is no incentive for the Chinese to stop doing this. If we don’t create a high price, it’s only going to keep accelerating.”

Intelligence blogger Jeffrey Carr of Digital Dao was critical of the report:

My problem with this report is not that I don't believe that China engages in massive amounts of cyber espionage. I know that they do - especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room.

My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges - that there are multiple states engaging in this activity; not just China. And that if you're going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.
