Want CNET to notify you of price drops and the latest stories?

Chinese Army linked to hacks of U.S. companies, agencies

Security researcher hired by New York Times says an "overwhelming percentage" of hacks originate from a 12-story building in Shanghai associated with the Chinese military.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read

An "overwhelming percentage" of cyberattacks on U.S. corporations, government agencies, and organizations originate from a 12-story office tower on the outskirts of Shanghai that's connected to the People's Liberation Army, according to an extensive New York Times report.

The newspaper cites a 60-page report by U.S. security firm Mandiant that traces the activities of a sophisticated Chinese hacking group -- known in some circles as "Comment Crew" or "Shanghai Group" -- to the headquarters of People's Liberation Army Unit 61398. The report notes that a body of digital forensic evidence led investigators to the building's doorstep but was unable to confirm that the hackers were inside the building.

However, Mandiant argues that there is a realistic explanation for the large number of attacks emanating from such a small neighborhood populated with restaurants and massage parlors.

"Either they are coming from inside Unit 61398," Kevin Mandia, the founder and chief executive of Mandiant, told the Times, "or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood."

As part of its report, Mandiant also released a highly detailed video (see below) that it says shows actual attacker sessions conducted by a hacker group in China. Mandiant calls it the Advanced Persistent Threat group 1, or APT1.

"Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors," according to Mandiant.

Chinese authorities told the NYT that its country does not engage in computer hacking.

The probe came after the newspaper revealed last month that it was the victim of a four-month cyberattack in which hackers stole the passwords of its employees in an effort to get information on sources and contacts for a story on Chinese Prime Minster Wen Jiabao. According to the Times, the methods these hackers used were similar to past attacks by the Chinese military.

The Wall Street Journal and Washington Post also reported being the victims of similar hacks. The newspaper hired Mandiant to investigate the hack but found that the Comment Crew was not responsible for the sophisticated hack.

Mandiant said it had been tracking Comment Crew for more than six years and had traced its activities to IP addresses that were registered in the same neighborhood as Unit 61398's building.

"It's where more than 90 percent of the attacks we followed come from," Mandia told the Times.

The report comes as the U.S. begins a more aggressive policy of cyberdefense against hackers like those suspected to be in China. Under a long-anticipated executive order signed last week by President Obama, companies will be allowed to share confidential information such as hackers' unique digital signatures with intelligence agencies without oversight.