Security firm Mandiant delivers compelling evidence that the Chinese military is behind a torrent of intrusions targeting the networks of U.S.-based companies. Here's what happens next.
The most remarkable aspect of a new and deeply troubling report about network intrusions originating in China is how commonplace they've become. They're no longer a rare occurrence: A single Shanghai-based hacking organization has reportedly compromised at least 141 companies across 20 industries.
Those figures come from a new report from security firm Mandiant, which revealed the global accomplishments of a group of professional hackers dubbed APT1. Mandiant has assembled convincing evidence that APT1 is actually part of People's Liberation Army Unit 61398, an organization so far uninterested in defacing or deleting data from U.S.-based companies -- but keenly interested in stealing it.
APT1 may not have a fixed street address, but PLA Unit 61398 does. It's located in a 12-story office building along Datong Road in Shanghai that's not exactly open to public inspection: Authorities briefly detained a BBC reporter who tried to investigate earlier today.
To try to put APT1's activities -- and the new normal of state-backed intruders trying to gain access to major companies and news organizations -- in perspective, CNET has assembled the following list of frequently asked questions.
Q: What evidence links APT1 and the Chinese military?
It's public record that PLA Unit 61398 is part of the PLA General Staff Department's Third Department (Second Bureau). Unit 61398 is, according to the Project 2049 Institute (PDF), a think tank with close ties to U.S. conservatives, China's "premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence." That would give it partly the same role that the National Security Agency serves for the United States.
Mandiant has highlighted a series of connections offering persuasive evidence that APT1 is part of Unit 61398 -- though, of course, reading its report (PDF) is the best way to draw your own conclusions. Those include APT1's use of network addresses registered in the same part of Shanghai as Unit 61398, Unit 61398's requirements that its personnel be proficient in English and in operating system internals, and public disclosures made by members of APT1. APT stands for Advanced Persistent Threat; Mandiant says it tracks more than 20 APT groups originating in China.
Q: How does APT1 -- or PLA Unit 61398 -- gain access to the networks of companies?
Through targeted attacks and social engineering. One approach is to e-mail an infected .zip file with a From: line that resembles that of a correspondent known to the recipient. If your boss is John Doe, for instance, you might get an e-mail from firstname.lastname@example.org asking you to open a file.
"They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China -- before beginning the cycle again," Mandiant says. "They employ good English -- with acceptable slang -- in their socially engineered e-mails. They have evolved their digital weapons for more than seven years, resulting in continual upgrades as part of their own software release cycle. Their ability to adapt to their environment and spread across systems makes them effective in enterprise environments with trust relationships."
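The lure described above, as an added example that is not part of the CNET article or the Mandiant report: a Python check that parses a raw message and flags a sender whose display name matches a known contact but whose address does not, along with archive-style attachments of the kind the text describes. The address book KNOWN_CONTACTS, the contact addresses, and both sample messages are constructed for this example.

```python
"""Flag spear-phishing tells in a raw e-mail: a familiar display name
on an unfamiliar address, a mismatched Reply-To, or a risky attachment.

Added example; KNOWN_CONTACTS and the two sample messages are constructed.
"""
import email
from dataclasses import dataclass, field
from email import policy
from email.utils import parseaddr

# Hypothetical address book: lower-cased display name -> addresses the
# contact is actually known to send from.
KNOWN_CONTACTS = {
    "john doe": {"john.doe@corp.example"},
}

# Attachment suffixes worth flagging when they arrive unexpectedly.
RISKY_SUFFIXES = (".zip", ".rar", ".7z", ".exe", ".scr")


@dataclass
class Verdict:
    sender_name: str
    sender_addr: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyze(raw: bytes) -> Verdict:
    """Parse a raw RFC 5322 message and return the suspicious indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    verdict = Verdict(name, addr.lower())

    # Display name impersonation: the name is one we know, the address is not.
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and verdict.sender_addr not in known:
        verdict.reasons.append(
            f"display name '{name}' matches a known contact but "
            f"{verdict.sender_addr} is not one of {sorted(known)}"
        )

    # Replies routed somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != verdict.sender_addr:
        verdict.reasons.append(f"Reply-To {reply_to} differs from From")

    # Archive or executable attachments.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(RISKY_SUFFIXES):
            verdict.reasons.append(f"risky attachment: {filename}")

    return verdict


# Constructed lure: familiar name, webmail address, zip attachment.
# The base64 payload is a stub, not a real archive.
SAMPLE_LURE = b"""From: John Doe <john.doe@webmail.example>
To: analyst@corp.example
Subject: Q3 numbers - please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hey, can you open the attached and get back to me today? Thx
--XYZ
Content-Type: application/zip; name="Q3_numbers.zip"
Content-Disposition: attachment; filename="Q3_numbers.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed benign message from the contact's real address.
SAMPLE_LEGIT = b"""From: John Doe <john.doe@corp.example>
To: analyst@corp.example
Subject: Lunch
Content-Type: text/plain

Noon works for me.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        v = analyze(raw)
        print(label, "suspicious" if v.suspicious else "clean", v.reasons)
```

The name-to-address lookup is the part that catches the specific trick in the text; in practice the address book would come from the directory or from historical mail flow rather than a literal dictionary, and the attachment check is a coarse first filter rather than a substitute for detonating the archive.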
Q: How long has APT1 been active?
For at least seven years. A 2006 Symantec report mentions malware with a hostname -- sb.hugesoft.org -- registered to an APT1 member who goes by the moniker "Ugly Gorilla."
Q: What U.S. companies have been targeted?
Google may have been the first major U.S.-headquartered company to disclose the breadth and persistence of attacks originating in China. Intruders managed to compromise the Gmail accounts of human rights workers and foreign journalists working in Beijing. Google's disclosure came in a January 2010 blog post, with reports soon following that said Adobe, Yahoo, Juniper Networks, Symantec, Northrop Grumman, and Dow Chemical had also been among the 34 companies targeted.
More than three years later, China-originating attacks are continuing. In December 2011, the U.S. Chamber of Commerce was reported to have been successfully hit. Last September, Symantec researchers said China-based intruders were taking advantage of previously unknown security holes in software including Adobe Flash Player, Internet Explorer, and Microsoft XML Core Services.
A Bloomberg article last summer traced APT1 from one company to the next, including oilfield services firm Halliburton, the Wiley Rein law firm, DuPont, and India-based ITC. A special unit within the Air Force's Office of Special Investigations was reportedly established to track the Chinese hackers.
Q: Was APT1 responsible for all those attacks?
Probably not. Mandiant says APT1 represents the groups known as "Comment Crew" and "Comment Group" and possibly "Shady Rat," but not "Aurora." Aurora is the name McAfee gave to a different China-based APT group, the one responsible for the attacks on Google's infrastructure over three years ago.
Q: What U.S. media organizations have been the subject of intrusions from China?
The New York Times, the Wall Street Journal, and the Washington Post confirmed over the last few weeks that their internal networks were compromised by intruders with suspected ties to the Chinese government.
The Journal reported that the intruders infiltrated its network "in part through computers in the Beijing office" and that "among the targets were a handful of journalists in the Beijing bureau." The Times' account published January 30 said that "for the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees." The Post acknowledged similar experiences.
Q: Have any U.S. infrastructure companies had their computers infiltrated?
There's evidence that these Chinese hacking groups have infiltrated companies providing U.S. critical infrastructure. Digital Bond, a SCADA security company, last summer disclosed an e-mail phishing attempt aimed at one of its employees. A subsequent third-party analysis found links to APT1.
A Wall Street Journal report from as far back as 2009 said the electrical grid had been penetrated by Chinese hackers, and warned water, sewage, and other infrastructure systems were at risk as well. McAfee said in 2011 that five multinational oil and gas companies had been the victims of successful intrusions by China-based hackers.
An energy industry monitoring company, Telvent Canada, blamed Chinese hackers for stealing sensitive software from its network last year. The Bloomberg article reported that a senior nuclear planner for PG&E, which operates California's Diablo Canyon nuclear power plant, "was at least partly under the control of the hackers" and that the intruders were trying to identify the operations, organizations, and security of U.S. nuclear power-generation facilities.
Q: Have the hackers tried to sabotage anything?
So far, apparently not. APT1's goal appears to be to steal data, including intellectual property, sensitive corporate or business information, executives' e-mail correspondence, and so on.
But once the door is open, intruders can delete data or worse, as the governments of the United States and Israel are reported to have demonstrated with the Stuxnet worm aimed at Iran. The Chinese hackers who entered the networks of U.S. electrical companies have reportedly left software tools behind that could be used to destroy infrastructure components.
Q: What has the Chinese government's response been?
It has reiterated its longstanding response that the allegations are false. "To make groundless accusations based on some rough material is neither responsible nor professional," Foreign Ministry spokesman Hong Lei said today in response to the Mandiant report.
Q: What has the State Department's response been?
State Department spokeswoman Victoria Nuland said today that the United States has expressed its concerns "at the highest level" to the Chinese government:
We are working in an interagency way led by the White House to strengthen the defense of U.S. government networks and to protect our critical infrastructure such as the issuance of the president's new executive order.
We're also trying to strengthen the ability of our private sector to defend against cyberintrusions by releasing more technical data to help them to understand what's going on and how they can protect themselves, and working to coordinate protection of intellectual property.
We've also regularly and repeatedly raised our concerns at the highest level with the Chinese government about cybertheft, including with senior Chinese officials and the military. We'll continue to do that. It comes up in virtually every meeting we have with Chinese officials. And I think you know that we have also, in the context of the Strategic Security Dialogue that Deputy Secretary [William] Burns runs with his Chinese counterpart, established a conversation on cybersecurity.
President Obama's executive order signed last week expands "real-time sharing of cyberthreat information" to companies that operate critical infrastructure, asks NIST to devise cybersecurity standards, and proposes a "review of existing cybersecurity regulation."
Q: And the White House's response?
It's "eyeing fines, penalties and other trade restrictions" that could be imposed upon China, according to an Associated Press report today.
"We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and we will continue to do so," said Caitlin Hayden, spokeswoman for the White House's National Security Council. "The United States and China are among the world's largest cyber actors, and it is vital that we continue a sustained, meaningful dialogue and work together to develop an understanding of acceptable behavior in cyberspace."