Update: On February 28, the Chinese military stated that almost two-thirds of the 144,000 hacking attacks on Chinese military websites in 2012 originated from the US. “According to the IP addresses, the websites were, in 2012, hacked on average from overseas 144,000 times a month, of which attacks from the US accounted for 62.9%,” Geng Yansheng, the spokesman for the Ministry of National Defense said on the ministry’s website.
Last week, an American security firm published a study that suggests that the Chinese military is part of a sophisticated hacking group that has targeted several American companies.
On February 20, 2013, Mandiant, the American computer security firm, published a 60-page study, which tracked members of a sophisticated Chinese hacking group — known to those affected in the United States as the “Comment Crew” or “Shanghai Group”— to a neighborhood where the People’s Liberation Army Unit 61398 (P.L.A. Unit 61398) is located.
While the study could not place the hackers inside the building housing the military unit, in a New York Times interview, Kevin Mandia, founder and chief executive of Mandiant, stated: “Either they are coming from inside Unit 61398 or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
The Mandiant study notes that the cyber espionage group — known as Advanced Persistent Threat 1 (APT1) — is most likely government-sponsored: it is able to “wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.”
Further, the study finds that P.L.A. Unit 61398 is similar to the cyber espionage group in its mission, capabilities, and resources and that P.L.A. Unit 61398 is located in the same area from where the APT1 activity originates.
According to the Mandiant study, P.L.A. Unit 61398 is a state secret and engages in harmful “Computer Network Operations.” The study also notes that China Telecom provided special fiber-optic communications infrastructure for the unit, and that the unit requires personnel to be both trained in computer security and network operations, in addition to having proficiency in the English language.
According to a New York Times investigation, other security firms that have tracked the “Comment Crew” also believe that the group is state-sponsored. Officials with knowledge of a recent classified National Intelligence Estimate say the estimate makes a strong case about the cyber espionage group’s origins: that its members are either Chinese army officers or contractors working under the command of P.L.A. Unit 61398. National Intelligence Estimates are the US intelligence community’s written assessments of specific national security issues.
Theft of intellectual property
The goal of APT1’s cyber espionage activities is the theft of intellectual property, according to the Mandiant study, which notes that since 2006 APT1 has compromised 141 companies in 20 major industries.
Upon establishing access, APT1 periodically revisits the affected network over a period of several months, to steal intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists of an organization’s leadership.
The Mandiant study concludes that the APT1 targets match industries that China has identified in its 12th Five Year Plan as strategic to the country’s growth.
More alarming, the New York Times investigation notes, is the implication that while APT1 has gained access to data from companies like Coca-Cola, its focus has been on companies involved in critical infrastructure in the United States, including the electrical power grid, gas lines, and waterworks. One target was a company with remote access to more than 60 percent of oil and gas pipelines in North America.
The Mandiant study is one of the many reports that suggest that attacks on networks of corporations originate from China. In January 2010, in a blog post, Google announced that it was the target of cyber-attacks originating from China. The blog stated: “in mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.”
Further, Google noted that it was not the sole target of the attack: “at least twenty other large companies from a wide range of businesses—including the internet, finance, technology, media, and chemical sectors” had also been targeted.
Google said that it had evidence to suggest that a key goal of the attacks was to access the Gmail accounts of Chinese human rights activists.
Google advised its users to utilize reputable anti-virus and anti-spyware programs, and to update their browsers in order to avoid falling victim to such attacks.
In January 2006, Google launched Google.cn in China. Google noted that while the benefits of increased access to information in China outweighed their discomfort with agreeing to censor some results, the attacks on and limits to free speech on the web led Google to shut down Google.cn.
How will the United States respond to the Mandiant study?
In a press briefing, US Press Secretary Jay Carney said the White House is aware of the Mandiant report and cyber espionage is a major national security challenge for the White House.
This echoes President Barack Obama’s comments during his State of the Union address, when he stated: “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
However, the New York Times investigation states that the government will not explicitly link APT1 to the Chinese army. “There are huge diplomatic sensitivities here,” said one intelligence official quoted by the New York Times. The investigation notes that the Obama administration plans to discuss the matter with China in the coming weeks.
China’s criticism of the report
The Mandiant study has received substantial criticism from Chinese media, government, and policy circles.
“Making unfounded accusations based on preliminary results is both irresponsible and unprofessional, and is not helpful for the resolution of the relevant problem,” Hong Lei, a ministry spokesman, was quoted as saying by the New York Times. “China resolutely opposes hacking actions and has established relevant laws and regulations and taken strict law enforcement measures to defend against online hacking activities,” added Lei.
Geng Yansheng, the spokesman for the Ministry of National Defense, was quoted by The Global Times, a Chinese newspaper, as saying: “the Chinese military has never backed any hacking actions.”
Geng also stated that Chinese military users connected to the Internet have come under cyber-attack from abroad. Further, Geng noted that the IP addresses of the attackers suggest that the majority of the attacks on China originate from the US, “but we do not point fingers at the US based on the aforementioned findings, and every country should deal with cyber security in a professional and responsible manner.”
The Mandiant report has also raised debate in policy circles about how the US will respond to alleged cyber-attacks on American corporations by the Chinese military. Shen Dingli, the director of the Centre for American Studies at Fudan University, told The Global Times that the Obama administration might take punitive measures such as issuing visa bans on Chinese military personnel, which would exert limited influence on China-US relations.
Da Wei, an American studies expert at the China Institute of Contemporary International Relations, told The Global Times that in the face of potential retaliatory measures, China should be concerned about changes in the United States’ cyber security strategy.
Some Chinese analysts claim that players like Mandiant and the US are trying to raise the profile of their cyber security activities. The People’s Daily noted that the Mandiant study’s allegations against the Chinese military are an excuse for the US government to expand its cyber security activities and to impose additional technology restrictions on China. He Hui, vice director of the Public Relations and Public Opinion Institute of Communication University of China, told the Global Times: “The US media has been sensationalizing the so-called Chinese cyber-attack to increase the world’s unnecessary wariness against China and it would also give its [American] military forces excuses to invest more in its own cyber espionage technology.”
Other criticisms of the Mandiant study
China is not alone in its criticism of the Mandiant study. In a blog post, Jeffrey Carr, the founder and CEO of the cyber security firm Taia Global Inc., argued that the Mandiant report has critical analytical flaws, and that alternative explanations for why the attacks originated from the neighbourhood where P.L.A. Unit 61398 is housed have not been fully investigated.
In an email to Business Insider, Carr explained: “the biggest problem, as I wrote in my blog, is that Mandiant’s conclusions do not exclude other threat actors besides China. Nor do they eliminate the possibility that other foreign intelligence services are using China as a false flag to disguise their own cyber espionage operations. All they need to do is set up a business in Shanghai.” He also emphasized that the IP addresses were traced to the neighborhood where P.L.A. Unit 61398 resides, not to the building itself.
Why did Mandiant publish its study?
According to a report in the San Francisco Chronicle, security firms like Mandiant have a strong financial incentive, as well as confidentiality agreements, to keep the names of their clients secret. Mandiant states that it decided to publicize the study’s results because it wanted to call out China’s systemic hacking and to help security professionals. The San Francisco Chronicle report states that Mandiant has an obvious commercial interest in releasing such a sensitive report: while its existing customers are already protected against cyber espionage from China, it has offered a free software tool that detects suspicious activity to companies and organizations. A New York Magazine article also notes that most of the security firms contacted by the magazine report an influx of new client requests since the New York Times investigation was published.
The San Francisco Chronicle report also highlights that Mandiant published its report at a time when cyber security is at the forefront of national debate in the US. As noted earlier, in his State of the Union address, President Obama suggested that his administration will take strong measures against cyber espionage targeting American corporations.
However, it is unclear whether commercial interests motivated Mandiant to link the Chinese military to the cyber-attacks on American corporations emerging from China.
The Mandiant study and the criticism that followed it raise an important point: despite each country’s attempts to control the Internet, it remains a lawless frontier. This makes it a challenge for governments and security firms alike to pinpoint the exact location of hacking activities. While it is unclear whether the Chinese military is linked to the cyber-attacks on American companies, the Mandiant study and the larger debate surrounding cyber-attacks allegedly originating from China will influence how corporations and the Obama administration develop their cyber security strategies.