Chinese army likely behind cyber attacks, U.S. security firm says

Daily News Article   —   Posted on February 20, 2013

This 12-story building in Shanghai is alleged to be the home of a Chinese military-led cyber warfare group.

(by Michael Muskal, Los Angeles Times) – Computer hackers tied to the Chinese military have stolen massive quantities of data from at least 140 organizations in 20 major industries since 2006, a U.S. computer security firm said in an extensive report released Tuesday.

The 74-page report, prepared by Mandiant Corp., comes as the United States has toughened its stand against computer hacking by China and is expected to seek to do more to protect both commercial and national security information. Just last week, President Obama signed an executive order to improve protection of the American computer assets.

The Mandiant report also comes after a growing concern in many U.S. businesses, including media companies, that China has stepped up its computer invasion. The Chinese government has repeatedly denied such charges and has insisted it has been the target of computer hacking. China repeated those charges on Tuesday.

But the Mandiant report lays the blame for the increased computer hacking squarely at the official door of China, and says that a secretive military group, based in the outskirts of Shanghai, is the likely culprit for official computer activities.

“Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world,” the report reads. In earlier reports, the security group noted, “The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement.

“Now, three years later, we have the evidence required to change our assessment,” the security group concluded. “The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese government is aware of them.”

The hacking activity was likely part of the mandate of Unit 61398 of China’s People’s Liberation Army, identified in the report as “one of the most persistent of China’s cyber threat actors.” The unit is based in the Pudong New Area, outside of Shanghai, from where the computer attacks originate.

Unit 61398 “has systematically stolen hundreds of terabytes of data from at least 141 organizations,” in diverse industries and mostly in the United States, said the report. “It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.”

According to the report, hundreds of terabytes of data, including emails, memos and blueprints have been stolen by the military group, which focused on a broad range of industries in English-speaking countries. [Fox News reports that the “secret group” has hacked U.S. information at energy, aerospace and IT and telecommunication firms and that hackers obtained access to the likes of blueprints and contact lists.]

In more than 97% of the 1,905 times intruders were observed, they used computer addresses registered in Shanghai, the report found. The hackers likely have a large organization with at least dozens, but potentially hundreds, of operators, the report said.

China’s role in the hacking industry has been a growing concern amid reports that groups including the New York Times (The Wall Street Journal, Washington Post) and the U.S. Chamber of Commerce have reported that they have been hacked from within China.

In addition to signing an executive order, President Obama noted the issue in his State of the Union speech last week. “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems,” he said.

In an October speech, Defense Secretary Leon Panetta warned of China’s growing computer capabilities.

“In my visit to Beijing, I underscored the need to increase communication and transparency with each other so that we could avoid a misunderstanding or miscalculation in cyberspace,” Panetta said. He called for greater sharing about cyber security between private enterprise and the U.S. government.

Speaking at a daily news briefing on Tuesday, Chinese Foreign Ministry spokesman Hong Lei denied the latest accusations.  “Cyber attacks are anonymous and transnational, and it is hard to trace the origin of attacks, so I don’t know how the findings of the report are credible,” Hong said. …

In a statement to The Associated Press, China’s Defense Ministry repeated Beijing’s standard denials of any involvement in hacking, saying Chinese law forbids any activities harming Internet security. “The Chinese government has always firmly combated such activities and the Chinese military has never supported any form of hacking activity,” the ministry said. “Statements to the effect that the Chinese military takes part in Internet attacks are unprofessional and are not in accordance with the facts.”

Reprinted here for educational purposes only. May not be reproduced on other websites without permission from the Los Angeles Times. Visit the website at latimes.com.



Background

Virginia-based MANDIANT Corp.:

  • Though privately held and little known to the general public, Mandiant is one of a handful of U.S. cyber-security companies that specialize in attempting to detect, prevent and trace the most advanced hacking attacks, instead of the garden-variety viruses and criminal intrusions that befoul corporate networks on a daily basis.
  • But Mandiant does not promote its analysis in public and only rarely issues topical papers about changes in techniques or behaviors.
  • It has never before given the apparent proper names of suspected hackers or directly tied them to a military branch of the Chinese government, giving the new report special resonance.
  • The company published details of the attack programs and dummy websites used to infiltrate U.S. companies, typically via deceptive emails.
  • U.S. officials have complained in the past to China about sanctioned trade-secret theft, but have had a limited public record to point to.
  • Mandiant said it knew the PLA [Communist Chinese People's Liberation Army] would shift tactics and programs in response to its report but concluded that the disclosure was worth it because of the scale of the harm and the ability of China to issue denials in the past and duck accountability.
  • The company traced Unit 61398's presence on the Internet - including registration data for a question-and-answer session with a Chinese professor and numeric Internet addresses within a block assigned to the PLA unit - and concluded that it was a major contributor to operations against the U.S. companies. (from chicagotribune)
  • Speaking to The New York Times for an article published Tuesday, Mandiant founder and chief executive Kevin Mandia said his company published its report to alert the U.S. public and government that, "it's not just freelance people in China doing these attacks, it's attacks directed by the government. So that means these attacks can be more advanced, they can be more funded, they can be more pervasive, and they will probably continue unabated. It could be the new normal."
  • Mandia told CBS News correspondent Bob Orr earlier this month that the number and sophistication of the attacks on U.S. organizations is so daunting, it would be futile to try and prevent them all.  "These attacks are inevitable, so let's make sure we keep these attackers from our crown jewels," said Mandia.
  • To bolster the U.S. defenses against such cyberattacks on vital infrastructure and defense systems, Mandia said it was crucial that entities targeted by hackers start sharing the information on the attacks more fluidly, stressing that "everybody needs to get smarter from each breach, almost like a neighborhood watch." (from cbsnews)
  • “The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one,” said Dan McWhorter, Mandiant’s managing director for threat intelligence, referring to a special unit of China’s People’s Liberation Army (PLA) that has carried out the cyberattacks.
  • “It is time to acknowledge the [cybersecurity] threat is originating from China,” Mr. McWhorter said. “The issue of attribution has always been a missing link in the public’s understanding of the landscape of cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss [hackers’] actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.” (from washingtontimes)