02.19.13

This is How China Hacks America: Inside the Mandiant Report

Cybersecurity firm Mandiant released a massive and scathing report identifying a unit of the Chinese government that has hacked 115 U.S. companies. Here are the critical details.

The Chinese government just got caught with a smoking cyber gun.

Cybersecurity consultant Mandiant released a much-anticipated report Tuesday morning, offering the most detailed look to date inside the Chinese People Liberation Army’s direct involvement in hacking into American government and corporate websites.

The PLA Unit 61398 is identified by the report as the most prolific hacking group inside the Chinese government. Dedicated to infiltrating English-language sites, the unit recruits English-language proficient speakers and experts in computer security, but otherwise scrubs any mention of its organization from Chinese-language websites. Operating out of a 12-story, 130,663 square foot facility in the Pudong New Area sector of Shanghai, its building is able to contain as many as 2,000 personnel. Special high capacity fiber-optics were installed by China Telecom when the building was constructed in 2007 and the outfit utilizes over 1,000 servers.

In this three-year investigation, Mandiant documented Unit 61398 hacking into 141 companies (including 115 in the U.S.) across 20 industries, and stealing many terabytes of compressed data in sustained attacks averaging 356 days. The longest persistent attack documented by Mandiant lasted 4 years and 10 months. The largest recorded theft was 6.5 terabytes from a single company over 10 months.

The longest persistent attack documented by Mandiant lasted 4 years and 10 months.

These attacks were just a small number of the total conducted by Unit 61398 and were conducted by individual hackers with online personas such as “Ugly Gorilla”, “DOTA” and “SuperHard.” The report offers tantalizing personal details of some of these hackers, such as what appears to be initial outreach by Ugly Gorilla to a retired Chinese general and DOTA’s love for the Harry Potter novels embedded in his security prompts.

The number of attacks from PLA Unit 61398 escalated enormously since 2007 and the Mandiant report details the methods used to initially infiltrate organizations, such as spear-phishing emails and the embedding of malware that create a foothold into a company’s computer system.

Video screenshot

This video released by Mandiant shows “DOTA,” a supposed member of Unit 61398 conducting computer network espionage activities.

Given the recent attacks launched on The New York Times, The Wall Street Journal, Twitter, Facebook, and most recently Apple, it’s a good time to be a company that specializes in Chinese cybersecurity threats. Mandiant, a 9-year-old Virginia-based firm, says it took in more than $100 million in revenue in 2012, up 76% from 2011, and has 30% of the Fortune 100 as clients.

On Tuesday, the New York Times’ story on the report on Unit 61398 included a disclosure that the Times itself had used the company to investigate a sophisticated attack on the company that originated from China. The company concluded that the Times’ attack was perpetrated by a different group within China.

While the PLA has long been implicated in cyber-attacks on the U.S. government and corporations, the Mandiant report is the first detailed public analysis of the unit and its methods. The extent to which Unit 61398 focuses its attacks on U.S. government entities is not clear in the report; phone calls and emails to Mandiant to clarify this point were not immediately returned.

“State-sponsored cyber spies have enough resources and experience to make busting into most U.S. companies about as hard as pushing open a broken porch door,” said Matt Pottinger, CEO of Asia-focused consulting firm China Six LLC. “Americans don't live in a safe neighborhood anymore. In terms of our digital security, we’ve gone from living in Logan, Utah to Logar, Afghanistan in less than a decade." 

Mandiant anticipates reprisals in return for publicly divulging the information. But the report’s value lies in the difficulty the Chinese government could have in issuing future pro-forma denials, such as the one it released last month:  “It is unprofessional and groundless to accuse the Chinese military of launching cyber-attacks without any conclusive evidence.”  Thanks to Mandiant, the evidence appears to be in.