Earlier this year, when the New York Times reported that it had been the target of hacks from China, the paper noted that the attacks were likely connected to the Chinese military. On Tuesday, the Times reported that, based on evidence confirmed by U.S. intelligence officials, there is “little doubt” that “an overwhelming percentage of the attacks on American corporations, organizations and government agencies” originate from one People’s Liberation Army unit based in the outskirts of Shanghai.
A study released Tuesday by U.S. security firm Mandiant identified PLA Unit 61398 as the most likely perpetrator of the hacks. Mandiant had been tracking intrusions by the group it calls APT1, better known as the “Comment Crew,” for over six years before concluding that the hackers were part of Unit 61398. Via the Times:
Unit 61398 — formally, the 2nd Bureau of the People’s Liberation Army’s General Staff Department’s 3rd Department — exists almost nowhere in official Chinese military descriptions. Yet intelligence analysts who have studied the group say it is the central element of Chinese computer espionage. The unit was described in 2011 as the “premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence” by the Project 2049 Institute, a nongovernmental organization in Virginia that studies security and policy issues in Asia.
While the Obama administration has never publicly discussed the Chinese unit’s activities, a secret State Department cable written the day before Barack Obama was elected president in November 2008 described at length American concerns about the group’s attacks on government sites. (At the time American intelligence agencies called the unit “Byzantine Candor,” a code word dropped after the cable was published by WikiLeaks.)
The majority of Comment Crew’s attacks, even those carried out against major firms like Coca-Cola to steal internal information, used the simple but effective technique of spearphishing: a targeted email, crafted to look as if it came from a colleague or a trusted organization, carries a malicious attachment or link. When a single recipient opens it, the attackers gain a foothold on that machine and from there work their way across the entire network. Security experts have expressed concern that Chinese hackers might use such techniques to gain control of critical U.S. infrastructure. The Times noted:
What most worries American investigators is that the latest set of attacks believed coming from Unit 61398 focus not just on stealing information, but obtaining the ability to manipulate American critical infrastructure: the power grids and other utilities.
… A few years ago, administration officials say, the theft of intellectual property was an annoyance, resulting in the loss of billions of dollars of revenue. But clearly something has changed. The mounting evidence of state sponsorship, the increasing boldness of Unit 61398, and the growing threat to American infrastructure are leading officials to conclude that a far stronger response is necessary.
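Much of the spearphishing described above can be flagged from message metadata before anyone clicks. The script below is an added example, not code from the article or from Mandiant’s report; it applies three generic heuristics (a sender domain that is a near-miss of a trusted one, a Reply-To that points somewhere other than the sender, and attachment types commonly used to deliver a first-stage implant) to raw messages. `TRUSTED_DOMAINS`, `RISKY_EXTENSIONS` and the two sample messages are constructed assumptions for illustration, not indicators taken from any real campaign.

```python
"""Heuristic spear-phishing triage for raw RFC 822 messages (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Domains a hypothetical organisation treats as trusted senders (assumption).
TRUSTED_DOMAINS = {"example.com", "partner-corp.com"}

# Attachment types often used to carry a first-stage dropper (assumption);
# archives are included because they are a common wrapper for executables.
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".rar", ".js", ".vbs",
                    ".hta", ".lnk", ".docm", ".xlsm"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates (edit distance 1 or 2), else None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def risky_attachments(msg) -> list:
    """File names of attachments whose extension is in RISKY_EXTENSIONS."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            names.append(name)
    return names


def triage(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like {imitated}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for name in risky_attachments(msg):
        findings.append(f"risky attachment {name}")
    return findings


# Constructed sample messages (not real traffic).
BENIGN = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch
Content-Type: text/plain

Noon?
"""

PHISH = """\
From: "IT Helpdesk" <helpdesk@examp1e.com>
Reply-To: helpdesk@mail-relay.example.net
To: alice@example.com
Subject: Updated VPN client - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please install the attached update before Friday.
--XX
Content-Type: application/zip
Content-Disposition: attachment; filename="vpn_update.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XX--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("phish", PHISH)):
        print(label, triage(raw) or "clean")
```

Run stand-alone, the benign message produces no findings and the constructed phish produces three (lookalike sender, mismatched Reply-To, archive attachment). The edit-distance check deliberately ignores distance 0, so legitimate mail from a trusted domain is never flagged as imitating itself; a production filter would add authentication results (SPF/DKIM/DMARC) and link analysis, which this example leaves out.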
However, China has strongly denied involvement in any such activities. “It is unprofessional and groundless to accuse the Chinese military of launching cyberattacks without any conclusive evidence,” said China’s defense ministry last month.
Following reports on Chinese hacks targeting U.S. news publications, the Obama administration said it was considering more assertive action against this cyber-threat, although what such action might look like remains unclear. Earlier this year, the AP noted that such “actions could include threats to cancel certain visas or put major purchases of Chinese goods through national security reviews.”