Report: Chinese military engaged in ‘extensive cyber espionage campaign’
HONG KONG (CNN) — An American cybersecurity firm has linked one of the world’s most prolific groups of computer hackers to the Chinese government, saying in a new report that an extensive cyber-espionage campaign is being waged from a location near Shanghai.
The security firm, Mandiant, detailed the allegations in a 60-page report published Tuesday that describes the group’s tactics over a six-year period.
The Virginia-based Mandiant, which helps companies detect and respond to cyber threats, said it has observed the group of hackers — called the “comment crew” — systematically steal hundreds of terabytes of data from at least 141 organizations across 20 industries worldwide since 2006.
Mandiant claims the activity can be traced to four networks near Shanghai — with some operations taking place in a location that is also the headquarters of Unit 61398, a secret division of China’s military.
“The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind [the group],” Mandiant said. “We believe the totality of the evidence we provide in this document bolsters the claim that [the group] is Unit 61398.”
Chinese foreign ministry spokesman Hong Lei dismissed the hacking charges on Tuesday, insisting that China is the victim of many cyberattacks — most originating in the United States.
“Making baseless accusations based on premature analysis is irresponsible and unprofessional,” he said. “China resolutely opposes any form of hacking activities.”
Last month, the Chinese defense ministry said the country’s military “has never supported any hacker activities.”
The latest accusation against Beijing comes amid concerns about the breadth and depth of cyberattacks originating in China. Recently, several leading U.S. news organizations reported their computer systems had been attacked by China-based hackers.
Mandiant estimates that hundreds, and perhaps thousands, of people work within Unit 61398, which is housed in a 12-story, 130,663 square-foot facility.
Organizations in English-speaking countries are the primary victims of the comment crew — making up 87% of the 141 attacks observed by Mandiant. Of that, 115 attacks targeted organizations in the United States.
The hackers have a “well-defined attack methodology,” and Mandiant said the group has stolen large volumes of intellectual property, including technology blueprints, proprietary manufacturing processes and business plans.
The report did not list companies or agencies that have been attacked, but the comment crew is known to have attacked Coca-Cola, security firm RSA, and consultancy Chertoff Group.
The Coca-Cola hack occurred in 2009 when the beverage giant was trying to purchase China’s Huiyuan Juice Group. According to reports, comment crew stole Coca-Cola’s negotiation strategy along with other information about the proposed offer. The deal was scuttled just days after the hack, when the Chinese government said it could not accept the deal on antitrust grounds.
RSA was attacked by the group in 2011, which compromised the security of some of its SecurID tokens used to gain entry into corporate systems. Using information gained from the RSA hack, the group subsequently attacked aerospace and defense company Lockheed Martin.
All of these attacks started the same way: via a cleverly worded emails — written in perfect English — that appeared to be from someone inside the company. Instead, it contained malicious software designed to gain access to the corporations networks.
Mandiant was able to pinpoint the identities of three individuals working with the group. The report identifies the hackers who use the monikers “Ugly Gorilla,” “dota” and “SuperHard.” It tracks their activities in an unusually detailed manner, including information on their e-mail accounts, cell phones and hacking techniques.
Government and intelligence officials in the United States are increasingly concerned about the threats posed by cybercrime, especially from government actors.
Outgoing Defense Secretary Leon Panetta said last year that a cyberattack could be crippling, citing risks to the power grid, Wall Street and the financial system.
“We are literally getting hundreds of thousands of attacks everyday that try to exploit information in various agencies and departments and frankly throughout this country,” Panetta said.
In a statement, White House spokesman Tommy Vietor said the administration is aware of the Mandiant report, and is acting to negate these threats.
“The United States has substantial and growing concerns about the threats to U.S. economic and national security posed by cyber intrusions,” Vietor said. “We have repeatedly raised our concerns at the highest levels about cyber theft with senior Chinese officials, including in the military, and we will continue to do so.”
Earlier this month, President Obama signed an executive order designed to address the country’s most basic cybersecurity needs — and highlighted the effort in his State of the Union address.
The order will make it easier for private companies in control of the nation’s critical infrastructure to share information about cyberattacks with the government. The order also directs the government to work with the private sector on standards that will help protect companies from cybercrime.
In recent weeks, The New York Times, Washington Post and Wall Street Journal have disclosed that their computer networks had been targeted by hackers in China.
The New York Times, which hired Mandiant to help mitigate the threat, reported Tuesday that the comment crew was not the source of the attack on its network.
China is not the only country believed to be involved in cyberattacks. The existence of several other state-sponsored cyberweapons have also been reported in recent years, with names like Stuxnet, Duqu and Flame. The U.S. government is widely believed to have played a role in developing some of those viruses, with an eye toward containing Iran.