Chinese military linked to 'overwhelming' number of cyberattacks

Summary: A new security report alleges that the Chinese military has a hand in an "overwhelming" number of cyberattacks.

A U.S.-based security research firm says that a building associated with the Chinese military is the source of an "overwhelming" percentage of cyberattacks.

Hired by the New York Times, security firm Mandiant has released a 60-page report which alleges members of sophisticated hacking groups known as "Comment Crew" and "Shanghai Group" have been traced back to a 12-story building associated with the People's Liberation Army General Staff's 3rd Department, otherwise known as Unit 61398 in Shanghai.

The Virginia-based firm says within its latest report that although it cannot be determined if the hackers are present within the building, forensic investigations have managed to lead the security team to the unit's door. Either way, it seems likely, as founder of Mandiant Kevin Mandia told the publication:

"Either they are coming from inside Unit 61398, or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood."

Other security firms believe that hacking group "Comment Crew" is state-sponsored, and the latest U.S. National Intelligence Estimate has also suggested a number of these Chinese hacking groups have military or governmental backing due to the sophisticated nature of operations.

In addition, Mandiant's report -- and accompanying video below -- documents attacking sessions conducted by a China-based hacking group the firm calls the Advanced Persistent Threat group 1, or APT1. "Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors," the report states.

APT1 allegedly maintains an "extensive infrastructure" of computer systems around the world, and has systematically stolen terabytes of data from at least 141 organizations. In addition, APT1 focuses on attacking systems in English-speaking countries, and intruding IP addresses have been traced back to Shanghai in over 97 percent of cases. Mandiant says that the infrastructure of the group suggests there may be hundreds of human operators.

In summary, the firm said that "the details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese government is aware of them."

In response, China has dismissed the report as "groundless," according to the Associated Press. Chinese Foreign Ministry spokesman Hong Lei chose not to comment directly on the claims concerning the Chinese military unit, but questioned whether the evidence would hold weight against scrutiny.

At a news conference, Hong told reporters that "to make groundless accusations based on some rough material is neither responsible nor professional," and reiterated China's official stance on hacking as illegal. Hong also said that it wasn't just the United States which suffers due to the expansion of cybercrime, but that the country itself was also a continual target of hackers.

Talkback

23 comments
  • I don't think so

    The video implies very low level dorm room hackers with very small botnet operations at best. This could be at any college or even high schooler's attic somewhere in the US. Top level hackers run huge botnets and use extensive methods to hide their locations (which seem to be more in Eastern Europe). And DC-area cyber/defense contractors in general don't have the best credibility when it comes to threat analyses -- these reports and presentations always seem more like marketing efforts for their services than anything else.
    JustCallMeBC
    • But there have been rumors about Chinese involvement for years

      I had a co-worker several years ago with a "hacker" background who talked about "war" between Chinese hackers and Western ones. And given the nature of mainland Chinese society, a large scale organized hacking effort not at least sanctioned by the Communist Party is almost inconceivable.

      Mind you, none of that is hard evidence that the Chinese government is involved in hacking efforts, but pardon us for being suspicious.
      John L. Ries
      • Rumors are exactly that

        The thing is that high level hacking requires high level computer skills, and areas that have a good concentration of high level computer talent would have other indicators besides rumors of hackers -- there would be companies as well taking advantage of that talent pool. You see this in other regions with more firmly identified hacker regions, especially in Scandinavia, Europe and the former Soviet bloc countries. But China? They have a very large population, and the Chinese have a deserved reputation for being good students. But they also have a reputation for not being very creative and innovative (which was sort of a subtle sub-theme in the movie, "The Social Network"), hence there is little in the way of Chinese companies in the overall global computer industry aside from manufacturing cheap knockoffs.

        Back in 2011, the FBI ID'd a lot of bank fraud originating from the Heilongjiang province in China. But that borders Russia. A massive 2007 cyber attack on Estonia pretty much took out that country's entire network. Russian hackers probably associated with the FSB (Federal Security Service, a semi-successor to the KGB) were widely blamed, but hard evidence was hard to come by despite the scale of the operation, which was much larger and more sophisticated than anything the Chinese have been even accused of. So for what it's worth.....
        JustCallMeBC
        • Russia

          I think it highly likely that the FSB orchestrates hacking efforts against adversaries (the Georgian DDoS incident comes to mind) and it's long been thought that President Putin has allies in the Russian underworld (I remember one OpEd piece that openly called him a "Don", though I think "Boss" in the political sense is closer to the mark).
          John L. Ries
        • I should add

          Rumors are not direct evidence, but they're often based on reality and are therefore grounds for suspicion (at least for conducting an investigation).
          John L. Ries
          • There indeed should be real investigations

            With the emphasis on "real" -- so far I've been only seeing utterly substandard investigations used mostly to justify saber rattling and boosting cyber-security budgets. The best info on cyber exploits all seem to originate from sources far away from the DC area for some strange reason....
            JustCallMeBC
          • Just how exactly...

            ...do you conduct "real investigations" when the location of origination of said attacks comes from a political enemy?

            As much as they make all Happy-Happy to make our junk and take our money, make NO mistake that their government sees us as enemies. How exactly do you suggest we investigate this short of retaliatory hacks or outright invasion? Communists are practiced liars so platitudes of "oh, no, it's not us" can be believed about as much as the little kid who sticks his finger in the dike saying, "I got this!".
            Zorched
          • Everything leaves bits of tracks and evidence

            Good investigators clear their heads and then patiently and skillfully follow things up to collect enough information so that a telling picture forms. Bad investigators usually go about with sloppy, poorly skilled efforts and preconceived (or politically useful) notions, and collect & choose only enough info to support what they want to believe (or what they would have others believe.)
            JustCallMeBC
          • We know this

            Is there anybody you would trust to conduct an impartial investigation?
            John L. Ries
          • Strange question

            To pose to a random dude on the Internet. With that said, there are people in cyber who have gained enough respect and reputation, as well as good connections, to get some serious tracing, evidence gathering, and analysis done. The sticking issue would be that much of their results will have to be classified and not privy to public scrutiny, and that the IDs of the investigators would likely have to be protected as well -- any really thorough investigation may well run afoul of sensitive and/or dangerous information (there are a lot of players potentially involved in cyber mischief, and they are not all from Eastern Europe and Asia.)

            Actually you can ask Julian Assange to do this, with maybe the reward that he's given 2 hrs to do whatever he wants outside of the Ecuadorian embassy without any government interference, even if it includes him trying to escape the UK. (It would make for a nice TV special.)
            JustCallMeBC
          • Reasonable question to ask

            Talkbackers spout off without thinking very hard on a regular basis and I suspected that you wouldn't believe allegations of Chinese government hacking no matter who made them.

            I haven't actually read Mandiant's report yet, but do you know of any reasons to disbelieve their findings? Obviously, we would expect the Chinese government to deny the allegations even if they were true.
            John L. Ries
          • I stated my reasons in my initial post

            The "evidence" they demonstrate is that of much lower level hackers of the type you might find at any American college or large, well-equipped high school. I've seen high level hacker activity and there is no comparison. China probably does have some decent enough hackers, but I think they are being proxied for most of the bigger stuff they are being blamed for. Go back to that attack on Estonia -- that was massive and blatant, yet nobody could say for sure where it originated from because it was so sophisticated. If the Chinese were really so skilled, they would make it look like we were being hacked by Russians, Iranians, Somalians, and whoever else we don't get along that well with.
            JustCallMeBC
          • Patriotic hackers

            As noted before, I have difficulty believing that large numbers of freelance hackers are operating right under the noses of the secret police without at least the tacit approval of the Communist Party (China is still a totalitarian state). If the Party doesn't have operational control, it at least tolerates the activity.
            John L. Ries
          • No again

            As I said, if China really had that sort of cyber talent pool, it would show up in other areas. Also I just finished doing a quick bit of real research for posting a comment on David Gewirtz's rather militaristic article about China's supposed cyber security threat. Here, take this quiz:
            1) Which country by far hosts the most botnet servers?
            2) Which country scores the highest in HostExploit's HE Index for being the source and host of malicious cyber activity?
            3) Which country ranks higher overall globally in terms of malicious cyber activity, the U.S. or China?
            Answers below.

            Answers: 1) the U.S.; 2) Russia; 3) the U.S.
            The information comes from recent reports by HostExploit and McAfee.
            JustCallMeBC
          • Not all that militaristic

            David Gewirtz was suggesting what amounts to computer arms control talks, of which the hard core cold warriors in the U.S. of the 70s and 80s (including, at least initially, Ronald Reagan) were highly suspicious. The true militaristic approach would be to attack first and then consider offers of surrender if they seem worthwhile (but never, EVER, disarm).
            John L. Ries
          • After having read the report myself

            I do have a hard time believing that either Russian gangsters or the FSB is framing the PLA, but I'm not all that expert and I only know a handful of Chinese characters. Without actually researching the issue myself (which I don't have time to do), I can't call the report proof, but I think it raises reasonable suspicion that the PLA is actively involved in industrial espionage (not something freelancers are going to have a lot of interest in, but national governments might well).

            At the very least, the report can be taken as a detailed primer on the sorts of things sysadmins need to look for on their systems. Of course, not casually opening strange attachments is always good advice.

            Of course, it's easy enough for the PLA to recruit "cyber-soldiers" from among CS students at the major universities, and "no" is probably not going to be an acceptable answer.
            John L. Ries
          • There might well be investigations

            But intelligence agencies usually don't report their activities to the press and prosecutors are focused on actually bringing charges against people (and Congressional committees are very definitely a two edged sword). Do you have any suggestions as to someone generally seen as credible that would actually be allowed to report his findings?
            John L. Ries
          • Off the top of my head

            Eugene Kaspersky, Bruce Schneier, Friðrik Skúlason, Mikko Hyppönen, and Lance Spitzner all have pretty good reputations.
            JustCallMeBC
  • Simple Solution

    It's called Country IP Block: if you or your company have no legitimate reason to transfer data to APAC or wherever, then block it all at the company firewall. It's not foolproof, but for me it eliminates a ton of brute force attempts against my home network.
    ammohunt
    • Hackers use proxies

      I one time ran across a web-based hack that scattered executable code across web servers from the UK to the US West. IP blocks would not work.
      JustCallMeBC