Q&A: China’s hacker army revealed

US-based IT security firm Mandiant shocked the world on Tuesday with a highly detailed report  on an alleged secret Chinese People’s Liberation Army hacker unit that infiltrated 141 private companies in the North America, Europe, the Middle East, Africa and Asia.

On Wednesday, China's Defense Ministry issued a statement rejecting the claims, saying the report "lacks technical proof."

But as Mandiant tells it, the most prolific hacker group in the PLA, Unit 61398, launches its cyberattacks from a 12-story, 130,663-square-foot building on the outskirts of Shanghai. There, the security firm says hackers use lightning-fast, high capacity fiber optics installed by the Chinese government in 2007. 

It is through these fiber-optic cables that Unit 61398 is alleged to have laid siege to 115 US companies, stealing intellectual property and proprietary information to give Chinese companies a competitive edge in the open market.

But, as Forbes pointed out, the report's revelations aren't exactly news. Mandiant’s managing director for threat intelligence, Dan McWhorter, told GlobalPost that Unit 61398 is only one of over 20 known hacker groups working in China to target global corporations.

GlobalPost: How does the cybersecurity infrastructure in the US, Europe and other Asian countries stack up against China's, by both offensive and defensive measures?

Dan McWhorter: We do not have strong visibility into the infrastructure of many countries, but we do know a reasonable amount for the UK, Europe, US and Canada. I also don’t know enough about Chinese infrastructure to make a judgment as to whether it is vulnerable. We know it’s firewalled, we know people inside the network don’t get the same access outside of it as we do. We don’t have the level of visibility necessary to speak to their defensive measures.

Are private-sector IT professionals prepared and equipped to fend off these incursions into corporate networks?

The thing that is a challenge for IT professionals is that unless you have visibility beyond your organization, it’s impossible to collect data with a broad enough scope to adequately defend. If you only have visibility into your own corporate network and not a strong threat feed, through partnerships with Government, peers, or a security firm, it’s difficult to defend yourself. You have no vantage point to understand what the attackers are doing or the tools that they’re using outside of your environment.

Things are getting better and better though. We don’t have top notch players in all major corporations, but the market is growing and security is becoming a more important issue. As a result, talent levels are rising.  

Will other developed nations begin to better prepare themselves to defend against attacks launched by groups like Unit 61398?

They’re coming along. In the UK for instance, there is a GCHQ (Government Communications Headquarters) program for identifying certified incident responders. There is already a UK CERT (Computer Emergency Readiness Team), just like the US CERT, and they can notify companies of intrusions. We’ve worked inside other countries in Europe, and we’re seeing that they’re aware of the threat and becoming more sophisticated at dealing with it. The is true in Canada as well. As nations develop you have no choice but to hone your defensives or you will systematically see your intellectual property stolen.

Keep in mind Mandiant’s vantage point though. What’s the true situation in Canada or the UK? We don’t have the best visibility to be able to say that. We’ve seen victims there, and we know they’re being targeted. Likely, the number of incidents in these countries underrepresented in our report since our main focus and customer base was the US market.

Are there other similar organizations within the PLA (People’s Liberation Army) that carry out the same sort of attacks as Unit 61398?

There are other groups within the PLA with a CNO (Computer Network Operations) mission. We know for certain other units exist. We track over 20 different groups that we trace back just to China. Of those additional groups, we’re confident that similar units report back to other groups in the PLA and inside China. We also know, as General Hayden has said, there a lot of contractors inside China as well. Just like inside the US or the UK, you have contract relationships with private entities that augment government capabilities. Of those more than 20 groups, some of those we believe to be sets of contractors.

Do these other organizations operate in a similar scope as Unit 61398?

Likely not. The amount of hacking APT1 does is immense. Everyone has been tracking them to some extent, and we have been tracking them for 6 years. They’re very, very robust, and they steal a lot of data. When you do that, someone needs to be processing that data, keeping up the attack infrastructure, building tools, creating target lists, analyzing documents, and putting in additional requests for what to acquire next. It takes an enormous organization to do this, and the amount of data they’re stealing is large. We’re aware of 141 victims targeted by a single unit. We don’t have the same depth of visibility into the all the other groups we track to say definitively how much they steal and how much can they process. Unit 61398 is pretty large from a manpower standpoint. I’m uncertain if the other organizations that we track have similar resources.

Does a unit like this have the capability to infiltrate critical infrastructure?

Sure. I think the state of things now is that it is extremely hard to play defense and not difficult to play offense. Most groups in China can get into critical infrastructure. That’s not necessarily a weakness in our infrastructure, at the end of the day, there is always a gap between offense and defense. You only need one weakness, one zero day attack, one email to get through. It’s very difficult to play defense.

Does there need to be more cooperation between the government and the private sector? Is the recent reintroduction of CISPA a step in the right direction?

I definitely think it’s step in right direction. Chairman Rogers and Representative Ruppersberger [of the US House of Representative’s Permanent Select Committee on Intelligence] have been proactive in the legislation they put forward. The executive order will also help on the sharing side. The major thing we need for encouraging sharing is to protect the corporations’ privacies and protect them against lawsuits based on the information they’ve volunteered. It’s hard to come forward with an open, sharing mantra if you’re terrified of getting sued. The critical component to getting sharing in place is the protection for corporations to come forward. We live in a litigious society .

With the recent revelations that the US government is planning to conduct offensive cyberstrikes, does China feel threatened?

It’s hard for me to predict the Chinese government’s response to things. They only have really two options, go extremely dark with this group and do nothing or just keep hacking the way they’ve been. Everyone is focused on the ways to detect and defend against this particular group now that such a broad indicator set has been released. This group is going to have a hard time continuing to do what they do without massive changes to their tactics, techniques, and procedures. As for future US actions, I don’t have visibility into them. Fortunately, the State Department is enabled with a report like ours to go to the negotiating table and point to an unclassified report that is data and analysis thick. With this sort of report, it’s going to be difficult for Beijing to dispute these actions in a private conversation with diplomats.

If a cyberwar started tomorrow between the US and China, who would win?

My answer here is going to be purely speculative, and it is certainly hard to predict. China has a great deal of access right now, and I’m not sure we’d ever have just a cyber war, I’m not sure where the battle lines would be drawn. I can tell you the amount of access china has to systems is very scary. One group out of the twenty plus we track back to China was responsible for intrusions into 141 organizations. They’re responsible for so many different intrusions and they have a very broad level of access…if it started today, it’s difficult to know what they would do with all that access, but I’m sure they could do some serious damage.