Conflict & Justice

China's army linked to cyber attacks against US


A person walks past a 12-story building alleged in a report by the Internet security firm Mandiant to be the home of a Chinese military-led hacking group on Feb. 19, 2013.


Peter Parks

HONG KONG — A nondescript 12-story office building in a rundown Shanghai neighborhood is reported to be the source of sophisticated cyber attacks against private and government US organizations.

A 60-page study released Tuesday by Mandiant, a US computer security firm, details a hacker group known as ATP1, aka "Comment Crew" or Shanghai Group," and links the Chinese military — which has denied allegations of computer hacking — to the group's cyber attacks dating from 2006 to the present.

When asked earlier this month in the wake of cyber attacks on US newspapers, China's defense ministry said: "The Chinese military has never supported any hack attacks," adding that, "It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence."

The Mandiant report claims to have that conclusive evidence, which The New York Times says is "confirmed by American intelligence officials."

The report states:

Our analysis has led us to conclude that APT1 (Advanced Persistent Threat) is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.

Our research and observations indicate that the Communist Party of China is tasking the Chinese People’s Liberation Army (PLA) to commit systematic cyber espionage and data theft against organizations around the world.

On Tuesday, Chinese foreign ministry spokesman Hong Lei dismissed the report's allegations.

"Making baseless accusations based on premature analysis is irresponsible and unprofessional," Lei said. "China resolutely oppose any form of hacking activities."

Mandiant could not confirm the attacks came from inside the 12-story building, known as Unit 61398, but argued there was no other explanation as to why so many attacks originated from the area, according to The New York Times.

Full disclosure from The New York Times, which received an advance copy of the report and broke the story: "Mandiant was hired by The New York Times Company to investigate a sophisticated Chinese-origin attack on its news operations, but concluded it was not the work of Comment Crew, but another Chinese group."

Mandiant concludes its report with the convincing point that, "In a State that rigorously monitors internet use, it is highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai."

GlobalPost's senior correspondent in Hong Kong, Benjamin Carlson, called the hacking story the "boldest and most compelling evidence ever shown publicly that ties China's military to the extensive hacking of US interests."

It's an astonishing story, and one that will likely compel a response on Capitol Hill. So far, the US government has done little but complain indirectly about Chinese hacking for fear of damaging economic or diplomatic relations. This report may help change that.

The report follows President Obama's recent executive order to bolster US cyber security, and some experts have speculated there's a connection between two, but there's no way to tell.

Last year, outgoing Defense Secretary Leon Panetta cited cyber security as a significant threat to US interests.

"We are literally getting hundreds of thousands of attacks everyday that try to exploit information in various agencies and departments and frankly throughout this country," Panetta said.

As The New York Times notes, ATP1 "has drained terabytes of data from companies like Coca-Cola." But it appears the hacker group has increasingly targeted organizations vital to US infrastructure, especially those related to its "electrical power grid, gas lines and waterworks," the newspaper reported.  

GlobalPost's Carlson pointed out that there are, however, small errors in the report that may undermine its case.

For example, in one section it identifies Hebei as a suburb of Shanghai, when in fact Hebei is a province with a population of 72 million.

Of course, the US government also conducts cyber attacks against foreign countries. For example, the US and Israel created the Stuxnet worm that was used to disrupt Iran’s uranium enrichment program.

Benjamin Carlson contributed to this report from Hong Kong.