U.S. firm blames Chinese army unit for hacking American businesses


McClatchy Newspapers

A U.S. cyber-security firm has publicly accused the Chinese military of carrying out a series of Internet-based attacks on American and foreign companies in one of the most detailed reports to date alleging such activity is officially condoned in China.

Alexandria, Va.-based Mandiant said that it tracked a People’s Liberation Army organization, known as Unit 61398, that since 2006 launched online attacks against at least 141 companies and organizations.

Of those 141 targets, 115 were in the United States, according to Mandiant’s 74-page report. “The activity we have directly observed likely represents only a small fraction of the cyber espionage,” the report said.

“Our research and observations indicate that the Communist Party of China … is tasking the Chinese People’s Liberation Army … to commit systematic cyber espionage and data theft against organizations around the world,” the report said.

The accusations seem certain to further stoke tensions between Washington and Beijing in what has become on one side a mounting body of allegations and evidence that hacking is being condoned, if not directed, by Beijing and, on the other side, continued denials from China.

In a regularly scheduled press briefing on Tuesday, the Chinese Foreign Ministry again denied official Chinese involvement in online hacking activity and pointed out that China is itself regularly subjected to such attacks.

While not citing China specifically, President Barack Obama said in his State of the Union address on Feb. 12 that, “America must also face the rapidly growing threat from cyber-attacks.”

“Our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems,” Obama said in the address. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The Mandiant report identified one of the buildings from which Unit 61398 works in Shanghai and provided Google Earth images of the white, 12-floor structure. Mandiant distributed a copy of what it said was a China Telecom memorandum saying the state-owned company provided Unit 61398 with special fiber optic lines.

It also identified Unit 61398’s place within the Chinese military’s command structure: the second bureau of the general staff’s third department, which has a focus including signals intelligence and cyber surveillance.

Mandiant, which contracts with corporations to help protect their computer systems from hackers, said that it had analyzed the group’s intrusions through painstaking examination of electronic clues left behind in the wake of attacks.

While not naming specific cases, Mandiant said that its investigators sifted for digital “fingerprints” such as Internet protocol addresses and information gleaned from the e-mail addresses used to launch “spearphishing” notes that carry attachments that, when clicked, allow access to a user’s computer. Those attachments contain dense code that may carry language identifying them as the work of a particular programmer or group.

Mandiant, which cited its “unique vantage point responding to victims,” issued a video showing what it said was screen footage of a member of the group setting up anonymous e-mail accounts that were used for “spearphishing.” The video also recorded a group member allegedly breaking into computer systems online and stealing files.

The industries targeted by Unit 61398, the report said, are consistent with those that China has marked as being strategically important to its growth. Mandiant did not identify the companies affected, but said they were from a broad range of sectors including aerospace, energy, telecommunications and scientific research.

Among the types of information stolen, the report said, were system designs, manufacturing procedures, contract negotiation positions and business plans.

The Mandiant document, which was first reported by The New York Times, said with obvious derision that besides Unit 61398, there was only one other possible culprit: “A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates.”

Email: tlasseter@mcclatchydc.com; Twitter: @tomlasseter
