Asia
9:27 am
Wed February 20, 2013

U.S. Security Company Tracks Hacking To Chinese Army Unit

Originally published on Tue February 19, 2013 7:17 pm

Cyberattacks on dozens of American companies have been traced to an area on the outskirts of Shanghai that houses a Chinese military unit, according to a report out Tuesday by Mandiant, a U.S. cybersecurity company.

The 60-page document, first reported by The New York Times, says the group behind the attacks — nicknamed "Comment Crew" — is the most prolific the company has ever tracked and has been hacking U.S. companies since at least 2006.

Mandiant says the hackers' real identity is Unit 61398 of China's People's Liberation Army, or PLA.

The unit sits near the Yangtze River in Shanghai's sprawling Pudong district, which is home to more than 5 million people. The walled compound stands out in an otherwise typical Shanghai neighborhood of restaurants, karaoke clubs and grocery stores.

The complex, which covers nearly three acres, has a 12-story tower with satellite dishes on the top and few signs other than those that indicate it's run by China's military.

Photos and filming are not permitted, and a BBC reporter was detained Tuesday after trying to videotape the complex.

When an NPR reporter showed up, a plainclothes police officer in a blue down coat was pacing the sidewalk out front, scanning the street and looking agitated as he spoke on a cellphone.

Wide-Ranging Attacks

Mandiant says the hackers have stolen hundreds of terabytes of data, including technology blueprints, proprietary manufacturing processes, business plans and partnership agreements.

"They've compromised over 141 corporations across 20 different industries and stolen just a wealth of intellectual property," says Dan McWhorter, who oversees Mandiant's threat intelligence business unit. Most of the companies were American.

McWhorter says the hackers appeared to be trying to steal intellectual property to help Chinese companies compete against U.S. and other foreign firms.

"In China, the government is very intimately involved in industry," McWhorter says, "so I think the PLA is motivated to take these documents for huge economic gain."

At a briefing Tuesday, China's Foreign Ministry dismissed Mandiant's report. Hong Lei, the ministry spokesman, questioned anyone's ability to track down hackers with certainty.

"Cyberattacks are anonymous and transnational, and it is hard to trace the origin," said Hong, "so I don't know how the findings of the report are credible."

Hong said that China has also suffered from cyberattacks, and that in 2012, foreign hackers seized control of 14 million Chinese computers. Hong seemed to point the finger at America, if not the U.S. government.

"China is also a victim of cyberattacks," he said. "In the attacks mentioned above, the number of attacks originating from the U.S. ranks first."

A Long-Running Operation

McWhorter says tracking the attacks to the PLA wasn't that hard, because the volume of data stolen was enormous, and the operation has been going on for so long.

"We just followed the data, followed the breadcrumbs," says McWhorter. "All the network communication kept going back to Shanghai, again and again."

Mandiant says it tracked the hackers back to four large networks in Shanghai, two in the Pudong area where Unit 61398 is located.

"We started doing our research as far as what kind of organizations could be that large doing this type of activity," says McWhorter, "and that's what led us to discover Unit 61398."

Beyond corporate espionage, Mandiant found hacking that was more worrisome, such as the infiltration of crucial U.S. infrastructure, including electric power grids and gas lines.

McWhorter says there is no sign that Chinese hackers tried to disable such operations, but the capability existed.

"If you have the ability to steal the documents, you could have just as easily crashed the hard drives," he said. "From a national security standpoint, that's very scary."

In his State of the Union address, President Obama alluded to this threat without directly naming China.

"Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems," Obama said.

The president said the nation could not look back years from now and wonder why it didn't do anything to stop it.

Copyright 2013 NPR. To see more, visit http://www.npr.org/.

Transcript

LINDA WERTHEIMER, HOST:

Cyber attacks on dozens of American companies appear to have originated in an area of Shanghai that houses a Chinese military unit. That's according to a report out today from a U.S. cyber security company, which says the group behind the attacks is the most prolific it's ever followed. The hacking has been going on since at least 2006. The 60-page document was first divulged by the New York Times. NPR's Frank Langfitt has more.

FRANK LANGFITT, BYLINE: The security company, Mandiant, says it's been tracking a giant hacking group nicknamed Common Crew, for years. Dan McWhorter of Mandiant's threat intelligence unit says the real name is this.

DAN MCWHORTER: The PLA unit 61398.

LANGFITT: PLA, as in China's People's Liberation Army. McWhorter says the unit has a complex on the outskirts of Shanghai and it's very aggressive.

MCWHORTER: They've compromised over 141 corporations across 20 different industries and stolen just a wealth of intellectual property.

LANGFITT: Mandiant says most of those companies were American. McWhorter adds the hackers seem to be trying to steal intellectual property to compete against American and other foreign firms.

MCWHORTER: In China, you know, the government's very intimately involved with industry, so I think the PLA's motivated to take these types of documents for huge economic gain.

LANGFITT: At a briefing today, China's foreign ministry dismissed the report. Hong Lei, the ministry's spokesman, questioned anyone's ability to track down hackers with certainty.

HONG LEI: (Through translator) Cyber attacks are anonymous and transnational, and it's hard to trace the origin of attacks, so I don't know how the findings of the report are credible.

LANGFITT: Hong said China has also suffered from hacking. In 2012, he said, foreign hackers seized control of 14 million computers in China. He seemed to point the finger at America, if not the U.S. government.

LEI: (Through translator) China is also a victim of cyber attacks. In the attacks mentioned above, the number of attacks originating from the U.S. ranks first.

LANGFITT: McWhorter says tracking the attacks to the PLA wasn't that hard, because the volume of data stolen was enormous and the operation had been going on for years.

MCWHORTER: We just sort of followed the data, followed the bread crumbs. And all the network communication kept going back to Shanghai again and again, in particular, the Pudong new area. And so then we started doing our research as far as like what types of organizations could be that large doing this type of activity. And that's what lead us to discover unit 61398.

LANGFITT: I've come to the People Liberation Army compound that in the report and it's a big - looks like a 12-story big block building. There are hardly any signs out front, just something that says it's military and you're not allowed to take pictures. I also notice that there's a plain-clothes police officer walking back and forth on the street on a cell phone, keeping any eye out for anybody who's coming to watch.

Now, this is a normal sort of neighborhood in the outskirts of Shanghai, with karaoke clubs and little restaurants and hotels. Nothing out of the ordinary, except for this big building. Beyond corporate espionage, Mandiant found hacking that was more worrisome, infiltration of crucial U.S. infrastructure, including electric power grids and gas lines.

Dan McWhorter said there's no sign Chinese hackers tried to disable such operations, but the ability was there.

MCWHORTER: The same level of access they need to steal the IP, they can also do damage. If you have the ability to steal the documents, you just as easily could have crashed the hard drives. From a national security standpoint, that's very scary.

LANGFITT: In his State of the Union address, President Obama referenced the threat without naming China.

(SOUNDBITE OF STATE OF THE UNION ADDRESS)

PRESIDENT BARACK OBAMA: Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems.

LANGFITT: The president said the nation could not look back years from now and wonder why it didn't do anything to stop it. Frank Langfitt, NPR News, Shanghai. Transcript provided by NPR, Copyright NPR.