Report traces espionage hackers to Shanghai building

By on
Report traces espionage hackers to Shanghai building

But researcher says hacker group just one of 25.

An explosive security report has pinned the majority of China-based attacks against the US to an army of hackers working for the People's Liberation Army out of a nondescript building on the outskirts of Shanghai.

The report, by security firm Mandiant, claims P.L.A Unit 61398 operates out of the complex and is responsible for a deluge of hacking traffic originating in and around it.

Members of an infamous group known in most instances as Comment Crew or Shanghai Group were allegedly tracked to the P.L.A unit and the building. 

The extensive 60-page research document (pdf) was compiled from years of forensic work with large US corporations which have lost crucial data to allegedly China-based hackers. 

It said public accounts of data breaches against US security firms, critical infrastructure, and industrial control system and SCADA operators to a persistent and government-backed hacking outfit operating out of the white Shanghai apartment block.

"We believe that organisations in all industries related to China’s strategic priorities are potential targets of APT1’s (the group) comprehensive cyber espionage campaign," ther report stated.

"While we have certainly seen the group target some industries more heavily than others, our observations confirm that APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan."

Mandiant researchers correlated data IP addresses, toolsets and social engineering information to pin the attacks to the hacking group.

Beijing denied the accusations to the New York Times, and reiterated its affirmation that it is not involved in hacking which it considers illegal.

Chinese hackers have left a trail of victims including SCADA software outfits Telvent and Digital Bond, and security firm Alient Vault which had links to sensitive information on the US' defensive preparedness against hacking, according to the report.

Hackers were also involved in the Shady Rat hacking campaign which was billed as a massive global espionage attack that hit some 75 organisations, the report said.

APT1 is one of scores of such collectives researchers say operate out of China at the behest of Beijing. It started operating and first came to the public light in 2006 when Symantec's Japan office described a host which was operated by a hacker known as Ugly Gorilla, who was tracked in the research.

"APT1 has a well-defined attack methodology, honed over years and designed to steal massive quantities of intellectual property. They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China – before beginning the cycle again," the report stated.

"They employ good English — with acceptable slang — in their socially engineered emails. They have evolved their digital weapons for more than seven years, resulting in continual upgrades as part of their own software release cycle. Their ability to adapt to their environment and spread across systems makes them effective in enterprise environments with trust relationships."

APT1 typically established a foothold in organisations via a well-written spear phishing attempt containing malicious pdf files within a compressed zip. It also used custom backdoors, thought to be previously unknown, of which 42 families were detailed by Mandiant.

"We usually detect multiple families of APT1 backdoors scattered around a victim network when APT1 has been present for more than a few weeks," the report said.

The group's average infiltration lasted 356 days, with the longest stretching to four years and 10 months. The most amount of data stolen from a single organisation was 6.5 terabytes, extracted over 10 months.

The group was also unique in that it utilised unique attack vectors including GETMAIL which helped to steal email.

Once the attackers compromised a network they were difficult to detect, the report said, because they connected to shared resources and could execute commands on other systems using Microsoft's psexec tool or Windows Task Scheduler.

"These actions are hard to detect because legitimate system administrators also use these techniques to perform actions around the network."

Mandiant claims Unit 61398:

  • Employs hundreds, perhaps thousands of personnel
  • Requires personnel trained in computer security and computer network operations
  • Requires personnel proficient in the English language
  • Has large-scale infrastructure and facilities in the Pudong New Area of Shanghai
  • Was the beneficiary of special fibre optic communication infrastructure provided by state-owned enterprise China Telecom in the name of national defence.


While Australian organisations were not among APT1's victims, a former defence contractor security professional with access to similar data to the report said government agencies here have been targeted.

The researcher spoke to SC on the condition of anonymity. He said his former company, like Mandiant, had chased hacking groups some of which had stolen information from the World Bank.

He warned that China is heavily involved in state-sponsored hacking against other nations, and has successfully raided Australian organisations and government agencies.

"The reason [Australia is] attacked is because you have something China wants," he said.

"China is on a Pacific Rim buying spree and needs a lot of natural resources and I don't think your country really knows how to strategise and approach China vis-a-vis its relationship with the United States."

He said US organisations including defence contractors were more focused on protecting US assets at the expense of Australian sites.

Comment Crew was the fifth most dangerous hacking group out of a list of 25. The more deadly groups conducted an initial compromise of corporate systems before Comment Crew was sent in to remain embedded in victim networks for ensuing months and years.

"There is another one in Shanghai that has more technologically sophisticated backdoors and better TTPs (Tactics, Techniques, and Procedures) than Comment Crew," the researcher said.

"Comment Crew has more malware but they get caught a lot so there is more intelligence on them," he said.

The group behind the recent attack on the New York Times was one such outfit, he said. The Times confirmed Comment Crew was not behind the attacks which targeted journalists over four months.

"There are some groups that will come as a smash-and-grab and steal everything and the kitchen sink, then Comment Crew will be sent in to mine email every week for ongoing monitoring. They have typically been associated with time-sensitive targeting, like corporate negotiations."

He said over-classification of intelligence data hindered information sharing between Australia, New Zealand, the US, Canada and Britain, known as the Five Eyes. This led to inconsistencies with naming conventions for hacking groups engaged in espionage, and made it difficult to assess how many groups existed.

The Mandiant report may inspire other researchers to investigate state-sponsored hacking groups and push governments to act decisively against such threats, according to the source.

"It's the steady ongoing exposure to this issue that will force our leaderships' hands to say, 'This sh*t is out of control and we have to do something'."

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia


Most Read Articles

Log In

  |  Forgot your password?