
Unusually detailed report links Chinese military to hacks against US

Chinese intrusions are increasingly targeting critical industrial systems.

The emblem of the People's Liberation Army.

Security firm Mandiant has published an unusually detailed report documenting China-sponsored hacking intrusions that have siphoned terabytes of sensitive data from 141 organizations over the past seven years.

The 74-page study is only the latest report to lay a battery of computer intrusions at the feet of hackers linked to China's government or military apparatus. But until now, many of those claims lacked crucial details, opening them up to skeptics who complained that the lack of specificity made it difficult or impossible to conclude Chinese actors were behind attacks targeting US governmental agencies, corporations, and human rights organizations. Given the anonymity that shrouds most network intrusions, critics have pointed out, the use of Chinese domain names, IP addresses, and localized language in computer espionage campaigns could almost as easily have been chosen by perpetrators from other countries who want to divert the attention of investigators.

The Mandiant report is largely a response to these critics. It identifies a 12-story white office tower on the outskirts of Shanghai as the nerve center for a hacking group long known to security researchers as the "Comment Crew." IP addresses that have been used for years in espionage hacks map to the immediate surroundings of the building. The tower also happens to be the headquarters for the People's Liberation Army's Unit 61398, which was described in 2011 as the "premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence" by the Virginia-based nongovernmental organization known as the Project 2049 Institute. Many of the claims in the Mandiant report have been independently confirmed by US intelligence officials, according to an article published by The New York Times.

Chinese government officials have criticized the Mandiant allegations as "unprofessional" and "irresponsible." They say China's infrastructure and computer systems are also routinely targeted in the same kinds of hacks. On Tuesday, Chinese military personnel reportedly detained a BBC television crew that filmed Unit 61398. The crew was eventually released, but their footage was confiscated.

Mandiant says it has documented 141 hacking intrusions led by Comment Crew since 2006. Given the IP addresses and clues gleaned from individual members with hacker handles including UglyGorilla and DOTA, the authors conclude that the campaign is almost surely sponsored by the Chinese government or military. The only other option, according to the report: "A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398's known mission."

According to Mandiant, Comment Crew has for years vacuumed up the proprietary secrets of more than 100 targets, including technology blueprints, manufacturing processes, clinical trial results, pricing documents, and negotiation strategies. Of more concern, Comment Crew hackers have most recently turned their focus to computer systems used to control dams, gasoline refineries, and other critical infrastructure. One recent target is the Chertoff Group, which is headed by the former secretary of the Department of Homeland Security, Michael Chertoff. Other targets include the National Geospatial-Intelligence Agency, the National Electrical Manufacturers Association, and the Canadian arm of Telvent. As Ars reported in September, hackers compromised the company, which provides software that allows oil and gas pipeline companies to remotely monitor and control sensitive equipment.

"This is terrifying because—forget about the country—if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and do things like what happened to Telvent," Dale Peterson, who is CEO of industrial control security firm Digital Bond, told the NYT.

The article also recounts a recent attempt to compromise Digital Bond itself by purportedly sending a fraudulent e-mail from Peterson to a part-time employee. The message, which used perfect English to discuss a security weakness in industrial systems, was laced with malware that "would have given the attackers control over the employee's computer and potentially given them a front-row seat to confidential information about Digital Bond's clients, which include a major water project, a power plant, and a mining company."

The Mandiant report doesn't name the Comment Crew victims, but the NYT article recalls the 2009 hack of the Coca-Cola Company, which coincided with its failed attempt to acquire the China Huiyuan Juice Group for $2.4 billion.

"As Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company, Comment Crew was busy rummaging through their computers in an apparent effort to learn more about Coca-Cola's negotiation strategy," reporters David Sanger, David Barboza and Nicole Perlroth wrote.

The hack began with a "spear phishing" e-mail addressed to a Coca-Cola executive that included a link to a booby-trapped website. With the executive's computer infected, the attackers were able to move from machine to machine inside the company's network. The hackers then sent "confidential company files through a maze of computers back to Shanghai, on a weekly basis, unnoticed," according to the NYT.

Mandiant's report is consistent with the findings of other security firms. After Dell SecureWorks researcher Joe Stewart reverse-engineered malware used to penetrate EMC's RSA division, he discovered that most of the data that was stolen in the attack was transferred to the same range of IP addresses that Mandiant has now identified.

China is by no means alone in being fingered as a sponsor of well-funded hacks on computers in foreign countries. An array of sophisticated malware with names including Stuxnet, Flame, and Duqu has been unleashed on networks in Iran and other Middle East countries, reportedly with the support and involvement of US and Israeli military officials. US officials have long insisted they operate under strict rules that bar the use of offensive weapons for nonmilitary purposes or for stealing corporate data.
