Netizens Gather Further Evidence of PLA Hacking

After China’s Ministry of National Defense denied allegations made by U.S. cyber security company Mandiant that People’s Liberation Army Unit 61398 had been conducting hacking activities against targets within the U.S. and a host of other countries, evidence in support of Mandiant’s claims quickly surfaced in the form of a 2004 PLA recruitment advertisement.

Since then, netizens have continued to point out evidence from across the Chinese Internet–including this Xinhua article from August 2008 [zh] that states PLA Unit 61398 specifically installed flooring for use in high-security environments:

Everyone knows that Anxin Flooring is a renowned brand in China’s wooden flooring industry. They entered the large-scale realty project business very early on. Plus, at the very beginning, they specialized in working with clients that had very strict standards for their building materials, such as national organs and foreign embassies. The PLA General Political Department building, the General Staff Meteorological Bureau, the General Staff Surveying and Mapping Bureau, the Unit 61587 Commander Building, the General Staff Headquarters Satellite Positioning Center Residential Building, Unit 61398, the State Administration of Taxation, the Beijing Cultural Palace of Nationalities, CNPC Overseas Staff Dormitory, the Bulgarian Embassy office building, and the Wenzhou Municipal Government building were all early buyers of Anxin flooring for major projects.

How does Anxin Flooring relate to PLA-sponsored cyber attacks? One netizen explained the correlation on his Sina blog [zh]:

Chinese netizen: Unit 61398 is most likely conducting IT-related work in their office building. There’s still a report up on the web about Anxin Flooring. The report states “army units that require very strict guidelines for their building materials, the General Staff Headquarters Satellite Positioning Center Residential Building, and Unit 61398” all used their flooring. Anxin is an American wholly foreign-owned company, and its leading product–wooden flooring–is known to protect against static electricity. Anyone in the IT industry would know that without a computer room, there would be no need for this kind of anti-static flooring.

Of course, one could argue all office buildings house computers. However, not all office buildings house PLA international relations and intelligence experts, like Colonel Zhou Jianping. An announcement for a public lecture by Zhou Jianping [zh] displays his affiliation with Unit 61398:

Public Announcement for the Pudong Forum Lecture Series

[Source: Pudong News. Published December 15, 2010]
–The Situation on the Korean Peninsula and the Border Security Environment

Topic: The Situation on the Korean Peninsula and the Border Security Environment
Lecturer: Director of the China Institute of International Relations and researcher at the Shanghai City Strategic Studies Association, Zhou Jianping.
Time: 1:30pm December 25, 2010.
Location: Pudong Library’s 600-person lecture hall

Zhou Jianping
Researcher of the People’s Liberation Army General Staff Headquarters Unit #61398, rank of Colonel. Director of the China Institute of International Relations and researcher at the Shanghai Strategic Studies Association. From 1979-2001, he taught international relations at the People’s Liberation Army Foreign Languages Institute. In 2001, he was redeployed to Shanghai to work in intelligence research.

Professor Zhou worked long-term in the field of international relations education. He is especially knowledgeable in the fields of Chinese border security and hot button issues of international relations. He has published academic articles in these fields. In recent years, his research has centered mainly on border security and the Taiwan issue. He has also conducted deep research into the fields of Sino-American relations and U.S. political, diplomatic, and strategic military issues.

There is also an academic paper published in the Journal of PLA University of Science and Technology (Natural Science Edition), coauthored by a member of Unit 61398 and titled “Novel Method to Calculate Causal Correlation Belief Values of Network Alerts.” Keywords: network security, alert correlation, attack time expense, and correlation belief. You can view the paper’s cover page, which includes an English abstract, through this link.

Chinese IT and Internet information portal Cecb2b.com reported on this paper [zh] in light of the New York Times piece:

Cecb2b Net. On February 19, The New York Times and numerous western media reported that a 60-page report released by U.S. cyber security company Mandiant linked recent cyber attacks experienced by many western media organizations with China’s People’s Liberation Army. Hackers were traced back to “the headquarters of People’s Liberation Army Unit 61398, located in a 12-story building in Pudong, Shanghai.”

Using Baidu’s literature search function, we found an article coauthored by Song Sigen of PLA Unit 61398 regarding the detection of intrusion by hackers, titled “Novel Method to Calculate Causal Correlation Belief Values of Network Alerts” (see images on Baidu Literature). The article was published in the June 2009 edition of the Journal of PLA University of Science and Technology (Natural Science Edition), volume 10 issue 3.

Translated by Little Bluegill.