Report Claims Hacker Group Linked To People’s Liberation Army

In the recent string of hacking attacks against American newspapers, government departments and other organizations, the difficulty of definitively attributing such actions has been a recurring theme. Chinese authorities have repeatedly denounced accusations of state-sponsored hacking on this basis. A new report (PDF) from information security firm Mandiant claims, however, that it has identified a well-known group of hackers as a unit of China’s People’s Liberation Army. The group, known as Comment Crew or APT1 (Advanced Persistent Threat 1), is said to be Unit 61398, the 2nd Bureau of the 3rd Department of the P.L.A.’s General Staff Department. Its members have reportedly stolen huge quantities of sensitive data in at least 140 separate attacks since 2006. From David E. Sanger, David Barboza and Nicole Perlroth at The New York Times:

[…] Mandiant has watched the group as it has stolen technology blueprints, manufacturing processes, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of its clients, mostly in the United States. Mandiant identified attacks on 20 industries, from military contractors to chemical plants, mining companies and satellite and telecommunications corporations.

[…] What most worries American investigators is that the latest set of attacks believed to be coming from Unit 61398 focuses not just on stealing information, but on obtaining the ability to manipulate American critical infrastructure: the power grids and other utilities.

[…] A few years ago, [U.S.] administration officials say, the theft of intellectual property was an annoyance, resulting in the loss of billions of dollars of revenue. But clearly something has changed. The mounting evidence of state sponsorship, the increasing boldness of Unit 61398, and the growing threat to American infrastructure are leading officials to conclude that a far stronger response is necessary.

“Right now there is no incentive for the Chinese to stop doing this,” said Mr. Rogers, the House intelligence chairman. “If we don’t create a high price, it’s only going to keep accelerating.”

The Mandiant report provides details of three “personas” believed to be part of APT1, “in an effort to underscore there are actual individuals behind the keyboard.” (See also Bloomberg Businessweek’s recent ‘A Chinese Hacker’s Identity Unmasked’, via CDT, on an alleged hacker identified as a teacher at a P.L.A. university.) The most dramatic of the released materials is a narrated video purportedly showing one of these hackers at work:

Searches for “Unit 61398” were quickly blocked on Sina Weibo, while a BBC team filming near the unit’s headquarters was detained and had their footage confiscated. The Telegraph’s Tom Phillips also visited the area:

Large propaganda posters are pinned to walls around the base between Shanghai’s Datong and Tonggang roads. “Everyone has the duty to defend our country and our home!” reads one poster, featuring a group of young soldiers crawling through mud.

Another poster shows a line of PLA tanks and four fighter jets and is emblazoned with the slogan: “Security and peace protects hundreds of thousands of households!”

Opposite the building identified by Mandiant is a street of hardware shops and a salon carrying a bright pink sign with the name: “Slender Beauty.”

[…] On Tuesday afternoon, a woman who identified herself as a member of ‘Unit 61398’ but refused to produce any identification reprimanded the Daily Telegraph for taking notes on a nearby street corner.

Reuters was also there, and escaped with its video intact:

Mandiant has previously drawn criticism for declining to share information with others in the security community, according to a profile at Bloomberg Businessweek earlier this month. In the report, the authors explain their reasoning for releasing their findings this time (PDF).

The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one. What started as a “what if” discussion about our traditional non-disclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk to our ability to collect intelligence on this particular APT group. It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively. The issue of attribution has always been a missing link in publicly understanding the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.

At the same time, there are downsides to publishing all of this information publicly. Many of the techniques and technologies described in this report are vastly more effective when attackers are not aware of them. Additionally, publishing certain kinds of indicators dramatically shortens their lifespan. When Unit 61398 changes their techniques after reading this report, they will undoubtedly force us to work harder to continue tracking them with such accuracy. It is our sincere hope, however, that this report can temporarily increase the costs of Unit 61398’s operations and impede their progress in a meaningful way.

We are acutely aware of the risk this report poses for us. We expect reprisals from China as well as an onslaught of criticism.

Criticism has already started to emerge. Security analyst Jeffrey Carr has written that the report contains “critical analytical flaws”: Mandiant, he argues, failed to prove that APT1 and Unit 61398 are one and the same, or to consider alternative explanations for their observations.

In summary, my problem with this report is not that I don’t believe that China engages in massive amounts of cyber espionage. I know that they do – especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room.

My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges – that there are multiple states engaging in this activity; not just China. And that if you’re going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.

When questioned about the report on Tuesday, a Ministry of Foreign Affairs spokesman issued a customary denial. From Ben Blanchard and Joseph Menn at Reuters:

“Hacking attacks are transnational and anonymous. Determining their origins is extremely difficult. We don’t know how the evidence in this so-called report can be tenable,” spokesman Hong Lei told a daily news briefing.

“Arbitrary criticism based on rudimentary data is irresponsible, unprofessional and not helpful in resolving the issue.”

Hong cited a Chinese study which pointed to the United States as being behind hacking in China.

“Of the above mentioned Internet hacking attacks, attacks originating from the United States rank first.”