Second PLA Unit Implicated in Online Spying

After the U.S. Justice Department identified and indicted five People’s Liberation Army officers for economic espionage last month, California-based security firm CrowdStrike has released a report implicating a second unit of the Chinese military in intrusions aimed at trade and military secrets. From the New York Times:

The report, parts of which The New York Times was able to corroborate independently, ties attacks against dozens of public and private sector organizations back to a group of Shanghai-based hackers whom CrowdStrike called Putter Panda because they often targeted golf-playing conference attendees. The National Security Agency and its partners have identified the hackers as Unit 61486, according to interviews with a half-dozen current and former American officials.

[...] Unit 61486, researchers say, in some instances shared computing resources and communicated with members of Unit 61398, the P.L.A. unit whose members were the focus of last month’s indictments.

[...] CrowdStrike’s forensic investigation revealed that members of Unit 61486 took steps to hide their origins — by using compromised foreign websites to launch their attacks, for instance — but left behind digital traces of their identities and whereabouts. The report does not name the companies that were targeted because of confidentiality agreements CrowdStrike has with clients.

The hackers’ tools were developed during working hours in Chinese time zones, researchers say, and Internet records show that in one case hackers used the same I.P. address as members of Unit 61398 to launch their attacks. The use of that address for simultaneous attacks suggests cooperation between Unit 61398 and Unit 61486, said Adam Meyers, CrowdStrike’s head of threat intelligence. [Source]
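The "working hours in Chinese time zones" finding rests on a standard attribution technique: the PE/COFF header of every Windows executable carries a 32-bit `TimeDateStamp` written by the linker, and a large enough set of samples from one tool chain clusters around the developers' local business day. The script below is an added illustration of that technique, not code from CrowdStrike's report or from the Times; the sample timestamps are constructed for this example at UTC+8 business hours, and the helper names (`pe_timestamp`, `best_fit_offset`, and so on) are this example's own.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Hours treated as the working day (09:00-17:59) and weekdays 0-4 (Mon-Fri).
WORK_HOURS = range(9, 18)


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp from a PE image (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return struct.unpack_from("<I", data, pe_off + 8)[0]


def working_hours_fraction(stamps, utc_offset_hours: int) -> float:
    """Fraction of build timestamps that fall in the working day at a given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = sum(
        1 for ts in stamps
        if (dt := datetime.fromtimestamp(ts, tz)).weekday() < 5 and dt.hour in WORK_HOURS
    )
    return hits / len(stamps)


def hour_histogram(stamps, utc_offset_hours: int) -> Counter:
    """Build count per local hour of day; useful to eyeball the lunch-break dip."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(datetime.fromtimestamp(ts, tz).hour for ts in stamps)


def best_fit_offset(stamps, candidates=range(-12, 15)) -> int:
    """UTC offset whose working day best explains the timestamps (ties go to the smaller |offset|)."""
    return max(candidates, key=lambda off: (working_hours_fraction(stamps, off), -abs(off)))


def constructed_samples():
    """Constructed data: ten business days of builds at UTC+8, five builds a day. Not real samples."""
    cst = timezone(timedelta(hours=8))
    start = datetime(2014, 3, 3, tzinfo=cst)   # a Monday
    stamps = []
    for day in range(12):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:
            continue
        for hour in (9, 10, 14, 16, 17):
            stamps.append(int(d.replace(hour=hour, minute=13).timestamp()))
    return stamps


def constructed_pe_header(ts: int) -> bytes:
    """Minimal constructed DOS stub + PE signature + COFF header carrying the given TimeDateStamp."""
    hdr = bytearray(0x40 + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x14C, 1, ts)       # Machine=i386, 1 section, TimeDateStamp
    return bytes(hdr)


if __name__ == "__main__":
    stamps = constructed_samples()
    stamps.append(pe_timestamp(constructed_pe_header(stamps[0])))  # round-trip one header
    for off in (0, 8, 9):
        print(f"UTC{off:+d}: {working_hours_fraction(stamps, off):.2f} in working hours")
    print("best-fit offset:", best_fit_offset(stamps))
    print("hours at best fit:", sorted(hour_histogram(stamps, best_fit_offset(stamps)).items()))
```

Two caveats a practitioner would attach to any such result: the field is trivially forged or zeroed (some linkers and reproducible-build pipelines write a fixed value, and an operator can patch it), so only the aggregate distribution across many samples carries weight, and a +8 fit is consistent with every country in that zone, not with a specific unit. CrowdStrike's attribution in the report combines this with the shared infrastructure and identity traces described in the article.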

The Times also quotes a CrowdStrike founder alleging that units 61398 and 61486 are merely “the very tip of the iceberg.” As was the case after charges were brought last month, China’s Foreign Ministry has denied the new allegations and drawn attention to the U.S.-sponsored surveillance programs revealed one year ago by former NSA contractor Edward Snowden. This is the latest instance of back-and-forth between Washington and Beijing over state-sponsored espionage. Washington’s allegations rest on a distinction between gathering intelligence for economic advantage, which the DOJ alleges the PLA is involved in, and gathering intelligence for national security, in which the NSA no doubt engages. Beijing does not place as much importance on this distinction as Washington does.

Just after the U.S. Justice Department announced charges against the five alleged members of PLA Unit 61398, it was reported that Beijing had banned Windows 8 from all government computers. Last week, CCTV, China’s state broadcaster, aired a report claiming that the operating system allowed the company to harvest data on Chinese society “more precise and up-to-date than that collected by our National Bureau of Statistics,” and alleging that the tech company had worked with Washington on data gathering. Microsoft responded on its official Weibo account. Neowin provides a translation:

  1. Microsoft has never assisted any government in an attack of another government or clients.
  2. Microsoft has never provided any government the authority to directly visit our products or services.
  3. Microsoft has never provided any so-called “Backdoor” into its products or services.
  4. Microsoft has never provided the data or info of our clients to the U.S. Govt. or National Security Agency.
  5. Microsoft has never concealed any requests from any government for information about its clients.

These claims attack all of the key points China has made about Windows 8 and Microsoft’s alleged cooperation with the US government. [Source]

Coverage from the Wall Street Journal puts the Windows 8 ban into the broader context of U.S.-China sparring, Beijing’s desire to lessen reliance on foreign tech products, and the heavy use of pirated software in China:

The decision to ban procurement of Windows 8 came more than a month after Microsoft officially pulled the plug on providing support for its aging but widely installed Windows XP software. Still, it patched a security hole for Microsoft’s Internet Explorer browser for XP users in the weeks after the announcement.

Companies like Microsoft could face further backlash in China. The U.S. and China have clashed in recent weeks after the U.S. indicted five officers in the People’s Liberation Army on allegations of cyberespionage. In response, China said it would more closely scrutinize imported Internet technology for threats it might pose to national security.

China has long had the stated goal of weaning itself off foreign-produced technology. Experts say friction following Mr. Snowden’s leaks has already hurt sales for companies like Cisco Systems Inc. and International Business Machines Corp.

Still, China lacks know-how in specialized areas such as software, high-end servers and certain types of mission-critical equipment, experts say. [...]

[...] Microsoft is trying to push more Chinese users to switch to a licensing system for Windows that operates from servers, hoping that will help it cut down on the rampant piracy of its operating system in China. [Source]