A large and complex hacker group connected to China’s military has been linked to hacks involving more than 100 companies in the U.S. and the theft of several hundreds of terabytes of data, according to a comprehensive report released Tuesday that unabashedly blames China for some of the largest hacks detected in recent years.
The group, known as the Comment Crew and APT1, operates out of a 12-story office tower in the Pudong New Area of Shanghai, and is said to be part of Unit 61398, a unit of the People’s Liberation Army that has a staff of hundreds and perhaps thousands of hackers who have systematically stolen valuable data from U.S. firms since at least 2006 using the resources of state-owned enterprises, such as China Telecom, to conduct the attacks, according to Mandiant, the computer security firm that released the detailed 76-page report.
“The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind APT1,” Mandiant writes in its report. “We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398.”
According to Mandiant, senior leaders of the Communist Party of China are directly responsible for tasking China’s military with committing systematic cyberespionage and data theft against organizations around the world, and Unit 61398 aggressively recruits new talent from the science and engineering departments of universities in China to conduct the activities.
Victims have included the security firm RSA, Coca-Cola and the maker of equipment used in critical infrastructure systems. Multiple industries have been targeted, including the aerospace and high-tech electronics industries as well as transportation, financial services, satellite and telecommunications, chemical, energy, media and advertising and food and agriculture.
But there are concerns that instead of just stealing data, the group may be targeting critical infrastructure systems with the aim of planting malware to conduct sabotage.
One of the most recent hacks attributed to the group involved Telvent Canada, a maker of control software used in the smart grid. According to the company, which is owned by Schneider Electric, the attackers installed malicious software on its network and also accessed project files for its OASyS SCADA system, which is heavily used in oil and gas pipeline systems in North America, as well as in some water system networks.
The breach raised concerns that the hackers could embed malware in project files to infect the machines of program developers or other key people involved in a SCADA project. One of the ways that Stuxnet spread — the worm that was designed to target Iran’s uranium enrichment program and was reportedly designed by the U.S. and Israel — was to infect project files in an industrial control system made by Siemens, with the aim of passing the malware to the computers of developers.
Though Mandiant doesn’t name victims in its report, The New York Times attributes a hack of Coca-Cola in 2009 to the group. The attack occurred while the beverage giant was attempting to acquire the China Huiyuan Juice Group for $2.4 billion.
“As Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company, Comment Crew was busy rummaging through their computers in an apparent effort to learn more about Coca-Cola’s negotiation strategy,” the paper reports.
The hackers are responsible for engaging in prolonged breaches of victim networks that last months and in some cases years, during which they have stolen technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists.
The average hack has lasted 356 days, but in one case a victim was compromised for four years and 10 months. One victim lost 6.5 terabytes over a 10-month period.
The hackers used tried-and-true techniques that involve sending aggressive spear phishing emails to victims and using custom digital weapons to gain a foothold on systems and establish communication with a command-and-control server before they begin exporting data.
“They employ good English — with acceptable slang — in their socially engineered emails,” Mandiant writes. “They have evolved their digital weapons for more than seven years, resulting in continual upgrades as part of their own software release cycle. Their ability to adapt to their environment and spread across systems makes them effective in enterprise environments with trust relationships.”
Forensic investigators at Mandiant uncovered a complex infrastructure backing the operation that involves 937 command-and-control servers hosted in 13 countries and an arsenal of more than 40 families of malware. The vast majority of IP addresses used for the servers were registered to organizations in China.
Mandiant says the operation likely includes linguists, open source researchers responsible for investigating victims, malware and exploit writers, and industry experts and translators who are responsible for communicating requests to the hackers and analyzing data stolen from victims.
In its report, Mandiant identified three specific individuals who are part of the hacking group — hackers known as UglyGorilla, DOTA, and SuperHard. UglyGorilla has been responsible for registering domains used in the attack and writing malware. DOTA has been traced to e-mail accounts that were used in spear phishing attacks against victims. SuperHard is described as a “significant contributor” in the creation of malware used by the group.
Mandiant identified domain names, IP addresses, and MD5 hashes of malware used by the group so that system administrators can take steps to block malicious activity identified with the group.
Although China has long been suspected of engaging in systematic hacking and espionage against Western countries, attribution is difficult to determine definitively in computer intrusions, and many have been reluctant to publicly point a finger at China or other specific nation-state actors. That changed in 2010, after Google was hacked and accused the Chinese government of being behind the attack, which focused on obtaining access to the Gmail accounts of Tibetan activists as well as Google’s source code. Following that hack, the U.S. government took the unprecedented move of publicly condemning China for the breach, which China denied.
Mandiant discussed its decision to publish a report definitively identifying China as the culprit behind such hacks.
“The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one,” the company writes. “What started as a ‘what if’ discussion about our traditional non-disclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk to our ability to collect intelligence on this particular APT group. It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.”
“Without establishing a solid connection to China,” Mandiant notes, “there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.”
At the same time, Mandiant said it was “acutely aware” of the risks in publishing its report, since revealing the tactics of the attackers will lead them to change their techniques, thus making it harder to track them in the future. “We expect reprisals from China as well as an onslaught of criticism [from other security professionals],” Mandiant noted.
“When Unit 61398 changes their techniques after reading this report, they will undoubtedly force us to work harder to continue tracking them with such accuracy,” the report states. “It is our sincere hope, however, that this report can temporarily increase the costs of Unit 61398’s operations and impede their progress in a meaningful way.”
Chinese Military Group Linked to Hacks of More Than 100 Companies