Highly ALERT: Chinese Military Behind U.S. Cyber Attacks

A large and complex hacker group connected to China's military has been linked to hacks involving more than 100 companies in the U.S. and the theft of several hundreds of terabytes of data, according to a comprehensive report released Tuesday that unabashedly blames China for some of the largest hacks detected in recent years.
The group, known as the Comment Crew and APT1, operates out of a 12-story office tower in the Pudong New Area of Shanghai, and is said to be part of Unit 61398, a unit of the People's Liberation Army that has a staff of hundreds and perhaps thousands of hackers who have systematically stolen valuable data from U.S. firms since at least 2006 using the resources of state-owned enterprises, such as China Telecom, to conduct the attacks, according to Mandiant, the computer security firm that released the detailed 76-page report.

"The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind APT1," Mandiant writes in its report. "We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398."

According to Mandiant, senior leaders of the Communist Party of China are directly responsible for tasking China's military with committing systematic cyberespionage and data theft against organizations around the world, and Unit 61398 aggressively recruits new talent from the science and engineering departments of universities in China to conduct the activities.


A chart showing the hierarchical structure of China's hacking apparatus. Courtesy of Mandiant
Victims have included the security firm RSA, Coca-Cola and the maker of equipment used in critical infrastructure systems. Multiple industries have been targeted, including the aerospace and high-tech electronics industries as well as transportation, financial services, satellite and telecommunications, chemical, energy, media and advertising and food and agriculture.

But there are concerns that instead of just stealing data, the group may be targeting critical infrastructure systems with the aim of planting malware to conduct sabotage.

One of the most recent hacks attributed to the group involved Telvent Canada, a maker of control software used in the smart grid. According to the company, which is owned by Schneider Electric, the attackers installed malicious software on its network and also accessed project files for its OASyS SCADA system, which is heavily used in oil and gas pipeline systems in North America, as well as in some water system networks.

The breach raised concerns that the hackers could embed malware in project files to infect the machines of program developers or other key people involved in a SCADA project. One of the ways that Stuxnet spread — the worm that was designed to target Iran's uranium enrichment program and was reportedly designed by the U.S. and Israel — was to infect project files in an industrial control system made by Siemens, with the aim of passing the malware to the computers of developers.

Though Mandiant doesn't name victims in its report, The New York Times attributes a hack of Coca-Cola in 2009 to the group. The attack occurred while the beverage giant was attempting to acquire the China Huiyuan Juice Group for $2.4 billion.

"As Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company, Comment Crew was busy rummaging through their computers in an apparent effort to learn more about Coca-Cola's negotiation strategy," the paper reports.

The hackers are responsible for engaging in prolonged breaches of victim networks that last months and in some cases years, during which they have stolen technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists.

The average hack has lasted 356 days, but in one case a victim was compromised for four years and 10 months. One victim lost 6.5 terabytes over a 10-month period.

The hackers used tried-and-true techniques that involve sending aggressive spear phishing emails to victims and using custom digital weapons to gain a foothold on systems and establish communication with a command-and-control server before they begin exporting data.

"They employ good English — with acceptable slang — in their socially engineered emails," Mandiant writes. "They have evolved their digital weapons for more than seven years, resulting in continual upgrades as part of their own software release cycle. Their ability to adapt to their environment and spread across systems makes them effective in enterprise environments with trust relationships."

Read More: http://www.wired.com/threatlevel/2013...