BEIJING — A U.S. security firm has tied more than a hundred cyberattacks on U.S. corporations to China’s military, according to a report released Tuesday.
The 60-page study by investigators at the Alexandria-based Mandiant security firm presents one of the most comprehensive and detailed analyses to date tracing corporate cyber-espionage to the doorstep of Chinese military facilities. And it calls into question China’s repeated denials that its military is engaged in such activities.
The document, first reported by the New York Times, draws on data Mandiant collected from 147 attacks over seven years that it traced back to a single group it designated “APT1,” which Mandiant has now identified as a military unit within the 2nd bureau of China’s People’s Liberation Army General Staff Department’s 3rd Department, going by the designation “Unit 61398.”
The Chinese military has repeatedly denounced such accusations, and did so again Tuesday. “Similar to other countries, China faces serious threats from cyberattack and is one of the main victims of cyberattacks in the world,” the Ministry of Defense said. “The Chinese army never supported any hacking activities. The accusation that the Chinese military engaged in cyberattacks is neither professional nor in accordance with facts.”
China’s Ministry of Foreign Affairs spokesman Hong Lei on Tuesday also challenged the report’s findings. “Hacking attacks are transnational and anonymous,” Hong said. “Determining their origins are extremely difficult,” he said. “We don’t know how the evidence in this so-called report can be tenable.”
Mandiant investigators said they based their conclusion in part on tracing an overwhelming number of cyberattacks by the APT1 group to networks serving a small area on the edges of Shanghai — the same area where Unit 61398 is believed to be operating in a 12-story building. Mandiant also found evidence that China Telecom had provided special high-speed fiber optic lines for those headquarters in the name of national defense.
The only alternative explanation to military involvement, Mandiant argues in the report, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates.”
Other security experts have also traced cyberattacks to China in the past. In one instance, documented by Bloomberg News reporters last week, a malware expert at Dell SecureWorks and other security experts traced cyberattacks to a man named Zhang Changhe teaching at the Chinese military academy, PLA Information Engineering University.
Along with Tuesday’s report, Mandiant included lengthy descriptions of the group’s past methods and more than 3,000 indicators to help others bolster their defenses against the unit’s tactics.
The company explained its rationale, saying its leaders decided that the benefits of exposing the military unit’s activity and pinning responsibility squarely on China now outweighed the usefulness of keeping silent.