Published February 19, 2013
A Chinese army unit has likely orchestrated the overwhelming number of cyber attacks on U.S. companies and government agencies, according to a new report from computer security firm Mandiant.
In a 60-page study released on Tuesday, Mandiant points the finger at a group called Unit 61398 whose work is a Chinese state secret and appears to receive “direct government support.”
“It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively,” Mandiant said, explaining what will likely be a controversial decision to directly accuse a specific group of widespread hacking.
China pushed back against the accusations.
“Cyber attacks are anonymous and transnational, and it is hard to trace the origin of attacks, so I don't know how the findings of the report are credible,” Hong Lei, a spokesman at the Chinese Foreign Ministry, told reporters on Tuesday.
Hong also said China has frequently suffered from cyber attacks, with the U.S. being the top source of the incidents.
The Mandiant report traced attacks by Unit 61398 back to 2006 and found that the level of activity jumped over the past two years. The average infiltration of a network lasted about a year, though in one incident the group stayed inside for almost five years.
Mandiant said it has witnessed the group, also known as “Comment Crew” or “Shanghai Group,” conduct cyber espionage on more than 100 victims across a wide spectrum of industries, including financial services, information technology, media, legal services, food and agriculture, aerospace and metals and mining.
While the report doesn’t name specific victims of the Comment Crew, The New York Times reported the group attacked Coca-Cola (KO) in 2009 just as the beverage giant’s attempt to buy China Huiyuan Juice Group for $2.4 billion collapsed. The Chinese hackers were scouring Coke’s computers in an effort to learn more about the company’s negotiation strategy just as the two companies were discussing a deal, the paper said.
Mandiant said the “sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group in China leaves little doubt about the organization behind” the Comment Crew, which it calls APT1.
However, the report issues one other tongue-in-cheek possibility: “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”
The Mandiant report follows a string of high-profile hacking incidents in recent months, including the infiltration of the U.S. Federal Reserve, The Wall Street Journal, the Times and a series of major U.S. banks like Bank of America (BAC) and J.P. Morgan Chase (JPM).