Report: Chinese military engaged in 'extensive cyber espionage campaign'

  @CRrileyCNN February 19, 2013: 10:43 AM ET

A soldier in the People's Liberation Army stands watch.

HONG KONG (CNNMoney)

An American cybersecurity firm has linked one of the world's most prolific groups of computer hackers to the Chinese government, saying in a new report that an extensive cyber-espionage campaign is being waged from a location near Shanghai.

The security firm, Mandiant, detailed the allegations in a 60-page report published Tuesday that describes the group's tactics over a six-year period.

The Virginia-based Mandiant, which helps companies detect and respond to cyber threats, said it has observed the group of hackers -- called the "comment crew" -- systematically steal hundreds of terabytes of data from at least 141 organizations across 20 industries worldwide since 2006.

Mandiant claims the activity can be traced to four networks near Shanghai -- with some operations taking place in a location that is also the headquarters of Unit 61398, a secret division of China's military.

"The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind [the group]," Mandiant said. "We believe the totality of the evidence we provide in this document bolsters the claim that [the group] is Unit 61398."

Chinese foreign ministry spokesman Hong Lei dismissed the hacking charges on Tuesday, insisting that China is the victim of many cyberattacks -- most originating in the United States.

"Making baseless accusations based on premature analysis is irresponsible and unprofessional," he said. "China resolutely opposes any form of hacking activities."

Last month, the Chinese defense ministry said the country's military "has never supported any hacker activities."


The latest accusation against Beijing comes amid concerns about the breadth and depth of cyberattacks originating in China. Recently, several leading U.S. news organizations reported their computer systems had been attacked by China-based hackers.

Mandiant estimates that hundreds, and perhaps thousands, of people work within Unit 61398, which is housed in a 12-story, 130,663 square-foot facility.

Organizations in English-speaking countries are the primary victims of the comment crew -- making up 87% of the 141 attacks observed by Mandiant. Of that, 115 attacks targeted organizations in the United States.

The hackers have a "well-defined attack methodology," and Mandiant said the group has stolen large volumes of intellectual property, including technology blueprints, proprietary manufacturing processes and business plans.


The report did not list companies or agencies that have been attacked, but the comment crew is known to have attacked Coca-Cola, security firm RSA, and consultancy Chertoff Group.

The Coca-Cola (CCE, Fortune 500) hack occurred in 2009 when the beverage giant was trying to purchase China's Huiyuan Juice Group. According to reports, comment crew stole Coca-Cola's negotiation strategy along with other information about the proposed offer. The deal was scuttled just days after the hack, when the Chinese government said it could not accept the deal on antitrust grounds.

RSA was attacked by the group in 2011, which compromised the security of some of its SecurID tokens used to gain entry into corporate systems. Using information gained from the RSA hack, the group subsequently attacked aerospace and defense company Lockheed Martin (LMT, Fortune 500).

All of these attacks started the same way: via cleverly worded emails -- written in perfect English -- that appeared to be from someone inside the company. Instead, they contained malicious software designed to gain access to the corporations' networks.

Mandiant was able to pinpoint the identities of three individuals working with the group. The report identifies the hackers who use the monikers "Ugly Gorilla," "dota" and "SuperHard." It tracks their activities in an unusually detailed manner, including information on their e-mail accounts, cell phones and hacking techniques.


Government and intelligence officials in the United States are increasingly concerned about the threats posed by cybercrime, especially from government actors.

Outgoing Defense Secretary Leon Panetta said last year that a cyberattack could be crippling, citing risks to the power grid, Wall Street and the financial system.

"We are literally getting hundreds of thousands of attacks everyday that try to exploit information in various agencies and departments and frankly throughout this country," Panetta said.

In a statement, White House spokesman Tommy Vietor said the administration is aware of the Mandiant report, and is acting to negate these threats.

"The United States has substantial and growing concerns about the threats to U.S. economic and national security posed by cyber intrusions," Vietor said. "We have repeatedly raised our concerns at the highest levels about cyber theft with senior Chinese officials, including in the military, and we will continue to do so."

Earlier this month, President Obama signed an executive order designed to address the country's most basic cybersecurity needs -- and highlighted the effort in his State of the Union address.

The order will make it easier for private companies in control of the nation's critical infrastructure to share information about cyberattacks with the government. The order also directs the government to work with the private sector on standards that will help protect companies from cybercrime.


In recent weeks, The New York Times, Washington Post and Wall Street Journal have disclosed that their computer networks had been targeted by hackers in China.

The New York Times, which hired Mandiant to help mitigate the threat, reported Tuesday that the comment crew was not the source of the attack on its network.

China is not the only country believed to be involved in cyberattacks. The existence of several other state-sponsored cyberweapons has also been reported in recent years, with names like Stuxnet, Duqu and Flame. The U.S. government is widely believed to have played a role in developing some of those viruses, with an eye toward containing Iran.
