Tuesday, February 19, 2013

Mandiant: China's Cyber Espionage Led by PLA Unit in Shanghai

A highly publicized report from Mandiant, a security consulting firm based in Arlington, Virginia, links cyber attacks on over 140 U.S. corporations to a specific unit of China's People's Liberation Army.


The report, called "APT1: Exposing One of China's Cyber Espionage Units," details how the PLA's Unit 61398 systematically carried out spear-phishing attacks and stole confidential data from leading companies across multiple industries. Mandiant claims the widespread attacks are ongoing.

In addition to describing the methodology of the attacks, the Mandiant report provides domain names, MD5 hashes of malware and X.509 encryption certificates associated with the attackers.

Some highlights of the widely-cited Mandiant report:
  • APT1 has systematically stolen hundreds of terabytes of data
  • APT1 is believed to have dozens, if not hundreds, of human operators.
  • APT1 maintains an extensive infrastructure of computer systems around the world.
  • In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
  • Mandiant observed APT1 establish a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries. The majority of these 849 unique IP addresses were registered to organizations in China (709), followed by the U.S. (109).