A report released yesterday by security firm Mandiant again highlighted China’s programme of state-sponsored cybercrime, run through a dedicated military unit (Unit 61398), which has stolen hundreds of terabytes of data from companies in English-speaking countries. The groundbreaking report, released on Tuesday, cites highly detailed evidence for its claim that the Chinese government, through Unit 61398 of the People’s Liberation Army, has been carrying out systematic attacks on American interests, as well as those of other English-speaking nations around the globe, over the past 6 years. The report, which includes domain names, IP addresses, SSL certificates, and MD5 hashes of malicious binaries, has already caused a major political stir: the Obama administration is set to impose trade penalties for cybertheft, while the Chinese government denies any involvement.
Highlights of the report:
- APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
- APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations.
- APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
- APT1 maintains an extensive infrastructure of computer systems around the world.
- In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
- The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
- In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.
- Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.