China PLA Linked To Major Hacker Collective

The Chinese government knows about and may be backing a major hacking group known as APT1, which appears to be part of the nation’s People’s Liberation Army (PLA), it has been claimed.

APT1, one of more than 20 APT groups with origins in  China, has been carrying out sophisticated attacks on an array of targets since 2006, said security company Mandiant, which worked with the New York Times when the media body was hit, supposedly by Chinese hackers.

It is “one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen”, Mandiant said in its report.

PLA hackers?

“The details we have analysed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them,” it added.

The company has seen nearly 150 victims over seven years, tracking the attackers back to four large networks in Shanghai.

It has also identified links with China’s PLA. “Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.

“In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.”

According to Mandiant, China Telecom has provided special fibre connections for the unit. The unit has been busy pilfering “hundreds of terabytes” of data, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements and emails, the security firm said.

The group is said to be targeting English-speaking nations also. Five of the targets are believed to be from the UK. “Of the 141 APT1 victims, 87 percent of them are headquartered in countries where English is the native language,” the report read.

APT1 maintained access to the victim’s network for an average of 356 days, targeting a wide range of industries, from IT and aerospace firms to entertainment and financial services.

Additionally, it appeared the unit was recruiting heavily from local educational institutions, such as the Harbin Institute of Technology and Zhejiang University School of Computer Science and Technology. The division also seems to employ hundreds, possibly thousands, the US firm said.

Despite its claims, Mandiant there was one other “unlikely” scenario – that a group with similar attributes and whereabouts to the PLA unit is carrying out major corporate espionage without the Chinese government’s knowledge.

“We are acutely aware of the risk this report poses for us. We expect reprisals from China as well as an onslaught of criticism,” Mandiant added.

TechWeekEurope has not yet had a response from the Chinese Embassy in London to a request for comment on the matter. China has repeatedly denied accusations it is sponsoring hacks on US companies, even though various media bodies have recently pointed the finger at the Asian superpower, as did Google following the Aurora attacks of 2010, in which the tech giant was hit.

Are you a security expert? Try our quiz!