China Cyberwarfare Evidence Now Undeniable – Mandiant

Not since the website Dark Visitor was launched by Scott Henderson has there been such an exhaustive study of China’s cyberwarfare capabilities.

The release of the report on Tuesday by Mandiant, a cyber security company, provides a detailed indictment charging the Chinese Communist Party with complicity in the creation of a cyberwarfare unit within the People’s Liberation Army (PLA) responsible for the theft of “hundreds of terabytes of data from at least 141 organizations” since 2006.

The 72-page PDF report, APT1 – Exposing One of China’s Cyber Espionage Units, traces the attacks to an office building housing PLA Unit 61398 on Datong Road in Gaoqiaozhen in the Pudong New Area of Shanghai.

The report gives some credit to two Project 2049 Institute PDF reports, The Chinese People’s Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure and China’s Electronic Intelligence Satellite Developments.

Though the 2049 reports are impressive, Mandiant demolishes Beijing’s denials of involvement in massive cyber intrusions around the world.

Clearly, Mandiant caught Beijing’s hands in the cookie jar.

Among the large-scale thefts of intellectual property data is 6.5 terabytes of compressed data taken from a single organization over a ten-month period. In the first month of 2011 alone, the Unit successfully compromised at least 17 new victims operating in ten different countries.

In the last two years, the report said the Unit established a minimum of 937 Command and Control servers hosted on 849 distinct IP addresses in 13 countries.

In over 97 percent of the 1,905 times Mandiant observed the intruders connecting to their attack infrastructure, the Unit used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language. Of the 832 IP addresses that logged into APT1-controlled systems using Remote Desktop, 817 (98%) resolved back to China. The report estimates that APT1’s current attack infrastructure includes over 1,000 servers.

Mandiant provides a video detailing how APT1 invades a system.

The report identifies three APT1 personas, including UglyGorilla, DOTA, and SuperHard. DOTA used a Shanghai phone number and SuperHard discloses its location to be the Pudong New Area of Shanghai.

“We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398.” However, the report admits another far-fetched possibility: “A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right out of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”

The report provides photos and details of Unit 61398 facilities, Chinese references discussing the unit’s training and coursework requirements, and internal Chinese communications documenting the nature of the unit’s relationship with at least one state-owned enterprise.