China has been blamed for cyberattacks on every major industrial base in the United States—and even in some corners for the Super Bowl blackout. But most of it has been rampant speculation coupled with the lacing together of a number of loose ends. Examples of the kind of direct attribution to the People’s Liberation Army (PLA) presented in a report today by security company Mandiant have been rare.
Mandiant’s expose on the Comment Crew, responsible it said for infiltrations against 141 organizations in 20 industries—most of them located in English-speaking nations—reveals a seven-year operation focused on stealing terabytes of secret data ranging from intellectual property, test results, technology blueprints, as well as personal and corporate information such as email messages and contact lists. The report goes so far as to out three specific individuals involved, and the building and neighborhood where the gang operates.
The report also comes at a time when there is increased chatter from policymakers in Washington about Chinese hacking activity, its impact on the U.S. economy, and how it is, in part, the basis for China’s rapid economic growth. Last week’s executive order from President Barack Obama, which outlined a number of voluntary information-sharing initiatives between the public and private sector, was directed at a number of critical infrastructure industries that are favorite targets of the China described in the Mandiant report.
“The issue of attribution has always been a missing link in publicly understanding the landscape of APT cyber espionage,” the report said. “Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.”
Mandiant said it has been monitoring the activity of this particular group, which it labeled APT1, since 2006. It gathered enough evidence to link APT1 to the 2nd bureau of the PLA General Staff Department’s (GSD) 3rd Department, also known as Unit 61398, a group whose work is considered a state secret. The unit is staffed by specialists who skilled in English linguistics, as well as cover communications, network security, operating system internals and digital signing processes. Recruits primarily are plucked from a pair of universities, the Harbin Institute of Technology and Zhejiang University School of Computer Science and Technology.
As for the building in which the group operates, it’s a technological powerhouse, the report said. Located in the Pudong New Area of Shanghai, hundreds up to 2,000 work in the 12-story building which was wired with a special fiber optic communication infrastructure installed by China Telecom under special national defense orders, the report said.
The group’s specialty is persistence; using an arsenal of 42 families of backdoor malware and a nest egg of stolen credentials, they were able to keep access to victim networks on average up to a year without detection. The longest was four years and 10 months, Mandiant said, adding that data theft and pivoting about compromised networks was nonstop as long as access was maintained. Most of the victims were in the U.S., U.K., and Canada and businesses and government agencies that conduct business in English. The group stole indiscriminately from victims across the board in terms of industry type. Attacks were carried out against IT companies, aerospace, satellites and telecommunications, scientific research, energy, transportation, among many others related to specific strategic priorities listed by the Chinese. Attacks ramped up in 2011 in particular when 17 new victims were compromised from 10 industries; each was accessed simultaneously and in one case, 6.5 terabytes of data was stolen during a 10-month period.
“The results suggest that APT1’s mission is extremely broad; the group does not target industries systematically, but more likely steals from an enormous range of industries on a continuous basis,” the report said.
Mandiant said it was able to cement the connection between APT1 and the Chinese because the attackers were forced by censorship measures in China to log into social media accounts such as Facebook and Twitter directly from their attack infrastructure. This, Mandiant said, helped simplify attribution.
Attacks attributed to Comment Crew follow a lifecycle typical to other APT actors, starting with a spear-phishing campaign that gives the attackers an initial foothold to start installing backdoors for communication with command and control servers. Credentials are stolen using publicly available password cracking tools enabling the attacker to pivot from system to system gaining access to shared resources and dropping more backdoors, further strengthening network persistence. All the while, data is accessed, archived and moved off the network disguised as normal network traffic over HTTP. Mandiant also noticed a number of custom tools in play, including two targeting email messages on Exchange Servers and PST messages archived in Outlook.
Mandiant was able to observe APT1’s command and control infrastructure and map locations to IP addresses in 13 countries. It said that in almost all instances where Comment Crew members connected to C&C, they were doing so with IP addresses registered in Shanghai and using systems set to Simplified Chinese language keyboard layouts over the Microsoft Remote Desktop client.
“The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind APT1,” the report said. “We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398.”