When the New York Times reported last month that hackers had infiltrated its computer systems, it was pretty sure they were with the Chinese military, but beyond that it didn’t really identify them. That changed on Monday night, when the Times ran a massive report tracing the hackers to a building outside Shanghai, which houses Unit 61398 of the People’s Liberation Army. That unit is thought to house the hacking outfit known in computer security circles as “Comment Crew” or “Shanghai Group,” thought to be responsible for much of China’s alleged cyber-attacks since 2006. The Times based its story largely on a 60-page study from Mandiant, the security firm it hired to fight off the the attacks that followed its expose on the family wealth of outgoing Chinese Prime Minister Wen Jiabao. Not only did Mandiant trace the likely infiltrators of the Old Gray Lady, it found Comment Crew was behind hundreds of attacks on U.S. companies, focusing increasingly “on companies involved in the critical infrastructure of the United States — its electrical power grid, gas lines and waterworks.” Nervous yet?
The Chinese government maintains that it does not engage in hacking, which is illegal, and said China itself was a victim of hackers. But Mandiant is confident enough in the evidence it has gathered, including IP addresses located near Unit 61398’s headquarters, unique malware and web domains used repeatedly by hackers, and even video of hackers at work (below), that it brushed off China’s denial quite glibly:
“Either [the attacks] are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
If not Unit 61398, the report concludes sarcastically, the hacks are coming from “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure that is engaged in a multiyear enterprise-scale computer espionage campaign right outside of Unit 61398’s gates.”
We even get to meet a couple of the individual hackers, including one identified as “DOTA,” whose job is to set up fake e-mail addresses for spear-phishing attacks, and who was tracked “using a password that appeared to be based on his military unit’s designation.” DOTA is also apparently a Harry Potter fan, frequently setting security questions to the values “Harry” and “Potter,” the report found.
Because this is all about security, most of the hacking victims want to remain anonymous, so we don’t get to learn many specifics about who the infrastructure-related attacks targeted. But one security firm that represents such companies, Digital Bond, identified an e-mail with a malicious link that would have given hackers “a front-row seat to confidential information about Digital Bond’s clients, which include a major water project, a power plant and a mining company.”
If you want to see what hacking looks like, Mandiant released this handy video: