A beige office block in Shanghai’s suburbs belonging to the Chinese army became world famous on Tuesday after Mandiant, a Washington-based computer security company, released a 60-page report alleging that it houses a group routinely stealing information from U.S. companies. While there’s no direct proof that the Chinese army sponsors the campaign, one thing the report makes clear is that the people carrying it out weren’t the slickest of operators.
The group often didn’t bother to hide where a network was being infiltrated from. Mandiant’s investigators caught attackers logging into Facebook, Twitter, and Gmail accounts using the computers they had attacked, and then stole the hackers’ passwords.
Mandiant’s report comes a week after President Obama announced a new effort to defend the U.S. against computer attacks that he said were being used to steal corporate secrets and even lay the groundwork for sabotage of energy infrastructure (see “Obama Announces Plan to Shore Up Cyber Defenses”). Mandiant reports that the group it tracked, dubbed APT1, has stolen hundreds of terabytes of sensitive commercial data from at least 141 companies since 2006, and also breached Telvent, a Canadian company whose software is used to remotely manage energy infrastructure. Mandiant alleges that APT1 is part of Unit 61398 of the Chinese army, and is engaged in a campaign to perform industrial espionage to aid Chinese companies and gather intelligence that could be used for computer-based attacks against U.S. energy infrastructure. Most victims were in the U.S. but companies in Canada, the U.K., South Africa, and Israel were also targeted.
Mandiant, which helps companies respond to targeted attacks on and infiltration of their computer networks, bases its claims on information from many cases involving the APT1 group over the past six years. In many cases, Mandiant employees covertly watched APT1 operatives at work inside victims’ computers.
Many tactics discovered that way seem poor choices for a group whose work depends on avoiding detection. Operatives were seen to routinely log into Facebook, Twitter, and Gmail accounts using their victims’ computers.
Those accounts were primarily used to send out spoof e-mails used to trick people into installing malicious software used to breach new systems. Watching that—and stealing the passwords—provided valuable evidence that linked together attacks made on different companies. It even allowed Mandiant to infer the existence of several distinct online personas, assumed to represent particular members of APT1.
Mandiant explains this risky tactic as being used to sidestep the restrictions of China’s Internet censorship system, which blocks access to Facebook and many other western sites. (The company hasn’t explained why computer security experts working for the army on covert missions wouldn’t be provided with alternative ways around China’s “great firewall.” Many tourists and business visitors to China use commercial VPN services to avoid Chinese Internet censorship.)
Mandiant also found evidence that a member of the APT1 team was using an online identity—UglyGorilla—that he or she had used for years online. Google searches revealed that the handle had been used in 2004 on a Chinese army online Q&A session, asking “Does China have cyber troops?”
That the APT1 group often made little apparent effort to hide its physical location provides the main underpinning of Mandiant’s claim that the group was, in fact, part of Unit 61398, and inside that newly famous office block. The company says that many clues point toward the Pudong New Area, a suburb of Shanghai where, Mandiant says, the Chinese army building is the only significant facility with high-grade communications infrastructure.
The attackers sometimes didn’t bother to use methods that could hide the IP address—a number unique to every Internet-connected computer—being used to access systems compromised by the group, Mandiant claims. IP addresses collected as a result and by reverse-engineering the IP-hiding tools when they were used were associated with Shanghai and the Pudong New Area. Web domain names used by the group were also found to be registered to addresses and phone numbers in those areas.
Both types of clue could have been better hidden or obfuscated relatively easily. Domain registration data is not checked for accuracy when registering a domain. The APT1 group did use tools that cloud the true originating IP of Internet data, but they were not used all of the time.
Many techniques could have made the group’s operations more covert, says Dmitri Alperovitch, a cofounder and chief technology officer of security startup company Crowdstrike, which is working on new ways to detect and deceive attackers like those used by the APT1 group. Alperovitch helped lead the investigation into the Aurora attacks that originated in China and breached U.S. companies including Google (see “Google Reveals Chinese Espionage Efforts”). However, sloppy operational security doesn’t rule out Unit 61398, he says. “That is very common with Chinese actors, including those tied to the PLA [People’s Liberation Army],” he says, “probably because they don’t much care if they get caught.” Alperovitch says that his company has identified other units in the Chinese army carrying out attacks similar to those by APT1.
Chinese officials have denied their country has any link to the operations described by Mandiant, without offering specific counters to the points raised by the company. Jeffrey Carr, founder of computer security analysts Taia Global and author of the book Inside Cyber Warfare, believes those protestations may be true. He doesn’t doubt that China’s army carries out computer-based attacks and surveillance, but believes it would operate more professionally than APT1 does.
“Sophisticated is a very loosely used term,” he says of Mandiant’s labeling of the attacks. “I don’t believe that the Chinese military or their intelligence services would use such obvious methods and be so frequently found out,” he says. “If the Chinese government really was behind all of the attacks that Mandiant claims, they’re terrible at it.”