Unmasked, but Unfazed—Chinese Hacking Group Is Still Active

An exposé of its methods and technology may not have deterred a group targeting U.S. corporate secrets.
March 1, 2013

The computer hacking group accused last week of being part of a specific unit of the Chinese military is apparently unfazed by the public attention triggered by a detailed report on its activities published by the security firm Mandiant. Another researcher tracking the group says that most of the infrastructure it had in place to carry out attacks remains in place.

“They shut down some of the infrastructure, but not much,” says Jaime Blasco, director of labs at security company AlienVault, who had been tracking the same group for several years. Blasco says that many of the group’s command-and-control servers—computers that act as relays between an attacker and the software placed inside a victim company—are still in place, and apparently active. “The group will not change much, because it works—they have been using the same infrastructure for years,” he says.

A spokesperson for Mandiant turned down a request to speak about the company’s latest information on the activity of the group (which is known as Advanced Persistent Threat 1, or APT1), saying only that some command-and-control servers had been seen to go offline.

Mandiant’s 60-page report was the most detailed public allegation yet that the Chinese military infiltrates companies in the U.S. and elsewhere. Other companies have made similar claims, but Mandiant, based in Washington, D.C., identified a specific army unit and even a specific office building in Shanghai’s suburbs as the origins of numerous attacks. Senator Dianne Feinstein, chair of the Senate Intelligence Committee, told MSNBC that the report was “essentially correct.”

Chinese officials have denied any link to what Mandiant and others have uncovered about the group, and all previous accusations of similar activity, such as those made by Google after it was breached by attackers looking for the e-mail accounts of Chinese dissidents (see “Google Reveals China Espionage Efforts”).

Aviv Raff, chief technology officer of Israeli security company Seculert, says that it wouldn’t be surprising for the group Mandiant calls APT1 to continue as usual despite the headlines about them. Some of their attacks and techniques had already been described publicly, he says. “I think this specific group doesn’t really care; we heard about these attacks for a long time,” says Raff.

A brazen response by attackers to the public discovery and detection of their technology and tactics is not unheard of. An attack known as Mahdi, discovered by researchers at Seculert and elsewhere last August (see “Bungling Cyber Spy Stalks Iran”), remains active, says Raff.

However, more sophisticated—if less prolific—groups believed to be backed by nation-states have been seen to change tactics after being exposed. “Red October went down quickly after it became public knowledge,” says Raff, referring to a large and apparently long-running campaign uncovered by Russian security firm Kaspersky in January and tracked by Seculert.

Sykipot, a campaign even more sophisticated than APT1 that targeted the U.S. defense sector and is also believed to originate in China, has since gone quiet, says Blasco, who tracked it closely. “It has been out for three to four years, and they have been adding new features and command and control infrastructure,” he says. “I lost the trail six months ago, and most of the command-and-control servers we knew are down.”

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.