China military unit behind many hacking attacks on U.S., cybersecurity firm says
Updated 5:39 PM ET
A shadowy unit of China's vast army, tucked away in a nondescript office building in the thriving business hub of Shanghai, is behind a huge proportion of the hacking attacks on U.S. websites, according to an American cybersecurity firm.
Mandiant released a detailed 60-page report (PDF) Tuesday claiming its "research and observations indicate that the Communist Party of China is tasking the Chinese People's Liberation Army to commit systematic cyber espionage and data theft against organizations around the world."
The report says Mandiant tracked thousands of computer attacks on U.S. companies and organizations, starting in 2006 and rapidly increasing right into this year, to one specific neighborhood in Shanghai. Mandiant found that a vast majority of the attacks were coming from one group of hackers, dubbed by the company "Advanced Persistent Threat 1", or APT1.
"We ran into APT1 again and again and again, so we started observing and orienting toward APT1 just because of the volume of attacks they were doing," Mandiant founder and chief executive Kevin Mandia told The New York Times. "After responding to APT1 for years, at over 100 different organizations, you start to pick up patterns ... over 98 percent of the time, when they were doing their intrusions in the U.S. companies, they were also using computer addresses from Shanghai. So I called 98 percent not an anomaly."
Researching the attacks led Mandiant to a tall building on the outskirts of Shanghai, with satellite dishes on the top and a secure perimeter, which houses Unit 61398 of the People's Liberation Army.
"In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate."
- The "Cold War for the next generation"
- U.S. getting cyber-robbed "every single day"
- U.S. weighs action against Beijing after cyberattacks
Mandia told The Times that his company's open-source research showed Unit 61398 is "chartered with hiring people that can speak English, and be able to exploit networks, and know computer security. We thought that was an interesting combination, and that unit just so happens to be located in the same region of Shanghai where we're tracking over 90 percent of the connections coming from."
The report cites an internal 2008 memo from China's state-controlled telecommunications company, China Telecom, purportedly found online by Mandiant. The document appears to detail some of the infrastructure installation at the Unit 61398 building. The author of the memo advises his or her colleagues at the regional branch of China Telecom that the PLA "also hope Shanghai Telecom will smoothly accomplish this task for the military based on the principle that national defense construction is important."
China has repeatedly denied any government involvement in computer hacking.
"Chinese law forbids hacking and any other actions that damage Internet security," a statement from the Defense Ministry said early this year. "The Chinese military has never supported any hacking activities. Cyberattacks are characterized by being cross-national and anonymous. To accuse the Chinese military of launching cyberattacks without firm evidence is not professional and also groundless."
Talking to journalists Tuesday, Foreign Ministry spokesman Hong Lei responded to the report, according to The Associated Press: "To make groundless accusations based on some rough material is neither responsible nor professional." He also said that China, too, has been a target of hackers.
The report comes on the heels of warnings from U.S. lawmakers -- and from Mandiant itself -- that Chinese hackers have been behind a startling wave of cyber attacks on U.S. entities.
Rep. Mike Rogers, R-Mich., who has co-authored cyber security legislation pending in Congress, said in a panel discussion on "Face the Nation" earlier this month that hackers are intent "every single day" on "shutting down our financial services or finding other ways to destroy material in companies that won't allow them to function on a day-to-day basis."
His remarks came after three of the U.S.'s biggest newspapers and Twitter were all targeted by hackers. The New York Times and The Washington Post said the attacks were believed to have originated in China. On Tuesday, CNET reported that Apple was also the target of hackers along with those aforementioned companies.
Speaking to The New York Times for an article published Tuesday, Mandia said his company published its report to alert the U.S. public and government that, "it's not just freelance people in China doing these attacks, it's attacks directed by the government. So that means these attacks can be more advanced they can be more funded, they can be more pervasive, and they will probably continue unabated. It could be the new normal."
Mandia told CBS News correspondent Bob Orr earlier this month that the number and sophistication of the attacks on U.S. organizations is so daunting, it would be futile to try and prevent them all.
"These attacks are inevitable, so let's make sure we keep these attackers from our crown jewels," said Mandia.
To bolster the U.S. defenses against such cyberattacks on vital infrastructure and defense systems, Mandia said it was crucial that entities targeted by hackers start sharing the information on the attacks more fluidly, stressing that "everybody needs to get smarter from each breech, almost like a neighborhood watch."
President Obama signed an executive order on Feb. 12 aimed at boosting the nation's cybersecurity by enabling the government to share information with private firms more easily, and establishing mandatory reporting on security threats from government agencies to U.S. corporations at risk. Congress, however, has been unable to agree on any legislation to set new laws on cybersecurity.
In the wake of attacks on the U.S. newspapers, Orr reported that the Pentagon was pushing to expand its cybersecurity forces. The U.S. military's so-called Cyber Command will grow five-fold over the next few years, from 900 employees at present, to about 5,000 civilian and military personnel, Orr reported.
Edited by CBSNews.com foreign editor Tucker Reals