
US Infosec Firm Has A Public Dossier On PLA Cyber Spies

May 3, 2015

Two years ago, the Washington D.C.-based information security firm Mandiant released a comprehensive 76-page report on Unit 61398. This is the PLA’s secretive cyber espionage group responsible for more than a decade of stealing intellectual property and sensitive information from corporations around the world.

Exposing One of China’s Cyber Espionage Units is a must-read, not for the controversy it might inflame (there was hardly any) but for the actual knowledge dump it provides: addresses, charts, tactics, and people. That’s right. Mandiant names names.

From the very beginning, Mandiant’s authors pull no punches. The last paragraph of the executive summary on page 2 reads:

Our analysis has led us to conclude that APT1 [advanced persistent threat 1] is likely government-sponsored and one of the most persistent of China’s cyber threat actors.

…In seeking to identify the organization behind this activity, our research found that PLA Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is located in precisely the same area from which APT1 activity appears to originate.

Now for the good stuff.

The Pecking Order

Unit 61398, which Mandiant identifies as the organization behind APT1 activity against English-speaking countries, is under the 3rd Department of the General Staff Department (GSD). The 3rd Department handles the PLA’s signals intelligence. This is shown in an organizational chart on page 3.

Mandiant speculates Unit 61398’s membership could run in the thousands.

Entrance Requirements

Proof that diligent Google searching is a credible open-source intelligence tool: Mandiant reveals that Unit 61398 recruits among the best and brightest, with an emphasis on fluency in English. They found this out by Googling Unit 61398 alumni and translating their short bios from science journals and job websites.

Like Israel’s fabled Unit 8200, the PLA recruits from STEM institutions. Examples are the Harbin Institute of Technology and Zhejiang University School of Computer Science and Technology.

The entry level requirements for 61398 applicants are the implied “political” or loyalty factor, English proficiency (sometimes even British English), a strong mathematics background, and signal circuits expertise. All this on page 10.

They Have An Address

Mandiant even provides the location of Unit 61398’s headquarters, sourced from DigitalGlobe, a satellite imagery provider. It’s in a guarded compound-cum-campus in Shanghai. The main building is a drab gray 12-storey affair.


They’re here. Unit 61398 is in a walled compound along Datong Road.

The Targets

Mandiant has been tracking attacks by APT1 since 2006, and the scope of their activities isn’t surprising. The brunt of Unit 61398’s work is penetrating US corporations. The UK, Israel, and India, plus Singapore, Taiwan, Switzerland, and Canada, are the secondary priorities.

Most of these countries have advanced IT infrastructure and military-industrial complexes. Mandiant provides a timeline on page 23 that categorizes Unit 61398’s corporate targets from 2006 to 2012. Every major industry is in their crosshairs.

The Tactics

Lurking in social engineering discussion boards pays off, because Unit 61398 uses basic phishing attacks on its targets first. Here’s their modus operandi as explained on page 27:

They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China… They employ good English, with acceptable slang, in their socially engineered emails.

Once the target has accepted the email as legitimate, a reply arrives with spyware attached and the organization is compromised. The full details run from page 27 to page 38.

These Guys

Over the years Mandiant used a straightforward method to observe APT1, a.k.a. Unit 61398. The trick was to look up the domain registration records for multiple websites with suspicious names. Most listed addresses in Shanghai.

In the report’s last section, Mandiant profiles three hackers, one of whom has an affinity for Harry Potter. Also mentioned is Professor Zhang Zhaozong, a “retired rear admiral” who could be the architect of the PLA’s cyberwar and espionage apparatus. The real surprise is, if China now has a full-fledged cyber army, it’s a young one.

Exposing One of China’s Cyber Espionage Units is an incredible treat.