Details of China cyberspy unit emerge

2013-02-20 19:47

Beijing - Unit 61 398 of the People's Liberation Army has been recruiting computer experts for at least a decade.

It has made no secret of details of community life such as badminton matches and kindergarten, but its apparent purpose became clear only when a US internet security firm accused it of conducting a massive hacking campaign against North American targets.

Hackers with the Chinese unit have been active for years, using online handles such as "UglyGorilla," Virginia-based firm Mandiant said in a report released on Tuesday as the US prepared to crack down on countries responsible for cyber espionage.

The Mandiant report plus details collected by AP depict a highly specialised community of internet warriors working from a blocky white building in Shanghai:

Recruiting the spies: Unit 61 398, alleged to be one of several hacking operations run by China's military, recruits directly from universities.

 It favours high computer expertise and English language skills.

A notice dated 2003 on the Chinese internet said the unit was seeking master's degree students from Zhejiang University's College of Computer Science and Technology.

It offered a scholarship, conditional on the student reporting for work at Unit 61 398 after graduation.

Cyberspy workplace: Mandiant says it traced scores of cyber-attacks on US defence and infrastructure companies to a neighbourhood in Shanghai's Pudong district that includes the 12-storey building where Unit 61 398 is known to be housed.

The building has office space for up to 2 000 people. Mandiant estimates the number of personnel in the unit to be anywhere from hundreds to several thousand.

The surrounding neighbourhood is filled with apartment buildings, tea houses, shops and karaoke bars.

The Unit 61 398 community: While the building's activities may be top secret, Unit 61 398's status in the community as a military division is not.

It turns up in numerous Chinese internet references to community events, including a 2010 accord with the local government to set up a joint outreach centre on family planning.

Other articles describe mass weddings for officers, badminton matches and even discussion of the merits of the "Unit 61 398 Kindergarten". Other support facilities include a clinic, car pool, and guesthouse - all standard for the military's often self-contained communities across China.

The pipeline: The Mandiant report describes a special arrangement made with China Telecom for a fibre optic communication infrastructure in the Unit 61 398 neighbourhood, pointing to its need for bandwidth and its elite status.

The contract between the two refers to Unit 61 398 as belonging to the general staff department 3rd department, 2nd bureau, and says China Telecom agreed to the military's suggested price due to "national defense construction" concerns.

Modus operandi: The cyberspies typically enter targeted computer networks through "spear-phishing" attacks, in which a company official receives a creatively disguised e-mail and is tricked into clicking on a link or attachment that then opens a secret door for the hackers, Mandiant says.

The cyberspies would steal and retransmit data for an average of just under a year, but in some cases more than four years. Information technology companies were their favourite targets, followed by aerospace firms, pointing to a key area of interest as China seeks to develop its own cutting-edge civilian and military aircraft.

Online handles: Mandiant identifies three of the unit's hackers by their screen names. It says one of them, "UglyGorilla," was first detected in a 2004 online forum posing a question to a cyber-security expert about whether China needed a dedicated force to square off against an online cohort being mustered by the US.

The user of another screen name, "Dota," appears to be a fan of Harry Potter; Mandiant said references to the book and movie character appear as answers to his computer security questions.

Unit 61 398 hackers were sometimes identified as the "Comment Crew" by security companies due to their practice of inserting secret backdoors into systems by using code embedded in comments on websites.

Revealing tweets: And what helped Mandiant track down the source of hacking into more than 140 companies and organisations from the US and elsewhere? Facebook and Twitter.

China's "Great Firewall" of internet filtering blocks those US-based social networks, but Unit 61 398 operators got around that by accessing them directly from the unit's system.

Mandiant was able to see that Facebook and Twitter accounts were being accessed from Internet Protocol addresses connected to the unit.

It's not clear whether those accounts aided in hacking or were simply for the hackers' personal use.

"These actors have made poor operational security choices, facilitating our research and allowing us to track their activities," the report says.

- AP