Details of China cyberspy unit emerge
2013-02-20 19:47
Beijing - Unit 61398 of the People's Liberation Army has
been recruiting computer experts for at least a decade.
It has made no secret of the details of its community life, such
as badminton matches and a kindergarten, but its apparent purpose became clear only
when a US internet security firm accused it of conducting a massive hacking
campaign against North American targets.
Hackers with the Chinese unit have been active for years,
using online handles such as "UglyGorilla," Virginia-based firm
Mandiant said in a report released on Tuesday as the US prepared to crack down
on countries responsible for cyber espionage.
The Mandiant report plus details collected by AP depict a
highly specialised community of internet warriors working from a blocky white
building in Shanghai:
Recruiting the spies: Unit 61398, alleged to be one of
several hacking operations run by China's military, recruits directly from
universities.
It favours candidates with strong
computer expertise and English-language skills.
A notice dated 2003 on the Chinese internet said the unit
was seeking master's degree students from Zhejiang University's College of
Computer Science and Technology.
It offered a scholarship, conditional on the student
reporting for work at Unit 61398 after graduation.
Cyberspy workplace: Mandiant says it traced scores of
cyber-attacks on US defence and infrastructure companies to a neighbourhood in
Shanghai's Pudong district that includes the 12-storey building where Unit 61398
is known to be housed.
The building has office space for up to 2 000 people.
Mandiant estimates the number of personnel in the unit to be anywhere from
hundreds to several thousand.
The surrounding neighbourhood is filled with apartment
buildings, tea houses, shops and karaoke bars.
The Unit 61398 community: While the building's
activities may be top secret, Unit 61398's status in the community as a
military division is not.
It turns up in numerous Chinese internet references to
community events, including a 2010 accord with the local government to set up a
joint outreach centre on family planning.
Other articles describe mass weddings for officers,
badminton matches and even discussion of the merits of the "Unit 61398
Kindergarten". Other support facilities include a clinic, car pool and
guesthouse - all standard for the military's often self-contained communities
across China.
The pipeline: The Mandiant report describes a special
arrangement made with China Telecom for a fibre-optic communication
infrastructure in the Unit 61398 neighbourhood, pointing to its need for
bandwidth and its elite status.
The contract between the two refers to Unit 61398 as
belonging to the General Staff Department's 3rd Department, 2nd Bureau, and says
China Telecom agreed to the military's suggested price due to "national
defense construction" concerns.
Modus operandi: The cyberspies typically enter targeted
computer networks through "spear-phishing" attacks, in which a company
official receives a creatively disguised e-mail and is tricked into clicking on
a link or opening an attachment that then installs a backdoor for the hackers, Mandiant
says.
The cyberspies would steal and retransmit data for an
average of just under a year, but in some cases for more than four years.
Information technology companies were their favourite targets, followed by
aerospace firms, pointing to a key area of interest as China seeks to develop
its own cutting-edge civilian and military aircraft.
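The spear-phishing pattern described above, as an added example that is not from the AP article or from Mandiant's report: a Python triage script that parses a constructed lure e-mail (fictional addresses under the reserved .test and .example domains) and flags the two disguises the paragraph refers to, a link whose visible text names a different host than its href, and an attachment that is a Windows executable behind a document-looking filename. The executable-extension list, the sample message and the hostname regex are assumptions made for this example.

```python
"""Spear-phishing triage for the lure pattern described in the article.

Added example, not code from the AP article or from Mandiant. It builds a
constructed sample e-mail and flags a link whose visible text names a
different host than its href, and an attachment that is a Windows PE file
hidden behind a document-looking filename.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows executes directly; this set is an assumption for the example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Hostname-looking token inside the visible link text (assumed pattern).
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def build_sample_message() -> bytes:
    """Constructed lure: a 'Q3 report' with a disguised link and a PE attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example-corp.test"
    msg["To"] = "cfo@example-corp.test"
    msg["Subject"] = "Q3 report for your review"
    msg.set_content("Please review the attached Q3 report.")
    msg.add_alternative(
        '<p>Please review the attached Q3 report or open it at '
        '<a href="http://example-corp.test.login-portal.example/q3">'
        "https://portal.example-corp.test/q3</a></p>",
        subtype="html",
    )
    # Every Windows PE file starts with the two-byte DOS header "MZ".
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="Q3_Report.pdf.exe")
    return msg.as_bytes()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_is_disguised(href: str, text: str) -> bool:
    """True when the visible text shows one host but the href goes to another."""
    target = (urlparse(href).hostname or "").lower()
    shown = HOST_RE.search(text)
    if not target or not shown:
        return False
    shown_host = shown.group(1).lower()
    return not (target == shown_host or target.endswith("." + shown_host))


def attachment_reasons(part) -> list:
    """Reasons an attachment looks like a disguised executable (empty if none)."""
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    reasons = []
    if "." in name and "." + name.rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    if name.count(".") >= 2:
        reasons.append("double extension")
    if data.startswith(b"MZ"):
        reasons.append("PE header")  # content check catches a renamed .exe too
    return reasons


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report disguised links and attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links, attachments = [], []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            links += [(h, t) for h, t in collector.links if link_is_disguised(h, t)]
        elif part.get_filename():
            reasons = attachment_reasons(part)
            if reasons:
                attachments.append((part.get_filename(), reasons))
    return {"suspicious_links": links, "suspicious_attachments": attachments}


if __name__ == "__main__":
    for key, hits in triage(build_sample_message()).items():
        print(key, hits)
```

The content check on the attachment matters more than the filename checks: a lure that ships a renamed executable with a single, innocent-looking extension defeats the name rules but still begins with the PE header.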
Online handles: Mandiant identifies three of the unit's
hackers by their screen names. It says one of them, "UglyGorilla,"
was first detected in a 2004 online forum posing a question to a cyber-security
expert about whether China needed a dedicated force to square off against an
online cohort being mustered by the US.
The user of another screen name, "Dota," appears
to be a fan of Harry Potter; Mandiant said references to the book and movie
character appear as answers to his computer security questions.
Unit 61398 hackers were sometimes identified as the
"Comment Crew" by security companies because of their practice of
hiding commands for their malware inside comments embedded in the code of web
pages.
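The habit behind the "Comment Crew" nickname, as an added example that is not from the AP article or from Mandiant's report: a Python scanner that parses a constructed web page and reports any HTML comment carrying a base64-encoded printable string, which is the shape a hidden command would take. The base64 encoding, the 16-character minimum token length and the sample command are assumptions made for this example.

```python
"""Scanner for commands hidden in HTML comments.

Added example, not from the AP article or from Mandiant. It parses a
constructed page and decodes any base64 token inside a comment that turns
out to be printable text; the encoding and the minimum token length are
assumptions for the example.
"""
import base64
import re
import string
from html.parser import HTMLParser

# Candidate base64 runs; 16 characters is an assumed floor to skip short words.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable)


class CommentCollector(HTMLParser):
    """Keep every HTML comment, since that is where the commands ride."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def decode_if_text(token: str):
    """Return the decoded string if token is valid base64 for printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text and all(c in PRINTABLE for c in text):
        return text
    return None


def find_hidden_commands(page: str) -> list:
    """Return decoded commands found in the page's HTML comments."""
    collector = CommentCollector()
    collector.feed(page)
    found = []
    for comment in collector.comments:
        for token in B64_TOKEN.findall(comment):
            text = decode_if_text(token)
            if text is not None:
                found.append(text)
    return found


# Constructed page: one benign comment, one carrying an encoded command.
SAMPLE_COMMAND = "cmd:sleep 3600"
SAMPLE_PAGE = f"""<html><head><title>Weather</title></head>
<body>
<!-- main navigation -->
<p>Sunny, 21 C.</p>
<!-- {base64.b64encode(SAMPLE_COMMAND.encode()).decode()} -->
<p>Updated daily.</p>
</body></html>"""

if __name__ == "__main__":
    print(find_hidden_commands(SAMPLE_PAGE))
```

Run against proxy-captured responses rather than live fetches, and expect some noise: a long identifier in a comment that happens to be a multiple of four characters can decode to printable bytes by chance, so hits need a human look before they become indicators.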
Revealing tweets: And what helped Mandiant track down the
source of hacking into more than 140 companies and organisations from the US
and elsewhere? Facebook and Twitter.
China's "Great Firewall" of internet filtering
blocks those US-based social networks, but Unit 61398 operators got around
that by accessing them directly from the unit's own network.
Mandiant was able to see that Facebook and Twitter
accounts were being accessed from Internet Protocol (IP) addresses connected to the
unit.
It's not clear whether those accounts aided in hacking or
were simply for the hackers' personal use.
"These actors have made poor operational security
choices, facilitating our research and allowing us to track their
activities," the report says.
- AP