Clues Connect Global Hacking To Chinese Government, Security Firm Says

Feb 19, 2013
Originally published on March 4, 2013 3:41 pm

"Hundreds of investigations convince us" that the Chinese government is at least aware of, and likely sponsoring, cyber thieves who have stolen massive amounts of information from companies around the world, including American defense contractors, a U.S. security firm reported Tuesday.

Virginia-based Mandiant Corp., which posted its findings online, says that its analysis leads it to conclude that "Advanced Persistent Threat 1," as it calls the operation, "is likely government-sponsored and one of the most persistent of China's cyber threat actors."

According to Mandiant, since 2006 it has "observed APT1 compromise 141 companies spanning 20 major industries."

The firm writes that:

"We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate."

For its part, as The Associated Press says, "China's Foreign Ministry dismissed the report as 'groundless,' and the Defense Ministry denied any involvement in hacking attacks."

On Morning Edition today, NPR's Frank Langfitt reported that Mandiant's Dan McWhorter says most of the companies targeted by the hacking have been American. The cyber thieves' goal, says McWhorter, is to steal information in order to benefit Chinese firms.

"In China, the government is very intimately involved in industry," McWhorter said. "So I think the PLA is motivated to take these documents for huge economic gain."

Tracking the hacking to the PLA wasn't that hard, McWhorter said, because the volume was enormous. "We just followed the data, followed the bread crumbs," he said. "All the network communication kept going back to Shanghai again and again. ... And so then we started doing our research, as far as what kind of organizations could be that large doing this type of activity. And that's what lead us to discover unit 61398."

The New York Times, which broke the news about Mandiant's findings, writes that "a growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower" on the outskirts of Shanghai where PLA Unit 61398 is headquartered.

What is Mandiant? Last May, NPR's Tom Gjelten looked at the company, which was "founded in 2004 by Kevin Mandia, a former Air Force officer with a background in security consulting. The company distinguished itself early by helping companies learn more about who was attacking them, as opposed to protecting the companies from the malicious software, or malware, the attackers were using."

Copyright 2018 NPR. To see more, visit