COVER STORY: Red China's global cyber-espionage exposed
by Peter Westmore
News Weekly, March 16, 2013
An American computer security company, Mandiant, which was targeted by Chinese cyber-spies, turned the tables on the hackers, infiltrating their systems and documenting the massive degree of computer espionage undertaken by the Chinese regime, through the government’s military force, the People’s Liberation Army (PLA).
Mandiant has been tracking Chinese computer espionage since 2004, on behalf of both corporate clients and US government departments. It has documented the extent of computer hacking, from one key PLA site in Shanghai, in a special report, available on its website, www.mandiant.com.
The Chinese attack on Mandiant came through an apparently innocuous email message, purporting to come from the CEO of Mandiant, Kevin Mandia, to fellow staff. It read:
“Subject: Internal Discussion on the Press Release
“Hello, Shall we schedule a time to meet next week? We need to finalise the press release. Details click here.”
In fact, the email did not come from Mr Mandia: it came from an email account, set up in his name, on a free email service called Rocketmail. A person who followed the instructions and clicked the link in the message unwittingly downloaded a malicious program, which secretly embedded itself in the computer.
This program is called a backdoor. Hundreds of “backdoor” programs have been created, enabling the hackers to steal particular files (such as email addresses and passwords), to access the computer at any time, and even to remotely control the computer, using a Microsoft program called Remote Desktop.
The Mandiant report said, “On some occasions, unsuspecting email recipients have replied to the messages, believing they were communicating with their acquaintances. In one case a person replied, ‘I’m not sure if this is legit, so I didn’t open it.’ Within 20 minutes, someone responded with a terse email back: ‘It’s legit’.”
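The lure described above relies on a trusted display name paired with a free webmail sender address. The following check, added here as an illustration and not code from Mandiant or the report, flags that mismatch from a message's headers; the executive list, corporate domain and the sender address in the sample are hypothetical, constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the lure the article quotes; the sender
# address is a placeholder, not an indicator taken from the report.
SAMPLE_LURE = """\
From: Kevin Mandia <kevin.mandia.ceo@rocketmail.com>
To: staff@example-corp.com
Subject: Internal Discussion on the Press Release
Content-Type: text/plain

Hello, Shall we schedule a time to meet next week? We need to finalise
the press release. Details click here.
"""

# Hypothetical corporate context: names an impersonator is likely to borrow,
# the domain those people really send from, and common free webmail domains.
EXECUTIVES = {"kevin mandia"}
CORPORATE_DOMAIN = "example-corp.com"
FREEMAIL_DOMAINS = {"rocketmail.com", "yahoo.com", "gmail.com", "hotmail.com"}


def _normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Mandia, Kevin' style names compare."""
    return " ".join(name.lower().replace(",", " ").split())


def find_impersonation(raw: str) -> list[str]:
    """Return the reasons a message looks like executive display-name spoofing."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    # An executive's name on a message from outside the corporate domain.
    if _normalise(name) in EXECUTIVES and domain != CORPORATE_DOMAIN:
        findings.append(f"display name '{name}' but sender domain '{domain}'")
    # Free webmail accounts are cheap to create in anyone's name.
    if domain in FREEMAIL_DOMAINS:
        findings.append(f"free webmail sender domain '{domain}'")
    # A Reply-To that steers answers elsewhere is another common tell.
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To '{reply_to}' differs from From '{addr}'")
    return findings


if __name__ == "__main__":
    for reason in find_impersonation(SAMPLE_LURE):
        print("SUSPICIOUS:", reason)
```

A message from the executive's real corporate address produces no findings, so the check can sit in a mail gateway as a quarantine or banner rule rather than a hard block.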
Mandiant's response was to turn the tables on the attackers: it placed on the Chinese attack computers programs which not only read what the Chinese had downloaded but also captured screen images as the hackers were targeting Western web sites.
There is an extraordinary YouTube video on the Mandiant site, showing Chinese hackers logging into a Western corporation and then downloading sensitive corporate information directly.
The Mandiant report lists the enormous scale of China’s computer espionage operation, and the huge amount of data stolen from many corporations over a number of years.
The investigation focused on one of the principal sources of Chinese computer espionage, which uses a series of internet addresses in Shanghai. Careful investigation showed that the internet addresses used in the cyber attacks were located in the New Pudong area of the city, and specifically, in a 12-storey building in that suburb.
The difficulty of analysing the Chinese cyber-intelligence program stems partly from the fact that all operational matters connected with the Chinese regime are secret. Additionally, the Chinese army disguises its military activities, even to the extent of the designations used by particular units.
Careful analysis of Chinese web sites, as well as information which became available from Mandiant’s own investigation, shows that the centre of this particular operation is an obscure unit with the designation of the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s 3rd Department.
In China, such units also have a shorthand unit designation which, in this case, further obscures its identity. The Mandiant investigation found that it is designated as Unit 61398.
The General Staff Department is the most senior department of the PLA. Despite its name — which seems to imply that it is concerned with personnel — its real function is to provide military doctrine and operational guidance to the People’s Liberation Army.
The General Staff Department is believed to have 130,000 personnel in 12 bureaus, three research institutes and 16 regional and functional bureaus.
The care which the Chinese regime takes to disguise the true identity of its espionage operation is illustrated by a Google search, made in Chinese, for documents on Chinese government websites that connected the 2nd Bureau of the PLA General Staff Department’s 3rd Department with Unit 61398. No matches were found.
However, Mandiant has concluded, “Our research and observations indicate that the Communist Party of China (CPC) is tasking the Chinese People’s Liberation Army to commit systematic cyber espionage and data theft against organisations around the world.”
The report included photos and details of Unit 61398 facilities, Chinese references discussing the unit’s training and coursework requirements, and internal Chinese communications documenting the nature of the unit’s relationship with at least one state-owned enterprise.
“The PLA’s cyber command is fully institutionalised within the CPC and able to draw upon the resources of China’s state-owned enterprises to support its operations.
“The CPC is the ultimate authority in Mainland China; unlike in Western societies, in which political parties are subordinate to the government, the military and government in China are subordinate to the CPC. In fact, the PLA reports directly to the CPC’s Central Military Commission.
“This means that any enterprise cyber espionage campaign within the PLA is occurring at the direction of senior members of the CPC [Communist Party of China].
“We believe that the PLA’s strategic cyber command is situated in the PLA’s General Staff Department (GSD), specifically its 3rd Department. The GSD is the most senior PLA department. Similar to the U.S. Joint Chiefs of Staff, the GSD establishes doctrine and provides operational guidance for the PLA.
“Within the GSD, the 3rd Department has a combined focus on signals intelligence, foreign language proficiency, and defence information.”
The Mandiant report has estimated that, based on the size of the main building where it is located, Unit 61398 has hundreds or even thousands of staff.
It said that the central building in this complex is a 13,000 square metre facility that is 12 storeys high and was built in early 2007.
The report continues: “We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people, based on the size of [its] physical infrastructure. China Telecom provided special fibre-optic communications infrastructure for the unit in the name of national defence.
“Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.”
Unit 61398 building, Shanghai
This gives it the necessary expertise to target Western corporations.
The Mandiant investigation also found Unit 61398 actively recruited and trained English-speaking computer science specialists, according to information that came to light in Chinese research papers.
“There is evidence that Unit 61398 aggressively recruits new talent from the science and engineering departments of universities such as Harbin Institute of Technology and Zhejiang University’s School of Computer Science and Technology...
“Positions that Unit 61398 is seeking to fill require highly technical computer skills. The group also appears to have a frequent requirement for strong English proficiency.”
Harbin Institute of Technology is a selective university, established in 1920 with the help of the Soviet Union, and, since the communist takeover of China in 1949, has had close links to China’s military and the Communist Party. In recent years, it has built a high technology park.
Most of the key technology of China’s system for controlling the internet was developed at the Harbin Institute of Technology.
The Mandiant investigation found that Unit 61398 had stolen huge quantities of data from at least 141 corporations across a diverse range of industries since 2006, and had simultaneously launched cyber-attacks on dozens of organisations.
The report says: “Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organisations’ leadership.
“We believe that the extensive activity we have directly observed represents only a small fraction of the cyber espionage that [the unit] has committed.”
Mandiant found that the Chinese cyber espionage unit kept stealing data from target corporations for as long as it retained access to their networks.
Nearly 90 per cent of the corporations targeted were based in countries where English is the native language. In almost all the rest, English is the language of communications within the corporation.
The Mandiant report documents the alarming level of industrial and commercial espionage undertaken by the Chinese regime, through Unit 61398. However, as Mandiant points out, this is just one of more than 20 Chinese units involved in cyber espionage.
The report shows just how systematically the Chinese Communist Party has engaged in cyber warfare, at the very time that the Chinese Defence Ministry has denied that the regime is engaged in cyber theft, declaring, “It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.” (Statement, January 2013).
It is clear from this report that, while the Chinese regime claims to be seeking peaceful co-existence with other countries, and uses the term “peaceful rise” or “peaceful development” to describe its economic and political agenda, it is actually involved in cyber warfare on a massive scale.
While Western governments undoubtedly know that this is the true character of the Chinese communist regime, they never talk about it — perhaps for fear of China’s retaliation — thereby perpetuating the myth that the regime acts responsibly and peacefully.
The Mandiant report shatters that claim, by documenting large-scale criminal activity undertaken by the highest organs of the Chinese Government.
In the context of the systematic persecution of human rights activists, bloggers and religious organisations, and its brutal suppression of Falun Gong, it confirms that the Chinese Communist Party will stop at nothing in its bid for global power.