Unit 61398 - China's army of hackers

Image credits: Patrick Rodwell (http://bit.ly/WaPpOJ) CC - edited by The East Asia Gazette

This article also appears on Nation of Change.

Let’s face it: China has a meager track record when it comes to warring with foreign opponents. Taiwanese scholar Lung Chang once commented that the Sino-French War of 1883-5 was the Qing Dynasty’s sole victory against an outsider. Yet this so-called “victory” essentially ended in a draw: the Chinese fleet was crushed and a peace treaty was signed that largely favored French rights in the Tonkin area of North Vietnam.

However, when it comes to cyber-war, it’s a whole different ballgame.

Chinese computer gurus have proven time and again to be formidable at their art. For instance, Robin Li, the founder of China’s biggest search engine Baidu, is one of Asia’s most coveted programmers as well as one of Yahoo! and Google’s fiercest competitors in China. By 2006, Baidu had a market value of $3 billion and operated the fourth-most trafficked website in the world. In 2009 Forbes Magazine ran a story about Li entitled “The Man Who’s Beating Google.” Baidu’s inception is all but a Chinese tale: Li completed a master’s degree at SUNY Buffalo and developed software for several U.S. companies including The Wall Street Journal. He subsequently met his soon-to-become co-founder, Eric Xu, during the summer of 1998 in Silicon Valley, together with one of Yahoo!’s top engineers, John Wu. Baidu’s success in China was largely due to the hefty support it received from the Chinese government. The Guardian once portrayed Baidu as being “weak on piracy and strong on censorship. [A system] very much in keeping with a country that mixes ultra-capitalist economics with authoritarian communist politics.”

In recent years, it has become evident that Baidu is not the only internet company to work alongside as well as receive hefty support from the Chinese government.

Bearding the dragon in his den

In 2011, The Washington Post confirmed it had been the victim of sophisticated cyber-attacks stemming from China, attacks that a hobbyist would have been unlikely to carry out. In October 2012, after The New York Times revealed that the family of former prime minister Wen Jiabao had silently accumulated a multibillion-dollar fortune, the newspaper claimed it had been hacked, and that the emails of its Shanghai bureau chief David Barboza and former Beijing bureau chief Jim Yardley had been infiltrated. The Wall Street Journal, Facebook, Twitter and even Apple also claimed to have been hacked.

According to The New York Times, these Chinese cyberwarriors are part of a growing corps within the People’s Liberation Army. Located in the Pudong district on the outskirts of Shanghai, off Tonggang Road, the twelve-story P.L.A. Unit 61398 building has been monitored by U.S. intelligence for years, leaving “little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.” Mandiant estimates that the building has office space for up to 2,000 people, and that the Unit’s personnel could number anywhere from hundreds to several thousand.

Unit 61398, Shanghai

In a 74-page report given in advance to The New York Times, the internet security firm that was hired to track down the source of these infiltrations – Mandiant – said it linked 141 major hacking attacks to Unit 61398. Twenty of them were directed towards companies involved in the critical infrastructure of the United States, from gas lines to waterworks and power grids. What’s more, the report only discloses the “easily identifiable” attacks. Thousands more are likely to have occurred.

China has denied the allegations, saying computer hacking is illegal. According to The New York Times, foreign ministry spokesman Hong Lei said, ‘‘Making unfounded accusations based on preliminary results is both irresponsible and unprofessional, and is not helpful for the resolution of the relevant problem.’’ But the lambasting is not haphazard.

Together with the 74-page report, Mandiant released a YouTube video that purports to show actual Chinese attacker sessions and intrusion activities. Many viewers commented that it is odd that the video shows an English edition of an old Windows operating system, but as some netizens replied, the machine being observed could be a compromised pivoting point, not the attacker’s actual system. Mandiant’s full report maps Unit 61398’s global activity. Of the observed attacks, 115 were directed towards the United States, 2 towards Canada, 5 towards the United Kingdom and 1 towards Japan. The report states, “we have observed APT1 [Advanced Persistent Threat] steal as much as 6.5 terabytes of compressed data from a single organization over a ten-month time period.” To get a sense of how much data that is, a MacBook laptop has approximately 256 gigabytes of storage space nowadays; 6.5 terabytes is equivalent to 26 of those laptops. That is a lot of stolen data for a single attack.

According to Akamai Technologies, China is the world’s number one source of observed attack traffic, accounting for 33% of it, whereas the U.S. comes in second, with 13%. The problem has spurred U.S. President Barack Obama to sign a directive that aims to share information the government has gathered regarding these security breaches with American Internet providers.

Yet the Chinese foreign ministry insists the claims are groundless, and that the IP addresses used to trace the attacks to the People’s Liberation Army’s Shanghai-based Unit 61398 were themselves hijacked addresses.

What does this mean? Every time a user browses the web, he leaves a trace of his address and other basic information that is relayed from the client to the host. This creates privacy concerns for individuals who do not wish to be spied on for every single website they visit. Masking one’s internet identity has become quite a trend in recent decades as individuals want to protect their anonymity. Many projects, such as the Tor Project, bounce traffic through a chain of relays. Projects such as these were initially designed for the primary purpose of protecting government communications. Today, they are used for a plethora of purposes by ordinary people, the military, journalists, law enforcement officers, activists, and anybody else who wishes to preserve his or her internet privacy. The more people use the network, the more intricate the relays. This practice is not illegal: a user’s privacy is as important as freedom of speech. In fact, the Tor website writes that “a branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.”

Internet relay programs like Tor can also be used when users are blocked by their local Internet providers from accessing websites. In China, for instance, Facebook is banned, but many netizens use relays to get around this block. In other words, such programs can also work against the government’s favor, because their use results in a well-crafted veil of anonymity.

It is possible that the IP addresses used to attack sensitive U.S. data were indeed hijacked, as the Chinese foreign ministry argued. But according to Mandiant, the sheer number of attacks coming from that same area is suspicious, since relay networks normally diversify the source addresses for added privacy.
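The attribution argument above, illustrated with a small analyst-side check (an added example, not code from the article or from Mandiant's report): traffic bounced through an anonymity network spreads out over many unrelated exit addresses, whereas a single operator working from one network clusters into one netblock. The alert source IPs and the exit-node list below are constructed for the example (documentation address ranges), not real indicators.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed sample of source IPs taken from intrusion alerts (not real data).
CONCENTRATED_SOURCES = [
    "203.0.113.5", "203.0.113.17", "203.0.113.42", "203.0.113.99", "198.51.100.8",
]
RELAYED_SOURCES = ["198.51.100.8", "192.0.2.77", "192.0.2.130", "203.0.113.5"]

# Constructed stand-in for a published relay exit-node list (assumption: in
# practice this would be loaded from the anonymity network's own exit list).
KNOWN_EXITS = {"198.51.100.8", "192.0.2.77", "192.0.2.130"}


def source_concentration(ips, prefixlen=16):
    """Return (netblock, share): the most common /prefixlen block among the
    sources and the fraction of all alerts that fall inside it."""
    blocks = Counter(str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips)
    block, count = blocks.most_common(1)[0]
    return block, count / len(ips)


def relay_share(ips, exits):
    """Fraction of alert sources that are known relay exit addresses."""
    return sum(1 for ip in ips if ip in exits) / len(ips)


def assess(ips, exits=KNOWN_EXITS, threshold=0.5):
    """Classify a set of alert sources: mostly relay exits means the visible
    addresses say little about the true origin; one dominant netblock means
    the activity is concentrated in a single network worth investigating."""
    block, share = source_concentration(ips)
    if relay_share(ips, exits) > threshold:
        return "diversified-via-relays"
    if share > threshold:
        return f"concentrated:{block}"
    return "mixed"


if __name__ == "__main__":
    print(assess(CONCENTRATED_SOURCES))  # concentrated:203.0.0.0/16
    print(assess(RELAYED_SOURCES))       # diversified-via-relays
```

The thresholds are illustrative; a real triage would also weigh the time span and the share of total alert volume, since a hijacked or compromised host in the same netblock would cluster the same way.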

American cybersecurity analyst and expert Jeffrey Carr wrote in a blog post, “The fact that Mandiant refuses to acknowledge that other nation states engage in cyber espionage when the facts show otherwise demonstrates what Heuer calls an ‘expectation bias’... My problem with this report is not that I don't believe that China engages in massive amounts of cyber espionage. I know that they do - especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room. My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges - that there are multiple states engaging in this activity; not just China.”

Today, The Global Times quoted a report released by China's National Computer Network Emergency Response Technical Team Coordination Center, which identified 73,000 foreign IP addresses that had been linked to attacks on 14 million Chinese computers. The number of attacks originating from the U.S. ranked at the top.

Caught red-handed?

The situation is undoubtedly hairy and it is hard to tell whether Mandiant has properly done its homework or if the Chinese government should be given the benefit of the doubt.

However, there is one piece of evidence that might root out all ambiguity.

Today, the China Digital Times posted a link to a 2004 notice from Zhejiang University. The notice calls for computer science graduate students of the 2003 class to work for Unit 61398 of China’s People’s Liberation Army. Students who sign the contract are promised a 5,000 Yuan ($800) stipend per annum.

This document may be the nail in the coffin that exposes the truth about China's army of hackers.