Unit 61398 - China's army of hackers

By Daniele Pestilli on February 20, 2013
Image credits: Patrick Rodwell (CC)

This article also appears on Nation of Change.

Let’s face it: China has a meager track record when it comes to warring with foreign opponents. Taiwanese scholar Lung Chang once commented that the Sino-French War of 1883-1885 was the Qing Dynasty’s sole victory against an outsider. Yet this so-called “victory” essentially ended in a draw: the Chinese fleet was crushed and a peace treaty was signed that largely favored French rights in the Tonkin area of North Vietnam.

However, when it comes to cyber-war, it's a whole different ballgame.

Chinese computer gurus have proven time and again to be formidable at their art. For instance, Robin Li, the founder of China’s biggest search engine Baidu, is one of Asia’s most sought-after programmers as well as one of Yahoo! and Google’s fiercest competitors in China. By 2006, Baidu had a market value of $3 billion and operated the fourth-most trafficked website in the world. In 2009 Forbes Magazine ran a story about Li entitled “The Man Who’s Beating Google.” Baidu’s inception is anything but a purely Chinese tale: Li completed a master’s degree at SUNY Buffalo and developed software for several U.S. companies including The Wall Street Journal. He subsequently met his soon-to-be co-founder, Eric Xu, during the summer of 1998 in Silicon Valley, together with one of Yahoo!’s top engineers, John Wu, the New York Times writes. Baidu’s success in China was largely due to the hefty support it received from the Chinese government. The Guardian once portrayed Baidu as being “weak on piracy and strong on censorship. [A system] very much in keeping with a country that mixes ultra-capitalist economics with authoritarian communist politics.”

In recent years, it has become evident that Baidu is not the only internet company to work alongside, and receive hefty support from, the Chinese government.

The Washington Post confirmed it had been the victim of sophisticated cyber-attacks originating in China in 2011, attacks that a hobbyist would have been unlikely to carry out. In October 2012, after The New York Times revealed that the family of Prime Minister Wen Jiabao had quietly accumulated a multibillion-dollar fortune, the newspaper reported that it had been hacked, and that the email accounts of its Shanghai bureau chief David Barboza and of former Beijing bureau chief Jim Yardley had been infiltrated. The Wall Street Journal, Facebook, Twitter and even Apple also reported having been hacked.

According to The New York Times, these Chinese cyberwarriors are part of a growing corps within the People’s Liberation Army. Located in the Pudong district on the outskirts of Shanghai, off Datong Road, the twelve-story headquarters of P.L.A. Unit 61398 has been monitored by U.S. intelligence for years, leaving “little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.” Mandiant estimates that the building has office space for up to 2,000 people, and the Unit’s personnel could number anywhere from hundreds to several thousand.

Unit 61398, Shanghai, China

In a 74-page report given in advance to The New York Times, Mandiant, the internet security firm hired to track down the source of these infiltrations, said it had linked 141 major hacking attacks to Unit 61398. Twenty of them were directed at companies involved in the critical infrastructure of the United States, from gas lines to waterworks and power grids. What’s more, the report discloses only the “easily identifiable” attacks; thousands more are likely to have occurred.

China has denied the allegations, saying computer hacking is illegal. According to The New York Times, foreign ministry spokesman Hong Lei said, “Making unfounded accusations based on preliminary results is both irresponsible and unprofessional, and is not helpful for the resolution of the relevant problem.” But the accusations are not made lightly.

Together with the 74-page report, Mandiant released a YouTube video that purports to show actual Chinese attacker sessions and intrusion activities. Many viewers commented that it is odd for the video to show an English edition of an old Windows operating system, but as some netizens replied, the machine being observed could be a compromised pivot point (what the report calls a “hop point”), not the attacker’s own system. Mandiant’s full report maps Unit 61398’s global activity. Of the observed attacks, 115 were directed at the United States, 2 at Canada, 5 at the United Kingdom and 1 at Japan. The report states, “we have observed APT1 [Advanced Persistent Threat 1, Mandiant’s name for the group] steal as much as 6.5 terabytes of compressed data from a single organization over a ten-month time period.” To get a sense of how much data that is, a MacBook laptop has approximately 256 gigabytes of storage nowadays; 6.5 terabytes is the capacity of more than 25 of those laptops, a substantial amount of stolen data for a single victim.

According to Akamai Technologies, China is the world’s number one source of observed attack traffic, with 33% of the total, whereas the U.S. comes in second, with 13%. The problem has spurred U.S. President Barack Obama to sign a directive that aims to share information the government has gathered about these security breaches with American Internet providers.

The Unit 61398 building

Yet the Chinese foreign ministry insists the claims are groundless, and that the IP addresses used to find the People's Liberation Army's Shanghai-based Unit 61398 were themselves hijacked addresses.

What does this mean? Every time a user browses the web, she leaves a trace: her IP address and other basic connection details are sent from the client to the host. This creates privacy concerns for individuals who do not wish to be tracked across every website they visit, and masking one’s internet identity has become increasingly popular. Tools such as Tor route a connection through a chain of volunteer-run relays; each relay strips off one layer of encryption and learns only the previous hop and the next one, so no single relay sees both who is talking and to whom. Onion routing of this kind was originally developed to protect government communications. Today it is used for a plethora of purposes by ordinary people, the military, journalists, law enforcement officers, activists, and anybody else who wishes to preserve his or her internet privacy. The more people use the network, the larger the crowd each user hides in. This practice is not illegal: a user’s privacy is as important as freedom of speech. In fact, the Tor website writes that “a branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.”
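To make the relay idea concrete, here is a toy onion-routing simulation. It is an added illustration, not code from this article, from Tor, or from Mandiant. Everything in it is an assumption for the sake of the demo: a SHA-256 keystream XOR stands in for Tor’s real AES-CTR cells, each relay’s key is taken as already shared with the client rather than negotiated with a handshake as Tor does, and the client, relay and destination addresses are constructed sample values from the documentation ranges. The point it shows is which party can see what: the guard relay knows the client but not the destination, the exit relay knows the destination but not the client, and the website sees only the exit relay’s address.

```python
"""Toy onion routing: three relays, one encryption layer per relay.

Added example, not the article's or Tor's code. The cipher, the
pre-shared keys and all addresses are assumptions for illustration.
"""
import hashlib
import secrets

# Constructed sample addresses (RFC 5737 documentation ranges).
CLIENT = "10.0.0.7"
RELAYS = ["198.51.100.1", "203.0.113.5", "192.0.2.9"]   # guard, middle, exit
DEST = "www.example.com"


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter).
    Symmetric, so the same call encrypts and decrypts. Stand-in for AES-CTR."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)          # fresh nonce so keys are never reused raw
    return nonce + xor_stream(key + nonce, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return xor_stream(key + nonce, body)


def wrap(next_hop: str, inner: bytes) -> bytes:
    """Length-prefixed next-hop address followed by the inner (still encrypted) layer."""
    hop = next_hop.encode()
    return bytes([len(hop)]) + hop + inner


def unwrap(data: bytes):
    n = data[0]
    return data[1:1 + n].decode(), data[1 + n:]


def build_onion(keys, path, dest, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost (exit) layer first."""
    next_hops = path[1:] + [dest]            # what each relay must forward to
    onion = payload
    for key, hop in zip(reversed(keys), reversed(next_hops)):
        onion = encrypt(key, wrap(hop, onion))
    return onion


def relay_process(key: bytes, onion: bytes, prev_hop: str):
    """A relay peels exactly one layer: it learns who handed it the cell and
    where to send it next, and nothing about the hops beyond those two."""
    next_hop, inner = unwrap(decrypt(key, onion))
    return next_hop, inner, {"from": prev_hop, "to": next_hop}


def run_circuit(payload: bytes) -> dict:
    """Push one message through the circuit; return what each party observed."""
    keys = [secrets.token_bytes(32) for _ in RELAYS]   # assumed pre-shared per hop
    onion = build_onion(keys, RELAYS, DEST, payload)
    view, prev = {}, CLIENT
    for relay, key in zip(RELAYS, keys):
        next_hop, onion, seen = relay_process(key, onion, prev)
        view[relay] = seen
        prev = relay
    view[DEST] = {"from": prev, "payload": onion}      # exit delivers the plaintext
    return view


def parties_linking_client_to_dest(view: dict) -> list:
    """Which observers saw both the client and the destination? Should be none."""
    return [who for who, seen in view.items()
            if CLIENT in seen.values() and DEST in seen.values()]


if __name__ == "__main__":
    for who, seen in run_circuit(b"GET / HTTP/1.1").items():
        print(f"{who:16} sees {seen}")
```

Run it and the printout shows the destination logging a request “from” 192.0.2.9, the exit relay, which is exactly the situation the foreign ministry invokes: an address in a web log is where a packet came from, not necessarily where the person behind it sits.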

Relay programs like Tor can also be used to reach websites that a local Internet provider blocks. In China, for instance, Facebook is banned, but many netizens use relays to get around the block. In other words, the same tools can work against a government’s interests, because they produce a well-crafted veil of anonymity.

It is possible that the IP addresses used to attack sensitive U.S. data were indeed hijacked, as the Chinese foreign ministry argued. But according to Mandiant, the sheer number of attacks traced to the same small area is itself suspicious: a relay network spreads traffic across addresses all over the world, precisely so that it does not keep pointing back to one neighbourhood. Mandiant’s report does acknowledge that the attackers worked through compromised hop points in other countries, but it states that 98 percent of the addresses from which they logged into those hop points were registered in China, the large majority of them in Shanghai.

American cybersecurity analyst and expert Jeffrey Carr wrote in a blog post, “The fact that Mandiant refuses to acknowledge that other nation states engage in cyber espionage when the facts show otherwise demonstrates what Heuer calls an 'expectation bias'... My problem with this report is not that I don't believe that China engages in massive amounts of cyber espionage. I know that they do - especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room. My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges - that there are multiple states engaging in this activity; not just China.”

Today, The Global Times quoted a report released by China's National Computer Network Emergency Response Technical Team Coordination Center, which identified 73,000 foreign IP addresses that had been linked to attacks on 14 million Chinese computers. The number of attacks originating from the U.S. ranked at the top.

Caught red-handed?

The situation is undoubtedly hairy, and it is hard to know whether Mandiant has properly done its homework or whether the Chinese government should be no more suspect than any other government hostile to the United States.

However, there is one piece of evidence that might remove the ambiguity.

Zhejiang University Ad recruiting computer scientists for Unit 61398

Today, the China Digital Times posted a link to a 2004 notice from Zhejiang University. The notice calls for computer science graduate students of the 2003 class to work for Unit 61398 of China’s People’s Liberation Army. Students who sign the contract are promised a 5,000 Yuan ($800) stipend per annum.

This document may be the nail in the coffin that exposes the truth about China's army of hackers.