Report: Chinese Government Hackers Behind Dozens Of Attacks On U.S. Companies

Feb 19, 2013
Originally published on February 19, 2013 5:42 pm



The Chinese army is the source of a persistent and prolific cyber espionage unit, whose hackers have attacked dozens of U.S. corporations and government agencies. That's the conclusion of a lengthy report released today by the computer security firm Mandiant. Mandiant says the hacking campaign goes back at least to 2006 and it targeted industries strategic to China's growth, including IT, energy and aerospace.

Kevin Mandia is the founder and CEO of Mandiant. He joins me here in the studio to talk about what they found. Welcome to the program.

KEVIN MANDIA: Thanks for having me.

BLOCK: Why don't you give us a sense of the scale and the scope of the hacking that you've traced to a group that you call Advanced Persistent Threat One?

MANDIA: Well, I think it's key to note two things. One, we only are publishing on a single group out of China and we think there's plenty more. Second is we only published the lowest bounds, if you think about it. Mandiant knows of 141 victim companies that have been compromised by APT Group One, that we concluded was Unit 61398 in the Chinese army. And the reason we only know the lowest bounds is we only know what Mandiant knows. We don't know what other security companies know.

So, I almost feel like we're a long line of security companies that is blaming China. But what makes this report different is this is the first five we're trying to elevate it to it's not just someone in China, this is right under the noses of the government or it is the government themselves.

BLOCK: We mentioned some of the industries that were targeted and presumably a number of these are your own clients. What information exactly were the hackers stealing? What kinds of stuff are they after?

MANDIA: If you're a company that's doing mergers and acquisitions in China, we see your email targeted. But if you're in the defense industrial base and you make weaponry or you make high-tech systems, what we see there is your Word documents, your PowerPoint documents, your PDF documents - those are taken. So the campaigns depend a little bit on the industry you're in and what the attackers are seeking.

BLOCK: Now, the Chinese defense and foreign ministry have denied any connection to hacking. They call these unfounded accusations. They say hacking is illegal in China. What evidence do you have that, in fact, this is the Chinese army unit - People's Liberation Army Unit 61398 - that's behind what you've seen here?

MANDIA: All right. Right before I tell you the evidence, I'll tell you this: They always deny it. But let's look at what Mandiant did. We had a dual-pronged investigation. On one hand, we're responding to all these victim companies and following technical evidence. And all the technical evidence brought us to thousands of computers being compromised by about a thousand computers and that the people logging into the infrastructure used to hack all these companies were native Chinese speakers and that the IP addresses, or the origins of these attacks, went back to Shanghai.

In conjunction with that, we learned about a unit that had existed in Shanghai, where they were recruiting people that spoke English and understood what we call Computer Network Operations were attacking. And it was a unique requirement. And their location was right in the same location where the technical evidence was bringing us.

So if you look at the scale of the operations, the mission of the unit, and what we actually witnessed and just where it's coming from, it all overlaps.

BLOCK: I read in your report that your own company, Mandiant, got one of these spear-phishing emails from this apparent Chinese unit with a malicious attachment. How does it work? Is it any different from any other standard hacking that you see all the time?

MANDIA: Well, I think spear-phishing is commonly used by a lot of people that want to target an organization or target individuals. But how it works is, in general, the victims get an email and there's either a link in that email or there is an attachment to that email that contains malicious code.

BLOCK: So the email that your company got had a malicious attachment. What was the red flag that showed you this was not what it appeared to be?

MANDIA: It was an email from me allegedly, but it was from an external account that I don't use, to two Mandiant employees. And both Mandiant employees recognized this just wasn't my email address. And I was lucky enough nobody clicked on the attachment. They recognized it for what it was. It was a fraud.

BLOCK: Why did you decide to go public with this, because you do say in your report that your own security techniques are vastly more effective when attackers are not aware of them? And you do, as you say, expect reprisals, so why publish?

MANDIA: Because information sharing does work, I believe that. And we wanted to get the indicators out to the public. The bottom line is no one is getting smarter from each breach and we need to make the environment so that we do.

BLOCK: Kevin Mandia is the founder and CEO of the computer security firm Mandiant. Kevin, thanks for coming in.

MANDIA: Thank you very much.

Transcript provided by NPR, Copyright NPR.