解放軍 61398部隊 China’s growing corps of cyberwarriors

揭秘中國網絡戰部隊

DAVID E. SANGER,  DAVID BARBOZA,  NICOLE PERLROTH 聯合報道 2013年02月19日

上海郊區一座12層白色辦公樓，這裡是中國人民解放軍61398部隊司令部，中國國防部否認該部隊對網絡攻擊負有責任。

在上海郊區一片破敗的街區，主要的建築物是一棟12層的白色辦公樓。這裡是中國人民解放軍日益壯大的網絡作戰隊伍的一座基地。
這棟在大同路上的大樓，周圍環繞着餐廳、按摩店，以及一家葡萄酒進口商，它是解放軍61398部隊的司令部。美國情報官員表示，他們監視這支部隊的 活動已有多年。目前，已有越來越多經過這些情報官員證實的數字證據表明，針對美國公司、組織，以及政府部門的黑客攻擊，很大一部分來自這棟白樓及周邊地 區，這幾乎毫無疑問。

按圖放大

The New York Times

美國計算機安全公司Mandiant已於周二發佈了一份長達60頁的異常詳細報告， 它首次將中國最尖端黑客群體中的一些成員，追蹤到了逼近這支部隊司令部的地點。對很多美國的受害者來說，它被稱為“注釋組”(Comment Crew)或“上海組”(Shanghai Group)。Mandiant無法確認黑客位於這棟12層建築內，但它提出，除了這種結論之外，沒法解釋為何有這麼多的攻擊來自於這麼小的一塊區域。
Mandiant的創始人和執行總裁凱文·曼迪亞(Kevin Mandia)上周在一次採訪中說，“黑客要麼是來自61398部隊內部，要麼就是那些負責運營世界上控制、監控最嚴密的網絡的人，完全不知道有數以千計的人，在從這個街區發起攻擊。”
其他追蹤過“注釋組”的安全公司說，他們也相信這個組織是由國家支持的，而且最近一份機密的國家情報評估(National Intelligence Estimate)也證明，許多這些黑客組織或者由人民解放軍軍官負責，或者受雇於61398部隊這樣的機構，了解這份機密報告內容的官員這樣說道。這份 評估以美國所有16個情報機構的共識文件的形式發佈。
Mandiant在發表之前給《紐約時報》提供了該報告的樣本，希望“這份報告中提出的問題能夠引起關注”。《紐約時報》記者隨後與政府內外的其他 專家聯繫，來驗證報告中的結論。這些專家也都曾考察過這些黑客組織和人民解放軍的聯繫。（Mandiant曾受雇於紐約時報公司[The New York Times Company]，調查一次針對該新聞集團的來自中國的高水平黑客攻擊，但結論是並非“注釋組”所為，實施者是另一支中國組織。該公司目前沒有為紐約時報 公司提供服務，但雙方正在洽談商業合作事宜。）
雖然“注釋組”已從像可口可樂(Coca-Cola)這樣的公司獲取了大量信息，但它的重心越來越集中在與美國關鍵性基礎設施相關的公司之上，不管 是電網、燃氣管線，還是水利工程。據研究安全的專家說，其中一個目標是一家能夠遠程訪問北美洲超過60%的石油和燃氣管線的公司。這支隊伍也曾攻擊過計算 機安全公司RSA。該公司的計算機代碼正被用來保護機密的公司和政府數據庫。
周一，在與中國駐美國大使館聯繫的過程中，使館的官員再次堅稱，中國政府不參與電腦黑客攻擊，而且這種行為違法法律。他們稱中國本身是電腦黑客攻擊 的受害方，並清楚地指出，在美國有很多的黑客組織。但是安全研究人員說，來自中國的攻擊近年已顯著增加。自從2006年起，Mandiant已經探測到超 過140次來自“注釋組”的入侵。美國情報機構以及每日追蹤約20個此類中國組織的私營安全公司說，這些組織看來是與上述部隊有關聯的承包商。
儘管該部隊的存在和運作被認為是中國的國家機密，但密歇根州共和黨眾議員、美國眾議院情報委員會(House Intelligence Committee)主席麥克·羅傑斯(Mike Rogers)在一次採訪中表示，Mandiant公司的報告“與情報委員會一段時間以來觀察到的活動情況完全一致”。
白宮表示“知道”Mandiant公司的這份報告，國家安全委員會(National Security Council)發言人湯米·菲托爾(Tommy Vietor)表示，“我們已多次向中國的高層官員，包括軍方的高層，表達了對網絡盜竊行為的最高關注，我們將繼續這樣做。”
美國政府計劃，從周二起開始對中國的黑客組織採取更大膽的防禦措施，其根據是奧巴馬總統上周簽署的一份指令。政府計劃同美國的互聯網供應商共享已搜 集到的信息，這些信息涉及一些最大的黑客組織獨特的數字簽名，它們包括“注釋組”和其他一些發源於61398部隊駐地附近的組織。
但政府警告不會明確地將這些組織或它們使用的大型計算機服務器同解放軍聯繫在一起。是否公開對該部隊進行點名並譴責其實施了廣泛的盜竊行為是當前討論的主題。
“這件事在外交上非常敏感，”一名情報官員說，語氣里充滿了沮喪。
但奧巴馬政府的官員表示，他們計劃在未來幾周告訴中國的新一屆領導人，攻擊的數量和水平已經變得非常猖獗，以至於它們會威脅到中美之間的基本關係。
美國政府也有網絡作戰人員。美國同以色列合作，用名為“震網”(stuxnet)的惡意軟件來對伊朗的鈾濃縮項目進行干擾。但政府官員堅持稱，他們行動規則雖然保密，卻非常嚴格，這些規則禁止將攻擊性手段用於非軍事目的或竊取公司數據。
美國發現，在某種意義上，自己陷入了同中國的不對稱數字戰。“在冷戰時期，我們每天把精力花在莫斯科周圍的核指揮中心上，”國防部的一名高級官員前不久說。“如今可以說，上海的計算機服務器同樣使我們憂心忡忡。”

一支秘密部隊
61398部隊的正式稱謂是人民解放軍總參三部二局，在官方對中國軍隊的描述中，幾乎找不到它的存在。但研究該組織的情報分析人士表示，它是中國計 算機間諜活動的重要組成部分。2011年，弗吉尼亞州研究亞洲安全和政策問題的非政府組織2049項目研究所(Project 2049 Institute)稱，該部隊是“以美國和加拿大為目標的重要實體，最可能關注有關政治、經濟和軍事的情報”。
儘管奧巴馬政府從未公開論及這支中國部隊的行為，但國務院(State Department)的一份秘密電報詳細描述了美國對該組織向政府網站發起攻擊的擔憂，這份電報是在奧巴馬2008年11月當選為總統的前一天寫的。 （當時，美國的情報機構將該部隊命名為“拜占庭式的坦率”，在電報被維基解密[WikiLeaks]公開後，這個暗語隨之被停用。）
該電報稱，美國國防部(Defense Department)和國務院是該部隊的特定目標，電報描述了該組織的入侵者如何通過電子郵件，發起所謂的“魚叉式捕魚”攻擊，一旦收件人點擊郵件，這 些郵件便會將惡意軟件安裝在目標計算機上。通過這些計算機，它們潛入了多個內部系統。
美國官員稱，出於一些外交上的考慮，以及對跟蹤該部隊的期待，政府從未公開這個問題。但Mandiant的報告正迫使這個問題進入公眾視野。
Mandiant公司追蹤“注釋組”的行蹤已有6年多，這個名稱源於這些攻擊者喜好在網頁里添加隱藏的代碼，即注釋。研究人員已經了解，“注釋組” 的攻擊者會在不同的攻擊中利用相同的惡意軟件、網絡域名、IP地址、黑客工具和技術。根據“注釋組”遺留下的數字痕迹，Mandiant公司跟蹤了該團體 進行的141次攻擊，並稱這些攻擊為“APT1”，意為“1號高度持續性威脅”。
曼迪亞說，“不過，這些攻擊只是我們能夠輕易識別出的那一部分。”其他安全專家估計，“注釋組”實施了數千次網絡攻擊。
Mandiant公司對IP地址和其他的數字證據片段進行了定位，這些證據都指向上海浦東區的邊緣地帶，正好圍繞着61398部隊的司令部。 Mandiant公司的報告，連同3000個IP地址和其他能用來識別攻擊源的信息，可以斷定，“證據總體上”引向一個結論，那就是“APT1來自 61398部隊”。
Mandiant公司發現，攻擊中使用的兩套IP地址的註冊地，就位於61398部隊大樓所在的地段。
曼迪亞說，“我們追蹤的攻擊中，有90%來自於那裡。”
該報告帶着一絲諷刺的口吻斷言，唯一的另外一種可能是，“一個全都講中文的大陸人組成的，資源充足的秘密組織，能夠直接接入上海的電信基礎設施，多年以來，這個組織一直在61398部隊的門外，進行大規模的計算機間諜活動。”
Mandiant的報告中最引人入勝的細節是，它追蹤了數名黑客的每一步電腦操作，該公司認為，這些黑客是為解放軍工作的。Mandiant公司在 黑客正在入侵的美國公司的電腦系統內部，追蹤了他們的行動。這些公司為了擺脫中國間諜，給Mandiant公司的調查人員提供了完全的公司電腦系統訪問權 限。
最引人注目的黑客之一是“UglyGorilla”（意為醜陋的大猩猩——譯註），他在2004年1月第一次出現在中國的一個軍事論壇上，當時他問道，中國是否有與美國軍方建立的“網軍相似的部隊”。
到2007年，“UglyGorilla”放出了一系列惡意軟件，Mandiant的報告稱，這些惡意軟件都帶有一個“能夠明確辨別的特徵”。另一 名被Mandiant公司稱為“DOTA”的黑客，創建了一些用於置入惡意軟件的電子郵件賬號。根據追查，這名黑客頻繁使用一個似乎是根據其部隊番號設置 的密碼。“DOTA”和“UglyGorilla”都使用同一組可以被追溯到61398部隊所在區域的IP地址。
Mandiant公司發現，攻擊者有數次曾翻越中國的防火牆，登錄他們在Facebook和Twitter上的賬號。中國的防火牆屏蔽了普通中國公民對上述社交網站的訪問。而這使得黑客的真實身份更容易被追查到。
Mandiant公司還發現了中國電信的一份內部備忘錄，備忘錄討論了這家國有電信企業為61398部隊安裝高速光纖線路的決定。
中國國防部否認中國軍方曾發起攻擊。該部上個月曾發表聲明稱，“在未經徹底調查、沒有確鑿證據的情況下就指責中方對美進行網絡攻擊，是武斷的和不負責任的。”這份聲明及中方的其他聲明促使Mandiant公司公開了手中的證據。

攻擊加劇
Mandiant公司認為，61398部隊對美國企業和政府的計算機系統實施了零星的攻擊；該公司發現的最早攻擊發生在2006年。兩年前，攻擊的 數量突然大幅增多。Mandiant公司發現，其中的一些入侵是長期性的。平均來說，“注釋組”會在侵入的網絡內部待上一年，來盜取數據和密碼；其中的一 個案例中，“注釋組”入侵系統的時長為四年零十個月。
Mandiant公司一直觀察這個組織，目睹他們從該公司的100多家客戶那裡，盜取了技術規劃、製造流程、臨床試驗結果、定價文件、談判策略和其 他專有信息，這些客戶主要來自美國。Mandiant確認，有20個行業受到了攻擊，從軍方承包商到化工廠、礦業公司和衛星和電信企業。
Mandiant的報告並未給出受攻擊者的名稱，因為這些公司通常堅持要匿名。據熟悉該公司調查結果的人士稱，2009年可口可樂公司(Coca-Cola)受到的攻擊，恰逢這家飲料業巨頭嘗試以24億美元收購中國匯源果汁集團。此次收購最後以失敗告終。
正當可口可樂公司高管進行談判時，“注釋組”也正在忙着在他們的電腦里翻找，明顯是為了更多地了解可口可樂的談判策略。那次併購案如果成功，會成為外資併購中國企業最大的一宗併購案。
就像之前數以百計的攻擊一樣，對可口可樂的攻擊，始於發給一名高管的一封看似無害的電子郵件，但實際上這是一次魚叉式捕魚攻擊。這名高管點擊了郵件 中的惡意鏈接，從而使黑客能在可口可樂公司的網絡中立足。每周，攻擊者都會悄無聲息地從網絡內部把該公司的機密文件通過複雜的電腦網絡傳回上海。
兩年後，至少有三個位於中國的組織對RSA公司實施了類似的攻擊，“注釋組”是其中一個。RSA以其SecurID令牌而知名，是大型技術企業 EMC旗下的一家計算機安全公司。美國情報機關、軍隊承包商和大型企業的員工，都佩戴有SecurID令牌。《紐約時報》也使用這項技術，來允許遠程訪問 其郵件和生產系統。RSA已經提出為用戶更換SecurID令牌，並稱已在產品中添加了新的安全措施。
同可口可樂的事件一樣，RSA遭受的攻擊始於一封以一名RSA僱員為目標的、精心設計的有害電子郵件。兩個月後，黑客們攻破了美國最大的國防承包商洛克希德·馬丁公司(Lockheed Martin)，其部分手段運用了他們在RSA攻擊中搜集到的信息。
Mandiant並非唯一一家跟蹤“注釋組”的私營公司。2011年，戴爾公司(Dell)下屬的SecureWorks部門研究人員喬·斯圖爾特(Joe Stewart)通過分析RSA攻擊中的惡意軟件，發現攻擊者使用一種黑客工具，掩蓋了自己的真實地址。
通過對這種工具軟件進行逆向工程，他發現絕大多數被盜數據，一直在向同一段IP地址傳輸。後來Mandiant確定，這段IP地址位於上海。
戴爾SecureWorks稱，相信“注釋組”中包含的攻擊者，與“暗鼠行動”(Operation Shady RAT)背後的攻擊者是同一批。“暗鼠行動”是2011年發現的一場大規模的電腦間諜行動，在五年時間裡，超過70個組織在這場行動中受到了攻擊，其中包 括聯合國(United Nations)，以及美國、加拿大、韓國、台灣和越南的政府機構。

基礎設施面臨危險
美國調查人員最為擔憂的是，最近據信來自61398部隊的一系列攻擊，不僅僅是為了竊取情報，目的還包括獲取操縱美國關鍵基礎設施，包括電網和其他公用事業設施的能力。
“數字聯結”(Digital Bond)是一家專門處理這種工業控制電腦的小型安全公司。該公司員工稱，去年6月，“注釋組”對其進行了攻擊但並未成功。數字聯結公司的一名兼職員工收 到了一封郵件，看上去似乎來自他的老闆戴爾·彼得森(Dale Peterson)。這封郵件以地道的英文，討論了關鍵基礎設施系統上的安全弱點，還要求該員工點擊鏈接，查看一份文檔，從而了解更多信息。彼得森截獲了 這封郵件，並拿它與其他研究者一同分析。他們發現鏈接中包含一種遠程訪問工具，令攻擊者能夠控制員工的電腦，並有可能令攻擊者方便地接觸到關於該公司客戶 的機密信息。這些客戶包括一個大型水利工程、一座發電廠和一家礦業公司。

AlienVault公司安全研究員傑米·布拉斯科(Jaime Blasco)對攻擊中使用的計算機服務器進行了分析，這讓他找到了包括切爾托夫集團(Chertoff Group)在內的其他受害者。這家公司是由國土安全部(Department of Homeland Security)前部長邁克爾·切爾托夫(Michael Chertoff)領導的，該公司曾模擬過一場針對美國的大規模數字攻擊行動。其他攻擊行動針對的是國家地球空間情報局(National Geospatial-Intelligence Agency)的一家承包商，以及國家電氣製造商協會(National Electrical Manufacturers Association)。後者是一家遊說團體，代表的是電網部件製造企業的利益。這些機構證實它們受到了攻擊，但表示已經攔截攻擊者，使他們未能進入其 網絡。
布拉斯科說，根據偵測，所有這些遭襲者都受到了“注釋組”的攻擊。不過安全專家表示，到目前為止最令人不安的攻擊行為是一次針對泰爾文特公司 (Telvent)加拿大分部的成功入侵行動。泰爾文特公司現在屬於施耐德電氣(Schneider Electric)，該公司設計的軟件能夠供石油和天然氣管道公司，以及電網運營企業遠程控制閥門、開關和安全系統。

泰爾文特公司保留着石油、天然氣管線的詳盡設計方案，這些方案涉及一多半北美洲和南美洲的石油與天然氣管線。去年9月，泰爾文特加拿大公司向客戶通報，攻擊者侵入了該公司的系統，並取走了項目文件。攻擊的途徑被立即切斷，因而入侵者未能奪得系統的控制權。
施耐德電氣發言人馬丁·漢納(Martin Hanna)沒有回應置評請求，不過對相關攻擊事件中所用的惡意軟件做過研究的安全專家確認，入侵者就是“注釋組”，這些專家包括戴爾SecureWorks的斯圖爾特和AlienVault公司的布拉斯科。
“這種攻擊十分可怕。先不管國家，如果有人僱傭我，說希望獲得相關攻擊能力，來儘可能多地關停關鍵系統，我肯定願意盯上那些廠商，做一些像泰爾文特遭受的攻擊一樣的事情，”Digital Bond公司的彼得森說，“那可是這一領域的聖杯。”
奧巴馬在國情咨文(State of the Union)演說中指出了這種擔憂，但並未提到中國或其他任何國家。“我們知道外國政府和企業會染指美國企業的機密，”他說，“現在我們的敵人也在追求破 壞我們的電網、金融機構、空中交通管制系統的能力。我們不能等到多年以後，才去思索為什麼現在的我們無所作為。”

奧巴馬面臨著一個棘手的選擇。面對錯綜複雜而且至關重要的對華關係，是否值得就計算機黑客攻擊，讓世界第一大經濟體和第二大經濟體展開對抗？

幾年前，美國政府官員說，知識產權的竊取使其不勝其煩，每年造成數十億美元的收入損失。然而事情很顯然已經發生了變化。有越來越多的證據顯示，攻擊 背後有政府支持，61398部隊越來越肆無忌憚，對美國基礎設施構成的威脅也越來越大，這讓官員們得出結論，認為有必要採取更強有力的應對方式。

“現在中國沒有就此罷手的動力，”眾議院情報委員會主席羅傑斯說，“如果我們不能提高攻擊的代價，攻擊行為就只會加劇。”

翻譯：王童鶴、曹莉、陳亦亭、林蒙克、張薇 

 

 

 

Chinese Army Unit Is Seen as Tied to Hacking Against U.S.

By DAVID E. SANGER,  DAVID BARBOZA and NICOLE PERLROTH February 19, 2013

 On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China’s growing corps of cyberwarriors. The building off Datong Road, surrounded by restaurants, massage parlors and a wine importer, is the headquarters of P.L.A. Unit 61398. A growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.

An unusually detailed 60-page study, to be released Tuesday by Mandiant, an American computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as “Comment Crew” or “Shanghai Group” — to the doorstep of the military unit’s headquarters. The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area.
“Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
Other security firms that have tracked “Comment Crew” say they also believe the group is state-sponsored, and a recent classified National Intelligence Estimate, issued as a consensus document for all 16 of the United States intelligence agencies, makes a strong case that many of these hacking groups are either run by P.L.A. officers or are contractors working for commands like Unit 61398, according to officials with knowledge of its classified content.
Mandiant provided an advance copy of its report to The New York Times, saying it hoped to “bring visibility to the issues addressed in the report.” Times reporters then tested the conclusions with other experts, both inside and outside government, who have examined links between the hacking groups and the P.L.A. (Mandiant was hired by The New York Times Company to investigate a sophisticated Chinese-origin attack on the news operations, but concluded it was not the work of Comment Crew, but another Chinese group. The firm is not currently working for the Times Company but they are in discussions about a business relationship.)
While Comment Crew has drained terabytes of data from companies like Coca-Cola, increasingly its focus is on companies involved in the critical infrastructure of the United States — its electrical power grid, gas lines and waterworks. According to the security researchers, one target was a company with remote access to more than 60 percent of oil and gas pipelines in North America. The unit was also among those that attacked the computer security firm RSA, whose computer codes protect confidential corporate and government databases.
Contacted Monday, Chinese officials at its embassy in Washington again insisted that its government does not engage in computer hacking, and that such activity is illegal. They describe China itself as a victim of computer hacking, and point out, accurately, that there are many hacking groups inside the United States. But in recent years the Chinese attacks have grown significantly, security researchers say. Mandiant has detected more than 140 Comment Crew intrusions since 2006. American intelligence agencies and private security firms that track many of the 20 or so other Chinese groups every day say those groups appear to be contractors with links to the unit.
While the unit’s existence and operations are considered a Chinese state secret, Representative Mike Rogers of Michigan, the Republican chairman of the House Intelligence Committee, said in an interview that the Mandiant report was “completely consistent with the type of activity the Intelligence Committee has been seeing for some time.”
The White House said it was “aware” of the Mandiant report, and Tommy Vietor, the spokesman for the National Security Council, said, “We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and we will continue to do so.”
The United States government is planning to begin a more aggressive defense against Chinese hacking groups, starting on Tuesday. Under a directive signed by President Obama last week, the government plans to share with American Internet providers information it has gathered about the unique digital signatures of the largest of the groups, including Comment Crew and others emanating from near where Unit 61398 is based.
But the government warnings will not explicitly link those groups, or the giant computer servers they use, to the P.L.A. The question of whether to publicly name the unit and accuse it of widespread theft is the subject of ongoing debate.
“There are huge diplomatic sensitivities here,” said one intelligence official, with frustration in his voice.
But Obama administration officials say they are planning to tell China’s new leaders in coming weeks that the volume and sophistication of the attacks have become so intense that they threaten the fundamental relationship between Washington and Beijing.
The United States government also has cyberwarriors. Working with Israel, the United States has used malicious software called Stuxnet to disrupt Iran’s uranium enrichment program. But government officials insist they operate under strict, if classified, rules that bar using offensive weapons for nonmilitary purposes or stealing corporate data.
The United States finds itself in something of an asymmetrical digital war with China. “In the cold war, we were focused every day on the nuclear command centers around Moscow,” one senior defense official said recently. “Today, it’s fair to say that we worry as much about the computer servers in Shanghai.”
A Shadowy Unit
Unit 61398 — formally, the 2nd Bureau of the People Liberation Army’s General Staff Department’s 3rd Department — exists almost nowhere in official Chinese military descriptions. Yet intelligence analysts who have studied the group say it is the central element of Chinese computer espionage. The unit was described in 2011 as the “premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence” by the Project 2049 Institute, a nongovernmental organization in Virginia that studies security and policy issues in Asia.
While the Obama administration has never publicly discussed the Chinese unit’s activities, a secret State Department cable written the day before Barack Obama was elected president in November 2008 described at length American concerns about the group’s attacks on government sites. (At the time American intelligence agencies called the unit “Byzantine Candor,” a code word dropped after the cable was published by WikiLeaks.)
The Defense Department and the State Department were particular targets, the cable said, describing how the group’s intruders send e-mails, called “spearphishing” attacks, that placed malware on target computers once the recipient clicked on them. From there, they were inside the systems.
American officials say that a combination of diplomatic concerns and the desire to follow the unit’s activities have kept the government from going public. But Mandiant’s report is forcing the issue into public view.
For more than six years, Mandiant tracked the actions of Comment Crew, so named for the attackers’ penchant for embedding hidden code or comments into Web pages. Based on the digital crumbs the group left behind — its attackers have been known to use the same malware, Web domains, Internet protocol addresses, hacking tools and techniques across attacks — Mandiant followed 141 attacks by the group, which it called “A.P.T. 1” for Advanced Persistent Threat 1.
“But those are only the ones we could easily identify,” said Mr. Mandia. Other security experts estimate that the group is responsible for thousands of attacks.
As Mandiant mapped the Internet protocol addresses and other bits of digital evidence, it all led back to the edges of Pudong district of Shanghai, right around the Unit 61398 headquarters. The group’s report, along with 3,000 addresses and other indicators that can be used to identify the source of attacks, concludes “the totality of the evidence” leads to the conclusion that “A.P.T. 1 is Unit 61398.”
Mandiant discovered that two sets of I.P. addresses used in the attacks were registered in the same neighborhood as the Unit 61398’s building.
“It’s where more than 90 percent of the attacks we followed come from,” said Mr. Mandia.
The only other possibility, the report concludes with a touch of sarcasm, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multiyear enterprise-scale computer espionage campaign right outside of Unit 61398’s gates.”
The most fascinating elements of the Mandiant report follows the keystroke-by-keystroke actions of several of the hackers who the firm believes work for the P.L.A. Mandiant tracked their activities from inside the computer systems of American companies they were invading. The companies had given Mandiant investigators full access to rid them of the Chinese spies.
One of the most visible hackers it followed is UglyGorilla, who first appeared on a Chinese military forum in January 2004, asking whether China has a “similar force” to the “cyber army” being set up by the American military.
By 2007 UglyGorilla was turning out a suite of malware with what the report called a “clearly identifiable signature.” Another hacker, called “DOTA” by Mandiant, created e-mail accounts that were used to plant malware. That hacker was tracked frequently using a password that appeared to be based on his military unit’s designation. DOTA and UglyGorilla both used the same I.P. addresses linked back to Unit 61398’s neighborhood.
Mandiant discovered several cases in which attackers logged into their Facebook and Twitter accounts to get around China’s firewall that blocks ordinary citizen’s access, making it easier to track down their real identities.
Mandiant also discovered an internal China Telecom memo discussing the state-owned telecom company’s decision to install high-speed fiber-optic lines for Unit 61398’s headquarters.
China’s defense ministry has denied that it is responsible for initiating attacks. “It is unprofessional and groundless to accuse the Chinese military of launching cyberattacks without any conclusive evidence,” it said last month, one of the statements that prompted Mandiant to make public its evidence.
Escalating Attacks
Mandiant believes Unit 61398 conducted sporadic attacks on American corporate and government computer networks; the earliest it found was in 2006. Two years ago the numbers spiked. Mandiant discovered some of the intrusions were long-running. On average the group would stay inside a network, stealing data and passwords, for a year; in one case it had access for four years and 10 months.
Mandiant has watched the group as it has stolen technology blueprints, manufacturing processes, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of its clients, mostly in the United States. Mandiant identified attacks on 20 industries, from military contractors to chemical plants, mining companies and satellite and telecommunications corporations.
Mandiant’s report does not name the victims, who usually insist on anonymity. A 2009 attack on Coca-Cola coincided with the beverage giant’s failed attempt to acquire the China Huiyuan Juice Group for $2.4 billion, according to people with knowledge of the results of the company’s investigation.
As Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company, Comment Crew was busy rummaging through their computers in an apparent effort to learn more about Coca-Cola’s negotiation strategy.
The attack on Coca-Cola began, like hundreds before it, with a seemingly innocuous e-mail to an executive that was, in fact, a spearphishing attack. When the executive clicked on a malicious link in the e-mail, it gave the attackers a foothold inside Coca-Cola’s network. From inside, they sent confidential company files through a maze of computers back to Shanghai, on a weekly basis, unnoticed.
Two years later, Comment Crew was one of at least three Chinese-based groups to mount a similar attack on RSA, the computer security company owned by EMC, a large technology company. It is best known for its SecurID token, carried by employees at United States intelligence agencies, military contractors and many major companies. (The New York Times also uses the firm’s tokens to allow access to its e-mail and production systems remotely.) RSA has offered to replace SecurID tokens for customers and said it had added new layers of security to its products.
As in the Coca-Cola case, the attack began with a targeted, cleverly fashioned poisoned e-mail to an RSA employee. Two months later, hackers breached Lockheed Martin, the nation’s largest defense contractor, partly by using the information they gleaned from the RSA attack.
Mandiant is not the only private firm tracking Comment Crew. In 2011, Joe Stewart, a Dell SecureWorks researcher, was analyzing malware used in the RSA attack when he discovered that the attackers had used a hacker tool to mask their true location.
When he reverse-engineered the tool, he found that the vast majority of stolen data had been transferred to the same range of I.P. addresses that Mandiant later identified in Shanghai.
Dell SecureWorks says it believed Comment Crew includes the same group of attackers behind Operation Shady RAT, an extensive computer espionage campaign uncovered in 2011 in which more than 70 organizations over a five-year period, including the United Nations, government agencies in the United States, Canada, South Korea, Taiwan and Vietnam were targeted.
Infrastructure at Risk
What most worries American investigators is that the latest set of attacks believed coming from Unit 61398 focus not just on stealing information, but obtaining the ability to manipulate American critical infrastructure: the power grids and other utilities.
Staff at Digital Bond, a small security firm that specializes in those industrial-control computers, said that last June Comment Crew unsuccessfully attacked it. A part-time employee at Digital Bond received an e-mail that appeared to come from his boss, Dale Peterson. The e-mail, in perfect English, discussed security weaknesses in critical infrastructure systems, and asked the employee to click a link to a document for more information. Mr. Peterson caught the e-mail and shared it with other researchers, who found the link contained a remote-access tool that would have given the attackers control over the employee’s computer and potentially given them a front-row seat to confidential information about Digital Bond’s clients, which include a major water project, a power plant and a mining company.
Jaime Blasco, a security researcher at AlienVault, analyzed the computer servers used in the attack, which led him to other victims, including the Chertoff Group. That firm, headed by the former secretary of the Department of Homeland Security, Michael Chertoff, has run simulations of an extensive digital attack on the United States. Other attacks were made on a contractor for the National Geospatial-Intelligence Agency, and the National Electrical Manufacturers Association, a lobbying group that represents companies that make components for power grids. Those organizations confirmed they were attacked but have said they prevented attackers from gaining access to their network.
Mr. Blasco said that, based on the forensics, all the victims had been hit by Comment Crew. But the most troubling attack to date, security experts say, was a successful invasion of the Canadian arm of Telvent. The company, now owned by Schneider Electric, designs software that gives oil and gas pipeline companies and power grid operators remote access to valves, switches and security systems.
Telvent keeps detailed blueprints on more than half of all the oil and gas pipelines in North and South America, and has access to their systems. In September, Telvent Canada told customers that attackers had broken into its systems and taken project files. That access was immediately cut, so that the intruders could not take command of the systems.
Martin Hanna, a Schneider Electric spokesman, did not return requests for comment, but security researchers who studied the malware used in the attack, including Mr. Stewart at Dell SecureWorks and Mr. Blasco at AlienVault, confirmed that the perpetrators were the Comment Crew.
“This is terrifying because — forget about the country — if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and doing things like what happened to Telvent,“ Mr. Peterson of Digital Bond said. “It’s the holy grail.“
Mr. Obama alluded to this concern in the State of the Union speech, without mentioning China or any other nation. “We know foreign countries and companies swipe our corporate secrets,” he said. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.”
Mr. Obama faces a vexing choice: In a sprawling, vital relationship with China, is it worth a major confrontation between the world’s largest and second largest economy over computer hacking?
A few years ago, administration officials say, the theft of intellectual property was an annoyance, resulting in the loss of billions of dollars of revenue. But clearly something has changed. The mounting evidence of state sponsorship, the increasing boldness of Unit 61398, and the growing threat to American infrastructure are leading officials to conclude that a far stronger response is necessary.
“Right now there is no incentive for the Chinese to stop doing this,” said Mr. Rogers, the House intelligence chairman. “If we don’t create a high price, it’s only going to keep accelerating.”