Experts show that the Chinese military is likely coordinating the attacks

Feb 19, 2013 08:48 GMT

Mandiant, the security firm in charge of investigating the data breaches that affected The New York Times and The Washington Post, has published a detailed report on APT1, believed to be one of the most persistent cyber espionage units sponsored by the Chinese government.

The 60-page report covers all aspects of APT1 and the company has even published a video that shows attacker sessions and intrusion activities conducted by the advanced persistent threat (APT) group.

Mandiant reveals that APT1 is most likely the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, also known as Unit 61398, based on its Military Unit Cover Designator.

It’s believed that APT1 has stolen hundreds of terabytes of information from at least 141 organizations around the world since 2006.

The unit’s main targets are organizations from a wide range of industries, most of them located in English-speaking countries.

The infrastructure used by the cyber espionage entity appears to be operated by at least dozens of human operators, but Mandiant believes there could be hundreds of individuals involved.

Chinese officials have often argued that the US can’t make accusations based only on some IP addresses, but Mandiant’s report presents several notable findings.

For instance, in 1,849 of the 1,905 Remote Desktop sessions they analyzed, the APT1 operator used “Chinese (Simplified) – US Keyboard” for the keyboard layout settings.

In addition, 98% of the IP addresses that logged in to the APT1-controlled systems were traced back to China. Moreover, 99.8% of the IP addresses used for HUC Packet Transmit Tool (HTRAN) communications were registered to four Shanghai net blocks.

These figures show that the attacks are either coming from Unit 61398, or the Chinese military is, as Mandiant CEO Kevin Mandia told The New York Times, “clueless about thousands of people generating attacks from this one neighborhood.”

The complete report is available here.
