Security Firm Mandiant Says China's Army Runs Hacking Group APT1
judgecorp writes "The Chinese government has been accused of backing the APT1 hacking group, which appears to be part of the Chinese People's Liberation Army (PLA), according to the security firm which worked with the New York Times when it fell victim to an attack. The firm, Mandiant, says that APT1 is government sponsored, and seems to operate from the same location as PLA Unit 61398." Unsurprisingly, this claim is denied by Chinese officials. You can read the report itself online (PDF), or skim the highlights.
I was so excited when I got my first wireless router a number of years ago that I used to check the in/out listings daily. I did not care too much about unauthorized access (who would want to monitor me?) so I just chose the Netgear defaults. I quickly found out that a number of DAILY accesses were from somewhere in China. They were not from the same places in China, but they were from China nonetheless. I quickly made the security corrections. Fortunately they do not seem to get in now. Emphasis on the words "seem to".
Mandiant page with appendix and hashes for their materials here.
I was reading through this last night and it contains some interesting details, but is also something of an advertisement for Mandiant's services. Some highlights:
posting anon for obvious reasons. I work for a very large tech company, and we've been trying to remove these bastards for years. YEARS. But the admins still click on cutepicture.exe in their email, and the devs always open the malicious Confidential2012salaries.ppt.... so it's like one big game of whack-a-mole. When we get more effective, sometimes we can maintain a dry environment for a good long time. Other times they throw serious resources at us and we get flooded, sometimes even tracing malicious action to short-term contractors physically working in the US. It's like a swarm of locusts, picking through every bit of data with commercial value. I think one thing that escapes many US/EU security people is the scale of the PRC effort. When you have tens of thousands of people at your disposal, and update your overall plans every 5 years, it's never "a hack." If you do anything they're interested in, they're in your house.
But two alternate realities persist:
1. The Chinese government will continue to vapidly claim that attribution based on years of solid data are "unfounded and irresponsible" accusations. It is difficult to understand or engage with an adversary on any constructive level when their government consistently spouts predictable juvenile lies.
2. Our/your PR & legal people will steadfastly refuse to discuss the long-game nature of the Chinese intrusions, and deny they started 2-5-10 years ago and persist to this day. (We got a good chuckle out of the NYT assertion that the intruders entered only a few months ago, and that they have been eradicated from the network. I believe their corp lawyers said that. Any tech who believes either assertion is a fool.)