Unit 61398: A Chinese cyber espionage unit on the outskirts of Shanghai?

Filed Under: Featured, Malware

Made in China. Image from ShutterstockSecurity researchers at Mandiant have published a lengthy report [PDF], which appears to track a notorious hacking gang right to the door of a building belonging to the People's Liberation Army of China.

In its report, Mandiant says it believes it has traced a series of attacks back to the Pudong New Area on the outskirts of Shanghai, the same location as a 130,663 square foot PLA facility known as "Unit 61398".

Unit 61398 staff are said to have been trained in computer security, and are required to be proficient in the English language.

The report has caught the attention of the world's media, after the New York Times published a detailed story about the report earlier today.

New York Times report

It shouldn't be forgotten, of course, that the New York Times itself was recently hacked, and pointed the finger of blame firmly in the direction of China.

As we've discussed before, attribution is the key problem in these stories. How can you prove that country X was behind an internet attack, rather than - say - a patriotic hacker working from his back bedroom, or a hijacked PC controlled by a hacker in a different country?

At the same time, we shouldn't be naive. Countries around the world (not just the Chinese) are using the internet to spy on each other and gain advantage - whether it be political, financial or military.

Mandiant has certainly put together a hefty report - and it's well worth a read. Naturally, the Chinese government has debunked the claims.

Made in China image from Shutterstock.

, , , , , , ,

You might like

14 Responses to Unit 61398: A Chinese cyber espionage unit on the outskirts of Shanghai?

  1. Mandiant has posted a Youtube video which they claim is a video screen capture of one of these Chinese spies, which they label an "APT actor" in action - creating bogus Gmail accounts, engaging in spear phishing, and connecting to and stealing files from remote servers. http://youtu.be/6p7FqSav6Ho

  2. Boggle · 959 days ago

    Not "debunked" I think - more likely "denied". Debunk implies that the story is bunk (bunkum = nonsense) to start with. Which it may be, but I don't think you or the New York Times believe that, and nor do I.

    Very like the common and annoying misuse of "refute" for "reject".

    • You read my mind! I was just about to post this.

      debunk: Expose the falseness or hollowness of (a myth, idea, or belief).

      The Chinese government has done nothing of the sort. Denied, of course, but definitely not debunked.

  3. Benjamin · 959 days ago


    You write that "the Chinese government has debunked the claims" put forth by Mandiant. Do you mean that they have denied the claims? If they have, in fact, debunked the report can you point to the Chinese Government's counter-analyses?

    Thank you!

    • I meant they have denied the claims that they hack the computers of other countries.

      Reporters in Shanghai say that China's Foreign Ministry has called the report "groundless" and described the data as rudimentary.

      Sorry if I used the wrong word.

      • Dude · 958 days ago

        You should be sorry. You're a journalist (lol). Try a dictionary some time.

        • Actually I'm not a journalist. :) I'm just a guy who works at a security company, and blogs a bit.

          But yes, I should have been more careful with my wording. I've left it as-is above so you can carry on embarrassing me.

        • Anonymous · 128 days ago

          Is Shanghai nice at this time of year ?

  4. Dezso · 958 days ago

    I tried to download the Mandiant pdf report ,but after the first page everything stops ,
    the error window says ; "An error exists on this page .Acrobat may not display the page correctly.Please contact the person who created the pdf document.."
    Do you think Chinese hard at work??

  5. Humanoid · 958 days ago

    That video is hilarious. Hackers use their ip address to login to Gmail without re-routing or use their own phone to authenticate. They all use outdated Windows 2000 with Gui apps. In year 2013, script kiddies are still using the mid 90s Netbus technology? I thought only government contractors use those technology. Also, why would they use a FTP session that can be logged or traced back? This can't be state sponsored actors.

  6. Scott · 958 days ago

    Sounds as though Tom Clancy was on to something with his latest book 'Threat Vector'....

  7. Lese Majeste · 957 days ago

    And another boogieman is created to scare Americans into supporting endless wars.

    We don't have the money to pay China back what we owe, but starting a war might wipe the books clean.

    • SikkenTired · 128 days ago

      We "owe " $1.3 billion to the Chinese out of $19 trillion dollars . Small change.

  8. ChasL · 952 days ago

    Graham, has anyone fact checked the content of Mandiant's report? It has quite a few problems:

    - The report claims Hebei is a borough of Shanghai. Hebei province is actually 500 miles away. This place the geolocation claim more doubtful.

    - Page 11 cited a Unit 61398 central building at 208 Datong Road. That is the address of Unit 61398 Kindergarten (google "site:starbaby.cn 61398"). So Mandiant thinks China's premier cyber war unit would put a preschool that's open to the public in the same place?

    - The hacker DOTA was outted by Anonymous back in 2011 when Anonymous attacked HBGary (google "d0ta010 HBGary"), which begs the question who'd use compromised identity?

    This report is full of holes.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley