Report: Hacking not hobby in China

The Chinese government continues to deny accusations of official involvement in cyber attacks against foreign targets, insinuating such activity is the work of rogues.

But at least one element cited by Internet experts points to professional cyber spies: China’s hackers take the weekend off.

Accusations of state-sanctioned hacking took center stage this past week after a detailed report by U.S.-based Internet security firm Mandiant. It added to growing suspicions that the Chinese military is pilfering information from foreign companies that could be worth millions or even billions of dollars.

Experts say Chinese hacking attacks are characterized not only by their brazenness, but also by their persistence.

“China conducts at least an order of magnitude more than the next country,” said Martin Libicki, a specialist on cyber warfare at the Rand Corporation, based in Santa Monica, Calif. The fact that hackers take weekends off suggests they are paid, and that would belie “the notion that the hackers are private,” he said.

Libicki and other cyber warfare experts have long noted a Monday-through-Friday pattern in the intensity of attacks believed to come from Chinese sources, though there has been little evidence released publicly directly linking the Chinese military to the attacks.

Mandiant went a step further in its report last Tuesday, saying that it had traced hacking activities against 141 foreign entities in the U.S., Canada, Britain and elsewhere to a group of operators known as the “Comment Crew” or “APT1,” for “Advanced Persistent Threat 1,” which it traced back to the People’s Liberation Army Unit 61398. The unit has its headquarters in a 12-story building inside a military compound in a crowded suburb of China’s financial hub of Shanghai.

Attackers stole information about pricing, contract negotiations, manufacturing, product testing and corporate acquisitions, the company said.

Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear.

China denies any official involvement, calling such accusations “groundless” and insisting that China is itself a major victim of hacking attacks, the largest number of which originate in the U.S. While not denying hacking attacks originated in China, Foreign Ministry spokesman Hong Lei said Thursday that it was flat-out wrong to accuse the Chinese government or military of being behind them.

Mandiant and other experts believe Unit 61398 to be a branch of the People’s Liberation Army General Staff’s Third Department responsible for collection and analysis of electronic signals such as email and phone calls. It and the Fourth Department, responsible for electronic warfare, are believed to be the People’s Liberation Army units mainly responsible for infiltrating and manipulating computer networks.

China acknowledges pursuing these strategies as a key to delivering an initial blow to an opponent’s communications and other infrastructure during wartime - but the techniques are often the same as those used to steal information for commercial use.

China has consistently denied state-sponsored hacking, but experts say the office hours that the cyber spies keep point to a professional army rather than mere hobbyists or so-called “hacktivists” inspired by patriotic passions.

Mandiant noticed that pattern while monitoring attacks on The New York Times last year blamed on another Chinese hacking group it labeled APT12. Hacker activity began about 8:00 a.m. Beijing time and usually lasted through a standard work day.

The Rand Corporation’s Libicki said he wasn’t aware of any comprehensive studies, but that in such cases, most activity between malware embedded in a compromised system and the malware’s controllers takes place during business hours in Beijing’s time zone.

Richard Forno, director of the University of Maryland Baltimore County’s graduate cyber security program, and David Clemente, a cyber security expert with independent analysis center Chatham House in London, said that observation has been widely noted among cyber security specialists.

The People’s Liberation Army’s Third Department is brimming with resources, according to studies commissioned by the U.S. government, with 12 operation bureaus, three research institutes, and an estimated 13,000 linguists, technicians and researchers on staff. It’s further reinforced by technical teams from China’s seven military regions spread across the country, and by the military’s vast academic resources, especially the University of Information Engineering and the Academy of Military Sciences.

The Chinese army is believed to have made cyber warfare a priority in its war-fighting capabilities more than a decade ago. One of the few public announcements of its development came in a May 25, 2011, news conference by Defense Ministry spokesman Geng Yansheng, in which he spoke of developing China’s “online” army.

Unit 61398 is considered just one of many such units under the Third Department responsible for hacking, according to experts.

Greg Walton, a cyber-security researcher who has tracked Chinese hacking campaigns, said he’s observed the “Comment Crew” at work, but cites as equally active another Third Department unit operating out of the southwestern city of Chengdu. It is tasked with stealing secrets from Indian government security agencies and think tanks, as well as the India-based Tibetan Government in Exile, Walton said.

Another hacking outfit believed by some to have People’s Liberation Army links, the “Elderwood Group,” has targeted defense contractors, human rights groups, non-governmental organizations and service providers, according to computer security company Symantec.

Business, Pages 23 on 02/26/2013
