China’s Computer Network Operations Tasking to PLA Unit 61398 (61398部队)
APT1: Years of Espionage
APT1: Attack Lifecycle
Appendix A: How Does Mandiant Distinguish Threat Groups?
Appendix B: APT and the Attack Lifecycle
Appendix C (Digital): The Malware Arsenal
Appendix D (Digital): FQDNs
Appendix E (Digital): MD5 Hashes
Appendix F (Digital): SSL Certificates
Appendix G (Digital): IOCs
Appendix H (Digital): Video
APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).
» The nature of “Unit 61398’s” work is considered by China to be a state secret; however, we believe it engages in harmful “Computer Network Operations.”
» Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007.
» We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398’s physical infrastructure.
» China Telecom provided special fiber optic communications infrastructure for the unit in the name of national defense.
» Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.
» Mandiant has traced APT1’s activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based.