Exposing One of China’s Cyber Espionage Units
  • Author
    mandiant.com
  • Summary

    Executive Summary

    China’s Computer Network Operations Tasking to PLA Unit 61398 (61398部队)

    APT1: Years of Espionage

    APT1: Attack Lifecycle

    APT1: Infrastructure

    APT1: Identities

    Conclusion

    Appendix A: How Does Mandiant Distinguish Threat Groups?

    Appendix B: APT and the Attack Lifecycle

    Appendix C (Digital): The Malware Arsenal

    Appendix D (Digital): FQDNs

    Appendix E (Digital): MD5 Hashes

    Appendix F (Digital): SSL Certificates

    Appendix G (Digital): IOCs

    Appendix H (Digital): Video

    APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).

    » The nature of “Unit 61398’s” work is considered by China to be a state secret; however, we believe it engages in harmful “Computer Network Operations.”

    » Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007.

    » We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398’s physical infrastructure.

    » China Telecom provided special fiber optic communications infrastructure for the unit in the name of national defense.

    » Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.

    » Mandiant has traced APT1’s activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based.

Attachments
  • Mandiant_APT1_Report.pdf
    Size: 6.8 M, Downloads: 56