PLA Unit 61398


…rears its head, and not for the first time. Nor is this the first time that Unit 61398 has been a topic of my efforts.

It seems, though, that China is upping the ante considerably.  The New York Times reports:

As Mandiant mapped the Internet protocol addresses and other bits of digital evidence, it all led back to the edges of Pudong district of Shanghai, right around the Unit 61398 headquarters. The group’s report, along with 3,000 addresses and other indicators that can be used to identify the source of attacks, concludes “the totality of the evidence” leads to the conclusion that “A.P.T. 1 is Unit 61398.”

The stakes are extremely high. This is a gray area in which the Chinese vowed fifteen years ago to firmly ensconce themselves, in order to counter US conventional military and economic power. Everything they have done since the publishing of Unrestricted Warfare has been in support of that decision.

My assertion regarding attribution in the 2011 USNI post…

With all the debate about “Acts of War” in disruption of the information system realm by an enemy of America, the matter will come down to the yawning chasm between what you can believe with certitude, and what you can prove. Attribution for a “digital Pearl Harbor”, a decade-old phrase making a bit of a comeback, will not be as easy as spotting the red discs on the wings of the torpedo bombers….

…remains as true as ever.  And Red China, the PLA, and its state-sponsored hackers are taking full advantage.

And the Chinese Ministry of Foreign Affairs said Tuesday that the allegations were “unprofessional.”

“Making unfounded accusations based on preliminary results is both irresponsible and unprofessional, and is not helpful for the resolution of the relevant problem,” said Hong Lei, a ministry spokesman. “China resolutely opposes hacking actions and has established relevant laws and regulations and taken strict law enforcement measures to defend against online hacking activities.”

What is most worrisome, however, has been the nature of the entities being exploited by “Comment Crew”/APT1:

But the most troubling attack to date, security experts say, was a successful invasion of the Canadian arm of Telvent. The company, now owned by Schneider Electric, designs software that gives oil and gas pipeline companies and power grid operators remote access to valves, switches and security systems.

Telvent keeps detailed blueprints on more than half of all the oil and gas pipelines in North and South America, and has access to their systems. In September, Telvent Canada told customers that attackers had broken into its systems and taken project files. That access was immediately cut, so that the intruders could not take command of the systems.

Martin Hanna, a Schneider Electric spokesman, did not return requests for comment, but security researchers who studied the malware used in the attack, including Mr. Stewart at Dell SecureWorks and Mr. Blasco at AlienVault, confirmed that the perpetrators were the Comment Crew.

“This is terrifying because — forget about the country — if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and do things like what happened to Telvent,” Mr. Peterson of Digital Bond said. “It’s the holy grail.”

The Mandiant Report is worth the read, as well.  But not at bedtime.

In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.

» In 1,849 of the 1,905 (97%) of the Remote Desktop sessions APT1 conducted under our observation, the APT1 operator’s keyboard layout setting was “Chinese (Simplified) — US Keyboard”. Microsoft’s Remote Desktop client configures this setting automatically based on the selected language on the client system. Therefore, the APT1 attackers likely have their Microsoft® operating system configured to display Simplified Chinese fonts.

» 817 of the 832 (98%) IP addresses logging into APT1 controlled systems using Remote Desktop resolved back to

» We observed 767 separate instances in which APT1 intruders used the “HUC Packet Transmit Tool” or HTRAN to communicate between 614 distinct routable IP addresses and their victims’ systems using their attack infrastructure. Of the 614 distinct IP addresses used for HTRAN communications:
− 614 of 614 (100%) were registered in China.
− 613 (99.8%) were registered to one of four Shanghai net blocks.
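As an added example, not taken from the post or from the Mandiant report, the Python below aggregates the two kinds of indicator the excerpt leans on: the RDP client keyboard layout per session, and the registered net block per distinct source IP. The session records and the net-block table are constructed (documentation-range addresses, placeholder labels), standing in for RDP logs and WHOIS data.

```python
import ipaddress
from collections import Counter

# Constructed sample: (source IP, keyboard layout reported by the RDP client)
# per observed Remote Desktop session. Documentation-range IPs, not real ones.
SESSIONS = [
    ("203.0.113.10", "Chinese (Simplified) - US Keyboard"),
    ("203.0.113.77", "Chinese (Simplified) - US Keyboard"),
    ("198.51.100.5", "Chinese (Simplified) - US Keyboard"),
    ("198.51.100.9", "US"),
    ("192.0.2.33", "Chinese (Simplified) - US Keyboard"),
]
# Constructed stand-in for WHOIS/registry data: net block -> placeholder label.
NET_BLOCKS = {"203.0.113.0/24": "netblock-A", "198.51.100.0/24": "netblock-B"}

def netblock_for(ip, blocks):
    """Label of the registered net block containing ip, else 'unregistered'."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in blocks.items():
        if addr in ipaddress.ip_network(cidr):
            return label
    return "unregistered"

def pct(part, whole):
    """Percentage rounded to one decimal, the way the report states its figures."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def summarize(sessions, blocks):
    """Layout share per session; net-block share per distinct source IP."""
    layouts = Counter(layout for _, layout in sessions)
    distinct_ips = {ip for ip, _ in sessions}
    block_counts = Counter(netblock_for(ip, blocks) for ip in distinct_ips)
    return {
        "sessions": len(sessions),
        "layout_pct": {k: pct(v, len(sessions)) for k, v in layouts.items()},
        "distinct_ips": len(distinct_ips),
        "block_counts": dict(block_counts),
        "block_pct": {k: pct(v, len(distinct_ips)) for k, v in block_counts.items()},
    }

def top_block_share(summary, n):
    """Share of distinct IPs inside the n most-used registered net blocks
    (the shape of 'x% were registered to one of four net blocks')."""
    counts = {k: v for k, v in summary["block_counts"].items() if k != "unregistered"}
    top = sorted(counts.values(), reverse=True)[:n]
    return pct(sum(top), summary["distinct_ips"])

if __name__ == "__main__":
    s = summarize(SESSIONS, NET_BLOCKS)
    print(s, "top-2 net-block share:", top_block_share(s, 2))
```

Layout shares are computed per session while net-block shares are computed per distinct IP, mirroring the two different denominators the excerpt uses.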

The Obama Administration has its hands full with this. More so perhaps than they let on. China has not only been studying its Mahan, but its Clausewitz, too. We are unquestionably looking at the “admixture of other means”, just as they promised us.

China’s intent is clear, and has been for some time. This Administration, unlike its predecessors, will have to face a technologically and militarily mature China that is increasingly emboldened and bellicose. Talk of China as a benign partner and potential ally in any endeavor in which US national interests are at stake needed to have ceased some time ago.

3 thoughts on “PLA Unit 61398”

  1. We know they’re doing it, they know they’re doing it, and we both know there will never be a way to PROVE they’re doing it to any uninterested third party. The question is, how the hell do you respond to these attacks? I don’t have the slightest idea. Glad I don’t have to.

  2. Probably someone we taught computer science to at a US school 10-15 years ago. The ascendancy of recorded superior performance in math and science is noted.

  3. SFC points out the irony. We trained these people. The Universities whose butt they put in a chair as long as they get those tuition payments. University admins are worse than business men in that regard. Some businessmen will betray their country, but most will not. University admins will walk on their grandmother’s grave before they dig her up if that gets them what they want.