China Denies U.S. Hacking Accusations: 6 Facts

China Denies U.S. Hacking Accusations: 6 Facts

Mandiant report says that an elite Chinese military hacking unit is responsible for launching APT attacks against U.S. businesses. Chinese government cries foul.

---

Security firm Mandiant this week published evidence that it said
ties the Chinese government
to a six-year campaign of hack attacks that have compromised 141 businesses across 20 industries. Washington-based Mandiants
74-page report
covers only one of the dozens of cyber-espionage groups around the world, including more than 20 in China, that the company said use
advanced persistent threats
(APTs) -- including
spear-phishing attacks
-- to compromise their targets. Mandiant refers to the group in its report as APT1.
From our observations, it is one of the most prolific cyber-espionage groups in terms of the sheer quantity of information stolen, according to Mandiants report. The scale and impact of APT1s operations compelled us to write this.
[ Want more on U.S. cybersecurity defense? Read
White House Cybersecurity Executive Order: What It Means
. ]
Based on Mandiants research, as well as reaction from security experts and the Chinese government, heres whats known -- and what remains in question -- about the activities of the APT1 hacking group:
1. Mandiant Traces APT1 Attacks To Shanghai
Mandiants report wasnt notable for the fact that it accused the Chinese government of supporting APT attacks at U.S. businesses, but rather for the volume of evidence -- albeit circumstantial -- that it presented. Furthermore, Mandiant accused APT1 of not just being supported by the Chinese government, but actually part of the Peoples Liberation Army (PLA) Unit 61398, which is an elite military hacking unit.
Mandiants conclusions come in part from tracing IP addresses used in attacks to a specific, 12-story, beige building in the Pudong district of Shanghai, where Mandiant found that China Telecom had provided a special fiber optic communications infrastructure. Mandiant also cited documents from China Telecom noting that the facility had been built together with Unit 61398, which the documents also referred to as GSD 3rd Department, 2nd Bureau, which refers to the PLA General Staff Departments 3rd Department, which is -- again -- also known as
PLA Unit 61398
.
Adding to the intrigue, a BBC correspondent
reported that hed been briefly detained
Tuesday after attempting to visit the building.
2. Symantec Says Attacks Began In 2006
Security software vendor Symantec said that the activities of the APT1 group, which it calls the
Comment Crew
-- because the group has hidden attack commands inside HTML comments -- began more than six years ago. The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec, according to a
blog post from Symantec Security Response
. We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks.
According to Symantec, APT1s attacks often involve spear-phishing emails with such subject lines as U.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip and New contact sheet of the AN-UYQ-100 contractors.pdf. The attacks have targeted businesses in numerous industries, including finance, information technology, aerospace, energy, telecommunications, manufacturing, transportation, media and public services, it said.
The Mandiant report, however, didnt break any new ground in the Comment Crew discussion. There really wasnt much new that came out of that Mandiant report, except for them identifying a specific building and putting all these details on that in there, said former Gartner Group analyst John Pescatore, who last month became the director of emerging security trends at the SANS Institute, speaking by phone.
3. Chinese Government: Allegations Are Baseless
The Chinese government has dismissed Mandiants allegations. In particular, the Xinhua News Agency -- which is the Chinese governments official press agency -- published a commentary Wednesday that dismissed the Mandiant report as amateurish, saying its conclusions were baseless and revealing, including its tying of Shanghai IP addresses to a specific Chinese government military unit, although it offered no evidence to refute the allegations.
One does not need to be a cybersecurity expert to know that professional hackers usually exploit what is called the botnet in other parts of the world as proxies for attacks, not their own computers, according to the commentary. Thus, it is highly unlikely that both the origins of the hackers and the attacks they have launched can be located. The story further suggested that the report was little more than a commercial stunt by Mandiant CEO Kevin Mandia, and representative of a broader push by the U.S. cybersecurity lobby to sell more products and services. Next time, the CEO could simply say: See the Chinese hackers? Hurry up, come and buy our cybersecurity services, according to the Xinhua commentary.
4. Security Expert: Mandiant Failed At Attribution
Criticism of Mandiants conclusions has also come from information security circles. My problem with this report is not that I dont believe that China engages in massive amounts of cyber-espionage. I know that they do -- especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room,
said Jeffrey Carr, CEO of Taia Global
, in a blog post.
Carr also recently
criticized Mandiants report
that Chinese attackers hacked into
The New York Times
, and said that if the groups APT1 evidence had been submitted to a professional intelligence analyst, for example at the CIA, a more rigorous analysis -- for example by using the
Analysis of Competing Hypotheses
(ACH) vetting process -- would likely have failed to
prove attribution
.
My problem is that Mandiant refuses to consider what everyone that I know in the intelligence community acknowledges -- that there are multiple states engaging in this activity; not just China, Carr said. And that if youre going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.
5. U.S. Considers The Diplomacy Angle
After the Mandiant report went public, reporters began pressing U.S. government officials about what they planned to do about the perceived threat. On that front, the White House this week unveiled a new strategy aimed at
combating the theft of U.S. trade secrets
by hackers.
That strategy includes diplomatic efforts, which are already underway. Weve raised our concern at the highest level about cyberthreats from China, including the involvement of the military, said U.S. Department of State spokeswoman Victoria Nuland in a Tuesday media briefing, without commenting on whether the government sees the Chinese government as being behind the APT1 attacks. Without getting too deeply into the details of private diplomatic discussions were having, what we have been involved with is making clear that we consider this kind of activity a threat not only to our national security but also to our economic interests, and laying out our concerns specifically so that we can see if theres a path forward.
6. Follow The Money
Mandiant said that APT1 alone has stolen terabytes of data from at least 140 different businesses. But to what end? Furthermore, some commentators have asked why this potentially incendiary information security data is coming from a firm that sells information security services, rather than from the U.S. government? Shouldnt a military intelligence report about APT1 come from the government instead of an IT consultancy?
Dodgy, tweeted
Australia-based security engineer Vitaly Osipov.
Likewise, others have questioned whether a Chinese military agency would commit the sorts of
sloppy mistakes
that allowed Mandiant to trace the attacks back to their supposed origin.
Perhaps the question we should be asking isnt Who did it? but rather Who benefits?
said John Artman
, a presenter and producer at China Radio International in Beijing, in a blog post. So far, it appears to be U.S. policymakers bent on beefing up cybersecurity legislation using China as the go-to bogeyman. Naturally, lots of media have fallen in step, regurgitating a tired, not-at-all subtle narrative that we should know better than to accept at face value.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security

▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security

▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

Cyber Security Categories

Google Dorks Database

Exploits Vulnerability

Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
China Denies U.S. Hacking Accusations: 6 Facts