Chinese Military Linked to Advanced Hacking Group That Tried to Bring Down U.S. Infrastructure
The New York Times is reporting that members of China's most advanced hacking group have been traced to the same small neighborhood as a Chinese Army base, a revelation that all but confirms that the Chinese military is behind the attacks. The hackers, known as the "Comment Crew," have targeted various parts of the U.S. government as well as major corporations like Coca-Cola and, more troubling, a company that has remote access to more than 60 percent of the oil and gas pipelines in North America. Mandiant, the same American computer security company the Times used to rid its networks of hackers last year, traced hundreds of attacks — 90% of the ones they examined — to the Shanghai neighborhood that houses the base, called P.L.A. Unit 61398.
"Either they are coming from inside Unit 61398," said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, "or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood."
The Times received an advance copy of Mandiant's 60-page report, and they tested its results with other private computer security companies as well as with officials in the U.S. government. The White House said it was "aware" of the report, and a spokesperson for the National Security Council said they had "repeatedly raised concerns" about hacking attacks against the military. Starting Tuesday, the U.S. government is reportedly escalating its defense against Chinese hacking groups, and they will share sensitive information gathered about the attacks with various internet service providers.
But other government officials noted a reluctance by the U.S. to connect the hacking attacks to the Chinese government. "There are huge diplomatic sensitivities here," one official told the Times. Another government official, a high ranking member of the Defense Department, said the hacking attacks created a tension not seen since the Cold War.
"In the cold war, we were focused every day on the nuclear command centers around Moscow," one senior defense official said recently. "Today, it's fair to say that we worry as much about the computer servers in Shanghai."
Chinese officials denied any involvement in the hacking attacks and claimed their government was also the victim of hackers. The same official then noted that there are many hacking groups inside the U.S., which is of course true. (The U.S. also collaborated with Israel on the Stuxnet virus, which was used to attack Iran in 2011).
Mandiant also traced attacks from the Comment Group to Digitial Bond (a company that has access to a major power plant and a mining company), the Chertoff Group (former Department of Homeland head Michael Chertoff's company, which has run simulations of cyber attacks against the U.S.) as well as contractors for the National Geospatial-Intelligence Agency. But the main concern expressed by experts was about Telvent, the company with access to 60% of North America's gas and oil pipelines. According to the report, Telvent was attacked in September of last year and project files were stolen before the hackers' access was cut off, preventing them from gaining control of of the company's systems.
"This is terrifying because - forget about the country - if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and do things like what happened to Telvent," Mr. Peterson of Digital Bond said. "It's the holy grail."
As for the accuracy of their report, Mandiant seemed confident enough to joke about the only other possible conclusions.
The only other possibility, the report concludes with a touch of sarcasm, is that "a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multiyear enterprise-scale computer espionage campaign right outside of Unit 61398's gates."
Here's a video from Mandiant that shows what a hacking attack looks like: