May 20, 2013
China’s PLA Hackers Pick Up Where They Left Off
Michael Harper for redOrbit.com — Your Universe Online
Earlier this year, security firm Mandiant released a report which found a rash of cyber attacks against companies from the US and other English-speaking countries. These attacks were all believed to be launched from China, specifically a branch of the People’s Liberation Army (PLA) called Unit 61398, located in one 12-story building on the edge of Shanghai.
In the weeks following this report’s release, cyber activity from Unit 61398 had been slow, even though the Chinese government denied any participation in the attacks on hundreds of companies. Yesterday, the New York Times released a second report claiming that the Unit is back at work, and this time they’re using different techniques to avoid being spotted.
“They dialed it back for a little while, though other groups that also wear uniforms didn’t even bother to do that,” said Kevin Mandia, the chief executive of Mandiant, in an interview with the Times.
“I think you have to view this as the new normal.”
Mandiant has once again reported hacking activity, and though they did not disclose the PLA´s targets, they did say several of them were attacked during the last round of cyberattacks. The New York Times itself was a target of the earlier attacks and hired Mandiant to investigate.
The Obama administration has commented on this new uptick in hacking attempts, saying they need to have another conversation with the Chinese government and let them know “there is a real cost to this kind of activity.”
Shortly after being discovered in February, the hackers not only ceased their attacks but also removed any spying tools that they had used or left behind. Mandiant has kept an eye on the Unit, however, and now says they’ve been slowly ramping up their attacks over the past two months. To hide their tracks, the Chinese hackers have begun to use new servers with which to carry out their strikes, as well as other spy tools which allow them to steal private information without being detected.
Mandiant believes these hackers have been able to operate at “60 to 70 percent” of the level they were at before they shut down operations in February. The security firm watched as the Unit was essentially dismantled and hackers dispersed. Online detectives worked to find these hackers and link their online pseudonyms with their real identities.
One hacker in particular operated under the assumed name “UglyGorilla.” Online detectives later linked him back to a man named “Wang Dong” who blogged about his experiences as a low-paid and hungry hacker for the PLA.
The PLA hackers only took a few weeks off from their strikes before slowly picking up again where they left off. The new attacks are still originating from the same building in Shanghai, and Mandiant claims most of the Chinese hackers are taking advantage of small Internet Service Providers (ISPs) who aren’t aware of their presence.
Mandiant also found the hackers are still using the same malware as before, though the code has been slightly altered.
Thomas Donilon, President Obama’s national security advisor, is expected to talk about these attacks and more during an upcoming visit to China.