Your Source for NPR News & Music
Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

U.S. Security Company Tracks Hacking To Chinese Army Unit

The building housing Unit 61398 of the People's Liberation Army is on the outskirts of Shanghai. A U.S. security firm claims that cyberattacks against more than 140 targets in the U.S. and other countries have been traced to the Chinese military unit in the building.
AP
The building housing Unit 61398 of the People's Liberation Army is on the outskirts of Shanghai. A U.S. security firm claims that cyberattacks against more than 140 targets in the U.S. and other countries have been traced to the Chinese military unit in the building.

Cyberattacks on dozens of American companies have been traced to an area on the outskirts of Shanghai that houses a Chinese military unit, according to a report out Tuesday by Mandiant, a U.S. cybersecurity company.

The 60-page document, first reported by The New York Times, says the group behind the attacks — nicknamed "Comment Crew" — is the most prolific the company has ever tracked and has been hacking U.S. companies since at least 2006.

Mandiant says the hackers' real identity is Unit 61398 of China's People's Liberation Army, or PLA.

The unit sits near the Yangtze River in Shanghai's sprawling Pudong district, which is home to more than 5 million people. The walled compound stands out in an otherwise typical Shanghai neighborhood of restaurants, karaoke clubs and grocery stores.

The complex, which covers nearly three acres, has a 12-story tower with satellite dishes on the top and few signs other than those that indicate it's run by China's military.

Photos and filming are not permitted, and a BBC reporter was detained Tuesday after trying to videotape the complex.

When an NPR reporter showed up, a plainclothes police officer in a blue down coat was pacing the sidewalk out front, scanning the street and looking agitated as he spoke on a cellphone.

Wide-Ranging Attacks

Mandiant says the hackers have stolen hundreds of terabytes of data, including technology blueprints, proprietary manufacturing processes, business plans and partnership agreements.

"They've compromised over 141 corporations across 20 different industries and stolen just a wealth of intellectual property," says Dan McWhorter, who oversees Mandiant's threat intelligence business unit. Most of the companies were American.

McWhorter says the hackers appeared to be trying to steal intellectual property to help Chinese companies compete against U.S. and other foreign firms.

"In China, the government is very intimately involved in industry," McWhorter says, "so I think the PLA is motivated to take these documents for huge economic gain."

At a briefing Tuesday, China's Foreign Ministry dismissed Mandiant's report. Hong Lei, the ministry spokesman, questioned anyone's ability to track down hackers with certainty.

"Cyberattacks are anonymous and transnational, and it is hard to trace the origin," said Hong, "so I don't know how the findings of the report are credible."

Hong said that China has also suffered from cyberattacks, and that in 2012, foreign hackers seized control of 14 million Chinese computers. Hong seemed to point the finger at America, if not the U.S. government.

"China is also a victim of cyberattacks," he said. "In the attacks mentioned above, the number of attacks originating from the U.S. ranks first."

A Long-Running Operation

McWhorter says tracking the attacks to the PLA wasn't that hard, because the volume of data stolen was enormous, and the operation has been going on for so long.

"We just followed the data, followed the breadcrumbs," says McWhorter. "All the network communication kept going back to Shanghai, again and again."

Mandiant says it tracked the hackers back to four large networks in Shanghai, two in the Pudong area where Unit 61398 is located.

"We started doing our research as far as what kind of organizations could be that large doing this type of activity," says McWhorter, "and that's what led us to discover Unit 61398."

Beyond corporate espionage, Mandiant found hacking that was more worrisome, such as the infiltration of crucial U.S. infrastructure, including electric power grids and gas lines.

McWhorter says there is no sign that Chinese hackers tried to disable such operations, but the capability existed.

"If you have the ability to steal the documents, you could have just as easily crashed the hard drives," he said. "From a national security standpoint, that's very scary."

In his State of the Union address, President Obama alluded to this threat without directly naming China.

"Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems," Obama said.

The president said the nation could not look back years from now and wonder why it didn't do anything to stop it.

Copyright 2021 NPR. To see more, visit https://www.npr.org.

Frank Langfitt is NPR's London correspondent. He covers the UK and Ireland, as well as stories elsewhere in Europe.
Related Stories