China’s Cyber Threat
Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors.
Research and observations indicate that the Communist Party of China (CPC) is tasking the Chinese People’s Liberation Army (PLA) to commit systematic cyber espionage and data theft against organizations around the world.
The PLA’s cyber command is fully institutionalized within the CPC and able to draw upon the resources of China’s state-owned enterprises to support its operations. The CPC is the ultimate authority in Mainland China; unlike in Western societies, in which political parties are subordinate to the government, the military and government in China are subordinate to the CPC. In fact, the PLA reports directly to the CPC’s Central Military Commission. This means that any enterprise cyber espionage campaign within the PLA is occurring at the direction of senior members of the CPC. It is believed that the PLA’s strategic cyber command is situated in the PLA’s General Staff Department, specifically the 2nd Bureau of the People’s Liberation Army General Staff Department’s (GSD) 3rd Department, most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. The GSD is the most senior PLA department. Similar to the U.S. Joint Chiefs of Staff, the GSD establishes doctrine and provides operational guidance for the PLA. Within the GSD, the 3rd Department has a combined focus on signals intelligence, foreign language proficiency, and defense information systems.
The nature of “Unit 61398’s” work is considered by China to be a state secret.
Unit 61398 is partially situated on Datong Road in Gaoqiaozhen, which is located in the Pudong New Area of Shanghai. The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007. Based on the size of Unit 61398’s physical infrastructure, estimates are that it is staffed by hundreds, and perhaps thousands, of people.
The size of the infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
Given the volume, duration and type of attack activity we have observed, Unit 61398 operators would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors. Unit 61398 would also need a sizable IT staff dedicated to acquiring and maintaining computer equipment, people who handle finances, facility management, and logistics.
Unit 61398 also has a full assortment of support units and associated physical infrastructure, much of which is located on a stretch of Datong Road in Gaoqiaozhen, in the Pudong New Area of Shanghai. These support units include a logistics support unit, an outpatient clinic, and a kindergarten, as well as guesthouses located both in Gaoqiaozhen and in other locations in Shanghai. These amenities are usually associated with large military units or units at higher echelons. The close proximity of these amenities supports the contention that Unit 61398 occupies a high-level position in the PLA organizational hierarchy.
Unit 61398 is actively soliciting and training English-speaking personnel specializing in a wide variety of cyber topics. Additionally, there is evidence that Unit 61398 aggressively recruits new talent from the Science and Engineering departments of universities such as Harbin Institute of Technology and Zhejiang University School of Computer Science and Technology. The majority of the “profession codes” describing positions that Unit 61398 is seeking to fill require highly technical computer skills. The group also appears to have a frequent requirement for strong English proficiency.
87% of the organizations targeted by Unit 61398 primarily conduct their operations in English. This includes 115 victims located in the U.S. and seven in Canada and the United Kingdom. Of the remaining 19 victims, 17 use English as a primary language for operations. These include international cooperation and development agencies, foreign governments in which English is one of multiple official languages, and multinational conglomerates that primarily conduct their business in English.
Unit 61486 is the 12th Bureau of the PLA’s 3rd General Staff Department and is headquartered in Shanghai, China.
Unit 61486 is a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of the US Defense and European satellite and aerospace industries. The PLA’s GSD Third Department is generally acknowledged to be China’s premier Signals Intelligence (SIGINT) collection and analysis agency, and the 12th Bureau, Unit 61486, headquartered in Shanghai, supports China’s space surveillance network.
These are just two of around 20 similar units operating under the GSD’s Third Department, and alongside the Third Department are the Chinese regime’s other spy departments working against the West.
Estimates of the number of personnel in each GSD department vary, and most focus only on the cyber spies in the Third Department. The Project 2049 Institute estimated in November 2011 that there were 130,000 personnel under the Third Department. The Wall Street Journal estimated in July that the Third Department has 100,000 hackers, linguists, and analysts.