China military hackers persist despite being outed by U.S.: report

WASHINGTON Wed Nov 6, 2013 6:44pm EST

An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho September 29, 2011. REUTERS/Jim Urquhart

WASHINGTON (Reuters) - The disclosure early this year of a secretive Chinese military unit believed to be behind a series of hacking attacks has failed to halt the cyber intrusions, a U.S. computer security company and congressional advisory panel said on Wednesday.

A report by the cybersecurity company Mandiant in February identified the People's Liberation Army's Shanghai-based Unit 61398 as the most likely culprit in hacking attacks on a wide range of industries. China's Defense Ministry denied the accusations.

The U.S.-China Economic and Security Commission, a panel which advises the U.S. Congress on China policy, said Mandiant's revelations brought only a brief pause in cyber intrusions by that PLA unit.

"There are no indications the public exposure of Chinese cyber espionage in technical detail throughout 2013 has led China to change its attitude toward the use of cyber espionage to steal proprietary economic and trade information," the commission said in a draft of their annual report to Congress.

The draft report, made available to Reuters on Wednesday, said Mandiant's revelations "merely led Unit 61398 to make changes to its cyber 'tools and infrastructure' (to make) future intrusions harder to detect and attribute."

The commission's report, to be released in final form later this month, quoted Mandiant experts as saying the Chinese military hackers decreased their activities for about a month following the February publication of that report.

DIFFERENT TOOLS

A Mandiant spokeswoman told Reuters that within a few weeks of the February report, the hacking levels from China had returned to about the same levels though the group was using some different tools.

"From what we can tell, they are still stealing the same type of data from the same industries," Mandiant spokeswoman Susan Helmick said on Wednesday.

"The focus appears to be the same but the methods and malware, they had to shift," Helmick said.

A spokesman for the Chinese embassy in Washington on Wednesday repeated China's response to the initial Mandiant report.

"Cyber attacks are transnational and anonymous," said spokesman Geng Shuang. "We don't know how the evidence is collected in this report."

Geng added: "China stands against cyber attacks and has done what it can to combat such activities in accordance with Chinese laws and regulations."

The February Mandiant report said PLA Unit 61398 is located in Shanghai's Pudong district, China's financial and banking hub, and is staffed by perhaps thousands of people proficient in English as well as computer programming and network operations.

It said the unit had stolen hundreds of terabytes of data from at least 141 organizations across a diverse set of industries - mostly in the United States, with smaller numbers in Canada and Britain.

The information stolen ranged from details on mergers and acquisitions to the emails of senior employees, the company said.

A report in July issued by the Commission on the Theft of American Intellectual Property said theft of business and industrial secrets cost the U.S. economy some $300 billion a year and that China was responsible for most of it.

In June, President Barack Obama and his Chinese counterpart, Xi Jinping, agreed to launch a bilateral working group to discuss cybersecurity issues. The group has met twice since July.

The U.S.-China Economic and Security Commission said it was told by experts that former U.S. National Security Agency contractor Edward Snowden's revelations of NSA cyber-operations against targets in China and Hong Kong would set back efforts to address Chinese cyber attacks by six months to a year.

(Editing by Mohammad Zargham)

Comments (6)
WJL wrote:
Close down the NSA!!!!!!

Nov 06, 2013 7:25pm EST
Kailim wrote:
Mandiant is a cyber security firm. It has to promote the need for its services as all insurance salesmen do, and making use of China threat is fashionable.

Don’t store your valuable data by any internet accessible means, that’s the cheapest and most effective way of protecting them. Sorry Mandiant for wrecking your million-dollar business.

Nov 06, 2013 8:09pm EST
ChicagoFats wrote:
Weasel words vs. weasel words. Love it.

You could swap uniforms between these two groups and not tell the difference.

Nov 06, 2013 8:28pm EST