PLA Unit 61398

Coordinates: 31°20′57.43″N 121°34′24.74″E (31.3492861°N, 121.5735389°E)
From Wikipedia, the free encyclopedia

People's Liberation Army Unit 61398 (61398部队)

Emblem of the People's Liberation Army
Active: 2014–present
Country: People's Republic of China
Allegiance: Chinese Communist Party
Branch: People's Liberation Army Strategic Support Force
Type: Cyber force, cyber-espionage unit
Role: Cyber warfare, electronic warfare
Part of: People's Liberation Army
Garrison/HQ: Tonggang Road, Pudong, Shanghai
Nickname(s):
  • APT 1
  • Comment Crew
  • Comment Panda
  • GIF89a
  • Byzantine Candor
  • Group 3
  • Threat Group 8223

PLA Unit 61398 (also known as APT1, Comment Crew, Comment Panda, GIF89a, or Byzantine Candor; Chinese: 61398部队; Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks.[2][3][4] The unit is stationed in Pudong, Shanghai,[5] and has been cited by US intelligence agencies since 2002.

History

From left, Chinese military officers Gu Chunhui, Huang Zhenyu, Sun Kailiang, Wang Dong, and Wen Xinyu indicted on cyber espionage charges.

A report by the computer security firm Mandiant stated that PLA Unit 61398 is believed to operate under the 2nd Bureau of the People's Liberation Army General Staff Department (GSD) Third Department (总参三部二局)[1] and that there is evidence that it contains, or is itself, an entity Mandiant calls APT1, part of the advanced persistent threat that has attacked a broad range of corporations and government entities around the world since at least 2006. APT1 is described as comprising four large networks in Shanghai, two of which serve the Pudong New Area. It is one of more than 20 APT groups with origins in China.[1][6] The Third and Fourth Departments, the latter responsible for electronic warfare, are believed to comprise the PLA units mainly responsible for infiltrating and manipulating computer networks.[7]

2014 indictment

On 19 May 2014, the US Department of Justice announced that a Federal grand jury had returned an indictment of five 61398 officers on charges of theft of confidential business information and intellectual property from U.S. commercial firms and of planting malware on their computers.[8][9] The five are Huang Zhenyu, Wen Xinyu, Sun Kailiang, Gu Chunhui, and Wang Dong. Forensic evidence traces the base of operations to a 12-story building off Datong Road in a public, mixed-use area of Pudong in Shanghai.[2] The group is also known by various other names, including "Advanced Persistent Threat 1" ("APT1"), "the Comment group" and "Byzantine Candor", a codename used by US intelligence agencies since 2002.[10][11][12][13]

The group often compromises internal software "comment" features on legitimate web pages to infiltrate target computers that access the sites, leading it to be known as "the Comment Crew" or "Comment Group".[14][15] The collective has stolen trade secrets and other confidential information from numerous foreign businesses and organizations over the course of seven years, such as Lockheed Martin, Telvent, and other companies in the shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors.[11]

Dell SecureWorks said it believed the group includes the same attackers behind Operation Shady RAT, an extensive computer espionage campaign uncovered in 2011 in which more than 70 organizations over a five-year period, including the United Nations and government agencies in the United States, Canada, South Korea, Taiwan and Vietnam, were targeted.[2]

The attacks documented in the summer of 2011 represent a fragment of the Comment group's attacks, which go back at least to 2002, according to incident reports and investigators. In 2012, FireEye, Inc. stated that it had tracked hundreds of targets in the last three years and estimated the group had attacked more than 1,000 organizations.[12]

Most activity between malware embedded in a compromised system and the malware's controllers takes place during business hours in Beijing's time zone, suggesting that the group is professionally employed, rather than private hackers inspired by patriotic passions.[7]
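The working-hours observation above is a standard attribution heuristic: take the timestamps of command-and-control (C2) contacts seen in network logs, convert them to a candidate operator time zone, and see whether they cluster on weekdays during office hours. The following is an added illustration, not code from the page or from Mandiant; the beacon timestamps are constructed sample data, and the 09:00–18:00 weekday window is an assumed definition of "business hours". It also profiles the same timestamps against other zones, because a cluster that fits Beijing hours is only meaningful if it fits competing zones worse.

```python
from collections import Counter
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed sample (not real data): UTC timestamps of outbound C2 beacons
# from one infected host, as they might appear in proxy or NetFlow logs.
SAMPLE_BEACONS = [
    "2013-02-18T01:05:00Z",  # Mon 09:05 Beijing time
    "2013-02-18T03:30:00Z",  # Mon 11:30
    "2013-02-18T06:10:00Z",  # Mon 14:10
    "2013-02-18T09:45:00Z",  # Mon 17:45
    "2013-02-19T02:00:00Z",  # Tue 10:00
    "2013-02-19T07:20:00Z",  # Tue 15:20
    "2013-02-20T00:55:00Z",  # Wed 08:55 (just before the assumed workday)
    "2013-02-21T05:00:00Z",  # Thu 13:00
    "2013-02-22T08:15:00Z",  # Fri 16:15
    "2013-02-23T04:00:00Z",  # Sat 12:00 (weekend)
]

BEIJING = ZoneInfo("Asia/Shanghai")


def to_local(ts: str, tz: ZoneInfo = BEIJING) -> datetime:
    """Parse an ISO-8601 UTC timestamp ('...Z') and convert it to tz."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(tz)


def working_hours_profile(timestamps, tz: ZoneInfo = BEIJING,
                          start_hour: int = 9, end_hour: int = 18) -> dict:
    """Bucket beacon times by local hour and weekday and count how many fall
    inside the assumed weekday office window [start_hour, end_hour)."""
    by_hour = Counter()
    by_weekday = Counter()
    in_hours = 0
    for ts in timestamps:
        local = to_local(ts, tz)
        by_hour[local.hour] += 1
        by_weekday[local.strftime("%a")] += 1
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            in_hours += 1
    total = len(timestamps)
    return {
        "total": total,
        "in_business_hours": in_hours,
        "business_hours_fraction": in_hours / total if total else 0.0,
        "by_hour": dict(sorted(by_hour.items())),
        "by_weekday": dict(by_weekday),
    }


def compare_zones(timestamps,
                  zones=("Asia/Shanghai", "UTC", "America/New_York")) -> dict:
    """Business-hours fraction of the same beacons under each candidate zone.
    A high value in one zone and low values elsewhere is the signal the
    heuristic looks for; similar values everywhere mean timing is uninformative."""
    return {
        z: working_hours_profile(timestamps, ZoneInfo(z))["business_hours_fraction"]
        for z in zones
    }


if __name__ == "__main__":
    profile = working_hours_profile(SAMPLE_BEACONS)
    print("Beijing-time profile:", profile)
    print("Fraction in business hours per zone:", compare_zones(SAMPLE_BEACONS))
```

Timing is corroborating evidence only: any operator working office hours in a UTC+8 region would produce the same profile, automated beacons can be scheduled to mimic it, and the window boundaries chosen here are assumptions. It is useful alongside infrastructure, tooling and language artefacts, not on its own.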

A 2020 report in Daily News and Analysis stated that the unit was eyeing information related to defense and research in India.[16]

Public position of the Chinese government

Until 2013, the Government of China had consistently denied that it is involved in hacking.[17] In response to the Mandiant Corporation report about Unit 61398, Hong Lei, a spokesperson for the Chinese foreign ministry, said such allegations were "unprofessional".[17][4]

References

  1. ^ a b c "APT1: Exposing One of China's Cyber Espionage Units" (PDF). Mandiant. Archived (PDF) from the original on 19 February 2013. Retrieved 19 February 2013.
  2. ^ a b c Sanger, David E.; Barboza, David; Perlroth, Nicole (19 February 2013). "Chinese Army Unit Is Seen as Tied to Hacking Against U.S." The New York Times. ISSN 0362-4331. Archived from the original on 19 February 2013. Retrieved 28 May 2023.
  3. ^ "Chinese military unit behind 'prolific and sustained hacking'". The Guardian. 19 February 2013. Archived from the original on 20 December 2013. Retrieved 19 February 2013.
  4. ^ a b "Hello, Unit 61398". The Economist. 19 February 2013. ISSN 0013-0613. Archived from the original on 28 May 2023. Retrieved 28 May 2023.
  5. ^ "Quân giải phóng nhân dân Trung Quốc 61398 bộ đội tuyển nhận định hướng nghiên cứu sinh thông tri" [A notification of PLA Unit 61398 to recruit postgraduate students as PLA-funded scholarship students]. Zhejiang University. 13 May 2004. Archived from the original on 2 December 2016. Retrieved 5 January 2019.
  6. ^ Weisenthal, Joe; Ingersoll, Geoffrey (18 February 2013). "REPORT: An Overwhelming Number Of The Cyber-Attacks On America Are Coming From This Particular Army Building In China". Business Insider. Archived from the original on 20 February 2013. Retrieved 19 February 2013.
  7. ^ a b Bodeen, Christopher (25 February 2013). "Sign That Chinese Hackers Have Become Professional: They Take Weekends Off". The Huffington Post. Archived from the original on 26 February 2013. Retrieved 27 February 2013.
  8. ^ Finkle, J.; Menn, J.; Viswanatha, J. "U.S. accuses China of cyber spying on American companies". Reuters, 20 November 2014. Archived 12 April 2017 at the Wayback Machine.
  9. ^ Clayton, M. "US indicts five in China's secret 'Unit 61398' for cyber-spying". Christian Science Monitor, 19 May 2014. Archived 20 May 2014 at the Wayback Machine.
  10. ^ Perera, David (6 December 2010). "Chinese attacks 'Byzantine Candor' penetrated federal agencies, says leaked cable". Fierce Government IT. Archived from the original on 19 April 2016.
  11. ^ a b Clayton, Mark (14 September 2012). "Stealing US business secrets: Experts ID two huge cyber 'gangs' in China". CSMonitor. Archived from the original on 15 November 2019. Retrieved 24 February 2013.
  12. ^ a b Riley, Michael; Lawrence, Dune (26 July 2012). "Hackers Linked to China's Army Seen From EU to D.C." Bloomberg. Archived from the original on 11 January 2015. Retrieved 24 February 2013.
  13. ^ Riley, Michael; Lawrence, Dune (2 August 2012). "China's Comment Group Hacks Europe—and the World". Bloomberg Businessweek. Archived from the original on 19 February 2013. Retrieved 12 February 2013.
  14. ^ Martin, Adam (19 February 2013). "Meet 'Comment Crew,' China's Military-Linked Hackers". NYMag. New York Media. Archived from the original on 22 February 2013. Retrieved 24 February 2013.
  15. ^ Lee, Dave (12 February 2013). "The Comment Group: The hackers hunting for clues about you". BBC News. Archived from the original on 12 February 2013. Retrieved 12 February 2013.
  16. ^ Shukla, Manish (3 August 2020). "Chinese Army's secret '61398' unit spying on India's defense and research, warns intelligence". DNA India. Archived from the original on 20 November 2022. Retrieved 6 January 2024.
  17. ^ a b Xu, Weiwei (20 February 2013). "China denies hacking claims". Morning Whistle. Archived from the original on 29 June 2013. Retrieved 8 April 2013.
