Hackers with the Chinese unit have been active for years, using online handles such as "UglyGorilla," Virginia-based firm Mandiant said in a report released Tuesday as the U.S. prepared to crack down on countries responsible for cyber espionage. The Mandiant report plus details collected by The Associated Press depict a highly specialized community of Internet warriors working from a blocky white building in Shanghai:
—RECRUITING THE SPIES: Unit 61398, alleged to be one of several hacking operations run by China's military, recruits directly from universities. It favours high computer expertise and English language skills. A notice dated 2003 on the Chinese Internet said the unit was seeking master's degree students from Zhejiang University's College of Computer Science and Technology. It offered a scholarship, conditional on the student reporting for work at Unit 61398 after graduation.
—CYBERSPY WORKPLACE: Mandiant says it traced scores of cyberattacks on U.S. defence and infrastructure companies to a neighbourhood in Shanghai's Pudong district that includes the 12-story building where Unit 61398 is known to be housed. The building has office space for up to 2,000 people. Mandiant estimates the number of personnel in the unit to be anywhere from hundreds to several thousand. The surrounding neighbourhood is filled with apartment buildings, tea houses, shops and karaoke bars.
—THE UNIT 61398 COMMUNITY: While the building's activities may be top secret, Unit 61398's status in the community as a military division is not. It turns up in numerous Chinese Internet references to community events, including a 2010 accord with the local government to set up a joint outreach centre on family planning. Other articles describe mass weddings for officers, badminton matches and even discussion of the merits of the "Unit 61398 Kindergarten." Other support facilities include a clinic, car pool, and guesthouse — all standard for the military's often self-contained communities across China.
—THE PIPELINE: The Mandiant report describes a special arrangement made with China Telecom for a fiber optic communication infrastructure in the Unit 61398 neighbourhood, pointing to its need for bandwidth and its elite status. The contract between the two refers to Unit 61398 as belonging to the General Staff Department 3rd Department, 2nd Bureau, and says China Telecom agreed to the military's suggested price due to "national defence construction" concerns.
—MODUS OPERANDUS: The cyberspies typically enter targeted computer networks through "spearfishing" attacks, in which a company official receives a creatively disguised email and is tricked into clicking on a link or attachment that then opens a secret door for the hackers, Mandiant says. The cyberspies would steal and retransmit data for an average of just under a year, but in some cases more than four years. Information technology companies were their favourite targets, followed by aerospace firms, pointing to a key area of interest as China seeks to develop its own cutting-edge civilian and military aircraft.
—ONLINE HANDLES: Mandiant identifies three of the unit's hackers by their screen names. It says one of them, "UglyGorilla," was first detected in a 2004 online forum posing a question to a cybersecurity expert about whether China needed a dedicated force to square off against an online cohort being mustered by the United States. The user of another screen name, "Dota," appears to be a fan of Harry Potter; Mandiant said references to the book and movie character appear as answers to his computer security questions.
Unit 61398 hackers were sometimes identified as the "Comment Crew" by security companies due to their practice of inserting secret backdoors into systems by using code embedded in comments on websites.
—REVEALING TWEETS: And what helped Mandiant track down the source of hacking into more than 140 companies and organizations from the U.S. and elsewhere? Facebook and Twitter.
China's "Great Firewall" of Internet filtering blocks those U.S.-based social networks, but Unit 61398 operators got around that by accessing them directly from the unit's system. Mandiant was able to see that Facebook and Twitter accounts were being accessed from Internet Protocol addresses connected to the unit. It's not clear whether those accounts aided in hacking or were simply for the hackers' personal use.
"These actors have made poor operational security choices, facilitating our research and allowing us to track their activities," the report says.