Next Score View the next score

    Chinese army base unit linked to hacking attacks in US

    NEW YORK — On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white office tower, a People’s Liberation Army base has been established for China’s growing corps of cyberwarriors. The building off Datong Road is the headquarters of PLA Unit 61398.

    A growing body of digital forensic evidence — confirmed by US intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on US corporations, organizations, and government agencies originate in and around the white tower.

    An unusually detailed 60-page study, to be released Tuesday by Mandiant, a US computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as ‘‘Comment Crew’’ or ‘‘Shanghai Group’’ — to the doorstep of the military unit’s headquarters.


    The firm was not able to place the hackers inside the 12-story building, but it makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area.

    Get Today's Headlines in your inbox:
    The day's top stories delivered every morning.
    Thank you for signing up! Sign up for more newsletters here

    ‘‘Either they are coming from inside Unit 61398,’’ said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, ‘‘or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.’’

    A recent classified National Intelligence Estimate, issued as a consensus document for all 16 of the US intelligence agencies, makes a strong case that many of these hacking groups are run by People’s Liberation Army officers or are contractors working for commands like Unit 61398, according to officials with knowledge of its classified content.

    Mandiant provided an advance copy of its report to The New York Times, saying it hoped to ‘‘bring visibility to the issues addressed in the report.’’ (Mandiant was hired by The New York Times Co. to investigate a sophisticated Chinese-origin attack on the news operations, and concluded it was not the work of Comment Crew, but another Chinese group.)

    While Comment Crew has drained terabytes of data from such companies as Coca-Cola, increasingly its focus is on firms involved in the critical infrastructure of the United States — its electrical power grid, gas lines, and waterworks.


    According to the security researchers, one target was a company with remote access to more than 60 percent of oil and gas pipelines in North America.

    The unit was also among those that attacked the computer security firm RSA, whose computer codes protect confidential corporate and government databases.

    Contacted Monday, Chinese officials at the embassy in Washington again insisted that its government does not engage in computer hacking and that such activity is illegal. They describe China as a victim of computer hacking, and point out, accurately, that there are many hacking groups inside the United States.

    But in recent years the Chinese attacks have grown significantly, security researchers say.

    Mandiant has detected more than 140 Comment Crew intrusions since 2006.