Unit 61398: Inside China’s State-Sponsored Cyber Warfare

Hacking for the state: Unmasking Unit 61398 and the chilling truth about China’s state-sponsored cyber warfare

By Neeraj Mahajan

Opinion

FBI Director Christopher Wray dropped a bombshell during a House hearing in Washington DC on April 11, 2024, when he claimed that China was developing the ability to physically wreak havoc on critical US infrastructure and that its hackers were waiting for the right moment to do so. Chinese government-linked hackers have burrowed into US critical infrastructure across a wide range of sectors, such as telecommunications, energy and water, and are waiting “for just the right moment to deal a devastating blow”, he warned.

China is developing the “ability to physically wreak havoc on our critical infrastructure at a time of its choosing”, Wray said.

“Its plan is to land low blows against civilian infrastructure to try to induce panic,” he added.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” Wray said.

Echoing the same sentiment, Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said, “This is a world where a major crisis halfway across the planet could well endanger the lives of Americans here at home through the disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities, the crippling of our transportation modes – all to ensure that they can incite societal panic and chaos and to deter our ability [to marshal a sufficient response].”

China’s hackers, both state-sponsored and independent groups operating within its borders, have been in the news in recent years for activities such as intellectual property theft, espionage, and cyberattacks against foreign governments, organizations, and individuals.

The Chinese government is believed to have a complex network of cyber units, including the notorious Unit 61398 of the People’s Liberation Army (PLA), which has been linked to numerous high-profile cyberattacks on government agencies, defence contractors, technology companies, and human rights organizations.

Unit 61398, also known as APT1 (Advanced Persistent Threat 1), is a cyber-espionage unit of the People’s Liberation Army (PLA) that reportedly operates out of a 12-story building in Shanghai, China.

The unit is believed to be part of the PLA and specifically to be the 2nd Bureau of the PLA General Staff Department’s 3rd Department, which is responsible for cyber operations.

Unit 61398 has been linked to numerous cyber-attacks against various targets, including governments, corporations, and organizations around the world.


Unit 61398, or APT1, gained significant attention in 2013 when a report by the cybersecurity firm Mandiant linked it to extensive cyber espionage operations targeting aerospace, energy, technology, and telecommunications companies. The Mandiant report revealed how the unit allegedly conducted sophisticated attacks, stealing intellectual property and sensitive information from its targets.

The modus operandi of Unit 61398 is to gain access to target networks by exploiting network vulnerabilities and sending spear-phishing emails, to plant malware (such as backdoors and remote access Trojans) on compromised systems using a variety of tools and techniques, and then to steal large amounts of data. The goal is to obtain confidential data, including trade secrets, internal communications, and other sensitive business information.

Unit 61398 has been accused of engaging in state-sponsored cyber warfare and hacking activities against government agencies, businesses, and NGOs, located primarily in the United States but also in other countries. Its main targets are private sector entities in the United States, which it pursues for economic espionage, although it has also been linked to attacks on government agencies and organizations worldwide. It targets companies in industries such as nuclear power, metals, and solar energy, with the objective of stealing intellectual property, business strategies, and other sensitive information.

The group’s operations are thought to be part of a broader strategy by the Chinese government to steal sensitive information and intellectual property for strategic, economic, and military purposes. This unit’s activities have raised significant concerns about cybersecurity and the threat posed by state-sponsored hacking.

Unit 61398 has been linked to a wide range of hacking operations targeting organizations around the world over many years. These operations have had significant economic and strategic implications for the targeted organizations and countries.

The history of PLA Unit 61398, also known as APT1, is largely shrouded in secrecy. Even though the exact timeline of its origin and early operations is not widely known, the unit is believed to have been established in the early 2000s, possibly around 2006.

The unit’s activities began to attract attention in the late 2000s and early 2010s as cybersecurity firms and government agencies started to notice a pattern of cyber-attacks targeting various industries. These attacks were sophisticated and appeared to be aimed at stealing intellectual property and sensitive information.

The unit gained international notoriety in 2013 when the cybersecurity firm Mandiant released a detailed report linking it to extensive cyber espionage operations. The report provided evidence of Unit 61398’s activities and its alleged connection to the Chinese military. The 2013 Mandiant report, titled “APT1: Exposing One of China’s Cyber Espionage Units,” was a ground-breaking document that provided detailed insights into the activities of state-sponsored Chinese cyber espionage groups. It underscored the need for enhanced cybersecurity measures and international cooperation to address the growing threat of cyberattacks.


According to these reports, Unit 61398’s hackers are known for their persistence and for sophisticated techniques such as spear-phishing emails, zero-day exploits, and custom malware, which they use to gain access to target networks and steal sensitive information. Their tactics involve gaining access to target systems through methods such as:

  • Spear phishing emails: These emails appear legitimate but contain malicious attachments or links that trick recipients into installing malware.
  • Network vulnerabilities: They exploit weaknesses in a network’s security to gain unauthorized access.
  • Watering hole attacks: They compromise legitimate websites frequented by their targets, so that visitors’ computers are infected with malware when they visit the site.

Once inside a system, Unit 61398 aims to steal confidential data such as:

  • Trade secrets
  • Internal communications
  • Other sensitive business information

Unit 61398 has allegedly been successful in stealing hundreds of terabytes of data from over 140 organizations across various sectors. Some significant events related to Unit 61398 include:

2013: FireEye, a cybersecurity firm, exposed Unit 61398’s operations, detailing their methods and malware in a report. This shed light on state-sponsored cyber espionage.

2014: The US indicted five individuals believed to be members of Unit 61398 on charges of cyber espionage.

Overall, Unit 61398’s cyber espionage operations represent a significant and ongoing challenge in the realm of cybersecurity, highlighting the need for robust defences and proactive measures to mitigate the risks posed by state-sponsored cyber threats.

–The writer is a seasoned media professional with over three decades of experience in print, electronic, and web media. He is presently Editor of Taazakhabar News. The views expressed are of the writer and do not necessarily reflect the views of Raksha Anirveda