On Tuesday, February 19, the information technology security firm Mandiant released a report entitled APT1: Exposing One of China’s Cyber Espionage Units. The Mandiant report is alarming. It chronicles the activities of People’s Liberation Army Unit 61398, often appearing under the alias “Comment Crew” or “Shanghai Group.” According to the report, Unit 61398 began attacking American corporate and government computer networks in 2006; since then, the unit has attacked 141 companies. Victims have included government and non-governmental organizations, defense contractors, and private industries. The industries targeted by Unit 61398 also closely correspond with the sectors identified as “strategic” by China’s 12th Five-Year Plan.
The report comes after years of frustration with China’s ardent denials of cyber espionage and a concomitant inability to reach definitive attribution for cyber-attacks on U.S. entities. Mandiant’s investigation concludes that the Advanced Persistent Threat (APT) Group 1 “is likely government-sponsored and one of the most persistent of China’s cyber threat actors.” Richard Bejtlich, chief security officer at Mandiant, said, “At the government level, I see this [report] as a tool that they can use to have discussions with the Chinese, with allies, with others who are concerned about this problem and have an open dialogue without having to worry about sensitivities around disclosing classified information.”[i]
Some of the more concerning intrusions include cyber-attacks on U.S. infrastructure and supporting industries. In September of 2012, hackers stole project files from the Canadian arm of Telvent, a software design company for oil and gas lines that is currently owned by Schneider Electric — a firm involved in high-profile patent disputes with a Chinese company.[ii] Vulnerable systems included software used to remotely access valves, switches and security systems, as well as blueprints of over half the pipelines in North and South America. In order to prevent unauthorized control of the infrastructure, Telvent notified all its customers and shut down network access to prevent the hackers from taking control of Telvent’s systems.[iii]
Perhaps the most important finding in the report, as detailed by Mandiant executives in interviews, is that Chinese hacking organizations sometimes perform “due diligence” against U.S. companies immediately prior to take-over attempts by some of China’s largest state-owned enterprises.[iv] This has been described by other journalists as “as though Goldman Sachs were able to use the wiretapping expertise of the NSA in order to get a leg up on its overseas competitors.”[v]
Despite the difficulties associated with attribution[vi], the Mandiant report, many security firms, and a classified National Intelligence Estimate have all concluded and provided highly corroborated evidence that many these attacks are state-sponsored.[vii] A widely-publicized quote from the report notes that, if the cyber-attacks of APT1 are not state-sponsored, then this means that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.” The report concludes that the only way such a group could function is with the “full knowledge and cooperation” of the Chinese government.[viii]
Now authorities must determine the U.S. response. The Obama administration and many members of Congress are acutely aware of the national security risks. President Obama addressed these concerns in his State of the Union speech when he said, “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic systems. We cannot look back years from now and wonder why we did nothing.”[ix]Action is expected in the coming weeks. Obama administration officials say they plan to warn China’s new leaders that the recent developments in cyber attacks threaten the fundamental relationship between Washington and Beijing.[x] February 20, the Obama administration announced new strategies to deter cybertheft of data.[xi]
The Strategic Materials Advisory Council is concerned by these new developments. The Council recognizes a clear Chinese strategy to dominate world markets in those industries identified as “strategic” by senior Chinese leaders and economic plans. As China rises toward superpower status, it is using any means necessary to secure competitive advantages over U.S. companies and the U.S. military. Though the Council supports continued trade with China, it is concerned by lawless abuse of the international system. Whether through legal acquisition of American companies or through illegal cyber-attack, the loss of American resources, intellectual property, and information security poses a tremendous risk to U.S. national security. President Obama must address these concerns with the Chinese government, though this problem will require more than words. The President will need the full support of Congress and the public to confront this multi-faceted security and industrial base challenge. The Strategic Materials Advisory Council will continue to provide news and analysis of the cyber security developments in legislation, defense, and private industry, and continue advocating for a strong and prosperous America. ©