Differentiate Between Acts of Cyber-Espionage, Simple Criminal Acts, and Acts of Hacktivism
Differentiate between acts of cyber-espionage, simple criminal acts, and acts of hacktivism. Provide detailed examples.
300 words
Use the following as references
Kenney, M. (2015). Cyber-terrorism in a post-stuxnet world. Orbis, 59(1), 111-128. (18 pages), (Accessible via the weekly reading folder within the resources section).
Kramer, Franklin D., et al. (Eds.), From Cyberspace to Cyberpower: Cyber Power and National Security, Chapter 18, “Cyber Crime,” 415-436 (32 pages); Chapter 19, “Cyber Terrorism: Menace or Myth,” 437-464 (28 pages)
Mandiant, APT1: Exposing One of China’s Cyber Espionage Units, (2013) (Accessible via the weekly reading folder within the resources section).
APT1 Exposing One of China’s Cyber Espionage Units
Mandiant APT1 www.mandiant.com
Contents
Executive Summary
China’s Computer Network Operations Tasking to PLA Unit 61398 (61398部队)
APT1: Years of Espionage
APT1: Attack Lifecycle
APT1: Infrastructure
APT1: Identities
Conclusion
Appendix A: How Does Mandiant Distinguish Threat Groups?
Appendix B: APT and the Attack Lifecycle
Appendix C (Digital): The Malware Arsenal
Appendix D (Digital): FQDNs
Appendix E (Digital): MD5 Hashes
Appendix F (Digital): SSL Certificates
Appendix G (Digital): IOCs
Appendix H (Digital): Video
“China’s economic espionage has reached an intolerable level and I believe that the United States and our allies in Europe and Asia have an obligation to confront Beijing and demand that they put a stop to this piracy.
Beijing is waging a massive trade war on us all, and we should band together to pressure them to stop. Combined, the United States and our allies in Europe and Asia have significant diplomatic and economic leverage over China, and we should use this to our advantage to put an end to this scourge.”1
— U.S. Rep. Mike Rogers, October, 2011
“It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.”2
— Chinese Defense Ministry, January, 2013
1 Mike Rogers, Statement to the U.S. House, Permanent Select Committee on Intelligence, Open Hearing: Cyber Threats and Ongoing Efforts to Protect the Nation, Hearing, October 4, 2011, http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/100411CyberHearingRogers.pdf, accessed February 6, 2013.
2 “Chinese hackers suspected in attack on The Post’s computers.” The Washington Post, Feb. 1, 2013, http://www.washingtonpost.com/business/technology/chinese-hackers-suspected-in-attack-on-the-posts-computers/2013/02/01/d5a44fde-6cb1-11e2-bd36-c0fe61a205f6_story.html, accessed Feb. 1, 2013.
Executive Summary
Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the “Advanced Persistent Threat” (APT). We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that “The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement.” Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them.3
Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as “APT1” and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1’s operations compelled us to write this report.
The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others.
Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.
3 Our conclusions are based exclusively on unclassified, open source information derived from Mandiant observations. None of the information in this report involves access to or confirmation by classified intelligence.
KEY FINDINGS
APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).
»» The nature of “Unit 61398’s” work is considered by China to be a state secret; however, we believe it engages in harmful “Computer Network Operations.”
»» Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007.
»» We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398’s physical infrastructure.
»» China Telecom provided special fiber optic communications infrastructure for the unit in the name of national defense.
»» Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.
»» Mandiant has traced APT1’s activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based.
APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.4
»» Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries.
»» APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property.
»» Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.
»» APT1 uses some tools and techniques that we have not yet observed being used by other groups including two utilities designed to steal email — GETMAIL and MAPIGET.
»» APT1 maintained access to victim networks for an average of 356 days.5 The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.
»» Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.
»» In the first month of 2011, APT1 successfully compromised at least 17 new victims operating in 10 different industries.
4 We believe that the extensive activity we have directly observed represents only a small fraction of the cyber espionage that APT1 has conducted. Therefore, Mandiant is establishing the lower bounds of APT1 activities in this report.
5 This is based on 91 of the 141 victim organizations. In the remaining cases, APT1 activity is either ongoing or else we do not have visibility into the last known date of APT1 activity in the network.
APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
»» Of the 141 APT1 victims, 87% of them are headquartered in countries where English is the native language.
»» The industries APT1 targets match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan.
APT1 maintains an extensive infrastructure of computer systems around the world.
»» APT1 controls thousands of systems in support of their computer intrusion activities.
»» In the last two years we have observed APT1 establish a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries. The majority of these 849 unique IP addresses were registered to organizations in China (709), followed by the U.S. (109).
»» In the last three years we have observed APT1 use fully qualified domain names (FQDNs) resolving to 988 unique IP addresses.
»» Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors logging into their attack infrastructure from 832 different IP addresses with Remote Desktop, a tool that provides a remote user with an interactive graphical interface to a system.
»» In the last several years we have confirmed 2,551 FQDNs attributed to APT1.
In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
»» In 1,849 of the 1,905 (97%) Remote Desktop sessions APT1 conducted under our observation, the APT1 operator’s keyboard layout setting was “Chinese (Simplified) — US Keyboard”. Microsoft’s Remote Desktop client configures this setting automatically based on the selected language on the client system. Therefore, the APT1 attackers likely have their Microsoft® operating system configured to display Simplified Chinese fonts.
»» 817 of the 832 (98%) IP addresses logging into APT1 controlled systems using Remote Desktop resolved back to China.
»» We observed 767 separate instances in which APT1 intruders used the “HUC Packet Transmit Tool” or HTRAN to communicate between 614 distinct routable IP addresses and their victims’ systems using their attack infrastructure. Of the 614 distinct IP addresses used for HTRAN communications:
»− 614 of 614 (100%) were registered in China.
»− 613 (99.8%) were registered to one of four Shanghai net blocks.
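The keyboard layout figure above rests on a protocol detail: an RDP client sends its active input locale in the keyboardLayout field of the Client Core Data block (TS_UD_CS_CORE, MS-RDPBCGR section 2.2.1.3.2) during connection setup, so whoever can see that block, here Mandiant watching operators log into APT1’s own infrastructure, learns the operator’s language setting. The following Python is an added example, not Mandiant’s code and not part of the report: it builds constructed Client Core Data blocks, parses the keyboardLayout and clientName fields back out of them, and tallies sessions by language. The two-entry language table, the client names and the IME-style layout value 0xE0010804 are this example’s own assumptions, not observed APT1 values.

```python
"""Extract the keyboard layout from an RDP Client Core Data block.

Added example, not Mandiant's code. The blocks parsed below are constructed
by build_cs_core() purely as sample input for this example.
"""
import struct

CS_CORE = 0xC001        # TS_UD_HEADER type for Client Core Data
MIN_CORE_LEN = 24       # header + fields up to and including clientBuild

# Low 16 bits of keyboardLayout is the Windows input-language identifier
# (standard Windows locale IDs). Only the two values this example needs
# are listed; extend as required.
LANGUAGE_IDS = {
    0x0804: "Chinese (Simplified) - US Keyboard",
    0x0409: "English (United States)",
}


def build_cs_core(keyboard_layout: int, client_name: str) -> bytes:
    """Build a minimal TS_UD_CS_CORE block (constructed sample input only)."""
    name = client_name.encode("utf-16-le")[:30].ljust(32, b"\x00")
    body = struct.pack("<IHHHHII",
                       0x00080004,       # version: RDP 8.x client
                       1024, 768,        # desktopWidth, desktopHeight
                       0xCA01,           # colorDepth: RNS_UD_COLOR_8BPP
                       0xAA03,           # SASSequence: RNS_UD_SAS_DEL
                       keyboard_layout,  # the field of interest
                       7601)             # clientBuild
    body += name                                  # clientName, 32 bytes UTF-16
    body += struct.pack("<III", 4, 0, 12)         # keyboardType/SubType/FunctionKey
    body += b"\x00" * 64                          # imeFileName
    return struct.pack("<HH", CS_CORE, 4 + len(body)) + body


def parse_cs_core(data: bytes) -> dict:
    """Return layout, language name, build and client name from a block.

    Raises ValueError on a wrong block type or a truncated block: the
    keyboardLayout field is mandatory, so a block that cannot supply it is
    malformed and must not be silently defaulted to some language."""
    if len(data) < 4:
        raise ValueError("truncated TS_UD_HEADER")
    hdr_type, length = struct.unpack_from("<HH", data, 0)
    if hdr_type != CS_CORE:
        raise ValueError(f"not Client Core Data: type 0x{hdr_type:04X}")
    if length < MIN_CORE_LEN or length > len(data):
        raise ValueError(f"bad block length {length}")
    _ver, _w, _h, _depth, _sas, layout, build = struct.unpack_from("<IHHHHII", data, 4)
    client_name = ""
    if length >= 56:                          # clientName present (bytes 24..56)
        raw = data[24:56]
        client_name = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    lang_id = layout & 0xFFFF                  # strip the device ID in the high word
    return {
        "keyboard_layout": layout,
        "language_id": lang_id,
        "language": LANGUAGE_IDS.get(lang_id, f"unknown (0x{lang_id:04X})"),
        "client_build": build,
        "client_name": client_name,
    }


def tally_languages(blocks) -> dict:
    """Count sessions per client language across captured Core Data blocks."""
    counts = {}
    for blk in blocks:
        lang = parse_cs_core(blk)["language"]
        counts[lang] = counts.get(lang, 0) + 1
    return counts


# Constructed sample: three sessions, two from Simplified Chinese clients
# (one plain layout, one IME-style value with a device ID in the high word).
SAMPLE_BLOCKS = [
    build_cs_core(0x00000804, "WIN-OPERATOR"),
    build_cs_core(0xE0010804, "WIN-OPERATOR"),
    build_cs_core(0x00000409, "ANALYST-PC"),
]

if __name__ == "__main__":
    for blk in SAMPLE_BLOCKS:
        print(parse_cs_core(blk))
    print(tally_languages(SAMPLE_BLOCKS))
```

Two caveats apply to using this as evidence. On a connection protected by Enhanced RDP Security (TLS), the Client Core Data travels inside the encrypted channel, so a passive capture at a victim’s perimeter will not show it; the RDP server itself sees it, which is why this kind of observation comes from controlling or instrumenting the attacker’s infrastructure. The field is also client-supplied and trivially changed, so, as in the report, it is one signal read in aggregate across many sessions rather than proof on its own.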
The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
»» We conservatively estimate that APT1’s current attack infrastructure includes over 1,000 servers.
»» Given the volume, duration and type of attack activity we have observed, APT1 operators would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors.
»» APT1 would also need a sizable IT staff dedicated to acquiring and maintaining computer equipment, people who handle finances, facility management, and logistics (e.g., shipping).
In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.
»» The first persona, “UglyGorilla”, has been active in computer network operations since October 2004. His activities include registering domains attributed to APT1 and authoring malware used in APT1 campaigns. “UglyGorilla” publicly expressed his interest in China’s “cyber troops” in January 2004.
»» The second persona, an actor we call “DOTA”, has registered dozens of email accounts used to conduct social engineering and spear phishing attacks in support of APT1 campaigns. “DOTA” used a Shanghai phone number while registering these accounts.
»» We have observed both the “UglyGorilla” persona and the “DOTA” persona using the same shared infrastructure, including FQDNs and IP ranges that we have attributed to APT1.
»» The third persona, who uses the nickname “SuperHard,” is the creator or a significant contributor to the AURIGA and BANGAT malware families which we have observed APT1 and other APT groups use. “SuperHard” discloses his location to be the Pudong New Area of Shanghai.
Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.
»» Specifically, Mandiant is providing the following:
»− Digital delivery of over 3,000 APT1 indicators, such as domain names, IP addresses, and MD5 hashes of malware.
»− Sample Indicators of Compromise (IOCs) and detailed descriptions of over 40 families of malware in APT1’s arsenal of digital weapons.
»− Thirteen (13) X.509 encryption certificates used by APT1.
»− A compilation of videos showing actual attacker sessions and their intrusion activities.
»» While existing customers of Mandiant’s enterprise-level products, Mandiant Managed Defense and Mandiant Intelligent Response®, have had prior access to these APT1 Indicators, we are also making them available for use with Redline™, our free host-based investigative tool. Redline can be downloaded at http://www.mandiant.com/resources/download/redline.
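Indicators of the three kinds listed above (domain names, IP addresses and MD5 hashes) only become detections once they are matched against a network’s own telemetry. The following Python is an added example, not Mandiant’s code and not the Redline tool: it holds a small constructed indicator set (placeholder values in the .invalid TLD and the 203.0.113.0/24 documentation range, not APT1 indicators) and runs it over a few constructed DNS, proxy and endpoint log lines, matching domains by suffix, IP addresses exactly and hashes case-insensitively.

```python
"""Match a released indicator set against log lines.

Added example, not Mandiant's code or the Redline tool. Every indicator
value and log line below is a constructed placeholder, not an APT1 indicator.
"""
import hashlib
import ipaddress
import re

# Constructed indicator set in the three forms the report's appendices use.
SAMPLE_MD5 = hashlib.md5(b"constructed malware sample").hexdigest()
IOC_DOMAINS = {"update.example-c2.invalid", "mail.example-c2.invalid"}
IOC_IPS = {ipaddress.ip_address("203.0.113.45")}
IOC_MD5 = {SAMPLE_MD5}

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MD5_RE = re.compile(r"\b([0-9a-f]{32})\b", re.I)


def matching_domain(name: str):
    """Return the indicator equal to `name` or to one of its parent domains.

    Operators rotate hostnames beneath a domain they control, so a lookup of
    foo.update.example-c2.invalid must still fire on the released
    update.example-c2.invalid. Case and a trailing dot are normalized away."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_line(line: str) -> list:
    """Return (indicator_type, matched_value) pairs found in one log line."""
    hits = []
    for m in MD5_RE.finditer(line):
        digest = m.group(1).lower()            # hash lists are often mixed case
        if digest in IOC_MD5:
            hits.append(("md5", digest))
    for m in IPV4_RE.finditer(line):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:                     # 999.1.1.1 matches the regex but is no address
            continue
        if ip in IOC_IPS:
            hits.append(("ip", str(ip)))
    for m in DOMAIN_RE.finditer(line):
        found = matching_domain(m.group(1))
        if found:
            hits.append(("domain", found))
    return hits


def scan_logs(lines) -> list:
    """Return [(line_index, hits)] for every line that contains an indicator."""
    out = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            out.append((i, hits))
    return out


# Constructed log lines: a DNS query, a proxy CONNECT, an endpoint hash record
# and one benign query that must not match.
SAMPLE_LOGS = [
    "2013-02-19T10:01:02Z dns client=10.0.0.12 query=update.example-c2.invalid. type=A",
    "2013-02-19T10:01:05Z proxy client=10.0.0.12 dst=203.0.113.45:443 method=CONNECT",
    "2013-02-19T10:02:11Z edr host=WS-0042 file=C:\\Windows\\Temp\\svchost.exe md5=" + SAMPLE_MD5.upper(),
    "2013-02-19T10:03:00Z dns client=10.0.0.15 query=www.example.invalid. type=A",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(idx, hits)
```

Record the release date of the indicator set alongside each hit: as the report notes later, publishing indicators shortens their lifespan, and IP addresses and hostnames in particular are rotated quickly, so an old indicator that stops matching says little, while a fresh hit on a hash or registered domain is worth an immediate look.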
Conclusion
The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind APT1. We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398. However, we admit there is one other unlikely possibility:
A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.
Why We Are Exposing APT1
The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one. What started as a “what if” discussion about our traditional non-disclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk to our ability to collect intelligence on this particular APT group. It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively. The issue of attribution has always been a missing link in publicly understanding the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.
At the same time, there are downsides to publishing all of this information publicly. Many of the techniques and technologies described in this report are vastly more effective when attackers are not aware of them. Additionally, publishing certain kinds of indicators dramatically shortens their lifespan. When Unit 61398 changes their techniques after reading this report, they will undoubtedly force us to work harder to continue tracking them with such accuracy. It is our sincere hope, however, that this report can temporarily increase the costs of Unit 61398’s operations and impede their progress in a meaningful way.
We are acutely aware of the risk this report poses for us. We expect reprisals from China as well as an onslaught of criticism.
China’s Computer Network Operations Tasking to PLA Unit 61398 (61398部队)
Our research and observations indicate that the Communist Party of China (CPC,中国共产党) is tasking the Chinese People’s Liberation Army (PLA,中国人民解放军) to commit systematic cyber espionage and data theft against organizations around the world. This section provides photos and details of Unit 61398 facilities, Chinese references discussing the unit’s training and coursework requirements, and internal Chinese communications documenting the nature of the unit’s relationship with at least one state-owned enterprise. These details will be particularly relevant when we discuss APT1’s expertise, personnel, location, and infrastructure, which parallel those of Unit 61398.
The Communist Party of China
The PLA’s cyber command is fully institutionalized within the CPC and able to draw upon the resources of China’s state-owned enterprises to support its operations. The CPC is the ultimate authority in Mainland China; unlike in Western societies, in which political parties are subordinate to the government, the military and government in China are subordinate to the CPC. In fact, the PLA reports directly to the CPC’s Central Military Commission (CMC, 中央军事委员会).6 This means that any enterprise cyber espionage campaign within the PLA is occurring at the direction of senior members of the CPC.
We believe that the PLA’s strategic cyber command is situated in the PLA’s General Staff Department (GSD, 总参谋部), specifically its 3rd Department (总参三部).7 The GSD is the most senior PLA department. Similar to the U.S. Joint Chiefs of Staff, the GSD establishes doctrine and provides operational guidance for the PLA. Within the GSD, the 3rd Department has a combined focus on signals intelligence, foreign language proficiency, and defense information systems.8 It is estimated to have 130,000⁹ personnel divided between 12 bureaus (局), three research institutes, and 16 regional and functional bureaus.10 We believe that the GSD 3rd Department, 2nd Bureau (总参三部二局), is the APT group that we are tracking as APT1. Figure 1 shows how close the 2nd Bureau sits to the highest levels of the CPC. At this level, the 2nd Bureau also sits atop a large-scale organization of subordinate offices.
6 James C. Mulvenon and Andrew N. D. Yang, editors, The People’s Liberation Army as Organization: Reference Volume v1.0, (Santa Monica, CA: RAND Corporation, 2002), 96, http://www.rand.org/pubs/conf_proceedings/CF182.html, accessed February 6, 2013.
7 Bryan Krekel, Patton Adams, and George Bakos, “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage,” Prepared for the U.S.-China Economic and Security Review Commission by Northrop Grumman Corp (2012): 10, http://www.uscc.gov/RFP/2012/USCC%20Report_Chinese_CapabilitiesforComputer_NetworkOperationsandCyberEspionage.pdf, accessed February 6, 2013.
Figure 1: Unit 61398’s position within the PLA11 (organization chart; the hierarchy it shows is summarized below)
Communist Party of China (Central Military Commission, 中央军事委员会)
»» Reporting to the Central Military Commission: PLA General Staff Department (总参谋部), PLA General Political Department, PLA General Logistics Department, PLA General Armaments Department, the 7 Military Regions, the PLA Air Force (PLAAF) and the PLA Navy (PLAN)
»» Under the General Staff Department: GSD 1st Department (Operations), GSD 2nd Department (Intelligence), GSD 3rd Department (总参三部, SIGINT/CNO)
»» Under the GSD 3rd Department: 12 total bureaus and 3 research institutes, among them the 1st Bureau (总参三部一局) and the 2nd Bureau (总参三部二局), the latter being Unit 61398
8 The 3rd Department’s mission is roughly a blend of the missions assigned to the U.S. National Security Agency, the Defense Language Institute, and parts of the Defense Information Systems Agency.
9 Bryan Krekel, Patton Adams, and George Bakos, “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage,” Prepared for the U.S.-China Economic and Security Review Commission by Northrop Grumman Corp (2012): 47, http://www.uscc.gov/RFP/2012/USCC%20Report_Chinese_CapabilitiesforComputer_NetworkOperationsandCyberEspionage.pdf, accessed February 6, 2013.
10 Ian Easton and Mark A. Stokes, “China’s Electronic Intelligence Satellite Developments: Implications for U.S. Air and Naval Operations,” Project 2049 Institute (2011): 5, http://project2049.net/documents/china_electronic_intelligence_elint_satellite_developments_easton_stokes.pdf, accessed February 6, 2013.
11 James C. Mulvenon and Andrew N. D. Yang, editors, The People’s Liberation Army as Organization: Reference Volume v1.0, (Santa Monica, CA: RAND Corporation, 2002), 96, http://www.rand.org/pubs/conf_proceedings/CF182.html, accessed February 6, 2013.
Inferring the Computer Network Operations Mission and Capabilities of Unit 61398 (61398部队)
Publicly available references confirm that the PLA GSD’s 3rd Department, 2nd Bureau, is Military Unit Cover Designator (MUCD) 61398, more commonly known as Unit 61398.12 They also clearly indicate that Unit 61398 is tasked with computer network operations (CNO).13 The Project 2049 Institute reported in 2011 that Unit 61398 “appears to function as the Third Department’s premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence.”14 Our research supports this and also suggests Unit 61398’s CNO activities are not limited to the U.S. and Canada, but likely extend to any organization where English is the primary language.
Identifying GSD 3rd Department, 2nd Bureau as Unit 61398
The care with which the PLA maintains the separation between the GSD 3rd Department, 2nd Bureau, and the MUCD 61398 can be partially observed by searching the Internet for official documents from the Chinese government that refer to both the 2nd Bureau and Unit 61398. Figure 2 shows the results of one of these queries.
Figure 2: No results found for searching for “GSD 3rd Department 2nd Bureau” and “Unit 61398” on any Chinese government websites
Despite our challenges finding a link between the Chinese Government and Unit 61398 online, our searches did find references online indicating that the GSD 3rd Department, 2nd Bureau, is actually Unit 61398. Specifically, Google indexed references to Unit 61398 in forums and resumes. Once these references were discovered by CPC censors, these postings and documents were likely modified or removed from the Internet. Figure 3 shows Google search results for Unit 61398 and some responsive “hits” (note that the links that appear in these search results will likely have been removed by the time you read this report):
Figure 3: Google search results that show Unit 61398 attribution “leaks”
What is a MUCD? Chinese military units are given MUCDs, five-digit numerical sequences, to provide basic anonymity for the unit in question and as a standardized reference that facilitates communications and operations (e.g., “Unit 81356 is moving to the objective,” versus “1st Battalion, 125th Regiment, 3rd Division, 14th Group Army is moving to the objective”). Military Unit Cover Designators are also used in official publications and on the Internet to refer to the unit in question. The MUCD numbers are typically displayed outside a unit’s barracks, as well as on the unit’s clothing, flags, and stationery.
Source: The Chinese Army Today: Tradition and Transformation for the 21st Century — Dennis J. Blasko
12 Mark A. Stokes, Jenny Lin, and L.C. Russell Hsiao, “The Chinese People’s Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure,” Project 2049 Institute (2011): 8, http://project2049.net/documents/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf, accessed February 6, 2013.
13 U.S. Department of Defense defines Computer Network Operations as “Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations. Also called CNO. • computer network attack. Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. Also called CNA. • computer network defense. Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within the Department of Defense information systems and computer networks. Also called CND. • computer network exploitation. Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. Also called CNE.” U.S. Department of Defense, The Dictionary of Military Terms (New York: Skyhorse Publishing, Inc.), 112.
14 Mark A. Stokes, Jenny Lin, and L.C. Russell Hsiao, “The Chinese People’s Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure,” Project 2049 Institute (2011): 8, http://project2049.net/documents/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf, accessed February 6, 2013.
Unit 61398’s Personnel Requirements
Unit 61398 appears to be actively soliciting and training English-speaking personnel specializing in a wide variety of cyber topics. Former and current personnel from the unit have publicly alluded to these areas of emphasis. For example, a graduate student of covert communications, Li Bingbing (李兵兵), who openly acknowledged his affiliation with Unit 61398, published a paper in 2010 that discussed embedding covert communications within Microsoft® Word documents. Another example is English linguist Wang Weizhong’s (王卫忠) biographical information, provided to the Hebei Chamber of Commerce, which describes the training he received as an English linguist while assigned to Unit 61398. These and other examples that demonstrate Unit 61398’s areas of expertise are listed in Table 1 below.15
Table 1: Chinese sources referring to the areas of expertise contained in Unit 61398 (type of expertise, followed by the source describing that expertise)
»» Covert Communications: Article in Chinese academic journal. Second author Li Bingbing (李兵兵) references Unit 61398 as the source of his expertise on the topic.15
»» English Linguistics: Bio of Hebei Chamber of Commerce member Wang Weizhong (王卫忠). He describes that he received his training as an English linguist during his service in Unit 61398.16
»» Operating System Internals: Article in Chinese academic journal. Second author Yu Yunxiang (虞云翔) references Unit 61398 as the source of his expertise on the topic.17
»» Digital Signal Processing: Article in Chinese academic journal. Second author Peng Fei (彭飞) references Unit 61398 as the source of his expertise on the topic.18
»» Network Security: Article in Chinese academic journal. Third author Chen Yiqun (陈依群) references Unit 61398 as the source of his expertise on the topic.19
15 Li Bing-bing, Wang Yan-Bo, and Xu Ming, “An information hiding method of Word 2007 based on image covering,” Journal of Sichuan University (Natural Science Edition) 47 (2010), http://www.paper.edu.cn/journal/downCount/0490-6756(2010)S1-0031-06, accessed February 6, 2013.
16 Hebei Chamber of Commerce, Bio of member Wang Weizhong (2012), http://www.hbsh.org/shej_ejsheqmsg.aspx?mid=26&uid=06010000&aid=06, accessed February 6, 2013.
17 Zeng Fan-jing, Yu Yun-xiang, and Chang Li, “The Implementation of Overlay File System in Embedded Linux,” Journal of Information Engineering University 7 (2006), http://file.lw23.com/9/98/984/98401889-9da6-4c38-b9d2-5a5202fd1a33.pdf, accessed February 6, 2013.
18 Zhao Ji-yong, Peng Fei, and Geng Chang-suo, “ADC’s Performance and Selection Method of Sampling Number of Bits,” Journal of Military Communications Technology 26, (2005), http://file.lw23.com/f/f1/f14/f14e7b60-3d60-4184-a48f-4a50dd21927c.pdf, accessed February 6, 2013.
19 Chen Qiyun, Chen Xiuzhen, Chen Yiqun, and Fan Lei, “Quantization Evaluation Algorithm for Attack Graph Based on Node Score,” Computer Engineering 36 (2010), http://www.ecice06.com/CN/article/downloadArticleFile.do?attachType=PDF&id=19627, accessed February 7, 2013.
Additionally, there is evidence that Unit 61398 aggressively recruits new talent from the Science and Engineering departments of universities such as Harbin Institute of Technology (哈尔滨工业大学) and Zhejiang University School of Computer Science and Technology (浙江大学计算机学院). The majority of the “profession codes” (专业代码) describing positions that Unit 61398 is seeking to fill require highly technical computer skills. The group also appears to have a frequent requirement for strong English proficiency. Table 2 provides two examples of profession codes for positions in Unit 61398, along with the required university courses and proficiencies associated with each profession.20
Table 2: Two profession codes and university-recommended courses for students intending to apply for positions in Unit 61398
Profession code 080902 (Circuits and Systems), required proficiencies:
»» 101 – Political
»» 201 – English
»» 301 – Mathematics
»» 842 – Signal and Digital Circuits (or) 840 – Circuits
»» Interview plus a small written test:
»− Circuits and Systems-based professional knowledge and comprehensive capacity
»− Team spirit and ability to work with others to coordinate
»− English proficiency
Profession code 081000 (Information and Communications Engineering), required proficiencies:
»» 101 – Political
»» 201 – English
»» 301 – Mathematics
»» 844 – Signal Circuit Basis
Size and Location of Unit 61398’s Personnel and Facilities
Based on the size of Unit 61398’s physical infrastructure, we estimate that the unit is staffed by hundreds, and perhaps thousands. This is an extrapolation based on public disclosures from within China describing the location and physical installations associated with Unit 61398. For example, public sources confirm that in early 2007, Jiangsu Longhai Construction Engineering Group (江苏龙海建工集团有限公司) completed work on a new building for Unit 61398 located at Datong Road 208 within the Pudong New Area of Shanghai (上海市浦东新区高桥镇大同路208号),21 which is referred to as the “Unit 61398 Center Building” (61398部队中心大楼). At 12 stories in height, and offering 130,663 square feet of space, we estimate that this building houses offices for approximately 2,000 people. Figure 4 through Figure 7 provide overhead views and street-level views of the building and its location, showing its size. This is only one of the unit’s several buildings, some of which are even larger.
20 Two Chinese universities hosting Unit 61398 recruiting events: • Zhejiang University: http://www.cs.zju.edu.cn/chinese/redir.php?catalog_id=101913&object_id=106021 • Harbin Institute of Technology: http://today.hit.edu.cn/articles/2004/2-23/12619.htm
21 See http://www.czzbb.net/czzb/YW_Info/YW_ZiGeYS/BaoMingInfo.aspx?YW_RowID=41726&BiaoDuanBH=CZS20091202901&enterprise_id=70362377-3 for documentation of the contract award to Jiangsu Langhai Construction Engineering Group for Unit 61398’s Center Building, among several other buildings; accessed February 5, 2013.
Figure 4: Datong Road circa 2006 (prior to Unit 61398 Center Building construction). Image copyright 2013 DigitalGlobe.
Figure 5: Datong Road circa 2008 (Unit 61398 Center Building visible at 208 Datong). Image copyright 2013 DigitalGlobe.
Figure 6: Unit 61398 Center Building (main gate, soldiers visible). Image copyright 2013 city8.com.
Figure 7: Unit 61398 Center Building, 208 Datong (rear view, possible generator exhausts visible). Image copyright 2013 city8.com.
Unit 61398 also has a full assortment of support units and associated physical infrastructure, much of which is located on a stretch of Datong Road (大同路) in Gaoqiaozhen (高桥镇), in the Pudong New Area (浦东新区) of Shanghai (上海).22 These support units include a logistics support unit, outpatient clinic, and kindergarten, as well as guesthouses located both in Gaoqiaozhen and in other locations in Shanghai.23 These amenities are usually associated with large military units or units at higher echelons. The close proximity of these amenities supports the contention that Unit 61398 occupies a high-level position in the PLA organizational hierarchy (see Figure 1: Unit 61398’s position within the PLA).24
PLA Unit 61398 and State-Owned Enterprise China Telecom Are Co-Building Computer Network Operations Infrastructure

Mandiant found an internal China Telecom document online that provides details about the infrastructure provided to Unit 61398. The memo (in Figure 8) reveals China Telecom executives deciding to “co-build” with Unit 61398 to justify the use of their own inventory in the construction of fiber optic communication lines “based on the principle that national defense construction is important.” The letter also appears to indicate that this is a special consideration being made outside of China Telecom’s “normal renting method” for Unit 61398. Additionally, the memo clarifies the phrase “Unit 61398” with the comment “(GSD 3rd Department, 2nd Bureau).” The memo not only supports the identity of Unit 61398 as GSD’s 3rd Department 2nd Bureau, but also reveals the relationship between a “very important communication and control department” (Unit 61398) and a state-influenced enterprise.
22 Confirmation of several other Unit 61398 support facilities along Datong Road (each source is a Chinese phone book listing building name and address, accessed February 6, 2013):
Address: 上海市浦东新区大同路50号 (Pudong New Area, Shanghai, Datong Road 50); Building Name: 中国人民解放军第61398部队司令部 (People’s Liberation Army Unit 61398 Headquarters); source: http://114.mingluji.com/minglu/%E4%B8%AD%E5%9B%BD%E4%BA%BA%E6%B0%91%E8%A7%A3%E6%94%BE%E5%86%9B%E7%AC%AC61398%E9%83%A8%E9%98%9F%E5%8F%B8%E4%BB%A4%E9%83%A8
Address: 上海市浦东新区大同路118弄甲 (Pudong New Area, Shanghai, Datong Road 118 A); Building Name: 中国人民解放军第61398部队司令部 (People’s Liberation Army Unit 61398 Headquarters); source: http://114.mingluji.com/minglu/%E4%B8%AD%E5%9B%BD%E4%BA%BA%E6%B0%91%E8%A7%A3%E6%94%BE%E5%86%9B%E7%AC%AC61398%E9%83%A8%E9%98%9F%E5%8F%B8%E4%BB%A4%E9%83%A8_0
Address: 上海市浦东新区高桥镇大同路135号 (Pudong New Area, Shanghai, Gaoqiao Town, Datong Road 135); Building Name: 中国人民解放军第61398部队 (People’s Liberation Army Unit 61398); source: http://114.mingluji.com/minglu/%E4%B8%AD%E5%9B%BD%E4%BA%BA%E6%B0%91%E8%A7%A3%E6%94%BE%E5%86%9B%E7%AC%AC61398%E9%83%A8%E9%98%9F_0
Address: 上海市浦东新区高桥镇大同路153号 (Pudong New Area, Shanghai, Gaoqiao Town, Datong Road 153); Building Name: 中国人民解放军第61398部队 (People’s Liberation Army Unit 61398); source: http://114.mingluji.com/minglu/%E4%B8%AD%E5%9B%BD%E4%BA%BA%E6%B0%91%E8%A7%A3%E6%94%BE%E5%86%9B%E7%AC%AC61398%E9%83%A8%E9%98%9F
Address: 上海市浦东新区大同路305号 (Pudong New Area, Shanghai, Datong Road 305); Building Name: 中国人民解放军第61398部队后勤部 (Logistics Department of the People’s Liberation Army Unit 61398); source: http://114.mingluji.com/category/%E7%B1%BB%E5%9E%8B/%E4%B8%AD%E5%9B%BD%E4%BA%BA%E6%B0%91%E8%A7%A3%E6%94%BE%E5%86%9B?page=69
23 Unit 61398 kindergarten listed in Shanghai Pudong: http://www.pudong-edu.sh.cn/Web/PD/jyzc_school.aspx?SiteID=45&UnitID=2388
24 James C. Mulvenon and Andrew N. D. Yang, editors, The People’s Liberation Army as Organization: Reference Volume v1.0 (Santa Monica, CA: RAND Corporation, 2002), 125, http://www.rand.org/pubs/conf_proceedings/CF182.html, accessed February 6, 2013.
Figure 8: China Telecom memo discussing Unit 61398. Source: http://r9.he3.com.cn/%e8%a7%84%e5%88%92/%e9%81%93%e8%B7%aF%e5%8F%8a%e5%85%B6%e4%BB%96%e8%a7%84%e5%88%92%e5%9B%Be%e7%Ba%B8/%e4%BF%a1%e6%81%aF%e5%9B%aD%e5%8C%Ba/%e5%85%B3%e4%Ba%8e%e6%80%BB%e5%8F%82%e4%B8%89%e9%83%a8%e4%Ba%8C%e5%B1%80-%e4%B8%8a%e6%B5%B7005%e4%B8%aD%e5%BF%83%e9%9C%80%e4%BD%BF%e7%94%a8%e6%88%91%e5%85%aC%e5%8F%B8%e9%80%9a%e4%BF%a1.pdf (see note 25)
25 This link has Chinese characters in it which are represented in URL encoding
Market Department Examining Control Affairs Division Report
Requesting Concurrence Concerning the General Staff Department 3rd Department 2nd Bureau Request to Use Our Company’s Communication Channel
Division Leader Wu:
The Chinese People’s Liberation Army Unit 61398 (General Staff Department 3rd Department 2nd Bureau) wrote to us a few days ago saying that, in accordance with their central command “8508” on war strategy construction [or infrastructure] need, the General Staff Department 3rd Department 2nd Bureau (Gaoqiao Base) needs to communicate with Shanghai City 005 Center (Shanghai Intercommunication Network Control Center within East Gate Bureau) regarding intercommunication affairs. This bureau already placed fiber-optic cable at the East Gate front entrance [road pole]. They need to use two ports to enter our company’s East Gate communication channel. The length is about 30m. At the same time, the second stage construction (in Gaoqiao Base) needs to enter into our company’s Shanghai Nanhui Communication Park 005 Center (special-use bureau). This military fiber-optic cable has already been placed at the Shanghai Nanhui Communication Park entrance. They need to use 4 of our company ports inside the Nanhui Communication Park to enter. The length is 600m. Upon our division’s negotiation with the 3rd Department 2nd Bureau’s communication branch, the military has promised to pay at most 40,000 Yuan for each port. They also hope Shanghai Telecom will smoothly accomplish this task for the military based on the principle that national defense construction is important. After checking the above areas’ channels, our company has a relatively abundant inventory to satisfy the military’s request.
This is our suggestion: because this is concerning defense construction, and also the 3rd Department 2nd Bureau is a very important communication control department, we agree to provide the requested channels according to the military’s suggested price. Because this is a one-time payment, and it is difficult to use the normal renting method, we suggest our company accept one-time payment using the reason of “Military Co-Construction [with China Telecom] of Communication Channels” and provide from our inventory. The military’s co-building does not interfere with our proprietary rights. If something breaks, the military is responsible to repair it and pay for the expenses. After you agree with our suggestion, we will sign an agreement with the communication branch of 61398 and implement it.
Please provide a statement about whether the above suggestion is appropriate or not.
[Handwritten Note] Agree with the Market Department Examining Control Affairs Division suggestion; inside the agreement clearly […define? (illegible) …] both parties’ responsibilities.
Figure 9: English translation of the China Telecom memo.
Synopsis of PLA Unit 61398
The evidence we have collected on PLA Unit 61398’s mission and infrastructure reveals an organization that:
»» Employs hundreds, perhaps thousands of personnel
»» Requires personnel trained in computer security and computer network operations
»» Requires personnel proficient in the English language
»» Has large-scale infrastructure and facilities in the “Pudong New Area” of Shanghai
»» Was the beneficiary of special fiber optic communication infrastructure provided by state-owned enterprise China Telecom in the name of national defense
The following sections of this report detail APT1’s cyber espionage and data theft operations. The sheer scale and duration of these sustained attacks leave little doubt about the enterprise scale of the organization behind this campaign. We will demonstrate that the nature of APT1’s targeted victims and the group’s infrastructure and tactics align with the mission and infrastructure of PLA Unit 61398.
APT1: Years of Espionage
Our evidence indicates that APT1 has been stealing hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006. Remarkably, we have witnessed APT1 target dozens of organizations simultaneously. Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organizations’ leadership. We believe that the extensive activity we have directly observed represents only a small fraction of the cyber espionage that APT1 has committed.
APT1 Puts the “Persistent” in APT
Since 2006 we have seen APT1 relentlessly expand its access to new victims. Figure 10 shows the timeline of the 141 compromises we are aware of; each marker in the figure represents a separate victim and indicates the earliest confirmed date of APT1 activity in that organization’s network.26
With the ephemeral nature of electronic evidence, many of the dates of earliest known APT1 activity shown here underestimate the duration of APT1’s presence in the network.
Figure 10: Timeline showing dates of earliest known APT1 activity in the networks of the 141 organizations in which Mandiant has observed APT1 conducting cyber espionage.
26 Figure 10 shows that we have seen APT1 compromise an increasing number of organizations each year, which may reflect an increase in APT1’s activity. However, this increase may also simply reflect Mandiant’s expanding visibility into APT1’s activities as the company has grown and victims’ awareness of cyber espionage activity in their networks has improved.
[Figure 10 chart: “Organizations compromised by APT1 over time”; one marker per victim, x-axis 2006 through 2013]
Longest time period within which APT1 has continued to access a victim’s network: 4 years, 10 months
Once APT1 has compromised a network, they repeatedly monitor and steal proprietary data and communications from the victim for months or even years. For the organizations in Figure 10, we found that APT1 maintained access to the victim’s network for an average of 356 days.27 The longest time period APT1 maintained access to a victim’s network was at least 1,764 days, or four years and ten months. APT1 was not continuously active on a daily basis during this time period; however, in the vast majority of cases we observed, APT1 continued to commit data theft as long as they had access to the network.
APT1’s Geographic & Industry Focus
The organizations targeted by APT1 primarily conduct their operations in English. However, we have also seen the group target a small number of non-English speaking victims. A full 87% of the APT1 victims we have observed are headquartered in countries where English is the native language (see Figure 11). This includes 115 victims located in the U.S. and seven in Canada and the United Kingdom. Of the remaining 19 victims, 17 use English as a primary language for operations. These include international cooperation and development agencies, foreign governments in which English is one of multiple official languages, and multinational conglomerates that primarily conduct their business in English. Only two victims appear to operate using a language other than English. Given that English-language proficiency is required for many members of PLA Unit 61398, we believe that the two non-English speaking victims are anomalies representing instances in which APT1 performed tasks outside of their normal activities.
27 This is based on 91 of the 141 victim organizations shown. In the remaining cases, APT1 activity is either ongoing or else we do not have visibility into the last known date of APT1 activity in the network.
Observed global APT1 activity (victims by country, 141 total):
United States 115; United Kingdom 5; India 3; Israel 3; Canada 2; Singapore 2; Switzerland 2; Taiwan 2; Belgium 1; France 1; Japan 1; Luxembourg 1; Norway 1; South Africa 1; UAE 1.

Figure 11: Geographic location of APT1’s victims. In the case of victims with a multinational presence, the location shown reflects either the branch of the organization that APT1 compromised (when known), or else is the location of the organization’s headquarters.
APT1 has demonstrated the capability and intent to steal from dozens of organizations across a wide range of industries virtually simultaneously. Figure 12 provides a view of the earliest known date of APT1 activity against all of the 141 victims we identified, organized by the 20 major industries they represent. The results suggest that APT1’s mission is extremely broad; the group does not target industries systematically but more likely steals from an enormous range of industries on a continuous basis. Since the organizations included in the figure represent only the fraction of APT1 victims that we confirmed directly, the range of industries that APT1 targets may be even broader than our findings suggest.
Further, the scope of APT1’s parallel activities implies that the group has significant personnel and technical resources at its disposal. In the first month of 2011, for example, Figure 12 shows that APT1 successfully compromised 17 new victims operating in 10 different industries. Since we have seen that the group remains active in each victim’s network for an average of nearly a year after the initial date of compromise, we infer that APT1 committed these 17 new breaches while simultaneously maintaining access to and continuing to steal data from a number of previously compromised victims.
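The dwell-time figures above (an average of 356 days over the 91 victims with a known end date, a longest access period of at least 1,764 days) and the inference about parallel access in January 2011 both come from the same kind of computation over an intrusion timeline: one first-seen date and, where visible, one last-seen date per victim. The following Python is an added example, not code or data from the Mandiant report; the victims, dates and the `AS_OF` cut-off are constructed for illustration. It shows the point footnote 27 makes in code: victims whose last activity is ongoing or not visible are right-censored, so they are left out of the mean but still count toward a lower bound on the longest dwell, and the cut-off date is used as a floor for how many victims were being accessed at once.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Victim:
    """One compromised organization, as tracked in an intrusion timeline."""
    name: str
    first_seen: date            # earliest confirmed intruder activity in the network
    last_seen: Optional[date]   # None: ongoing, or end date not visible (right-censored)


# Constructed sample data (assumption): illustrative dates, not the report's victim set.
AS_OF = date(2013, 2, 18)      # assumed observation cut-off for ongoing cases
SAMPLE = [
    Victim("A", date(2006, 3, 1), date(2007, 2, 20)),    # 356 days of access
    Victim("B", date(2008, 1, 1), date(2012, 10, 30)),   # 1,764 days of access
    Victim("C", date(2010, 11, 15), None),               # still active at AS_OF
    Victim("D", date(2011, 1, 10), date(2011, 6, 1)),    # 142 days of access
    Victim("E", date(2011, 1, 20), None),                # still active at AS_OF
]


def dwell_days(v: Victim, as_of: date = AS_OF) -> int:
    """Days from first to last observed activity. For a censored case the
    cut-off date yields a lower bound on dwell, never the true value."""
    return ((v.last_seen or as_of) - v.first_seen).days


def dwell_stats(victims: Iterable[Victim], as_of: date = AS_OF) -> Dict[str, float]:
    """Mean dwell over cases with a known end date, plus a lower-bound maximum
    that includes ongoing cases (censored cases would bias the mean low)."""
    victims = list(victims)
    known = [dwell_days(v, as_of) for v in victims if v.last_seen is not None]
    return {
        "n_known": len(known),
        "n_censored": len(victims) - len(known),
        "avg_days": mean(known) if known else 0.0,
        "longest_days": max(dwell_days(v, as_of) for v in victims),
    }


def years_months(days: int) -> Tuple[int, int]:
    """Round a day count to whole months on a 365.25-day year: 1764 -> (4, 10)."""
    months = round(days * 12 / 365.25)
    return divmod(months, 12)


def active_on(victims: Iterable[Victim], day: date, as_of: date = AS_OF) -> int:
    """Number of victims the intruder still had access to on a given day."""
    return sum(1 for v in victims if v.first_seen <= day <= (v.last_seen or as_of))


def new_per_year(victims: Iterable[Victim]) -> Dict[int, int]:
    """Count of first-seen compromises per year (the data behind a Figure 10 style timeline)."""
    return dict(Counter(v.first_seen.year for v in victims))


if __name__ == "__main__":
    stats = dwell_stats(SAMPLE)
    print(stats, years_months(int(stats["longest_days"])))
    print("active on 2011-01-20:", active_on(SAMPLE, date(2011, 1, 20)))
    print("new compromises per year:", new_per_year(SAMPLE))
```

On the constructed sample, three victims have a known end (mean 754 days), two are censored, the longest observed access is 1,764 days, which rounds to 4 years 10 months, and on 20 January 2011 four victims are being accessed at once, two of them compromised that month while the earlier two are still open. The same bookkeeping applied to a real incident register gives the "average dwell" and "still active while breaching new targets" statements their evidential footing.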
[Figure 12 chart: earliest known date of APT1 activity per victim, grouped by industry, x-axis 2006 through 2012. Industries shown on this page: Aerospace; Chemicals; Construction and Manufacturing; Education; Energy; Engineering Services; Financial Services; Food and Agriculture; Healthcare; High-Tech Electronics; Information Technology; Legal Services; Media, Advertising and Entertainment; Metals and Mining; Navigation; Public Administration; Satellites and Telecommunications; Scientific Research and Consulting; Transportation]