The Canadian Press - ONLINE EDITION

Badminton, Harry Potter and Facebook: A look at Chinese unit accused of huge hacking operation

  • Print

BEIJING, China - Unit 61398 of the People's Liberation Army has been recruiting computer experts for at least a decade. It has made no secret of details of community life such as badminton matches and kindergarten, but its apparent purpose became clear only when a U.S. Internet security firm accused it of conducting a massive hacking campaign against North American targets.

Hackers with the Chinese unit have been active for years, using online handles such as "UglyGorilla," Virginia-based firm Mandiant said in a report released Tuesday as the U.S. prepared to crack down on countries responsible for cyber espionage. The Mandiant report plus details collected by The Associated Press depict a highly specialized community of Internet warriors working from a blocky white building in Shanghai:

—RECRUITING THE SPIES: Unit 61398, alleged to be one of several hacking operations run by China's military, recruits directly from universities. It favours high computer expertise and English language skills. A notice dated 2003 on the Chinese Internet said the unit was seeking master's degree students from Zhejiang University's College of Computer Science and Technology. It offered a scholarship, conditional on the student reporting for work at Unit 61398 after graduation.

—CYBERSPY WORKPLACE: Mandiant says it traced scores of cyberattacks on U.S. defence and infrastructure companies to a neighbourhood in Shanghai's Pudong district that includes the 12-story building where Unit 61398 is known to be housed. The building has office space for up to 2,000 people. Mandiant estimates the number of personnel in the unit to be anywhere from hundreds to several thousand. The surrounding neighbourhood is filled with apartment buildings, tea houses, shops and karaoke bars.

—THE UNIT 61398 COMMUNITY: While the building's activities may be top secret, Unit 61398's status in the community as a military division is not. It turns up in numerous Chinese Internet references to community events, including a 2010 accord with the local government to set up a joint outreach centre on family planning. Other articles describe mass weddings for officers, badminton matches and even discussion of the merits of the "Unit 61398 Kindergarten." Other support facilities include a clinic, car pool, and guesthouse — all standard for the military's often self-contained communities across China.

—THE PIPELINE: The Mandiant report describes a special arrangement made with China Telecom for a fiber optic communication infrastructure in the Unit 61398 neighbourhood, pointing to its need for bandwidth and its elite status. The contract between the two refers to Unit 61398 as belonging to the General Staff Department 3rd Department, 2nd Bureau, and says China Telecom agreed to the military's suggested price due to "national defence construction" concerns.

—MODUS OPERANDUS: The cyberspies typically enter targeted computer networks through "spearfishing" attacks, in which a company official receives a creatively disguised email and is tricked into clicking on a link or attachment that then opens a secret door for the hackers, Mandiant says. The cyberspies would steal and retransmit data for an average of just under a year, but in some cases more than four years. Information technology companies were their favourite targets, followed by aerospace firms, pointing to a key area of interest as China seeks to develop its own cutting-edge civilian and military aircraft.

—ONLINE HANDLES: Mandiant identifies three of the unit's hackers by their screen names. It says one of them, "UglyGorilla," was first detected in a 2004 online forum posing a question to a cybersecurity expert about whether China needed a dedicated force to square off against an online cohort being mustered by the United States. The user of another screen name, "Dota," appears to be a fan of Harry Potter; Mandiant said references to the book and movie character appear as answers to his computer security questions.

Unit 61398 hackers were sometimes identified as the "Comment Crew" by security companies due to their practice of inserting secret backdoors into systems by using code embedded in comments on websites.

—REVEALING TWEETS: And what helped Mandiant track down the source of hacking into more than 140 companies and organizations from the U.S. and elsewhere? Facebook and Twitter.

China's "Great Firewall" of Internet filtering blocks those U.S.-based social networks, but Unit 61398 operators got around that by accessing them directly from the unit's system. Mandiant was able to see that Facebook and Twitter accounts were being accessed from Internet Protocol addresses connected to the unit. It's not clear whether those accounts aided in hacking or were simply for the hackers' personal use.

"These actors have made poor operational security choices, facilitating our research and allowing us to track their activities," the report says.

Fact Check

Fact Check

Have you found an error, or know of something we’ve missed in one of our stories?
Please use the form below and let us know.

* Required
  • Please post the headline of the story or the title of the video with the error.

  • Please post exactly what was wrong with the story.

  • Please indicate your source for the correct information.

  • Yes

    No

  • This will only be used to contact you if we have a question about your submission, it will not be used to identify you or be published.

  • Cancel

Having problems with the form?

Contact Us Directly
  • Print

You can comment on most stories on winnipegfreepress.com. You can also agree or disagree with other comments. All you need to do is be a Winnipeg Free Press print or e-edition subscriber to join the conversation and give your feedback.

You can comment on most stories on winnipegfreepress.com. You can also agree or disagree with other comments. All you need to do is be a Winnipeg Free Press print or e-edition subscriber to join the conversation and give your feedback.

Have Your Say

New to commenting? Check out our Frequently Asked Questions.

Have Your Say

Comments are open to Winnipeg Free Press print or e-edition subscribers only. why?

Have Your Say

Comments are open to Winnipeg Free Press Subscribers only. why?

The Winnipeg Free Press does not necessarily endorse any of the views posted. By submitting your comment, you agree to our Terms and Conditions. These terms were revised effective April 16, 2010.

letters

Make text: Larger | Smaller

LATEST VIDEO

Winnipeg Cheapskate: Cheap summer weekends

View more like this

Photo Store Gallery

  • A young goose gobbles up grass at Fort Whyte Alive Monday morning- Young goslings are starting to show the markings of a adult geese-See Bryksa 30 day goose challenge- Day 20– June 11, 2012   (JOE BRYKSA / WINNIPEG FREE PRESS)
  • An American White Pelican takes flight from the banks of the Red River in Lockport, MB. A group of pelicans is referred to as a ‘pod’ and the American White Pelican is the only pelican species to have a horn on its bill. May 16, 2012. SARAH O. SWENSON / WINNIPEG FREE PRESS

View More Gallery Photos

Poll

What should the city do with the 102-year-old Arlington Street bridge?

View Results

View Related Story

Ads by Google