Shane Harris reports: North Korea’s limited connection to the Internet was temporarily severed Monday, just three days after President Barack Obama promised a “proportional” response for what he said was Pyongyang’s brazen hacking of Sony.
It’s too soon to say whether the United States knocked the Hermit Kingdom offline, or persuaded China to do it, or whether the North Koreans did it to themselves. One hacktivist group appears to be taking responsibility for the denial-of-service strike that targeted mostly North Korean government-operated sites.
But the outage has raised the question of what that proportional response would look like, and whether it would be legal. [Continue reading…]
Category Archives: cyberwarfare
How hackers almost toppled the Sheldon Adelson gambling empire
Bloomberg Businessweek reports: Investigators from Dell SecureWorks working for [Sheldon Adelson’s casino empire, Las Vegas] Sands have concluded that the February attack was likely the work of “hacktivists” based in Iran, according to documents obtained by Bloomberg Businessweek. The security team couldn’t determine if Iran’s government played a role, but it’s unlikely that any hackers inside the country could pull off an attack of that scope without its knowledge, given the close scrutiny of Internet use within its borders. “This isn’t the kind of business you can get into in Iran without the government knowing,” says James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. Hamid Babaei, a spokesman for Iran’s Permanent Mission to the United Nations, didn’t return several phone calls and e-mails.
The perpetrators released their malware early in the morning on Monday, Feb. 10. It spread through the company’s networks, laying waste to thousands of servers, desktop PCs, and laptops. By the afternoon, Sands security staffers noticed logs showing that the hackers had been compressing batches of sensitive files. This meant that they may have downloaded — or were preparing to download — vast numbers of private documents, from credit checks on high-roller customers to detailed diagrams and inventories of global computer systems. Michael Leven, the president of Sands, decided to sever the company entirely from the Internet.
It was a drastic step in an age when most business functions, from hotel reservations to procurement, are handled online. But Sands was able to keep many core operations functioning — the hackers weren’t able to access an IBM (IBM) mainframe that’s key to running certain parts of the business. Hotel guests could still swipe their keycards to get into their rooms. Elevators ran. Gamblers could still drop coins into slot machines or place bets at blackjack tables. Customers strolling the casino floors or watching the gondolas glide by on the canal in front of the Venetian had no idea anything was amiss.
Leven’s team quickly realized that they’d caught a major break. The Iranians had made a mistake. Among the first targets of the wiper software were the company’s Active Directory servers, which help manage network security and create a trusted link to systems abroad. If the hackers had waited before attacking these machines, the malware would have made it to Sands’ extensive properties in Singapore and China. Instead, the damage was confined to the U.S. [Continue reading…]
Powerful, highly stealthy Linux trojan may have infected victims for years
Ars Technica reports: Researchers have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.
The previously undiscovered malware represents a missing puzzle piece tied to “Turla,” a so-called advanced persistent threat (APT) disclosed in August by Kaspersky Lab and Symantec. For at least four years, the campaign targeted government institutions, embassies, military, education, research, and pharmaceutical companies in more than 45 countries. The unknown attackers—who are probably backed by a nation-state, according to Symantec—were known to have infected several hundred Windows-based computers by exploiting a variety of vulnerabilities, at least two of which were zero-day bugs. The malware was notable for its use of a rootkit that made it extremely hard to detect.
Now researchers from Moscow-based Kaspersky Lab have detected Linux-based malware used in the same campaign. Turla was already ranked as one of the top-tier APTs, in the same league as the recently disclosed Regin for instance. The discovery of the Linux component suggests it is bigger than previously thought and may presage the discovery of still more infected systems. [Continue reading…]
Cybersecurity unit drives Israeli Internet economy
Jeff Moskowitz reports: Over the summer, in the middle of a two-month-long Israeli-Palestinian war, representatives of some of the biggest names in tech crammed into the stairwell of a Tel Aviv skyscraper to wait out Hamas rocket fire. Wearing Sequoia Capital name tags and TechCrunch T-shirts, they squeezed against one another, passing the time by talking about the Paris startup scene and the success rate of Iron Dome, Israel’s missile defense system.
They came to Tel Aviv for the demo day of a uniquely Israeli brand of startup incubator: one conducted by graduates of Israel Defense Forces Unit 8200 – the Israeli NSA. It was a fitting reminder of the close ties between Israel’s Silicon Wadi (the nickname for Israel’s startup ecosystem) and the country’s military establishment.
The 8200 is the largest unit in the Israeli army. It’s responsible for signals intelligence, eavesdropping and wiretapping, as well as advanced technical jobs and translating work. It is also widely acknowledged as producing a disproportionately high percentage of Israel’s tech executives and startup founders, including the brains behind Check Point Software Technologies, NICE Systems, and Mirabilis (creator of the proto-instant messaging system ICQ) – three of the biggest Israeli tech companies. [Continue reading…]
Is Russia’s cyberwar heating up amid new Cold War?
Moscow Times reports: A recent influx of reports about Russian electronic espionage activity has prompted fresh concerns that the Kremlin may be gunning for a cyberwar with the West.
Not everyone is convinced: Russian IT analysts interviewed by The Moscow Times were more inclined to blame the spike in attack reports on media hype and cybersecurity companies exploiting clients’ fears.
But Russia’s leading expert on domestic security services, Andrei Soldatov, said the pattern of the attacks indicated that the Russian government may be mounting a covert Internet offensive.
Experts could not say, however, whether heavy guns with the FSB electronic espionage agencies have been deployed.
“All government-linked attacks so far have been carried out by people on the market: the cyber-mercenaries,” Soldatov, editor-in-chief of the Agentura.ru website, said Wednesday. [Continue reading…]
‘Regin’ malware comes from Western intelligence agency, say experts
The Guardian reports: Regin is the latest malicious software to be uncovered by security researchers, though its purpose is unknown, as are its operators. But experts have told the Guardian it was likely spawned in the labs of a western intelligence agency.
None of the targets of the Regin hackers reside on British soil, nor do any live in the US. Most victims are based in Russia and Saudi Arabia – 28% and 24% respectively.
Ireland had the third highest number of targets – 9% of overall detected infections. The infections list doesn’t include any “five eyes” countries – Australia, Canada, New Zealand, the UK and the US.
“We believe Regin is not coming from the usual suspects. We don’t think Regin was made by Russia or China,” Mikko Hypponen, chief research officer at F-Secure, told the Guardian. His company first spied Regin hiding on a Windows server inside a customer’s IT infrastructure in Northern Europe.
Only a handful of countries are thought capable of creating something as complex as Regin. If China and Russia are ruled out, that would leave the US, UK or Israel as the most likely candidates. [Continue reading…]
U.S. firm helped the spyware industry build a potent digital weapon for sale overseas
Barton Gellman reports: CloudShield Technologies, a California defense contractor, dispatched a senior engineer to Munich in the early fall of 2009. His instructions were unusually opaque.
As he boarded the flight, the engineer told confidants later, he knew only that he should visit a German national who awaited him with an off-the-books assignment. There would be no written contract, and on no account was the engineer to send reports back to CloudShield headquarters.
His contact, Martin J. Muench, turned out to be a former developer of computer security tools who had long since turned to the darkest side of their profession. Gamma Group, the British conglomerate for which Muench was a managing director, built and sold systems to break into computers, seize control clandestinely, and then copy files, listen to Skype calls, record every keystroke and switch on Web cameras and microphones at will.
According to accounts the engineer gave later and contemporary records obtained by The Washington Post, he soon fell into a shadowy world of lucrative spyware tools for sale to foreign security services, some of them with records of human rights abuse.
Over several months, the engineer adapted Gamma’s digital weapons to run on his company’s specialized, high-speed network hardware. Until then CloudShield had sold its CS-2000 device, a multipurpose network and content processing product, primarily to the Air Force and other Pentagon customers, who used it to manage and defend their networks, not to attack others.
CloudShield’s central role in Gamma’s controversial work — fraught with legal risk under U.S. export restrictions — was first uncovered by Morgan Marquis-Boire, author of a new report released Friday by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. He shared advance drafts with The Post, which conducted its own month-long investigation. [Continue reading…]
MonsterMind: Automated cyberwarfare
In “The most wanted man in the world,” his feature article for Wired on Edward Snowden, James Bamford writes: The massive surveillance effort was bad enough, but Snowden was even more disturbed to discover a new, Strangelovian cyberwarfare program in the works, codenamed MonsterMind. The program, disclosed here for the first time, would automate the process of hunting for the beginnings of a foreign cyberattack. Software would constantly be on the lookout for traffic patterns indicating known or suspected attacks. When it detected an attack, MonsterMind would automatically block it from entering the country — a “kill” in cyber terminology.
Programs like this had existed for decades, but MonsterMind software would add a unique new capability: Instead of simply detecting and killing the malware at the point of entry, MonsterMind would automatically fire back, with no human involvement. That’s a problem, Snowden says, because the initial attacks are often routed through computers in innocent third countries. “These attacks can be spoofed,” he says. “You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?”
In addition to the possibility of accidentally starting a war, Snowden views MonsterMind as the ultimate threat to privacy because, in order for the system to work, the NSA first would have to secretly get access to virtually all private communications coming in from overseas to people in the US. “The argument is that the only way we can identify these malicious traffic flows and respond to them is if we’re analyzing all traffic flows,” he says. “And if we’re analyzing all traffic flows, that means we have to be intercepting all traffic flows. That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time.”
Inside Anonymous’ cyberwar against the Israeli government
Mother Jones reports: The shadowy hacker collective known as Anonymous has announced it will launch a round of cyber-attacks this Friday against the Israeli government, in retaliation for Israel’s ongoing military intervention in Gaza. This onslaught would add to a wave of cyber assaults staged in recent weeks by hackers largely from the Middle East, Asia, and South America, who are supporting “OpSaveGaza,” an Anonymous-backed campaign targeting Israeli government websites that has succeeded in temporarily taking down the sites of the Israeli defense ministry and the Tel Aviv police department.
This isn’t the first time Anonymous has zeroed in on Israel; the collective has been launching cyber-attacks against the country for several years, with mixed results. “As a collective ‘Anonymous’ does not hate Israel, it hates that Israel’s government is committing genocide & slaughtering unarmed people in Gaza to obtain more land at the border,” an Anonymous spokesperson, using the Twitter handle @YourAnonCentral, tells Mother Jones. The spokesperson notes that there has never been any Anonymous action taken against Palestinian targets, including Hamas, the outfit governing Gaza and launching rocket attacks against Israel.
The most recent round of cyber-attacks began in early July, and the Anonymous spokesperson claims that collective members sabotaged “thousands” of Israeli websites. Several of the sites targeted were indeed down recently. The International Business Times reported last week that “numerous Israeli government homepages have been replaced by graphics, slogans, and auto-playing audio files.” On Monday, hackers leaked a list of log-in details they claim belong to Israeli government officials, but the government hasn’t confirmed this. [Continue reading…]
How Russian hackers stole the Nasdaq
Bloomberg Businessweek reports: In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq. It looked like malware had snuck into the company’s central servers. There were indications that the intruder was not a kid somewhere, but the intelligence agency of another country. More troubling still: When the U.S. experts got a better look at the malware, they realized it was attack code, designed to cause damage.
As much as hacking has become a daily irritant, much more of it crosses watch-center monitors out of sight from the public. The Chinese, the French, the Israelis — and many less well known or understood players — all hack in one way or another. They steal missile plans, chemical formulas, power-plant pipeline schematics, and economic data. That’s espionage; attack code is a military strike. There are only a few recorded deployments, the most famous being the Stuxnet worm. Widely believed to be a joint project of the U.S. and Israel, Stuxnet temporarily disabled Iran’s uranium-processing facility at Natanz in 2010. It switched off safety mechanisms, causing the centrifuges at the heart of a refinery to spin out of control. Two years later, Iran destroyed two-thirds of Saudi Aramco’s computer network with a relatively unsophisticated but fast-spreading “wiper” virus. One veteran U.S. official says that when it came to a digital weapon planted in a critical system inside the U.S., he’s seen it only once — in Nasdaq.
The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger. A crisis action team convened via secure videoconference in a briefing room in an 11-story office building in the Washington suburbs. Besides a fondue restaurant and a CrossFit gym, the building is home to the National Cybersecurity and Communications Integration Center (NCCIC), whose mission is to spot and coordinate the government’s response to digital attacks on the U.S. They reviewed the FBI data and additional information from the NSA, and quickly concluded they needed to escalate.
Thus began a frenzied five-month investigation that would test the cyber-response capabilities of the U.S. and directly involve the president. Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is,” says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. “The bad news of that equation is, I’m not sure you will really know until that final trigger is pulled. And you never want to get to that.”
Bloomberg Businessweek spent several months interviewing more than two dozen people about the Nasdaq attack and its aftermath, which has never been fully reported. Nine of those people were directly involved in the investigation and national security deliberations; none were authorized to speak on the record. “The investigation into the Nasdaq intrusion is an ongoing matter,” says FBI New York Assistant Director in Charge George Venizelos. “Like all cyber cases, it’s complex and involves evidence and facts that evolve over time.”
While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault. One official who experienced the event firsthand says he thought the attack would change everything, that it would force the U.S. to get serious about preparing for a new era of conflict by computer. He was wrong. [Continue reading…]
Ukraine crisis proves cyber conflict is a reality of modern warfare
Jarno Limnéll writes: A hundred years ago, World War I moved warfare into the skies. Today no nation regards its security as complete without an air force, and no serious future conflict will lack a cyber aspect, either.
Russia and Ukraine apparently traded cyber attacks during the referendum on Crimea. Media reports indicate NATO and Ukrainian media websites suffered DDoS (denial of service) assaults during the vote, and that servers in Moscow took apparently retaliatory – and bigger – strikes afterward.
Observers tend to miss, though, that these are relatively modest skirmishes in cyber space. They routinely break out among competing states, even without concurrent political or military hostilities. Angling to hobble an opponent’s web resources by clogging networks with junk traffic? Another day at the office.
I see three distinct levels or “rings” to contemporary cyber conflicts. Only the first is clearly apparent in the Ukraine crisis. Full-blown cyber war is not yet occurring. The prospect of escalation, however, is real and worrisome. The West should watch carefully, because developments in Ukraine offer a model for contemporary conflicts worldwide – which will henceforth have integral cyber elements for all but the least developed nations.
By observing Ukraine we can deduce not only the capabilities of cyber weapons, but the goals and policies behind their use. [Continue reading…]
U.S. cyberwarfare force to grow significantly, defense secretary says
The Washington Post reports: The Pentagon is significantly growing the ranks of its cyberwarfare unit in an effort to deter and defend against foreign attacks on crucial U.S. networks, Defense Secretary Chuck Hagel said Friday.
In his first major speech on cyber policy, Hagel sought to project strength but also to tame perceptions of the United States as an aggressor in computer warfare, stressing that the government “does not seek to militarize cyberspace.”
His remarks, delivered at the retirement ceremony of Gen. Keith Alexander, the outgoing director of the National Security Agency and Cyber Command, come in advance of Hagel’s trip to China next week, his first as defense secretary. The issues of cyberwarfare and cyber-espionage have been persistent sources of tensions between Washington and Beijing.
Hagel said that the fighting force at U.S. Cyber Command will number more than 6,000 people by 2016, making it one of the largest such forces in the world. The force will help expand the president’s options for responding to a crisis with “full-spectrum cyber capabilities,” Hagel said, a reference to cyber operations that can include destroying, damaging or sabotaging an adversary’s computer systems and that can complement other military operations.
But, Hagel said, the military’s first purpose is “to prevent and de-escalate conflict.” The Pentagon will maintain “an approach of restraint to any cyber operations outside of U.S. government networks.”
Although some U.S. adversaries, notably China and Russia, which also have formidable cyber capabilities, may view his remarks with skepticism, Hagel said the Pentagon is making an effort to be “open and transparent” about its cyberforces and doctrine. The hope, senior officials said, is that transparency will lead to greater stability in cyberspace. [Continue reading…]
After reports on NSA, China urges end to spying
The New York Times reports: The Chinese government called on the United States on Monday to explain its actions and halt the practice of cyberespionage after news reports said that the National Security Agency had hacked its way into the computer systems of China’s largest telecommunications company.
The reports, based on documents provided by the former security contractor Edward J. Snowden, related how the spy agency penetrated servers owned by the company, Huawei, and monitored communications by its senior executives in an effort to discover whether the executives had links to the Chinese military. The operation also sought to exploit the company’s technology and gain access to the communications of customers who use Huawei cellphones, fiber optic cables and network hubs.
American officials have been working to block Huawei from entering the American telecommunications market because of concerns that its equipment could provide Chinese hackers with a “back door” for stealing American corporate and government secrets. [Continue reading…]
Can we trust an Internet that’s become a weapon of governments?
MIT Technology Review: Security experts have been warning for some time that computer networks are not secure from intruders. But in 2013, we learned that the mayhem has become strategic. Governments now write computer viruses. And if they can’t, they can purchase them. A half-dozen boutique R&D houses, like Italy’s Hacking Team, develop computer vulnerabilities and openly market them to government attackers.
Criminals use common computer weaknesses to infect as many machines as possible. But governments assemble large research teams and spend millions patiently pursuing narrow objectives. Costin Raiu, who investigates such “advanced persistent threats” as director of research and analysis for anti-virus company Kaspersky Lab, says he logs on to his computer assuming he is not alone. “I operate under the principle that my computer is owned by at least three governments,” he says.
That is a threat mainstream technology companies are grappling with. The U.S. government circumvented Google’s security measures and secretly collected customer data. British spies scooped up millions of webcam images from Yahoo. In December, on Microsoft’s official blog, the company’s top lawyer, Brad Smith, said he had reason to view surreptitious “government snooping” as no different from criminal malware. Microsoft, along with Google and Yahoo, has responded by greatly widening its use of encryption (see “The Year of Encryption”).
“We’re living in a very interesting time, where companies are becoming unwilling pawns in cyberwarfare,” says Menny Barzilay, a former Israeli intelligence officer now working in IT security for the Bank Hapoalim Group, in Tel Aviv. In this new context, nobody can say where the responsibilities of a company may end and those of a nation might begin. Should a commercial bank be expected to expend resources to defend itself when its attacker is a country? “This is not a ‘maybe’ situation. This is happening right now,” says Barzilay. “And this is just the beginning.” [Continue reading…]
Cyber-war: In deed and desire, Iran emerging as a major power
Christian Science Monitor reports: As high-level international talks in Vienna over Iran’s nuclear program edged closer to a deal last fall, something curious happened – massive cyber-attacks that had hammered Wall Street bank websites repeatedly for about a year slowed to a near stop.
While banking industry officials were relieved, others wondered why those Iran-linked “distributed denial of service” attacks that had so regularly flooded bank websites with bogus Internet traffic were shut off like a faucet. One likely reason, say US experts on cyber-conflict: to reduce friction, at least temporarily, at the Vienna nuclear talks.
Yet, even as the “distributed denial of service” attacks abated for apparently diplomatic reasons, overall Iranian cyber-spying on US military and energy corporation networks has surged, these experts say.
Iran was fingered last fall, for instance, for infiltrating the US Navy Marine Corps Intranet. It then took the Navy nearly four months to root out the Iranian hackers infesting its largest unclassified computer network, the Wall Street Journal reported in February.
This litany of Iranian activity is evidence, say experts, that after years as a cyber also-ran, Iran is morphing swiftly into a major threat in the rapidly evolving era of cyber-conflict. [Continue reading…]
Is this Russia’s Stuxnet? Experts analyze Snake, Uroburos, Turla malware samples dating back to 2005
Techworld reports: The mysterious ‘Uroburos’ cyberweapon named last week in Germany has been stalking its victims since as far back as 2005 and large enterprises and governments need to pay urgent attention to the threat it poses, UK security firm BAE Systems has urged.
German firm G Data’s recent analysis dubbed it ‘Uroburos’ while it is also known to some security firms as ‘Turla’. BAE Systems’ Applied Intelligence division, which today published its own research, prefers the catchier ‘Snake’ but under any name the picture is alarming.
According to BAE Systems, it now transpires that Snake has been slithering silently around networks in the US and its NATO allies and former Soviet states for almost a decade, stealing data, getting ever more complex and modular and remaining almost invisible.
To be clear, this isn’t any old malware. Snake is just too long-lived, too targeted, too sophisticated, too evasive, too innovative. It appears to be on par with any of the complex cyberweapons attributed to the US such as Flame, first analysed by Kaspersky Lab in 2012.
After several months of research, the UK firm takes what we know a lot further, offering for the first time some objective data on targets. Culling data from malware research sites (i.e. those to which suspected malware samples are submitted for inspection), it has been spotted 32 times in the Ukraine since 2010, 11 times in Lithuania, 4 times in the UK, and a handful of times altogether from the US, Belgium, Georgia, Romania, Hungary and Italy.
These are very small numbers but BAE Systems believes that on past experience they are highly indicative. While they represent a tiny fraction of the number of infections that will have occurred in these countries and beyond, they can be used to reliably infer that Snake has been aimed at Western and Western-aligned countries pretty much exclusively.
In a week in which Russia planted boots on the ground in the Crimean region of the Ukraine, this is an unfortunate coincidence because while BAE Systems refused to name the state as the culprit, G Data and others are convinced that the links are suspicious.
Hints of the malware’s provenance have surfaced from time to time. In 2008, the US Department of Defense (DoD) reported that something called Agent.btz had attacked its systems, an incident later attributed on more than one occasion to the Russian state without further elaboration. [Continue reading…]
The 2008 attack targeted U.S. Central Command. A few days ago, threats coming from the Syrian Electronic Army via Twitter were also directed at #CENTCOM, an indication perhaps that this group, linked to the Assad regime, has its roots in Russia.
Softpedia reports: “SEA advises the terrorist Obama to think very hard before attempting ‘cyberattacks’ on Syria,” the hackers wrote on Twitter. “We know what Obama is planning and we will soon make him understand that we can respond.”
So far, the Syrian hacktivists have mainly targeted media organizations whose reporting they don’t like. Social media accounts have been compromised, and websites have been defaced. However, they claim that their attacks against the US government will not be of “the same kind.”
“The next attack will prove that the entire US command structure was a house of cards from the start. #SEA #CENTCOM,” reads the last tweet they posted.
The #CENTCOM hashtag suggests that the hackers’ next target is the US Central Command (centcom.mil).
The Syrian Electronic Army’s announcement comes shortly after the New York Times published an article about the United States’ intention to develop a battle plan against Syria. The use of cyber weapons is being taken into consideration.
Cyberattacks rise as Ukraine crisis spills to internet
The New York Times reports: The crisis in Ukraine has spread to the Internet, where hackers from both sides are launching large cyberattacks against opposing news organizations.
Security experts say that they are currently witnessing unusually large denial-of-service attacks, also called DDoS attacks, in which hackers flood a website with traffic to knock it offline. The attacks have been directed at both pro-Western and pro-Russian Ukrainian news sites.
In at least one case, hackers successfully defaced the website of the Kremlin-financed news network Russia Today, replacing headlines and articles containing the word “Russia” with the word “nazi.”
Experts say the attacks on pro-Western Ukrainian news sites closely resemble the attacks on Chechnyan news sites, which security experts say are under almost constant siege.
Matthew Prince, the chief executive and a co-founder of Cloudflare, a San Francisco company that helps websites speed up performance and mitigate DDoS attacks, said in an interview Tuesday that while this week’s attacks were similar to the attacks on Chechnyan news sites that use Cloudflare, it was not clear who was responsible for the attacks. [Continue reading…]
Inside ‘Unit 61398’: Portrait of accused Chinese cyberspying group emerges
The Associated Press reports: Unit 61398 of the People’s Liberation Army has been recruiting computer experts for at least a decade. It has made no secret of details of community life such as badminton matches and kindergarten, but its apparent purpose became clear only when a U.S. Internet security firm accused it of conducting a massive hacking campaign against North American targets.
Hackers with the Chinese unit have been active for years, using online handles such as “UglyGorilla,” Virginia-based firm Mandiant said in a report released Tuesday as the U.S. prepared to crack down on countries responsible for cyber espionage. The Mandiant report plus details collected by The Associated Press depict a highly specialized community of Internet warriors working from a blocky white building in Shanghai:
—RECRUITING THE SPIES: Unit 61398, alleged to be one of several hacking operations run by China’s military, recruits directly from universities. It favors high computer expertise and English language skills. A notice dated 2003 on the Chinese Internet said the unit was seeking master’s degree students from Zhejiang University’s College of Computer Science and Technology. It offered a scholarship, conditional on the student reporting for work at Unit 61398 after graduation.
—CYBERSPY WORKPLACE: Mandiant says it traced scores of cyberattacks on U.S. defense and infrastructure companies to a neighborhood in Shanghai’s Pudong district that includes the 12-story building where Unit 61398 is known to be housed. The building has office space for up to 2,000 people. Mandiant estimates the number of personnel in the unit to be anywhere from hundreds to several thousand. [Continue reading…]