China Has Found A Brutally Simple Way To Steal Corporate Secrets




The Chinese army appears to be conducting cyberhacking and espionage against large U.S. corporations, according to an extensive report from computer security firm Mandiant.

The report even identifies the unit and the building behind the cyberwar.

Beijing has long been suspected of espionage costing global corporations billions of dollars — such as when a hacking incident at Lockheed Martin was followed by the appearance of suspiciously familiar Chinese jets — though it was hard to find evidence.

Indeed, it makes sense that China, in its breakneck push to become a world power, would use all available technology to catch the west.

Following Mandiant's 75-page report, however, the cyberwar is all but official.

We have distilled the alarming report and posted it below.

According to Mandiant, what China's hacking program coordinators do is seek students with outstanding English skills who are handpicked for "Advanced Persistent Threat" training (APT). The APT teams are broken down into groups and divided among locations in and around Shanghai, universities, commercial corridors, and largely innocuous places.

Wherever they go, each team is assigned a Military Unit Cover Designator (MUCD). The MUCD is a five-digit number by which the unit, its people, its location, and its work is referred to. The designation makes the teams more difficult to isolate and track.

MUCDs report all the way up to the Chinese equivalent to the Joint Chiefs of Staff, according to Mandiant. That implies this practice is part of China's overt military policy against foreign nations.

Mandiant offers an example of the type of expertise required:

  • Covert communications
  • English linguistics
  • Operating system internals
  • Digital signal processing
  • Network security

The needs are then broken down further into Profession Codes — such as 080902 for Circuits & Systems — Required Proficiencies — such as 101 for political, 201 for English, etc.

With hundreds or thousands of these teams lined up, the Chinese start phishing for passwords, according to Mandiant. The teams have refined and perfected dialogue, slang, and responses that appear nearly seamless to the colleagues they're trying to impersonate. In the beginning it all looks just like this:

Date: Wed, 18 Apr 2012 06:31:41 -0700
From: Kevin Mandia
Subject: Internal Discussion on the Press Release


Shall we schedule a time to meet next week

We need to finalize the press release.

Details click here.

Kevin Mandia

Victims who click that link will download a malicious ZIP file named, which contains a custom APT1 backdoor called WEBC2-TABLE.

Happening on such a large scale, these attacks presumably have government support. Mandiant writes: "The sheer scale and duration of these sustained attacks leave little doubt about the enterprise scale of the organization behind this campaign."

Not surprisingly, China is denying the report.

Chinese Foreign Ministry spokesman Hong Lei told reporters on Tuesday:

"To make groundless accusations based on some rough material is neither responsible nor professional."

Mandiant says it felt compelled to expose this hack despite possibly compromising its ability to collect information. Here's why:

"The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one. What started as a “what if” discussion about our traditional non-disclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk to our ability to collect intelligence on this particular APT group.

It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively. The issue of attribution has always been a missing link in publicly understanding the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.

We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches. At the same time, there are downsides to publishing all of this information publicly. Many of the techniques and, technologies described in this report are vastly more effective when attackers are not aware of them.

Additionally, publishing certain kinds of indicators dramatically shortens their lifespan. When Unit 61398 changes their techniques after reading this report, they will undoubtedly force us to work harder to continue tracking them with such accuracy. It is our sincere hope, however, that this report can temporarily increase the costs of Unit 61398’s operations and impede their progress in a meaningful way. We are acutely aware of the risk this report poses for us. We expect reprisals from China as well as an onslaught of criticism."

Below this Mandiant APT1 Report are a couple of photos and a list of the hardest hit English-speaking industries.



One of the major MUCD locations



From farther out - same location

Indusries Targeted


List of most highly targeted industries

Now Watch: How Syria Might Have Gotten Its Chemical Weapons