Chinese Elite Hacking Unit 61398Posted: 27 February 2013 Filed under: Uncategorized | Tags: malware, security, web application security 1 Comment
Chinese Elite Hacking Unit 61398
As Mandiant mapped the Internet protocol addresses and other bits of digital evidence, it all led back to the edges of Pudong district of Shanghai, right around the Unit 61398 headquarters. The group’s report, along with 3,000 addresses and other indicators that can be used to identify the source of attacks, concludes “the totality of the evidence” leads to the conclusion that “A.P.T. 1 is Unit 61398.”
Mandiant discovered that two sets of I.P. addresses used in the attacks were registered in the same neighborhood as Unit 61398’s building.
“It’s where more than 90 percent of the attacks we followed come from,” said Mr. Mandia.
The only other possibility, the report concludes with a touch of sarcasm, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multiyear enterprise-scale computer espionage campaign right outside of Unit 61398’s gates.”
Has anyone fact checked Mandiant’s attribution? The APT1 report is full of holes:
1) Mandiant claims Hebei is part of Shanghai, but it’s actually 500 miles and 3 provinces away.
2) The address Mandiant claims is Unit 61398 central building on page 11, 208 Datong Road, is the address of the Unit 61398 Kindergarten. (Ref. Google “site:starbaby.cn 61398”)
3) One the hacker cited, DOTA, was outted by Anonymous back in 2011. (Ref. Google “d0ta010 2j3c1k HBGary”).
Who’d be dumb enough to reuse compromised identity?