Chinese Elite Hacking Unit 61398

Chinese Elite Hacking Unit 61398

As Mandiant mapped the Internet protocol addresses and other bits of digital evidence, it all led back to the edges of Pudong district of Shanghai, right around the Unit 61398 headquarters. The group’s report, along with 3,000 addresses and other indicators that can be used to identify the source of attacks, concludes “the totality of the evidence” leads to the conclusion that “A.P.T. 1 is Unit 61398.”

Mandiant discovered that two sets of I.P. addresses used in the attacks were registered in the same neighborhood as Unit 61398’s building.

“It’s where more than 90 percent of the attacks we followed come from,” said Mr. Mandia.

The only other possibility, the report concludes with a touch of sarcasm, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multiyear enterprise-scale computer espionage campaign right outside of Unit 61398’s gates.”

Advertisements

One Comment on “Chinese Elite Hacking Unit 61398”

  1. ChasL says:

    Has anyone fact checked Mandiant’s attribution? The APT1 report is full of holes:

    1) Mandiant claims Hebei is part of Shanghai, but it’s actually 500 miles and 3 provinces away.

    2) The address Mandiant claims is Unit 61398 central building on page 11, 208 Datong Road, is the address of the Unit 61398 Kindergarten. (Ref. Google “site:starbaby.cn 61398”)

    3) One the hacker cited, DOTA, was outted by Anonymous back in 2011. (Ref. Google “d0ta010 2j3c1k HBGary”).

    Who’d be dumb enough to reuse compromised identity?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s