It looks innocent enough ... the 12-storey headquarters of Unit 61398 of the People's Liberation Army in Shanghai, and home to the most sophisticated of the Chinese hacking groups. (Photo: The New York Times)
On the outskirts of Shanghai, in a rundown neighbourhood dominated by a 12-storey white office tower, sits a People's Liberation Army base for China's growing corps of cyber warriors.
A growing body of digital forensic evidence, confirmed by US intelligence officials who say they have tapped into the activity of PLA Unit 61398 for years, leaves little doubt that an overwhelming percentage of the attacks on US corporations, organisations and government agencies originate in and around the white tower.
A 60-page study, due to have been released on Tuesday by Mandiant, a US computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups, known to many of its victims in the US as "Comment Crew" or "Shanghai Group", to the doorstep of the military unit's headquarters.
The company was not able to place the hackers inside the white tower but it says there is no other plausible way to explain why so many attacks come out of one comparatively small area.
"Either they are coming from inside Unit 61398," Kevin Mandia, the founder of Mandiant, said, "or the people who run the most-controlled, most-monitored internet networks in the world are clueless about thousands of people generating attacks from this one neighbourhood."
While Comment Crew has drained terabytes of data from companies such as Coca-Cola, increasingly its focus is on companies involved in the critical infrastructure of the US: its electrical power grid, gas lines and waterworks.
According to the security researchers, one target was a company with remote access to more than 60 per cent of oil and gas pipelines in North America.
Contacted on Monday, Chinese embassy officials in Washington again insisted their government did not engage in computer hacking, and that such activity was illegal. They described China as a victim of hacking, and pointed out, accurately, that there are many hacking groups inside the US.
But security researchers say the Chinese attacks have multiplied in recent years. Mandiant has detected more than 140 Comment Crew intrusions since 2006. US intelligence agencies and private security firms that track many of the 20 or so other Chinese groups every day say those groups appear to be contractors with links to the unit.
The White House said it was "aware" of the Mandiant report, and the spokesman for the National Security Council, Tommy Vietor, said: "We have repeatedly raised our concerns at the highest levels about cyber theft with senior Chinese officials, including in the military, and we will continue to do so."
US officials say a combination of diplomatic concerns and the desire to keep following the unit's activities has kept the government from going public until now.
For more than six years, Mandiant tracked the actions of Comment Crew, so named for the attackers' penchant for embedding hidden code or comments into web pages.
Based on the digital crumbs the group left behind, Mandiant followed 141 attacks by the group. It discovered that two sets of IP addresses used in the attacks were registered in the same neighbourhood as the Unit 61398 building.
"It's where more than 90 per cent of the attacks we followed come from," Mr Mandia said.
What most worries US investigators is that the latest attacks focus on obtaining the ability to manipulate critical infrastructure. The President, Barack Obama, alluded to this concern in his State of the Union address delivered last week, without mentioning China.
The New York Times