Security firm Mandiant this week published evidence that it said ties the Chinese government to a six-year campaign of hack attacks that have compromised 141 businesses across 20 industries. Washington-based Mandiant's 74-page report covers only one of the dozens of cyber-espionage groups around the world, including more than 20 in China, that the company said use advanced persistent threats (APTs) -- including spear-phishing attacks -- to compromise their targets. Mandiant refers to the group in its report as "APT1."
"From our observations, it is one of the most prolific cyber-espionage groups in terms of the sheer quantity of information stolen," according to Mandiant's report. "The scale and impact of APT1's operations compelled us to write this."
[ Want more on U.S. cybersecurity defense? Read White House Cybersecurity Executive Order: What It Means. ]
Based on Mandiant's research, as well as reaction from security experts and the Chinese government, here's what's known -- and what remains in question -- about the activities of the APT1 hacking group:
1. Mandiant Traces APT1 Attacks To Shanghai
Mandiant's report wasn't notable for the fact that it accused the Chinese government of supporting APT attacks at U.S. businesses, but rather for the volume of evidence -- albeit circumstantial -- that it presented. Furthermore, Mandiant accused APT1 of not just being supported by the Chinese government, but actually part of the People's Liberation Army (PLA) Unit 61398, which is an elite military hacking unit.
Mandiant's conclusions come in part from tracing IP addresses used in attacks to a specific, 12-story, beige building in the Pudong district of Shanghai, where Mandiant found that China Telecom had "provided a special fiber optic communications infrastructure." Mandiant also cited documents from China Telecom noting that the facility had been built together with Unit 61398, which the documents also referred to as "GSD 3rd Department, 2nd Bureau," which refers to the PLA General Staff Department's 3rd Department, which is -- again -- also known as PLA Unit 61398.
Adding to the intrigue, a BBC correspondent reported that he'd been briefly detained Tuesday after attempting to visit the building.
2. Symantec Says Attacks Began In 2006
Security software vendor Symantec said that the activities of the APT1 group, which it calls the Comment Crew -- because the group has hidden attack commands inside HTML comments -- began more than six years ago. "The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec," according to a blog post from Symantec Security Response. "We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks."
According to Symantec, APT1's attacks often involve spear-phishing emails with such subject lines as "U.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip" and "New contact sheet of the AN-UYQ-100 contractors.pdf." The attacks have targeted businesses in numerous industries, "including finance, information technology, aerospace, energy, telecommunications, manufacturing, transportation, media and public services," it said.
The Mandiant report, however, didn't break any new ground in the Comment Crew discussion. "There really wasn't much new that came out of that Mandiant report, except for them identifying a specific building and putting all these details on that in there," said former Gartner Group analyst John Pescatore, who last month became the director of emerging security trends at the SANS Institute, speaking by phone.
3. Chinese Government: Allegations Are "Baseless"
The Chinese government has dismissed Mandiant's allegations. In particular, the Xinhua News Agency -- which is the Chinese government's official press agency -- published a "commentary" Wednesday that dismissed the Mandiant report as "amateurish," saying its conclusions were "baseless and revealing," including its tying of Shanghai IP addresses to a specific Chinese government military unit, although it offered no evidence to refute the allegations.
"One does not need to be a cybersecurity expert to know that professional hackers usually exploit what is called the botnet in other parts of the world as proxies for attacks, not their own computers," according to the commentary. "Thus, it is highly unlikely that both the origins of the hackers and the attacks they have launched can be located."