
U.S. Security Firm Report Says Chinese Hackers Targeted Over 140 Victims

February 19, 2013 at 12:00 AM EDT
Though China denies the allegations, security firm Mandiant has issued a report detailing years of prolific cyber-espionage against the U.S. by a Chinese military unit. Mandiant's Richard Bejtlich and Christopher Johnson from the Center for Strategic and International Studies join Judy Woodruff to discuss what was stolen.

JUDY WOODRUFF: For more on this, we turn to Richard Bejtlich. He’s the chief security officer for Mandiant, the firm that issued the report. And Christopher Johnson, a senior adviser who closely watches China at the Center for Strategic and International Studies.

And we welcome you both to the program.

So, let me start with you, Richard Bejtlich. What did this study uncover that wasn’t known earlier?

RICHARD BEJTLICH, Mandiant: The study found evidence that linked it to a Chinese military unit.

Prior to this report, anything you would see coming from a security company or even from the government would indicate Chinese hackers. And with that, you could think of patriotic hackers, people working in the underground. There was never a direct link. And we found through our research that we could tie this not only to a military unit, but to a location, their headquarters, their building located near Shanghai.

JUDY WOODRUFF: And what did you find exactly is going on inside this building?

RICHARD BEJTLICH: If you were to walk inside this building, you would likely see thousands of computers.

You would see teams of individuals working on maintaining access to and stealing information from Western companies. They do this as their job. This is a directed activity. This is not for recreational purposes. And it’s been going on for, at least with this one group, APT1, for the last seven years.

JUDY WOODRUFF: And one of the terms you use in the report, one of the most prolific efforts or operations of its kind. How do you measure something like that?


RICHARD BEJTLICH: We measure it in several ways. We track about two dozen of these different APT groups from around the world, not just China.


RICHARD BEJTLICH: Yes, standing for advanced persistent threat. It’s a term that was coined by the Air Force in 2006.

And these groups, they have different characteristics. Sometimes, we measure them by the number of industries they go after. Sometimes we measure by the amount of data we take them — see. In the case of APT1, which is the focus of today’s report, they are in 20 different industries, 141 different companies stealing terabytes of data.

JUDY WOODRUFF: Terabyte being a lot of …

RICHARD BEJTLICH: A lot of data, yes. That’s why we consider them prolific.

JUDY WOODRUFF: And we want to say to our audience that we did attempt to talk to Chinese spokesmen, government spokesmen to ask them to provide a guest to appear on the program. And we were not able to get an answer from them. We will continue to do that.

But, as I turn to you, Christopher Johnson, and we should say, as we just heard in the report, the Chinese are saying all this is groundless, nothing to it. But how does what Mandiant found in this report square with everything else you have seen in your reporting?

CHRISTOPHER JOHNSON, Center for Strategic and International Studies: Well, I think what’s exciting about the report is what we just heard, which is that this idea that for the first time we’re now seeing the critical role of the Chinese military in this process.

And also I think it will be increasingly difficult, given the study’s very firm methodology, for the Chinese to continue to issue these denials that says the report — such information is groundless and that there’s no evidence. Quite clearly, there’s substantial evidence of this activity.

JUDY WOODRUFF: And what is it — what’s the hard evidence as you see it?

CHRISTOPHER JOHNSON: Well, the way I see it, what’s unique about the report is, again, tracking this activity to a very narrow set of actors and just the number of opportunities in which these same actors were engaging in this kind of activity and the abundant evidence of what they were able to take through their cyber-activities.

JUDY WOODRUFF: And what ties it to the military?

CHRISTOPHER JOHNSON: Well, quite clearly, it’s this military designation that we have seen.


And all the PLA units, or the Chinese military units, have these designators. And so the fact that that’s in the report is very compelling.

JUDY WOODRUFF: And it’s interesting that there is this sort of name tag identity to what they’re doing, isn’t it?


RICHARD BEJTLICH: They use — the Chinese military uses these five-digit codes to refer to individual units. And they don’t necessarily tie them directly to the, say, third department second bureau of the PLA. So we were able to unearth documents doing open source research — all of this is unclassified — that showed, for example, a letter from China Telecom to set up a circuit, in other words, to get Internet access into this new headquarters building when it was constructed in 2007.

And it said, we need to put a circuit in for 61398. And, by the way, if you don’t know how important they are, they’re the third department second bureau of the PLA. So they outed themselves in this document. So by finding those sorts of ties, we were able to center exactly what’s going on there.

JUDY WOODRUFF: And what does all this tell you about what they’re looking for? What do they want in all of this searching?

RICHARD BEJTLICH: Well, we know exactly what they’re looking for.

This particular unit, we have seen them take financial plans, product developments, user names, passwords, e-mail. They’re trying to find out what these companies have, what they can use in their own sorts of products. They’re trying to use them in negotiations. It’s very interesting, the sorts of information that they take.

JUDY WOODRUFF: So, principally, Christopher Johnson, principally, economic-, financial-driven, rather than security or military?

CHRISTOPHER JOHNSON: Well, that’s what’s so …

JUDY WOODRUFF: In the classic sense.

CHRISTOPHER JOHNSON: Right. And that’s what’s so interesting about the report is that you have the Chinese military conducting this economic espionage.

I think there’s also been a view that national security things, probing defense networks, this sort of thing, that is what you would expect an opposition enemy, military to be doing. But in this case, it’s economic espionage, which is quite interesting.

JUDY WOODRUFF: And do we have a sense of how much damage has been done by this?

CHRISTOPHER JOHNSON: Well, I think the report highlights that significant damage has been done. As Richard pointed out, terabytes of data have been removed.

JUDY WOODRUFF: And adding up to what? What does that cost the companies, the organizations that have been hacked into?

RICHARD BEJTLICH: It’s a difficult question to answer.

When the military encountered this same problem, they had to stand up a separate unit just for the purposes of saying this is the information that was stolen, what is the value, do we have to change a defense contract? Do we have to reengineer a plane? What are the things that we have to do?

And that’s the sort of thinking that we need to get the private sector engaged in.

JUDY WOODRUFF: Well, that’s what I want to finally ask both of you about. And that is, what can be done about this? Is it clear what can be done?

CHRISTOPHER JOHNSON: I don’t think it’s particularly clear, but certainly basic steps such as increasing computer hygiene among employees of companies, for example, being more mindful of these phishing attacks.

One thing that was really striking about the report was that in almost every instance, it started off as one of these spear-phishing attack e-mails. It looked legitimate and was sent to a senior corporate executive in a lot of cases.

In terms of what the Obama administration can do, I think that this gives us — them the opportunity and significant leverage with the Chinese to increase the amount of transparency and debate on cyber and especially to increase the dialogue with the People’s Liberation Army on the subject.

JUDY WOODRUFF: Is it the sort of thing that a company or an individual can, say, sign up for some security software and prevent?

RICHARD BEJTLICH: I wouldn’t worry necessarily as an individual, but as a company I would download the report, I would take it to my I.T. or security staff and say what are we doing about the issues in this report?

And then at the higher level, at the strategic level, I would say, what is my government doing about this? What is the position that we’re going to take with the Chinese? The government now has a tool that they can use in discussion with our allies, with the Chinese government that is not classified. It’s unclassified. And they can discuss it in an open manner.

JUDY WOODRUFF: So, just very quickly, are we talking about legislation or are we talking about something that can be done by the executive branch?

RICHARD BEJTLICH: Well, Mandiant supports the legislation that Chairman Rogers has put forth on the HPSCI for intel sharing.

And I think for anyone who has privacy concerns, take a look at the report. You will not see personally identifiable information in that report. This is the sort of thing that could share — be shared amongst companies and help protect us all.

JUDY WOODRUFF: All right, well, gentlemen, it raises a lot of questions. And we thank you both for being here.

Richard Bejtlich, Christopher Johnson, thank you.