
5/25/2014 U.S. Case Offers Glimpse Into China's Hacker Army - NYTimes.com
http://www.nytimes.com/2014/05/23/world/asia/us-case-offers-glimpse-into-chinas-hacker-army.html?rref=technology&module=Ribbon&version=origin&region=
http://nyti.ms/1mbJZSl
U.S. Case Offers Glimpse Into China's Hacker Army
By EDWARD WONG MAY 22, 2014
BEIJING - One man accused of being a hacker for the Chinese military,
Wang Dong, better known as UglyGorilla, wrote in a social media profile
that he did "not have much ambition" but wanted to "wander the world
with a sword, an idiot."
Another, Sun Kailiang, also known as Jack Sun, grew up in wealthy
Pei County in eastern China, the home of a peasant who founded the
ancient Han dynasty and was idolized by Mao.
They and three others were indicted by the United States Justice
Department this week, charged with being part of a Chinese military unit
that has hacked the computers of prominent American companies to steal
commercial secrets, presumably for the benefit of Chinese companies.
Much about them remains murky. But Chinese websites, as well as
interviews with cybersecurity experts and former hackers inside and
outside China, reveal some common traits among those and other hackers,
and show that China's hacking culture is a complex mosaic of shifting
motivations, employers and allegiances.
Many hackers working directly for the Chinese government are men in
their 20s and 30s who have been trained at universities run by the People's
Liberation Army and are employed by the state in myriad ways. Those
working directly for the military usually follow a 9-to-5 weekday schedule
and are not well paid, experts and former hackers said. Some military and
government employees moonlight as mercenaries and do more hacking on
their own time, selling their skills to state-owned and private companies.
Some belong to the same online social networking groups.
"There are many types of relationships," said Adam Segal, a China
and cybersecurity scholar at the Council on Foreign Relations in New York.
"Some P.L.A. hackers offer their services under contract to state-owned
enterprises. For some critical technologies, it is possible that P.L.A.
hackers are tasked with attacks on specific foreign companies."
The Obama administration makes a distinction between hacking to
protect national security, which it calls fair play, and hacking to obtain
trade secrets that would give an edge to corporations, which it says is
illegal. China and other nations accuse the United States of being the
biggest perpetrator of both kinds of espionage.
In what may be Chinese retaliation for the indictments, a state agency
announced plans on Thursday for tighter checks on Internet companies
that do business in China. The State Internet Information Office said the
government would establish new procedures to assess potential security
problems with Internet technology and with services used by sectors
related to national security and the public interest, reported Xinhua, the
state-run news agency.
In the indictments, unsealed on Monday, the United States accused
Mr. Wang, Mr. Sun and three others of working in the Chinese Army's
Unit 61398, which a report last year by Mandiant, a cybersecurity
company in Alexandria, Va., said operated out of a 12-story white tower on
the outskirts of Shanghai. That unit is now the most infamous of China's
suspected hacking groups, and the Western cybersecurity industry
variously calls it the Comment Crew, the Shanghai Group and APT1.
Some members are active on Chinese social media. Mr. Wang, Mr.
Sun and another of the men indicted, Wen Xinyu, are part of a group on
QQ, a social networking and messaging tool, that calls itself "Poor Folks
Fed by Public Funds," according to an Internet search.
The group, which has 24 members, also includes Mei Qiang, a
hacking suspect named in the Mandiant report whose alias is SuperHard.
Another member, Xu Yaoling, has the same name as someone from the
P.L.A. University of Science and Technology, a military institution in
Nanjing, who has written papers on hacking and cybersecurity.
Mr. Wang posted messages on an official Chinese military forum in
2004 under the alias Green Field. He called himself a military enthusiast
and asked in one thread, "Does our military have the capabilities to fight
against American troops?" His forum profile listed an English name, Jack
Wang, and an email address; messages sent this week to that address went
unanswered. He has been known to leave a signature, ug, on malware he
has created.
"I think they're soldiers with some training in computer technology,
not technology people drafted into the military," said a former hacker who
has done what he calls defensive work for the Chinese Army and security
agencies.
The Comment Crew is not the only big player in China, where hacking
is as common in the corporate and criminal worlds as in the government.
It is even promoted at trade shows, in classrooms and on Internet forums.
Western cybersecurity experts usually focus on hackers with state ties.
FireEye, a cybersecurity company in Milpitas, Calif., that bought
Mandiant in January, is tracking at least 25 active Chinese-based threat
groups, of which 22 support the state in some way, said Darien Kindlund,
the company's manager of threat intelligence. At least five appear to be
tied directly to one or more military groups, Mr. Kindlund said, adding
that this was a conservative estimate.
Joe Stewart, a cybersecurity expert at Dell SecureWorks, said that as
of last year, the Comment Crew and a unit he called the Beijing Group
were using the lion's share of 25,000 suspicious online domains he had
been tracking. The Beijing Group, he said, used a dedicated block of I.P.
addresses that could be traced to the Chinese capital and to the network of
China Unicom, one of the three biggest state-owned Internet
telecommunications companies.
"There's espionage activity coming out of that," Mr. Stewart said,
though he added that he had seen no evidence of the Beijing Group's
working with China Unicom or any other state entity.
A man who answered a China Unicom spokesman's cellphone
declined to comment.
The targets pursued by the Comment Crew and the Beijing Group
overlap - both go after foreign corporations and government agencies, for
example - but the Beijing unit also takes aim at "activist types," Mr.
Stewart said, including ethnic Tibetan and Uighur exile groups. The two
units are responsible for creating most of the world's 300 known families
of malware, he added.
Western cybersecurity experts saw a surge of online espionage attacks
on corporations starting in late 2006. Before that, attacks had been aimed
mostly at government agencies or contractors. The experts said much of
the initial wave of corporate espionage was traced to China, and
specifically to the Comment Crew. About a year later, the Beijing Group
appeared on the scene.
A smaller unit, the Kunming Group, whose attacks have been traced
to I.P. addresses in Kunming, the capital of Yunnan Province, seemed
focused on targets in Vietnam, Mr. Stewart said. It deployed malware and
so-called spear phishing attacks that tried to entice victims to click on
messages and links in Vietnamese.
It is unclear exactly what the Kunming Group sought to achieve, but
tensions between China and Vietnam have been rising in recent years over
territorial disputes in the South China Sea. China moved an oil rig near
Vietnam this month, an action Vietnam has protested. Vietnam is also
working with foreign oil companies to drill and explore in that sea.
Though the Obama administration has focused on exposing corporate
espionage, hackers suspected of working for the Chinese government have
breached a wide range of foreign government agencies, cybersecurity
experts say.
For example, FireEye said it had observed spying attacks on
Taiwanese government agencies and on a professor in India who held pro-Tibet
views. The company called the attackers the Shiqiang Gang. A
mainland Chinese group also carried out attacks on Japanese government
agencies and companies last September by putting commands on
Japanese news media websites that would infect users.
Mr. Kindlund, the FireEye executive, said people in his industry
looked at a variety of factors to determine whether a hacker was a state
employee or private contractor. One is the hacker's security methods:
Military hackers are less sloppy. Another is the victims: A hacker who
jumps among wildly divergent victims, he said, is likely to be a contractor.
In recent months, FireEye observed a hacker who took aim at foreign
defense and aerospace companies, then hacked an online entertainment
company. It appeared the hacker was a private contractor, Mr. Kindlund
said.
There is no proven method of getting a Chinese hacking unit to back
down. In early 2013, American officials hoped that the release of the
Mandiant report and loud criticism of Chinese cyberespionage by the
Obama administration would silence the Comment Crew. The unit went
dormant but resurfaced within five months, Mr. Kindlund said. Now, its
attacks have returned to pre-2013 levels.
"They're using similar tactics but launching attacks from different
infrastructure," Mr. Kindlund said. "The tools are only slightly modified.
Over all, most of the changes are very minor."
Jonathan Ansfield and Chris Buckley contributed reporting, and Kiki Zhao and Mia Li contributed
research.
A version of this article appears in print on May 23, 2014, on page A1 of the New York edition with
the headline: U.S. Case Offers Glimpse Into China's Hacker Army.
© 2014 The New York Times Company
