BEIJING – One man accused of being a hacker for the Chinese military, Wang Dong, better known as UglyGorilla, wrote in a social media profile that he did not “have much ambition” but wanted “to wander the world with a sword, an idiot.”
Another, Sun Kailiang, also known as Jack Sun, grew up in wealthy Pei County in eastern China, the home of a peasant who founded the ancient Han dynasty and was idolized by Mao. They and three others were indicted by the U.S. Justice Department this week, charged with being part of a Chinese military unit that has hacked the computers of prominent U.S. companies to steal commercial secrets, presumably to aid Chinese companies.
Much about them remains murky. But Chinese websites, as well as interviews with cybersecurity experts and former hackers inside and outside of China, reveal some common traits among the hackers and their operations and show that China’s hacking culture is a mosaic of shifting motivations, employers and allegiances.
Many of the hackers employed directly by the Chinese government are men in their 20s and 30s who have been trained at universities run by the People’s Liberation Army and are employed by the state in myriad ways. Those working directly for the military usually follow a 9-to-5 weekday schedule and are not well paid, experts said. Some military and government employees moonlight as mercenaries and do more hacking on their own time, selling their skills to state-owned and private companies. Some belong to the same online social networking groups.
“There are many types of relationships,” said Adam Segal, a China and cybersecurity scholar at the Council on Foreign Relations in New York. “Some PLA hackers offer their services under contract to state-owned enterprises. For some critical technologies, it is possible that PLA hackers are tasked with attacks on specific foreign companies.”
U.S. accused of espionage
The Obama administration makes a distinction between hacking to protect national security, which it calls fair play, and hacking to obtain trade secrets that would give an edge to corporations, which it says is illegal. China and other nations accuse the United States of being the biggest perpetrator of both kinds of espionage.
In what may be an element of Chinese retaliation for the indictments, a state agency announced plans Thursday for tighter checks on Internet companies that do business in China. The State Internet Information Office said the government would establish new procedures to assess potential security problems with Internet technology and with services used by sectors “related to national security and the public interest,” reported Xinhua, the state-run news agency.
In the indictments, unsealed Monday, the United States accused Wang, Sun and three others of working in the Chinese Army’s Unit 61398, which a report last year by Mandiant, a cybersecurity company in Alexandria, Va., said operated out of a 12-story white tower on the outskirts of Shanghai. That unit is now the most infamous of China’s suspected hacking groups, and the Western cybersecurity industry variously calls it the Comment Crew, the Shanghai Group and APT1.
The Comment Crew is not the only big player in China, where hacking is as common in the corporate and criminal worlds as in the government. It is even promoted at trade shows, in classrooms and on Internet forums.
Western cybersecurity experts usually focus on hackers with state ties. FireEye, a cybersecurity company in Milpitas, Calif., that bought Mandiant in January, is tracking at least 25 “active Chinese-based threat groups,” of which 22 support the state in some way, said Darien Kindlund, the company’s manager of threat intelligence. At least five appear to be tied directly to one or more military groups, Kindlund said, adding that this was a conservative estimate.
Traced back to Beijing
Joe Stewart, a cybersecurity expert at Dell SecureWorks, said that as of last year, the Comment Crew and a unit he called the Beijing Group were using “the lion’s share” of 25,000 suspicious online domains he had been tracking. The Beijing Group, he said, used a dedicated block of IP addresses that could be traced to the Chinese capital and to the network of China Unicom, one of the three biggest state-owned Internet telecommunications companies.
“There’s espionage activity coming out of that,” Stewart said. He added that he had seen no evidence of the Beijing Group working with China Unicom or any other state entity.
A man who answered a China Unicom spokesperson’s phone declined to comment.
The targets pursued by the Comment Crew and the Beijing Group overlap — both go after foreign corporations and government agencies, for example — but the Beijing unit also takes aim at “activist types,” Stewart said, including ethnic Tibetan and Uighur exile groups. The two units are responsible for creating most of the 300 known families of malware, he added.
Western cybersecurity experts saw a surge of online espionage attacks on corporations starting in late 2006. Before that, attacks had been aimed mostly at government agencies or contractors. The experts said much of the initial wave of corporate espionage was traced to China and specifically to the Comment Crew. About a year later, the Beijing Group appeared on the scene.
A smaller unit, the Kunming Group, whose attacks have been traced to IP addresses in Kunming, the capital of Yunnan province, seemed focused on targets in Vietnam, Stewart said. It deployed malware and so-called spear phishing attacks that tried to entice victims to click on messages and links in Vietnamese.
It is unclear exactly what the Kunming Group sought to achieve, but tensions between China and Vietnam have been rising in recent years over territorial disputes in the South China Sea. China moved an oil rig near Vietnam this month, a move Vietnam has protested. Vietnam is also working with foreign oil companies to drill and explore in that sea.
Foreign agencies breached
Although the Obama administration has focused on exposing corporate espionage, hackers suspected of working for the Chinese government have breached a wide range of foreign government agencies, cybersecurity experts say.
For example, FireEye said it had observed spying attacks on Taiwanese government agencies and on a professor in India who held pro-Tibet views. The company called the attackers the Shiqiang Gang. A mainland Chinese group also carried out attacks on Japanese government agencies and companies in September by putting commands on Japanese media websites that would infect users.
Kindlund, the FireEye executive, said people in his industry looked at a variety of factors to determine whether a hacker was a state employee or private contractor. One is the hacker’s security methods: Military hackers are less sloppy. Another is the victims: If the hacker jumps among wildly divergent victims, he said, he is likely to be a contractor. In recent months, FireEye observed a hacker who took aim at foreign defense and aerospace companies, then hacked an online entertainment company. It appeared the hacker was a private contractor, Kindlund said.
There is no proven method of getting a Chinese hacking unit to back down. In early 2013, U.S. officials hoped that the release of the Mandiant report and loud criticism of Chinese cyberespionage by the Obama administration would silence the Comment Crew.
The unit went dormant but resurfaced within five months, Kindlund said. Now, its attacks are at pre-2013 levels. “They’re using similar tactics but launching attacks from different infrastructure,” he said. “The tools are only slightly modified. Overall, most of the changes are very minor.”