Inside China's hackers

  • Updated: May 22, 2014 - 9:43 PM

Five were indicted this week for breaking into U.S. companies’ computers.

A wanted poster for five Chinese hackers who were charged by the U.S. Justice Department with economic espionage and theft of trade secrets.

Photo: New York Times,

CameraStar Tribune photo galleries

Cameraview larger


– One man accused of being a hacker for the Chinese military, Wang Dong, better known as UglyGorilla, wrote in a social media profile that he did not “have much ambition” but wanted “to wander the world with a sword, an idiot.”

Another, Sun Kailiang, also known as Jack Sun, grew up in wealthy Pei County in eastern China, the home of a peasant who founded the ancient Han dynasty and was idolized by Mao. They and three others were indicted by the U.S. Justice Department this week, charged with being part of a Chinese military unit that has hacked the computers of prominent U.S. companies to steal commercial secrets, presumably to aid Chinese companies.

Much about them remains murky. But Chinese websites, as well as interviews with cybersecurity experts and former hackers inside and outside of China, reveal some common traits among the hackers and their operations and show that China’s hacking culture is a mosaic of shifting motivations, employers and allegiances.

Many of the hackers employed directly by the Chinese government are men in their 20s and 30s who have been trained at universities run by the People’s Liberation Army and are employed by the state in myriad ways. Those working directly for the military usually follow a 9-to-5 weekday schedule and are not well paid, experts said. Some military and government employees moonlight as mercenaries and do more hacking on their own time, selling their skills to state-owned and private companies. Some belong to the same online social networking groups.

“There are many types of relationships,” said Adam Segal, a China and cybersecurity scholar at the Council on Foreign Relations in New York. “Some PLA hackers offer their services under contract to state-owned enterprises. For some critical technologies, it is possible that PLA hackers are tasked with attacks on specific foreign companies.”

U.S. accused of espionage

The Obama administration makes a distinction between hacking to protect national security, which it calls fair play, and hacking to obtain trade secrets that would give an edge to corporations, which it says is illegal. China and other nations accuse the United States of being the biggest perpetrator of both kinds of espionage.

In what may be an element of Chinese retaliation for the indictments, a state agency announced plans Thursday for tighter checks on Internet companies that do business in China. The State Internet Information Office said the government would establish new procedures to assess potential security problems with Internet technology and with services used by sectors “related to national security and the public interest,” reported Xinhua, the state-run news agency.

In the indictments, unsealed Monday, the United States accused Wang, Sun and three others of working in the Chinese Army’s Unit 61398, which a report last year by Mandiant, a cybersecurity company in Alexandria, Va., said operated out of a 12-story white tower on the outskirts of Shanghai. That unit is now the most infamous of China’s suspected hacking groups, and the Western cybersecurity industry variously calls it the Comment Crew, the Shanghai Group and APT1.

The Comment Crew is not the only big player in China, where hacking is as common in the corporate and criminal worlds as in the government. It is even promoted at trade shows, in classrooms and on Internet forums.

Western cybersecurity experts usually focus on hackers with state ties. FireEye, a cybersecurity company in Milpitas, Calif., that bought Mandiant in January, is tracking at least 25 “active Chinese-based threat groups,” of which 22 support the state in some way, said Darien Kindlund, the company’s manager of threat intelligence. At least five appear to be tied directly to one or more military groups, Kindlund said, adding that this was a conservative estimate.

Traced back to Beijing

Joe Stewart, a cybersecurity expert at Dell SecureWorks, said that as of last year, the Comment Crew and a unit he called the Beijing Group were using “the lion’s share” of 25,000 suspicious online domains he had been tracking. The Beijing Group, he said, used a dedicated block of IP addresses that could be traced to the Chinese capital and to the network of China Unicom, one of the three biggest state-owned Internet telecommunications companies.

“There’s espionage activity coming out of that,” Stewart said. He added that he had seen no evidence of the Beijing Group working with China Unicom or other state entity.

A man who answered a China Unicom spokesperson’s phone declined to comment.

The targets pursued by the Comment Crew and the Beijing Group overlap — both go after foreign corporations and government agencies, for example — but the Beijing unit also takes aim at “activist types,” Stewart said, including ethnic Tibetan and Uighur exile groups. The two units are responsible for creating most of the 300 known families of malware, he added.

  • get related content delivered to your inbox

  • manage my email subscriptions


Connect with twitterConnect with facebookConnect with Google+Connect with PinterestConnect with PinterestConnect with RssfeedConnect with email newsletters