On Monday, the US Department of Justice (DoJ) took actions previously unseen in the world of computer security. The press release announcing the activity noted the following:
“A grand jury in the Western District of Pennsylvania (WDPA) indicted five Chinese military hackers for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries.”
The accompanying indictment begins with the following excerpt:
“From at least in or about 2006 up to and including at least in our about April 2014, members of the People’s Liberation Army, the military of the People’s Republic of China, conspired together and with each other to hack into the computers of commercial entities in the Western District of Pennsylvania and elsewhere in the United States.”
These two sentences are packed with meaning for anyone who has been working to counter the Chinese digital threat, either within, or on behalf of, victim organizations. First, the indictment zeroes in on the military aspect of the threat. DoJ isn’t talking about nebulous “Chinese hackers,” perhaps working as contractors for hire. These are PLA troops, some of whom are pictured in the indictment wearing their uniforms. Second, these sentences confirm the temporal span of the activity, roughly an eight year period. This is a sustained, persistent, resourced campaign. Third, they emphasize economic espionage against commercial American targets, not targets in the US military or intelligence communities. The US government has always been clear that it will not tolerate Chinese hacking to financially and scientifically accelerate Chinese economic growth.
For those of us who worked on exposing this threat over the years, the indictment contains many other relevant details. We read that the five defendants “worked together and with others known and unknown to the Grand Jury for the PLA’s General Staff, Third Department (“3PLA”), a signals intelligence component of the PLA, in a Unit known by the Military Unit Code Designator 61398 (“Unit 61398”), and in the vicinity of 208 Datong Road, Pudong District, Shanghai, China.” This is exactly the same unit, designation, and location identified in the 2013 Mandiant report,APT1: Exposing One of China’s Cyber Espionage Units. This statement is the first open, unclassified, official confirmation of the core attribution element in the Mandiant report. It shows that APT1 aka United 61398 aka the Second Bureau of the Third Department of the General Staff Directorate of the PLA is a threat to US economic and security interests.
There are many other aspects of the indictment that I find fascinating, but in the interest of time I will mention one other. Paragraph four states the following:
“During the period relevant to this Indictment, Chinese firms hired the same PLA Unit where the defendants worked to provide information technology services. For example, one SOE involved in trade litigation against some of the American victims mentioned herein hired the Unit, and one of the co-conspirators charged herein, to build a ‘secret’ database to hold corporate ‘intelligence.’”
This is a remarkable statement, because it may answer one of the burning questions those of us analyzing the problem have often asked: how does stolen Western data pass from the Chinese military to the Chinese private sector? According to the indictment, a State Owned Enterprise (SOE) simply hires Unit 61398 to provide IT services, and the military hackers leave the “intelligence” behind in a “database” for the benefit of the SOE.
As the story develops over the coming days, I will keep an eye on it and report back as newsworthy items appear.