PLA Unit 61398

from Wikipedia
People's Liberation Army Unit 61398 (61398部队)

Emblem of the People's Liberation Army
Active: 2002–present
Country: China
Allegiance: Chinese Communist Party
Branch: People's Liberation Army Cyberspace Force
Type: Cyber force, cyber-espionage unit
Role: Cyber warfare, electronic warfare
Part of: People's Liberation Army
Garrison/HQ: Tonggang Road, Pudong, Shanghai
Nicknames:
  • APT 1
  • Comment Crew
  • Comment Panda
  • GIF89a
  • Byzantine Candor
  • Group 3
  • Threat Group 8223

PLA Unit 61398 (also known as APT1, Comment Crew, Comment Panda, GIF89a, or Byzantine Candor; Chinese: 61398部队, Pinyin: 61398 bùduì) is the military unit cover designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks.[2][3][4] The unit is stationed in Pudong, Shanghai,[5] and has been cited by US intelligence agencies since 2002.

History

From left, Chinese military officers Gu Chunhui, Huang Zhenyu, Sun Kailiang, Wang Dong, and Wen Xinyu indicted on cyber espionage charges.

A report by the computer security firm Mandiant stated that PLA Unit 61398 is believed to operate under the 2nd Bureau of the People's Liberation Army General Staff Department (GSD) Third Department (总参三部二局)[1] and that there is evidence that it contains, or is itself, an entity Mandiant calls APT1, part of the advanced persistent threat that has attacked a broad range of corporations and government entities around the world since at least 2006. APT1 is described as comprising four large networks in Shanghai, two of which serve the Pudong New Area. It is one of more than 20 APT groups with origins in China.[1][6] The Third and Fourth Departments, responsible for electronic warfare, are believed to comprise the PLA units mainly responsible for infiltrating and manipulating computer networks.[7]

2014 indictment


On 19 May 2014, the US Department of Justice announced that a federal grand jury had returned an indictment of five 61398 officers on charges of theft of confidential business information and intellectual property from U.S. commercial firms and of planting malware on their computers.[8][9] The five are Huang Zhenyu (黄振宇), Wen Xinyu (文新宇), Sun Kailiang (孙凯亮), Gu Chunhui (顾春晖), and Wang Dong (王东). Forensic evidence traces the base of operations to a 12-story building off Datong Road in a public, mixed-use area of Pudong in Shanghai.[2] The group is also known by various other names including "Advanced Persistent Threat 1" ("APT1"), "the Comment group" and "Byzantine Candor", a codename given by US intelligence agencies since 2002.[10][11][12][13]

The group often compromises internal software "comment" features on legitimate web pages to infiltrate target computers that access the sites, leading it to be known as "the Comment Crew" or "Comment Group".[14][15] The collective has stolen trade secrets and other confidential information from numerous foreign businesses and organizations over the course of seven years such as Lockheed Martin, Telvent, and other companies in the shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors.[11]

Dell SecureWorks said it believed the group included the same attackers behind Operation Shady RAT, an extensive computer espionage campaign uncovered in 2011 in which more than 70 organizations, including the United Nations and government agencies in the United States, Canada, South Korea, Taiwan and Vietnam, were targeted over a five-year period.[2]

The attacks documented in the summer of 2011 represent a fragment of the Comment group's attacks, which go back at least to 2002, according to incident reports and investigators. In 2012, FireEye, Inc. stated that they had tracked hundreds of targets in the last three years and estimated the group had attacked more than 1,000 organizations.[12]

Most activity between malware embedded in a compromised system and the malware's controllers takes place during business hours in Beijing's time zone, suggesting that the group is professionally hired, rather than private hackers inspired by patriotic passions.[7]
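The working-hours observation in the paragraph above is an analytic heuristic rather than a finding that falls out of logs by itself. The following Python script is an added example (not code from the article or from any report it cites) showing how an analyst derives it: each beacon timestamp is converted into a candidate time zone, bucketed by local hour, and scored by the share that lands in a Monday-to-Friday 09:00–18:00 window. The proxy log lines are constructed for illustration, and the fixed UTC-5 offset for US Eastern is a simplification that ignores daylight saving.

```python
"""Working-hours analysis of C2 beacon timestamps.

Added example, not from the article or the reports it cites: converts each
beacon time to candidate zones, buckets by local hour, and measures the share
falling inside a Mon-Fri 09:00-18:00 window. Log lines are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed proxy log lines: "<UTC timestamp> <src> <dst> <bytes>"
SAMPLE_LOG = """\
2011-03-14T01:02:11Z 10.0.4.21 198.51.100.7 1842
2011-03-14T03:15:40Z 10.0.4.21 198.51.100.7 1902
2011-03-14T06:48:05Z 10.0.4.21 198.51.100.7 1777
2011-03-14T08:30:59Z 10.0.4.21 198.51.100.7 2210
2011-03-14T10:10:10Z 10.0.4.21 198.51.100.7 1810
2011-03-14T18:20:45Z 10.0.4.21 198.51.100.7 1650
2011-03-15T00:55:12Z 10.0.4.21 198.51.100.7 1899
2011-03-15T02:40:33Z 10.0.4.21 198.51.100.7 1933
2011-03-15T05:05:01Z 10.0.4.21 198.51.100.7 1788
2011-03-15T07:45:22Z 10.0.4.21 198.51.100.7 1701
"""

# Candidate operator time zones (fixed offsets; DST deliberately ignored).
ZONES = {
    "Asia/Shanghai (UTC+8)": timezone(timedelta(hours=8)),   # China has no DST
    "UTC": timezone.utc,
    "US Eastern (UTC-5, DST ignored)": timezone(timedelta(hours=-5)),
}


def parse_beacons(log_text):
    """Return one aware UTC datetime per non-empty log line."""
    beacons = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp = line.split()[0].replace("Z", "+00:00")
        beacons.append(datetime.fromisoformat(stamp))
    return beacons


def hour_histogram(beacons, tz):
    """Count beacons per local hour (0-23) after converting to tz."""
    return Counter(b.astimezone(tz).hour for b in beacons)


def working_hours_share(beacons, tz, start=9, end=18, weekdays_only=True):
    """Fraction of all beacons inside [start, end) local time on Mon-Fri."""
    if not beacons:
        return 0.0
    hits = 0
    for b in beacons:
        local = b.astimezone(tz)
        if weekdays_only and local.weekday() >= 5:
            continue  # Saturday/Sunday in the candidate zone
        if start <= local.hour < end:
            hits += 1
    return hits / len(beacons)


def rank_zones(beacons, zones):
    """Rank candidate zones by working-hours share, best fit first."""
    scores = {name: working_hours_share(beacons, tz) for name, tz in zones.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    data = parse_beacons(SAMPLE_LOG)
    for name, score in rank_zones(data, ZONES):
        print(f"{name:34s} working-hours share = {score:.2f}")
    print("UTC+8 hourly histogram:", sorted(hour_histogram(data, ZONES["Asia/Shanghai (UTC+8)"]).items()))
```

With the constructed sample, 7 of 10 beacons fall in Shanghai working hours against 1 of 10 for UTC or a fixed US Eastern offset. On real data the same score should be computed over weeks of traffic, and holidays in the candidate country checked separately, before reading anything into it.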

A 2020 report in Daily News and Analysis stated that the unit was eyeing information related to defense and research in India.[16]

Public position of the Chinese government


Up to 2013, the government of China had consistently denied that it is involved in hacking.[17] In response to the Mandiant Corporation report about Unit 61398, Hong Lei, a spokesperson for the Chinese foreign ministry, said such allegations were "unprofessional".[17][4]

from Grokipedia
PLA Unit 61398, formally the Second Bureau of the Third Department of the People's Liberation Army General Staff Department, is a Chinese military signals intelligence and cyber operations unit headquartered in a 12-story facility in Pudong, Shanghai.[1][2] The unit specializes in computer network exploitation, conducting advanced persistent threat operations to gather intelligence and intellectual property from foreign targets, primarily in the United States and other Western nations.[2][3] In 2013, cybersecurity firm Mandiant attributed to Unit 61398—designated as APT1—a multi-year espionage campaign compromising at least 141 organizations across 20 industries, exfiltrating hundreds of terabytes of data including blueprints, formulas, and proprietary research to support Chinese military and economic advantages.[2] This attribution relied on forensic analysis linking malicious infrastructure, malware signatures, and operational patterns to the unit's physical location and personnel.[2] The following year, the U.S. Department of Justice indicted five Unit 61398 officers—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—on charges of hacking U.S. corporations in sectors such as nuclear energy, metals, and solar technology, as well as labor organizations, to steal trade secrets benefiting Chinese state interests.[3][4] These actions exemplified state-sponsored economic espionage, prompting international scrutiny of China's cyber practices despite official denials from Beijing asserting no government involvement.[3] Following PLA reforms in 2015–2016, the unit's structure was integrated into the People's Liberation Army Strategic Support Force, though its legacy persists in attributions of ongoing cyber threats.

Overview

Establishment and Mandate

PLA Unit 61398 serves as the military unit cover designator for the Second Bureau of the People's Liberation Army (PLA) General Staff Department's Third Department, also known as the Technical Reconnaissance Department, which is tasked with signals intelligence (SIGINT) collection.[1] The Third Department's mandate encompasses intercepting and analyzing foreign communications to support national security objectives, including military and economic intelligence gathering through technical means such as electronic surveillance and cyber operations.[3] This bureau-level entity operates from a facility in Shanghai's Pudong district, equipped for advanced network operations.[5]

While the precise establishment date of Unit 61398 remains undisclosed in open sources, its operational infrastructure, including a 12-story headquarters building, was constructed starting around 2007, aligning with the expansion of China's cyber capabilities during that period.[6] U.S. intelligence assessments trace the unit's cyber activities to at least 2006, involving persistent intrusions into foreign networks for data exfiltration, though the underlying SIGINT functions likely predate these digital efforts as part of the PLA's longstanding reconnaissance apparatus.[6] The unit's role extends beyond offensive cyber espionage to include training in linguistics, computer programming, and covert communications, enabling targeted intelligence operations against perceived strategic adversaries.[1]

Chinese authorities have denied that Unit 61398 engages in hacking or espionage, asserting that the unit focuses on routine military communications and research, while dismissing Western attributions as politically motivated.[7] However, evidence from cybersecurity analyses and U.S. Department of Justice indictments of five unit members in May 2014 for computer hacking and economic espionage underscores its alleged mandate to acquire proprietary information from U.S. corporations in sectors like defense, energy, and technology, supporting China's state-directed industrial policies.[3] These activities are framed by U.S. sources as part of a broader PLA strategy to close technological gaps through non-traditional intelligence methods.[6]

Organizational Affiliation

PLA Unit 61398 serves as the military unit cover designator (MUCD) for the Second Bureau of the Third Department within the General Staff Department (GSD) of the People's Liberation Army (PLA).[3][1] The Third Department, established in the early 1990s, holds primary responsibility for signals intelligence collection, technical reconnaissance, and electronic warfare support across the PLA's seven military regions.[8] This bureau-level entity operates from a large facility in the Pudong district of Shanghai, housing an estimated 1,000 to 2,000 personnel focused on cyber and network operations. The Second Bureau's affiliation underscores its integration into the PLA's intelligence apparatus, where it functions as one of multiple sub-bureaus conducting specialized technical tasks under centralized GSD oversight.[9] U.S. indictments in 2014 explicitly identified five indicted hackers as officers assigned to Unit 61398 within this structure, linking their activities to state-directed espionage.[3] Infrastructure analysis, including IP addresses and fiber-optic connections provided by China Telecom, further corroborates the unit's PLA embedding, with operations tied to government-allocated resources. Prior to the 2015-2016 PLA reforms, which reorganized the GSD into the Joint Staff Department and transferred cyber functions to the Strategic Support Force, Unit 61398 exemplified the PLA's pre-reform emphasis on department-level technical bureaus for information operations.[10] These reforms dispersed some Third Department elements but preserved core affiliations with PLA intelligence directorates, maintaining continuity in operational mandates.[1]

Historical Development

Pre-2013 Operations

PLA Unit 61398 initiated cyber espionage activities targeting foreign networks at least as early as 2006, with evidence of custom malware backdoors dating to that year and earlier compilation timestamps from 2004.[11] These operations focused on infiltrating corporate and government systems to exfiltrate intellectual property and strategic data, primarily in English-speaking countries.[11] By early 2013, the unit had compromised at least 141 organizations across 20 industries, including aerospace, defense, energy, and information technology, with annual intrusion rates increasing over time.[11] Intruders employed spear-phishing emails to deliver custom malware, such as the WEBC2 backdoor and tools for email harvesting like GETMAIL, enabling prolonged access with an average dwell time of 356 days per victim and up to 1,764 days in extreme cases.[11] Data exfiltration reached hundreds of terabytes across victims, including a single instance of 6.5 terabytes stolen over 10 months from one organization.[11]

Unit personnel, including officers Wang Dong and Sun Kailiang, targeted U.S. firms such as Alcoa between February and June 2008 and U.S. Steel in 2010, using malware to access technical specifications, bid proposals, and internal communications.[3] Similar tactics struck Westinghouse Electric Company between 2010 and 2011, yielding nuclear plant design data and business strategies.[3] Supporting infrastructure included over 900 command-and-control servers hosted on hundreds of IP addresses, many registered to Shanghai-based entities near the unit's physical location, facilitating simultaneous operations against dozens of targets as observed in early 2011.[11] Officer Huang Zhenyu contributed programming for state-owned enterprise tools between 2006 and 2009, including database creation for data management.[3] These efforts aligned with broader patterns of economic espionage, prioritizing high-value sectors for competitive advantage rather than immediate disruptive effects.[11]

2013 Mandiant Attribution

In February 2013, cybersecurity firm Mandiant published the report APT1: Exposing One of China's Cyber Espionage Units, attributing a sophisticated cyber espionage campaign—designated APT1—to the People's Liberation Army (PLA) Unit 61398.[2][12] The report detailed APT1's operations dating back to at least 2006, involving the compromise of over 140 organizations, predominantly in the United States across sectors including technology, aerospace, and energy.[2] Mandiant's analysis drew from forensic investigations of victim networks, malware reverse-engineering, and infrastructure mapping, concluding with high confidence that APT1 operated from within Unit 61398 based on overlapping location, operational scale, and mission alignment.[2]

Key evidence centered on geographic and infrastructural correlations. APT1's command-and-control infrastructure was heavily concentrated in Shanghai, with 709 of 849 traced IP addresses registered in China—primarily to China Unicom blocks in the city—and 22% of 107 analyzed domains explicitly listing Shanghai addresses.[2] Two of APT1's four primary "home" net blocks were allocated in the Pudong New Area, the same district housing Unit 61398's headquarters in a 12-story, 130,663-square-foot facility on Datong Road in Gaoqiaozhen, completed in early 2007 and equipped with specialized fiber-optic lines by China Telecom.[2][5] Operator personas associated with APT1, such as "Ugly Gorilla" (linked to malware uploads and domains registered as early as October 25, 2004), self-identified online as residing in Pudong, further tying activities to the unit's locale.[2]

The scale and expertise required for APT1's sustained intrusions—estimated to involve dozens to hundreds of direct operators plus extensive support staff—mirrored Unit 61398's structure.[2] The unit, subordinate to the PLA General Staff Department's Third Department (signals intelligence) and Second Bureau, was assessed to employ hundreds to thousands of personnel trained in computer network operations, English-language analysis, and covert communications, enabling multi-year campaigns against foreign targets.[2][13] Mandiant noted APT1's professional tactics, including custom malware deployment and data exfiltration volumes exceeding gigabytes per victim, aligned with a state-sponsored military entity's resources rather than independent actors.[2]

Mandiant emphasized that while no single "smoking gun" like internal documents directly confirmed the link, the cumulative evidence—encompassing infrastructure proximity, equivalent operational tempo (e.g., over 1,000 servers in hop chains), and shared focus on economic espionage—made alternative explanations improbable.[2] The report posited that a non-PLA entity replicating this activity from the same confined Shanghai area would require implausibly similar capabilities and motivations.[2] This attribution marked a rare public naming of a specific Chinese military unit in cyber operations, prompting international scrutiny and later influencing U.S. policy responses.[5]

2014 US Indictment

On May 19, 2014, the United States Department of Justice unsealed an indictment returned by a federal grand jury in the Western District of Pennsylvania, charging five officers of the People's Liberation Army (PLA) Unit 61398 with offenses related to cyber espionage against American entities.[3] The defendants—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—were identified as members of the Third Department of the PLA, specifically operating from Unit 61398 in Shanghai.[3][4] This marked the first time the U.S. government publicly indicted members of a foreign military for conducting cyber intrusions into private sector networks to steal trade secrets.[3]

The 31-count indictment alleged a conspiracy spanning from 2006 to 2014, involving computer hacking, economic espionage, identity theft, and wire fraud, with the defendants purportedly using spear-phishing emails and malware to gain unauthorized access to victim networks.[3][4] Specific actions included stealing proprietary technical data, such as turbine models from Westinghouse Electric Company during nuclear plant bid preparations, and design specifications from SolarWorld AG related to solar panels.[3] The hackers also targeted communications between U.S. labor organizations and members of Congress to access strategy documents on trade negotiations with China.[3] Victims named in the indictment included six American companies and organizations across the nuclear power, metals, and solar industries—Westinghouse Electric Co., United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (AFSCME), Allegheny Technologies Inc., U.S. Steel Corp., and SolarWorld AG—as well as their subsidiaries.[3][4]

The U.S. authorities asserted that the intrusions were state-sponsored efforts to provide competitive advantages to Chinese entities, building on prior attributions like the 2013 Mandiant report linking Unit 61398 to advanced persistent threat (APT1) activities.[3] None of the defendants have been extradited or appeared in U.S. court as of the announcement, rendering the indictment largely symbolic in terms of immediate legal enforcement but significant for public attribution and diplomatic signaling.[3]

Post-2015 PLA Reforms and Evolution

In late 2015, the People's Liberation Army (PLA) initiated comprehensive structural reforms under Central Military Commission (CMC) Chairman Xi Jinping, abolishing the four general departments—including the 3rd Department responsible for technical reconnaissance and cyber operations—and redistributing their functions to new entities directly under the CMC and joint theater commands.[14][15] Unit 61398, previously affiliated with the 3rd Department's 2nd Bureau and linked to cyber espionage activities, was integrated into the newly established PLA Strategic Support Force (SSF) in December 2015, specifically under its Network Systems Department, which centralized cyber, electronic warfare, and network operations previously dispersed across PLA branches.[16][17] This reorganization aimed to enhance joint operations and information dominance but also reduced the visibility of specific units like 61398, contributing to a perceived decline in attributable PLA-linked cyber intrusions traceable to pre-reform identifiers.[14]

The SSF's formation marked a shift toward "informatized" warfare, with Unit 61398's personnel—estimated at over 2,000 engineers and technicians focused on hacking and malware development—retained for advanced persistent threat (APT) activities, though operations became more compartmentalized and less tied to geographic bases like the unit's Pudong facility.[18] Post-reform, U.S. intelligence assessments noted continuity in tactics, techniques, and procedures (TTPs) associated with APT1 (the Mandiant designation for 61398-linked actors), including spear-phishing and exploitation of zero-day vulnerabilities, but with evolving tools to evade detection, such as custom malware variants observed in campaigns targeting U.S. defense contractors as late as 2018.[18] These changes aligned with Xi's emphasis on military-civil fusion, potentially incorporating civilian talent from state-linked firms, though direct evidence of Unit 61398's exact post-2015 subunit designation remains unavailable given the PLA's limited transparency.[14]

Further evolution occurred in April 2024, when the CMC dissolved the SSF amid reported internal issues, including corruption purges, and elevated its components into three independent forces: the Cyberspace Force for offensive and defensive cyber missions, the Aerospace Force for space operations, and the Information Support Force for integrated networks and electronic warfare.[15][19] Unit 61398's cyber elements were reportedly centralized under the new Cyberspace Force, reflecting Xi's push for "intelligentized" warfare with AI-enhanced capabilities, though this structure may further obscure attribution by emphasizing domain-specific commands over legacy units.[20] These reforms have not halted espionage allegations; for instance, U.S. officials attributed 2023–2024 intrusions on critical infrastructure to PLA-affiliated actors exhibiting TTPs consistent with pre-reform Unit 61398 operations, underscoring adaptation rather than cessation.[14]

Alleged Activities and Capabilities

Methods and Tools Employed

APT1, linked to PLA Unit 61398, primarily gained initial access through spear-phishing emails containing malicious attachments, such as ZIP files disguised as legitimate documents (e.g., "2012ChinaUSAviationSymposium.zip"), or hyperlinks leading to exploit kits.[2][21] Additional vectors included strategic web compromises, or watering holes, targeting vulnerable Internet-facing web servers to deploy webshells.[2]

The group deployed a diverse arsenal of over 40 malware families, including custom backdoors like WEBC2 variants (e.g., WEBC2-TABLE, WEBC2-QBP), BISCUIT, and SEASALT for remote access and control; remote access trojans (RATs) such as Poison Ivy, Gh0st RAT, AURIGA, and BANGAT for keystroke logging and screen capture; and specialized tools like GETMAIL and MAPIGET for automated email collection.[2][21] These were often customized, with some incorporating public tools like Mimikatz for credential dumping from LSASS memory and PsExec for lateral movement via pass-the-hash techniques.[21] Execution frequently involved Windows Command Shell and batch scripts, while defense evasion included masquerading malware as legitimate processes (e.g., naming files AcroRD32.exe).[21]

Command and control (C2) operations relied on HTTP/HTTPS protocols with SSL encryption, custom encrypted channels, and tools like HTRAN for traffic proxying through compromised hop points; infrastructure encompassed 937 servers across 849 IP addresses (709 in China) and 2,551 fully qualified domain names (FQDNs), many registered dynamically or hijacked from legitimate domains.[2] Persistence was achieved via registry run keys, multiple redundant backdoors, and exploitation of stolen VPN or PKI credentials.[2][21] Lateral movement utilized Remote Desktop Protocol (RDP), Windows Task Scheduler, and network discovery commands (e.g., net user, net group).[21]

Data exfiltration involved compressing files into password-protected RAR, ZIP, or 7-ZIP archives—often split into 200 MB chunks—transmitted via FTP, custom backdoors, or existing C2 channels, with one documented instance extracting 6.5 terabytes from a single victim.[2][21] These tactics supported sustained intrusions averaging 356 days, with a maximum of 1,764 days across 141 compromised organizations since 2006.[2]
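Several of the behaviours listed above leave host telemetry that a defender can match against. The Python below is an added example, not code from the Mandiant report or from MITRE ATT&CK, that turns three of them into detection rules: a binary named AcroRD32.exe executing from outside the vendor's directory, `net user` / `net group` style enumeration on the command line, and a directory filling with split archive pieces clustered around 200 MB. The event field names (Image, CommandLine, TargetFilename, Size) are assumptions modelled on Sysmon-style process- and file-creation records rather than any product's real schema, and all events are constructed.

```python
"""Host-based detection rules for three APT1 behaviours described above.

Added example, not code from the Mandiant report or MITRE ATT&CK: it turns
three TTPs named in the text (malware masquerading as AcroRD32.exe, `net user`
/ `net group` discovery, and staging of ~200 MB split RAR/ZIP/7-ZIP chunks)
into rules over constructed process- and file-creation events. The field
names (Image, CommandLine, TargetFilename, Size) are assumptions modelled on
Sysmon-style telemetry, not any product's real schema.
"""
import re
from pathlib import PureWindowsPath

MB = 1024 * 1024
CHUNK_BYTES = 200 * MB  # chunk size the text attributes to APT1 staging

# Decoy names the text mentions, and where the genuine binary lives.
EXPECTED_PATHS = {
    "acrord32.exe": (r"c:\program files\adobe", r"c:\program files (x86)\adobe"),
}

# `net user`, `net group`, `net localgroup`, `net view`, also via net1 or cmd /c.
DISCOVERY_RE = re.compile(
    r"(?:^|[\s&|;])net(?:1)?(?:\.exe)?\s+(?:user|group|localgroup|view)\b", re.I)

# Split-archive naming: x.part01.rar, x.r00, x.zip.001, x.7z.002
SPLIT_RE = re.compile(r"\.(?:part\d+\.rar|r\d{2}|(?:zip|7z)\.\d{3})$", re.I)


def flag_masquerade(event):
    """True when a known decoy name runs from outside its vendor directory."""
    image = PureWindowsPath(event["Image"])
    expected = EXPECTED_PATHS.get(image.name.lower())
    if expected is None:
        return False
    return not str(image.parent).lower().startswith(expected)


def flag_discovery(event):
    """True when the command line contains a net.exe account/group enumeration."""
    return DISCOVERY_RE.search(event.get("CommandLine", "")) is not None


def flag_archive_staging(file_events, min_chunks=3, tolerance=0.05):
    """Directories holding >= min_chunks split-archive pieces within 5% of 200 MB.

    The final chunk of a split archive is usually short, so it is ignored; the
    rule fires on the run of equal-sized chunks that precedes it.
    """
    by_dir = {}
    for ev in file_events:
        path = PureWindowsPath(ev["TargetFilename"])
        if not SPLIT_RE.search(path.name):
            continue
        if abs(ev["Size"] - CHUNK_BYTES) > CHUNK_BYTES * tolerance:
            continue
        by_dir.setdefault(str(path.parent).lower(), []).append(path.name)
    return {d: sorted(names) for d, names in by_dir.items() if len(names) >= min_chunks}


def triage(process_events, file_events):
    """Run all three rules and return (rule, detail) findings."""
    findings = []
    for ev in process_events:
        if flag_masquerade(ev):
            findings.append(("masquerade", ev["Image"]))
        if flag_discovery(ev):
            findings.append(("discovery", ev["CommandLine"]))
    for directory, names in flag_archive_staging(file_events).items():
        findings.append(("archive_staging", f"{directory} ({len(names)} chunks)"))
    return findings


# Constructed telemetry: one benign Reader launch, one decoy in Temp, two
# discovery commands, one benign `net use`, and one staged split archive.
PROCESS_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe",
     "CommandLine": "AcroRd32.exe"},
    {"Image": r"C:\Windows\Temp\AcroRD32.exe", "CommandLine": "AcroRD32.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net  group "domain admins" /domain'},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use \\fileserver\share"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c net user"},
]
FILE_EVENTS = [
    {"TargetFilename": r"C:\Windows\Temp\up\data.part01.rar", "Size": 200 * MB},
    {"TargetFilename": r"C:\Windows\Temp\up\data.part02.rar", "Size": 200 * MB},
    {"TargetFilename": r"C:\Windows\Temp\up\data.part03.rar", "Size": 199 * MB},
    {"TargetFilename": r"C:\Windows\Temp\up\data.part04.rar", "Size": 37 * MB},
    {"TargetFilename": r"C:\Users\alice\Documents\photos.zip", "Size": 200 * MB},
    {"TargetFilename": r"C:\Users\bob\backup.r00", "Size": 15 * MB},
]

if __name__ == "__main__":
    for rule, detail in triage(PROCESS_EVENTS, FILE_EVENTS):
        print(f"{rule:16s} {detail}")
```

On the constructed events the script raises four findings: the decoy AcroRD32.exe in `C:\Windows\Temp`, the two `net group` / `net user` enumerations, and the run of three 199–200 MB RAR pieces in `C:\Windows\Temp\up`. The benign Reader launch, the `net use` mount, and the lone small `.r00` file pass. Each rule on its own is noisy in a real estate (administrators run `net group` too), which is why the triage function reports them together so that co-occurrence on one host can be prioritised.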

Targeted Sectors and Victims

Mandiant's 2013 report attributed to PLA Unit 61398, designated as APT1, the targeting of 141 organizations across at least 20 industries since 2006, with 115 victims headquartered in the United States.[2] These industries included information technology, aerospace, public administration, satellites and telecommunications, scientific research and consulting services, energy, transportation, construction and manufacturing, engineering services, high-technology electronics, international organizations, legal services, media and entertainment, navigation, chemicals, financial services, food and agriculture, healthcare, metals and mining, and education.[2] The operations focused heavily on sectors aligned with China's strategic priorities, such as those outlined in its 12th Five-Year Plan, emphasizing intellectual property theft to support economic and technological advancement.[2]

The U.S. Department of Justice's 2014 indictment of five individuals affiliated with Unit 61398 provided specific examples of victims in high-value industrial sectors.[3] Targeted entities included Westinghouse Electric Company in the nuclear power sector, U.S. subsidiaries of SolarWorld AG in solar energy manufacturing, United States Steel Corporation, Allegheny Technologies Inc., and Alcoa Inc. in metals and steel production, as well as the United Steelworkers labor union.[3] These intrusions, spanning 2006 to 2014, aimed to exfiltrate trade secrets, technical specifications, and competitive intelligence to benefit Chinese state-owned enterprises.[3] Broader patterns highlighted aerospace and telecommunications as frequently targeted areas, including companies involved in satellite services, radar technology, avionics, and sensor systems, reflecting a pattern of economic espionage rather than purely military intelligence gathering.[22] While most victims remained anonymous to protect ongoing operations, the scale involved sustained access—averaging over a year per intrusion—and the theft of hundreds of terabytes of data across these sectors.[2]

Scale of Operations

Mandiant's analysis of APT1, attributed to PLA Unit 61398, documented a sustained cyber espionage campaign active since at least 2006, spanning over seven years by the time of the 2013 report. The unit compromised at least 141 organizations across 20 industries, including aerospace, energy, information technology, and high-tech electronics, with 87% of targets in English-speaking countries.[2] These intrusions targeted entities aligned with China's strategic priorities, such as those in its 12th Five-Year Plan for emerging industries.[2] The operations involved exfiltrating hundreds of terabytes of data, with one documented case extracting 6.5 terabytes from a single victim over 10 months. Access persistence averaged 356 days per intrusion, extending up to 1,764 days in the longest observed instance, enabling systematic data theft rather than disruptive attacks.[2][23] Unit 61398 supported these efforts through extensive infrastructure, including 937 command-and-control servers on 849 IP addresses across 13 countries and over 2,500 fully qualified domain names. The unit's physical facility, a 130,663-square-foot complex in Shanghai's Pudong district, is estimated to house hundreds to thousands of personnel, many trained in network operations, underscoring the enterprise-scale resources dedicated to these activities.[2][11]

Accusations and Evidentiary Basis

Key Reports and Intelligence Assessments

In February 2013, cybersecurity firm Mandiant released its report "APT1: Exposing One of China's Cyber Espionage Units," attributing a sustained cyber espionage campaign to Advanced Persistent Threat 1 (APT1), which it linked to the People's Liberation Army's Unit 61398 based in Pudong, Shanghai.[2] The 70-page analysis detailed APT1's infiltration of at least 141 organizations across 20 industries—primarily in the United States—over six years, involving the exfiltration of hundreds of terabytes of data through custom malware, spear-phishing, and command-and-control infrastructure traceable to IP addresses near the unit's reported 12-story facility.[12] Mandiant's attribution relied on forensic indicators such as malware code similarities, operational timing aligned with Chinese work hours, and online personas of suspected unit members boasting hacking skills in English on Chinese forums, though the firm noted challenges in definitive state sponsorship proof absent insider access.[2]

On May 19, 2014, the U.S. Department of Justice unsealed an indictment from the Western District of Pennsylvania charging five Unit 61398 officers—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—with conspiracy to commit computer hacking, economic espionage, and identity theft targeting six U.S. victims, including Westinghouse Electric, U.S. Steel, Allegheny Technologies, Alcoa, and the United Steelworkers Union.[3] The 31-count indictment, supported by FBI investigations, alleged intrusions from 2006 to 2014 that stole nuclear plant designs, steel technology, and union negotiation data, with hackers using malware variants akin to those in Mandiant's findings and routing traffic through leased servers masking origins in China.[3] U.S. officials described Unit 61398 as a cyber warfare arm employing over 2,000 personnel trained in network operations, marking the first public U.S. criminal charges against named PLA members for economic espionage.[24]

Subsequent U.S. intelligence assessments have reinforced these attributions, with the MITRE ATT&CK framework classifying APT1 (also known as Comment Panda) as tied to the PLA's 3rd Department, 2nd Bureau, citing persistent tactics like backdoor implantation and data staging observed in Mandiant and DOJ evidence.[21] Annual U.S. government reports, such as those from the Office of the Director of National Intelligence, have highlighted PLA units including 61398 in broader Chinese cyber threats, though without new unit-specific indictments post-2014 amid reported operational shifts following PLA reforms.[18] These reports emphasize the unit's role in state-directed intelligence collection, drawing on corroborated digital footprints rather than public confessions, while acknowledging attribution limitations in deniable cyber operations.[25]

Specific Incidents Linked to the Unit

In May 2014, the U.S. Department of Justice indicted five officers from PLA Unit 61398—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—for their roles in a conspiracy involving computer hacking and economic espionage against U.S. corporations and a labor organization from approximately 2006 to 2014.[3] The charges specified intrusions into networks of six victims, primarily via spear-phishing emails delivering malware, to exfiltrate trade secrets benefiting Chinese state-owned enterprises.[3]

One key incident involved Alcoa Inc. in mid-2008, shortly after the company announced a partnership with a Chinese state-owned enterprise; hackers stole thousands of emails and attachments containing proprietary information on aluminum production technologies.[3] In 2010, Westinghouse Electric Co. was targeted, resulting in the theft of technical specifications and design drawings for AP1000 nuclear power plants, along with sensitive executive emails that could inform competitive bidding.[3] That same year, U.S. Steel Corp. suffered a spear-phishing attack leading to malware deployment and exfiltration of network hostnames, computer descriptions, and other infrastructural data.[3] Further incidents in 2012 included hacks against U.S. subsidiaries of SolarWorld AG, where thousands of files on cash flow projections, manufacturing metrics, production costs, and legal strategies were stolen amid competition from Chinese solar firms.[3] Allegheny Technologies Inc. lost network login credentials for nearly all employees, enabling broad access to superalloy and titanium technologies used in aerospace and defense.[3] The United Steelworkers union was also compromised, with hackers accessing emails detailing negotiation strategies against Chinese steel dumping, and maintaining persistence into early 2013.[3]

Mandiant's 2013 attribution of APT1 operations to Unit 61398 highlighted additional examples, such as a multi-year intrusion from 2008 to 2010 into an unnamed U.S. wholesale industry victim, where over 2.5 years of files and executive emails were exfiltrated, correlating with Chinese government negotiations that forced a price reduction on the victim's goods.[2] In September 2012, APT1 tools were used in a breach at Telvent Canada Ltd. (now part of Schneider Electric), compromising energy sector systems potentially linked to supervisory control and data acquisition infrastructure.[2] These cases, supported by forensic indicators like IP addresses traced to Unit 61398's Shanghai facility, underscore targeted economic intelligence gathering.[2][3]

Attribution Challenges and Counterarguments

Attributing cyber operations to PLA Unit 61398 encounters technical and methodological hurdles inherent to cyberspace, where perpetrators routinely mask origins through proxy servers, virtual private networks, and compromised infrastructure hosted in neutral jurisdictions. Such obfuscation enables plausible deniability, as IP addresses tied to attacks—such as those Mandiant traced to the Pudong district in Shanghai—can be rented or hijacked without direct control by the implicated entity.[26] Forensic attribution demands correlating multiple indicators like malware signatures, tactics, techniques, and procedures (TTPs), and linguistic artifacts, yet these remain probabilistic rather than conclusive, vulnerable to mimicry by non-state actors or rival states employing false flags.[27] Specific to Unit 61398, evidentiary linkages in reports like Mandiant's 2013 APT1 analysis depend on geospatial clustering of command-and-control servers near the unit's reported facility at 208 Jiayuqiao Street, alongside consistent TTPs observed in over 140 intrusions since 2006.[2] However, skeptics note the absence of intercepted communications, defectors, or physical artifacts directly implicating personnel, rendering claims reliant on private-sector intelligence without independent governmental corroboration beyond U.S. assessments.[28] The unit's formal role in signals intelligence under the PLA's 3rd Department further muddies distinctions between defensive monitoring and offensive espionage, as similar infrastructure could support legitimate military functions.[18] Chinese government rebuttals dismiss these attributions as fabricated, with the Foreign Ministry labeling the 2014 U.S. indictment of five Unit 61398 officers "groundless and absurd," arguing it lacked verifiable proof and served political motives to hinder bilateral ties.[29] Officials contended that the unit, if it exists in the described capacity, focuses on internal security rather than extraterritorial hacking, and accused the U.S. of hypocrisy given documented American cyber intrusions into Chinese networks, such as those revealed by Edward Snowden in 2013.[30] Beijing has highlighted mutual espionage dynamics, asserting that Western indictments ignore comparable activities by U.S. entities like the NSA, which conducted operations against Huawei and Chinese infrastructure.[31] Post-2015 PLA reforms, which reorganized cyber elements into the Strategic Support Force and emphasized contractor proxies, have amplified attribution opacity by dispersing operations across civilian firms and non-military actors, potentially rendering pre-reform linkages to Unit 61398 outdated or misdirected.[32] Counterarguments also invoke the risk of over-attribution, where clustered activity in China's tech hubs like Shanghai—home to thousands of IT firms—might coincidentally align with state facilities, as evidenced by private-sector espionage mimicking military TTPs in Unit 61398's vicinity.[27] The indictments' limited deterrent effect, with no arrests and continued intrusions after 2014, underscores enforcement challenges absent extradition treaties or allied cooperation.[31]

Official Chinese Perspectives

Government Denials and Rebuttals

The Chinese government has repeatedly denied allegations linking PLA Unit 61398 to cyber espionage. Following the release of the Mandiant APT1 report on February 19, 2013, which attributed widespread hacking to the unit, Foreign Ministry spokesman Hong Lei dismissed the claims as "groundless," arguing that hacking is "transnational and anonymous" and that attributing such attacks to a specific country without conclusive proof is unprofessional.[33][34] In response to the U.S. Department of Justice's May 19, 2014, indictments of five officers from Unit 61398—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—for economic espionage targeting U.S. firms including Westinghouse Electric, SolarWorld, and Allegheny Technologies, the Foreign Ministry labeled the charges "absurd" and based on "fabricated facts," stating they undermined mutual trust and cooperation between the two nations.[35][36] The ministry further suspended activities of the Sino-U.S. cyber working group established earlier that year, citing the indictments as a violation of bilateral agreements.[37] China's Defense Ministry echoed these denials by summoning the U.S. defense attaché on May 20, 2014, to protest the indictments as actions that "seriously violated norms of international relations" and jeopardized military ties.[38][39] Officials maintained that the unit was not involved in offensive cyber operations and portrayed the accusations as politically motivated, while deflecting by highlighting U.S. cyber activities, such as those revealed by Edward Snowden regarding NSA surveillance.[36][40] No admissions of involvement have been made, and subsequent PLA reforms in 2015–2017, which restructured cyber units under the Strategic Support Force, were not presented by Beijing as acknowledgments of prior misconduct.[25]

Claims of Mutual Espionage

In response to United States indictments against members of PLA Unit 61398 for alleged cyber espionage, Chinese Foreign Ministry spokespersons asserted that the U.S. government has itself conducted extensive cyber spying operations against China, citing disclosures by former NSA contractor Edward Snowden in 2013.[41] Snowden's leaks revealed that the NSA infiltrated major Chinese telecommunications firms such as China Mobile, hacked servers at Tsinghua University, and targeted Huawei Technologies for intelligence collection, including efforts to insert backdoors into Huawei equipment used globally.[42] These activities, according to Chinese statements, demonstrate U.S. hypocrisy in accusing China while engaging in comparable or greater-scale intrusions, with the NSA's global surveillance programs like PRISM enabling the theft of intellectual property and sensitive data from foreign entities.[43] Following the May 19, 2014, U.S. Department of Justice indictment of five Unit 61398 officers—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—on charges including economic espionage against U.S. firms in nuclear, energy, and aerospace sectors, Foreign Ministry spokesman Qin Gang described the allegations as "fabricated" and emphasized mutual culpability in cyberspace.[3] He stated that "the U.S. has also long been engaged in large-scale cyber theft and spying activities against other countries, including China," directly invoking Snowden's evidence of NSA penetration into Chinese networks since at least 2009.[35] Chinese officials framed this as part of a broader pattern, arguing that the U.S. maintains a monopoly on cyber capabilities while portraying itself as a victim, and urged bilateral dialogue on cybersecurity norms rather than unilateral accusations.[44] Such claims align with recurring Chinese government narratives portraying the nation as a frequent target of foreign cyber threats, with state media outlets like Xinhua reporting that over 38,000 foreign IP addresses—many traced to the U.S.—launched attacks on Chinese websites daily in 2013, coinciding with the Mandiant APT1 report linking Unit 61398 to U.S.-targeted intrusions.[34] However, independent analyses, including those from U.S. cybersecurity firms and intelligence assessments, have noted that while NSA operations focused primarily on national security intelligence rather than commercial theft, the distinction does not negate the espionage element, though Chinese rebuttals often conflate the two to deflect scrutiny.[45] Beijing's position, disseminated through official channels, consistently rejects attribution to state-sponsored units like 61398 while advocating for "peaceful use" of cyberspace, positioning mutual restraint as essential amid escalating bilateral tensions.[46]

Broader Implications

Strategic Role in Chinese National Security

PLA Unit 61398, operating under the Third Department of the People's Liberation Army (PLA) General Staff Department, serves as a primary instrument for conducting cyber espionage to acquire foreign technologies critical to China's military modernization and national security objectives.[2] This unit, identified by cybersecurity firm Mandiant as APT1, has systematically targeted industries aligned with China's strategic priorities, such as aerospace, energy, and pharmaceuticals, extracting intellectual property to bridge technological gaps and support the PLA's informatization efforts.[2][32] Such operations facilitate the transfer of stolen data to state-owned enterprises and military research entities, enabling rapid indigenous innovation under initiatives like "Made in China 2025," which intertwine economic competitiveness with defense capabilities. In the broader framework of Chinese national security, Unit 61398's activities exemplify the PLA's emphasis on "information dominance" as a core pillar of active defense strategy, where cyber intrusions provide actionable intelligence for geopolitical decision-making and deterrence.[47] The unit's role extends to supporting military-civil fusion, wherein espionage-derived technologies enhance both civilian sectors and PLA weapon systems, reducing reliance on imported components vulnerable to sanctions or supply disruptions. This integration underscores a causal link between cyber theft and China's pursuit of comprehensive national power, as articulated in PLA doctrinal writings prioritizing network-centric warfare.[48] The 2015 PLA reforms restructured cyber units, including those linked to 61398, under the Strategic Support Force (SSF), which consolidates space, cyber, and electronic warfare to deliver unified strategic information support.[47] This evolution positions such operations at the nexus of offensive cyber capabilities and national security resilience, enabling the Chinese Communist Party to maintain advantages in potential conflicts over Taiwan or the South China Sea by preemptively degrading adversaries' technological edges.[16] Empirical evidence from attributed intrusions, including IP addresses traced to Shanghai facilities housing the unit, corroborates its enduring operational tempo despite public exposures.[2]

Impact on International Relations

The attribution of cyber espionage to PLA Unit 61398, culminating in the U.S. Department of Justice's May 19, 2014, indictments of five unit members—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—for hacking U.S. firms including Alcoa, U.S. Steel, Westinghouse, Allegheny Technologies, SolarWorld, and the United Steelworkers Union, marked the first formal U.S. charges against Chinese military personnel for economic espionage.[3][4] These indictments, alleging theft of trade secrets worth billions via spear-phishing and malware from 2006 to 2014, represented a direct escalation in public confrontation over state-sponsored hacking, prompting China to denounce them as "groundless" and "absurd" acts of "hegemonism" that sabotaged mutual trust-building efforts.[3][49] In immediate response, China's Foreign Ministry summoned U.S. Ambassador Max Baucus for a formal demarche and briefly halted participation in the U.S.-China Cybersecurity Working Group, signaling heightened bilateral friction amid ongoing economic dialogues.[28] This episode intensified scrutiny of Chinese cyber practices in multilateral forums, influencing allies like the European Union to voice concerns over intellectual property theft and reinforcing U.S.-led calls for international cyber norms against commercial espionage.[24][50] The tensions fed into the June 7-8, 2014, Obama-Xi summit at Sunnylands, where leaders agreed to establish a bilateral Internet Working Group and confidence-building measures to mitigate military cyber misunderstandings, though commercial espionage remained a flashpoint.[51] These steps contributed to the September 25, 2015, U.S.-China cyber agreement, in which both sides pledged not to conduct or support cyber-enabled theft of intellectual property for commercial advantage—a direct outcome of sustained U.S. pressure via attribution and indictments, despite China's prior denials of Unit 61398's role.[52][53] However, the agreement's implementation faltered amid subsequent incidents, perpetuating distrust that has shaped U.S. export controls, investment screening, and technology decoupling policies toward China.[23][54] Internationally, the Unit 61398 case established indictments as a tool of cyber diplomacy, encouraging similar actions against state actors and elevating global awareness of supply-chain vulnerabilities, though it also drew Chinese accusations of mutual espionage, complicating cooperation on non-competitive threats like ransomware.[55][53]

Lessons for Cyber Defense and Attribution

The operations attributed to PLA Unit 61398, as detailed in Mandiant's 2013 APT1 report, underscore the necessity for organizations to prioritize proactive threat hunting and endpoint security to counter prolonged network intrusions. APT1 actors typically gained initial access via spear-phishing emails containing malicious attachments or links, exploiting unpatched software vulnerabilities such as those in Microsoft Office or Adobe Reader, and then deployed custom malware for data exfiltration over periods exceeding six months in many cases.[12][6] Effective defenses thus require mandatory multi-factor authentication, regular patching, and behavioral analytics to detect lateral movement and anomalous data flows, as passive perimeter defenses proved insufficient against these tactics.[6] Key defensive measures informed by Unit 61398-linked incidents include sharing indicators of compromise (IOCs) across sectors, as Mandiant released over 3,000 such indicators—including IP addresses traced to infrastructure near the unit's Shanghai facility—to enable widespread blocking and forensic correlation.[12] Network segmentation and zero-trust architectures emerged as critical responses, given APT1's exploitation of trusted internal systems for command-and-control via hijacked legitimate web servers, which evaded traditional signature-based detection.[6] The unit's focus on intellectual property theft from industries like aerospace, energy, and pharmaceuticals also highlights the value of supply-chain risk management and employee training to mitigate insider-enabled compromises.[3] Attribution to state-sponsored actors like Unit 61398 relies on converging technical evidence, such as malware code reuse, operational timing patterns aligned with Chinese work hours, and geolocated IP addresses from a specific Pudong district building housing the unit, but faces inherent challenges from proxy usage and infrastructure pivoting.[6][14] Following public disclosures, Chinese actors adapted by dispersing operations and enhancing obfuscation, rendering future attributions more resource-intensive and probabilistic, as confirmed by post-2013 shifts in PLA cyber structures.[14][32] The 2014 U.S. Department of Justice indictments of five Unit 61398 officers for hacking U.S. firms like Westinghouse and U.S. Steel demonstrated that legal mechanisms can publicize attributions and impose symbolic costs, yet yielded no extraditions due to China's non-cooperation, illustrating the limits of unilateral judicial responses absent multilateral enforcement.[3] Broader lessons emphasize integrating cyber intelligence with diplomatic signaling, as temporary reductions in similar intrusions followed U.S.-China pacts post-indictment, though persistent denials and mutual accusations of espionage complicate verifiable deterrence.[56] Effective attribution thus demands sustained investment in cross-domain intelligence fusion, beyond technical forensics, to counter plausible deniability in state-directed campaigns.[57]
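One of the converging indicators named above, operator timing aligned with a UTC+8 working day, worked through on constructed command-and-control beacon timestamps, with the fixed-offset scan serving as the probabilistic consistency check that the "Attribution Challenges" section cautions about. This is an added example, not Mandiant's or the APT1 report's tooling; the timestamps, the 08:00-18:00 office window and the fixed-offset scan are assumptions.

```python
"""Work-hour clustering of C2 beacon times, one of the converging attribution
indicators described above.  Added example, not Mandiant's tooling; the
timestamps and the 08:00-18:00 office window are constructed assumptions."""
from collections import Counter
from datetime import datetime, timedelta, timezone

CST_OFFSET = 8           # China Standard Time is UTC+8 with no DST
WORK_WINDOW = (8, 18)    # assumed office day: 08:00 <= local hour < 18:00

# Constructed UTC beacon timestamps, as a proxy or NetFlow log would record them.
BEACONS = [
    "2012-03-05T01:12:44Z", "2012-03-05T03:40:10Z", "2012-03-05T06:05:00Z",
    "2012-03-06T00:30:19Z", "2012-03-06T09:55:02Z", "2012-03-07T02:15:33Z",
    "2012-03-08T07:48:51Z", "2012-03-09T05:20:07Z",
    "2012-03-09T17:02:30Z",  # Saturday 01:02 in UTC+8: outside the office day
    "2012-03-07T15:30:00Z",  # Wednesday 23:30 in UTC+8: outside the office day
]

def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def to_local(dt_utc, offset_hours):
    """Shift an aware UTC datetime to a fixed UTC offset given in hours."""
    return dt_utc.astimezone(timezone(timedelta(hours=offset_hours)))

def in_work_hours(dt_utc, offset_hours=CST_OFFSET, window=WORK_WINDOW):
    """True when the event falls Monday-Friday inside the local working window."""
    local = to_local(dt_utc, offset_hours)
    return local.weekday() < 5 and window[0] <= local.hour < window[1]

def workhour_ratio(stamps, offset_hours=CST_OFFSET, window=WORK_WINDOW):
    """Fraction of beacons landing in working hours for the hypothesised zone."""
    events = [parse_utc(s) for s in stamps]
    return sum(in_work_hours(e, offset_hours, window) for e in events) / len(events)

def local_hour_histogram(stamps, offset_hours=CST_OFFSET):
    """Beacon count per local hour of day; a tight daytime cluster is the tell."""
    return Counter(to_local(parse_utc(s), offset_hours).hour for s in stamps)

def best_fit_offset(stamps, window=WORK_WINDOW):
    """Scan fixed UTC offsets (-12..+14) for the office day that fits best.
    A consistency check only: operators may keep odd hours, traffic may be
    relayed through rented or hijacked hosts, and the result says nothing
    about who owns the endpoints the beacons reach."""
    best = max(range(-12, 15), key=lambda h: workhour_ratio(stamps, h, window))
    return best, workhour_ratio(stamps, best, window)

if __name__ == "__main__":
    print("UTC+8 work-hour ratio:", workhour_ratio(BEACONS))       # 0.8
    print("UTC+0 work-hour ratio:", workhour_ratio(BEACONS, 0))    # 0.3
    print("UTC+8 hour histogram:", sorted(local_hour_histogram(BEACONS).items()))
    print("best-fitting offset:", best_fit_offset(BEACONS))        # (8, 0.8)
```

A high ratio for one zone is only one strand of the converging evidence the text describes; the same sample fits a UTC+7 or UTC+9 office day almost as well, which is why timing is paired with code reuse and infrastructure geolocation rather than used alone.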
