PLA Unit 61398

from Wikipedia

People's Liberation Army Unit 61398 (61398部队)
Emblem of the People's Liberation Army
Active: 2002–present
Country: China
Allegiance: Chinese Communist Party
Branch: People's Liberation Army Cyberspace Force
Type: Cyber force, cyber-espionage unit
Role: Cyber warfare, electronic warfare
Part of: People's Liberation Army
Garrison/HQ: Tonggang Road, Pudong, Shanghai
Nicknames:
  • APT 1
  • Comment Crew
  • Comment Panda
  • GIF89a
  • Byzantine Candor
  • Group 3
  • Threat Group 8223
Engagements:

PLA Unit 61398 (also known as APT1, Comment Crew, Comment Panda, GIF89a, or Byzantine Candor; Chinese: 61398部队, Pinyin: 61398 bùduì) is the military unit cover designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks.[2][3][4] The unit is stationed in Pudong, Shanghai,[5] and has been cited by US intelligence agencies since 2002.

History

From left, Chinese military officers Gu Chunhui, Huang Zhenyu, Sun Kailiang, Wang Dong, and Wen Xinyu indicted on cyber espionage charges.

A report by the computer security firm Mandiant stated that PLA Unit 61398 is believed to operate under the 2nd Bureau of the People's Liberation Army General Staff Department (GSD) Third Department (总参三部二局)[1] and that there is evidence that it contains, or is itself, an entity Mandiant calls APT1, part of the advanced persistent threat that has attacked a broad range of corporations and government entities around the world since at least 2006. APT1 is described as comprising four large networks in Shanghai, two of which serve the Pudong New Area. It is one of more than 20 APT groups with origins in China.[1][6] The Third and Fourth Department, responsible for electronic warfare, are believed to comprise the PLA units mainly responsible for infiltrating and manipulating computer networks.[7]

2014 indictment

On 19 May 2014, the US Department of Justice announced that a federal grand jury had returned an indictment of five 61398 officers on charges of theft of confidential business information and intellectual property from U.S. commercial firms and of planting malware on their computers.[8][9] The five are Huang Zhenyu (黄振宇), Wen Xinyu (文新宇), Sun Kailiang (孙凯亮), Gu Chunhui (顾春晖), and Wang Dong (王东). Forensic evidence traces the base of operations to a 12-story building off Datong Road in a public, mixed-use area of Pudong in Shanghai.[2] The group is also known by various other names including "Advanced Persistent Threat 1" ("APT1"), "the Comment group" and "Byzantine Candor", a codename given by US intelligence agencies since 2002.[10][11][12][13]

The group often compromises internal software "comment" features on legitimate web pages to infiltrate target computers that access the sites, leading it to be known as "the Comment Crew" or "Comment Group".[14][15] The collective has stolen trade secrets and other confidential information from numerous foreign businesses and organizations over the course of seven years such as Lockheed Martin, Telvent, and other companies in the shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors.[11]

Dell SecureWorks said it believed the group includes the same attackers as those behind Operation Shady RAT, an extensive computer espionage campaign uncovered in 2011 in which more than 70 organizations, including the United Nations and government agencies in the United States, Canada, South Korea, Taiwan and Vietnam, were targeted over a five-year period.[2]

The attacks documented in the summer of 2011 represent a fragment of the Comment group's attacks, which go back at least to 2002, according to incident reports and investigators. In 2012, FireEye, Inc. stated that they had tracked hundreds of targets in the last three years and estimated the group had attacked more than 1,000 organizations.[12]

Most activity between malware embedded in a compromised system and the malware's controllers takes place during business hours in Beijing's time zone, suggesting that the group is professionally hired, rather than private hackers inspired by patriotic passions.[7]
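The working-hours inference above can be made a reproducible check. The block below is an added example, not code from the article, Mandiant or any cited report: it converts constructed UTC beacon timestamps to several candidate local offsets and reports how much of the activity falls on a Monday-to-Friday 08:00-18:00 working day; the offsets, cutoff hours and sample events are assumptions.

```python
"""Working-hours heuristic for C2 beacon timestamps.

Added example, not code from the article or from Mandiant. It asks how much
of the observed malware-to-controller traffic falls within a Monday-Friday
08:00-18:00 working day under several candidate UTC offsets. The offsets,
cutoff hours and the sample events are assumptions; fixed offsets are used
because Asia/Shanghai observes no DST (US Eastern is given for winter only).
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

BUSINESS_START = 8   # assumed local start of the working day, inclusive
BUSINESS_END = 18    # assumed end of the working day, exclusive

# Candidate local offsets to test the same timestamps against.
CANDIDATE_OFFSETS = {
    "Asia/Shanghai (UTC+8, no DST)": 8,
    "UTC": 0,
    "US Eastern, winter (UTC-5)": -5,
}

# Constructed sample: "timestamp_utc,dst_ip" lines as a sensor might log beacons.
SAMPLE_BEACONS = """\
2013-01-14T01:05:12Z,203.0.113.10
2013-01-14T02:47:03Z,203.0.113.10
2013-01-14T06:30:44Z,203.0.113.10
2013-01-14T09:58:21Z,203.0.113.10
2013-01-15T00:12:09Z,203.0.113.10
2013-01-15T03:20:55Z,203.0.113.10
2013-01-15T16:41:30Z,203.0.113.10
2013-01-19T02:15:00Z,203.0.113.10
"""


def parse_beacons(text):
    """Parse 'ISO-8601 UTC timestamp,dst_ip' lines into aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, _, _dst = line.partition(",")
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ts)
    return events


def in_business_hours(ts_utc, utc_offset_hours):
    """True if the event lands on a weekday within the assumed working hours."""
    local = ts_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.weekday() < 5 and BUSINESS_START <= local.hour < BUSINESS_END


def business_hour_fraction(events, utc_offset_hours):
    """Share of events inside working hours for the given UTC offset."""
    if not events:
        return 0.0
    return sum(in_business_hours(e, utc_offset_hours) for e in events) / len(events)


def local_hour_histogram(events, utc_offset_hours):
    """Hour-of-day distribution in the candidate local time, for eyeballing."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(e.astimezone(tz).hour for e in events)


def rank_offsets(events, candidates=CANDIDATE_OFFSETS):
    """(label, fraction) pairs, best-fitting offset first."""
    scored = [(label, business_hour_fraction(events, off)) for label, off in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    beacons = parse_beacons(SAMPLE_BEACONS)
    for label, frac in rank_offsets(beacons):
        print(f"{frac:5.1%} of beacons in working hours if operators are in {label}")
    print("local hours at UTC+8:", sorted(local_hour_histogram(beacons, 8).items()))
```

Timing is only one indicator: the sample has eight events where a real assessment needs thousands, and a schedule can be shifted deliberately, so the fraction supports an inference rather than proving one.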

A 2020 report in Daily News and Analysis stated that the unit was eyeing information related to defense and research in India.[16]

Public position of the Chinese government

As of 2013, the government of China had consistently denied any involvement in hacking.[17] In response to the Mandiant Corporation report about Unit 61398, Hong Lei, a spokesperson for the Chinese foreign ministry, said such allegations were "unprofessional".[17][4]

from Grokipedia
PLA Unit 61398, formally the Second Bureau of the Third Department of the General Staff Department, is a Chinese military and cyber operations unit headquartered in a 12-story facility in Pudong, Shanghai. The unit specializes in exploitation, conducting operations to gather intelligence and from foreign targets, primarily in the United States and other Western nations. In 2013, cybersecurity firm Mandiant attributed to Unit 61398—designated as APT1—a multi-year espionage campaign compromising at least 141 organizations across 20 industries, exfiltrating hundreds of terabytes of data including blueprints, formulas, and proprietary research to support Chinese military and economic advantages. This attribution relied on forensic analysis linking malicious infrastructure, malware signatures, and operational patterns to the unit's physical location and personnel. The following year, the U.S. Department of Justice indicted five Unit 61398 officers—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—on charges of hacking U.S. corporations in sectors such as nuclear energy, metals, and solar technology, as well as labor organizations, to steal trade secrets benefiting Chinese state interests. These actions exemplified state-sponsored economic espionage, prompting international scrutiny of China's cyber practices despite official denials from Beijing asserting no government involvement. Following PLA reforms in 2015–2016, the unit's structure was integrated into the People's Liberation Army Strategic Support Force, though its legacy persists in attributions of ongoing cyber threats.

Overview

Establishment and Mandate

PLA Unit 61398 serves as the military unit cover designator for the Second Bureau of the People's Liberation Army (PLA) General Staff Department's Third Department, also known as the Technical Reconnaissance Department, which is tasked with signals intelligence (SIGINT) collection. The Third Department's mandate encompasses intercepting and analyzing foreign communications to support objectives, including military and economic intelligence gathering through technical means such as electronic surveillance and cyber operations. This bureau-level entity operates from a facility in Shanghai's Pudong district, equipped for advanced network operations. While the precise establishment date of Unit 61398 remains undisclosed in open sources, its operational infrastructure, including a 12-story building, was constructed starting around 2007, aligning with the expansion of China's cyber capabilities during that period. U.S. assessments trace the unit's cyber activities to at least 2006, involving persistent intrusions into foreign networks for , though the underlying SIGINT functions likely predate these digital efforts as part of the PLA's longstanding apparatus. The unit's mandate extends beyond offensive cyber espionage to include training in , , and covert communications, enabling targeted operations against perceived strategic adversaries. Chinese authorities have denied that Unit 61398 engages in hacking or , asserting that the unit focuses on routine and , while dismissing Western attributions as politically motivated. However, evidence from cybersecurity analyses and U.S. Department of Justice indictments of five unit members in May 2014 for computer hacking and economic espionage underscores its alleged mandate to acquire proprietary information from U.S. corporations in sectors like defense, , and , supporting China's state-directed industrial policies. These activities are framed by U.S. sources as part of a broader PLA strategy to close technological gaps through non-traditional intelligence methods.

Organizational Affiliation

PLA Unit 61398 serves as the military unit cover designator (MUCD) for the Second Bureau of the Third Department within the General Staff Department (GSD) of the People's Liberation Army (PLA). The Third Department, established in the early 1990s, holds primary responsibility for signals intelligence collection, technical reconnaissance, and electronic warfare support across the PLA's seven military regions. This bureau-level entity operates from a large facility in the Pudong district of Shanghai, housing an estimated 1,000 to 2,000 personnel focused on cyber and network operations. The Second Bureau's affiliation underscores its integration into the PLA's intelligence apparatus, where it functions as one of multiple sub-bureaus conducting specialized technical tasks under centralized GSD oversight. U.S. indictments in May 2014 explicitly identified five indicted hackers as officers assigned to Unit 61398 within this structure, linking their activities to state-directed . Infrastructure analysis, including IP addresses and fiber-optic connections provided by , further corroborates the unit's PLA embedding, with operations tied to government-allocated resources. Prior to the 2015-2016 PLA reforms, which reorganized the GSD into the Joint Staff Department and transferred cyber functions to the Strategic Support Force, Unit 61398 exemplified the PLA's pre-reform emphasis on department-level technical bureaus for information operations. These reforms dispersed some Third Department elements but preserved core affiliations with PLA intelligence directorates, maintaining continuity in operational mandates.

Historical Development

Pre-2013 Operations

PLA Unit 61398 initiated cyber espionage activities targeting foreign networks at least as early as 2006, with evidence of custom backdoors dating to that year and earlier compilation timestamps from 2004. These operations focused on infiltrating corporate and government systems to exfiltrate and strategic data, primarily in English-speaking countries. By early 2013, the unit had compromised at least 141 organizations across 20 industries, including , defense, , and , with annual intrusion rates increasing over time. Intruders employed spear-phishing to deliver custom malware, such as the WEBC2 backdoor and tools for email harvesting like GETMAIL, enabling prolonged access with an average dwell time of 356 days per victim and up to 1,764 days in extreme cases. Data exfiltration reached hundreds of terabytes across victims, including a single instance of 6.5 terabytes stolen over 10 months from one organization. Unit personnel, including officers Wang Dong and Sun Kailiang, targeted U.S. firms such as Alcoa in February to June 2008 and in 2010, using to access technical specifications, bid proposals, and . Similar tactics struck Westinghouse between 2010 and 2011, yielding nuclear plant design data and business strategies. Supporting infrastructure included over 900 command-and-control servers hosted on hundreds of IP addresses, many registered to Shanghai-based entities near the unit's physical location, facilitating simultaneous operations against dozens of targets as observed in early 2011. Officer Huang Zhenyu contributed programming for tools between 2006 and 2009, including database creation for . These efforts aligned with broader patterns of economic espionage, prioritizing high-value sectors for rather than immediate disruptive effects.

2013 Mandiant Attribution

In February 2013, cybersecurity firm Mandiant published the report APT1: Exposing One of China's Cyber Espionage Units, attributing a sophisticated cyber espionage campaign—designated APT1—to the People's Liberation Army (PLA) Unit 61398. The report detailed APT1's operations dating back to at least 2006, involving the compromise of over 140 organizations, predominantly in the United States across sectors including , , and . Mandiant's analysis drew from forensic investigations of victim networks, malware reverse-engineering, and infrastructure mapping, concluding with high confidence that APT1 operated from within Unit 61398 based on overlapping location, operational scale, and mission alignment. Key evidence centered on geographic and infrastructural correlations. APT1's command-and-control infrastructure was heavily concentrated in Shanghai, with 709 of 849 traced IP addresses registered in China—primarily to China Unicom blocks in the city—and 22% of 107 analyzed domains explicitly listing Shanghai addresses. Two of APT1's four primary "home" net blocks were allocated in the Pudong New Area, the same district housing Unit 61398's headquarters in a 12-story, 130,663-square-foot facility on Datong Road in Gaoqiaozhen, completed in early 2007 and equipped with specialized fiber-optic lines by . Operator personas associated with APT1, such as "Ugly Gorilla" (linked to uploads and domains registered as early as October 25, 2004), self-identified online as residing in Shanghai, further tying activities to the unit's locale. The scale and expertise required for APT1's sustained intrusions—estimated to involve dozens to hundreds of direct operators plus extensive support staff—mirrored Unit 61398's structure. The unit, subordinate to the PLA General Staff Department's Third Department and Second Bureau, was assessed to employ hundreds to thousands of personnel trained in operations, English-language analysis, and covert communications, enabling multi-year campaigns against foreign targets. Mandiant noted that APT1's professional tactics, including custom malware deployment and data exfiltration volumes exceeding gigabytes per victim, aligned with a state-sponsored entity's resources rather than independent actors. Mandiant emphasized that while no single "smoking gun" like internal documents directly confirmed the link, the cumulative evidence—encompassing infrastructure proximity, equivalent operational tempo (e.g., over 1,000 servers in hop chains), and shared focus on economic espionage—made alternative explanations improbable. The report posited that a non-PLA entity replicating this activity from the same confined area would require implausibly similar capabilities and motivations. This attribution marked a rare public naming of a specific Chinese unit in cyber operations, prompting international scrutiny and later influencing U.S. responses.

2014 US Indictment

On May 19, 2014, the U.S. Department of Justice unsealed an indictment returned by a federal grand jury in the Western District of Pennsylvania, charging five officers of the People's Liberation Army (PLA) Unit 61398 with offenses related to cyber espionage against American entities. The defendants—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—were identified as members of the Third Department of the PLA, specifically operating from Unit 61398 in Shanghai. This marked the first time the U.S. government publicly indicted members of a foreign military for conducting cyber intrusions into networks to steal secrets. The 31-count indictment alleged a conspiracy spanning from 2006 to 2014, involving computer hacking, economic espionage, identity theft, and wire fraud, with the defendants purportedly using spear-phishing emails and to gain unauthorized access to victim networks. Specific actions included stealing proprietary technical data, such as turbine models from Westinghouse during nuclear plant bid preparations, and design specifications from SolarWorld AG related to solar panels. The hackers also targeted communications between U.S. labor organizations and members of to access strategy documents on trade negotiations with . Victims named in the indictment included six American companies and organizations across the nuclear energy, metals, and solar industries—Westinghouse Electric Co., United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (AFSCME), Allegheny Technologies Inc., U.S. Steel Corp., and SolarWorld AG—as well as their subsidiaries. The U.S. authorities asserted that the intrusions were state-sponsored efforts to provide competitive advantages to Chinese entities, building on prior attributions like the 2013 Mandiant report linking Unit 61398 to Advanced Persistent Threat 1 (APT1) activities. None of the defendants have been extradited or appeared in U.S. court as of the announcement, rendering the indictment largely symbolic in terms of immediate legal enforcement but significant for public attribution and diplomatic signaling.

Post-2015 PLA Reforms and Evolution

In late 2015, the People's Liberation Army (PLA) initiated comprehensive structural reforms under Central Military Commission (CMC) Chairman Xi Jinping, abolishing the four general departments—including the 3rd Department responsible for technical reconnaissance and cyber operations—and redistributing their functions to new entities directly under the CMC and joint theater commands. Unit 61398, previously affiliated with the 3rd Department's 2nd Bureau and linked to cyber espionage activities, was integrated into the newly established PLA Strategic Support Force (SSF) in December 2015, specifically under its Network Systems Department, which centralized cyber, electronic warfare, and network operations previously dispersed across PLA branches. This reorganization aimed to enhance joint operations and information dominance but also reduced the visibility of specific units like 61398, contributing to a perceived decline in attributable PLA-linked cyber intrusions traceable to pre-reform identifiers. The SSF's formation marked a shift toward "informatized" warfare, with Unit 61398's personnel—estimated at over 2,000 engineers and technicians focused on hacking and development—retained for advanced persistent threat (APT) activities, though operations became more compartmentalized and less tied to geographic bases like the unit's Pudong facility. Post-reform, U.S. intelligence assessments noted continuity in tactics, techniques, and procedures (TTPs) associated with APT1 (the designation for 61398-linked actors), including spear-phishing and exploitation of zero-day vulnerabilities, but with evolving tools to evade detection, such as custom malware variants observed in campaigns targeting U.S. defense contractors as late as 2018. These changes aligned with Xi's emphasis on , potentially incorporating civilian talent from state-linked firms, though direct evidence of Unit 61398's exact post-2015 subunit designation remains opaque due to PLA opacity.
Further evolution occurred in April 2024, when the CMC dissolved the SSF amid reported internal issues, including corruption purges, and elevated its components into three independent forces: the Cyberspace Force for offensive and defensive cyber missions, the Aerospace Force for space operations, and the Information Support Force for integrated networks and electronic warfare. Unit 61398's cyber elements were reportedly centralized under the new Cyberspace Force, reflecting Xi's push for "intelligentized" warfare with AI-enhanced capabilities, though this structure may further obscure attribution by emphasizing domain-specific commands over legacy units. These reforms have not halted espionage allegations; for instance, U.S. officials attributed 2023-2024 intrusions on critical infrastructure to PLA-affiliated actors exhibiting TTPs consistent with pre-reform Unit 61398 operations, underscoring adaptation rather than cessation.

Alleged Activities and Capabilities

Methods and Tools Employed

APT1, linked to PLA Unit 61398, primarily gained initial access through spear-phishing emails containing malicious attachments, such as ZIP files disguised as legitimate documents (e.g., "2012ChinaUSAviationSymposium.zip"), or hyperlinks leading to exploit kits. Additional vectors included strategic web compromises, or watering holes, targeting vulnerable Internet-facing web servers to deploy webshells. The group deployed a diverse arsenal of over 40 malware families, including custom backdoors like WEBC2 variants (e.g., WEBC2-TABLE, WEBC2-QBP), , and SEASALT for remote access and control; remote access trojans (RATs) such as , Gh0st RAT, AURIGA, and BANGAT for and screen capture; and specialized tools like GETMAIL and MAPIGET for automated email collection. These were often customized, with some incorporating public tools like for credential dumping from LSASS memory and PsExec for lateral movement via pass-the-hash techniques. Execution frequently involved Windows Command Shell and batch scripts, while defense evasion included masquerading as legitimate processes (e.g., naming files AcroRD32.exe). Command and control (C2) operations relied on HTTP/HTTPS protocols with SSL encryption, custom encrypted channels, and tools like HTRAN for traffic proxying through compromised hop points; infrastructure encompassed 937 servers across 849 IP addresses (709 in China) and 2,551 fully qualified domain names (FQDNs), many registered dynamically or hijacked from legitimate domains. Persistence was achieved via registry run keys, multiple redundant backdoors, and exploitation of stolen VPN or PKI credentials. Lateral movement utilized Remote Desktop Protocol (RDP), , and network discovery commands (e.g., net user, net group). Data exfiltration involved compressing files into password-protected RAR, ZIP, or archives—often split into 200 MB chunks—transmitted via FTP, custom backdoors, or existing C2 channels, with one documented instance extracting 6.5 terabytes from a single victim. These tactics supported sustained intrusions averaging 356 days, with a maximum of 1,764 days across 141 compromised organizations since 2006.
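Several of the behaviours listed above (an image named AcroRD32.exe running from an unexpected directory, a Run-key entry pointing into a user-writable path, net user/net group discovery, and archive parts of about 200 MB leaving over FTP) can be written as host and network detections. The block below is an added example, not from the article or from Mandiant; its event schema, directory allow-list and thresholds are assumptions, and the events are constructed.

```python
"""Detections for APT1 tradecraft described in the article: masquerading as
AcroRD32.exe, Run-key persistence, "net user"/"net group" discovery, and
exfiltration of ~200 MB split archives over FTP.

Added example, not from the article, Mandiant or any vendor. The JSON event
schema, allowed directories and thresholds are assumptions; events are
constructed. Map real EDR/proxy/Sysmon fields onto this schema before use.
"""
import json
import re
from collections import defaultdict

# Image names that are commonly masqueraded, with the directory prefixes they
# are expected to run from on a managed host (assumed allow-list).
EXPECTED_DIRS = {
    "acrord32.exe": ("c:\\program files\\adobe\\", "c:\\program files (x86)\\adobe\\"),
}
# Locations an ordinary user can write to; a Run key pointing here is suspect.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
DISCOVERY = re.compile(r"^\s*net(\.exe)?\s+(user|group|localgroup|view)\b", re.I)
ARCHIVE = re.compile(r"\.(rar|r\d{2}|zip|7z|\d{3})$", re.I)   # .rar .r01 .zip .7z .001
CHUNK_BYTES = 200 * 1024 * 1024
CHUNK_TOLERANCE = 0.10     # within +/-10 % of 200 MB counts as a split-archive chunk
MIN_CHUNKS = 2             # chunks to the same destination before alerting
EXFIL_PROTOS = {"ftp", "ftps"}

# Constructed events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"type": "process", "host": "ws-17", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AcroRD32.exe", "command_line": "AcroRD32.exe"}
{"type": "process", "host": "ws-17", "image": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRD32.exe", "command_line": "AcroRD32.exe invoice.pdf"}
{"type": "process", "host": "ws-17", "image": "C:\\Windows\\System32\\net.exe", "command_line": "net group \"domain admins\" /domain"}
{"type": "registry", "host": "ws-17", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "AdobeReader", "data": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AcroRD32.exe"}
{"type": "transfer", "host": "ws-17", "proto": "ftp", "dst": "198.51.100.7", "filename": "s.part01.rar", "bytes": 209715200}
{"type": "transfer", "host": "ws-17", "proto": "ftp", "dst": "198.51.100.7", "filename": "s.part02.rar", "bytes": 209715200}
{"type": "transfer", "host": "ws-17", "proto": "ftp", "dst": "198.51.100.7", "filename": "s.part03.rar", "bytes": 61440000}
{"type": "transfer", "host": "ws-22", "proto": "https", "dst": "192.0.2.40", "filename": "report.zip", "bytes": 2400000}
"""


def _alert(rule, ev, detail):
    return {"rule": rule, "host": ev.get("host", "?"), "detail": detail}


def check_process(ev):
    """Masquerading image location and built-in discovery commands."""
    alerts = []
    image = ev.get("image", "").lower()
    base = image.rsplit("\\", 1)[-1]
    if base in EXPECTED_DIRS and not image.startswith(EXPECTED_DIRS[base]):
        alerts.append(_alert("masquerading_image", ev, image))
    if DISCOVERY.match(ev.get("command_line", "")):
        alerts.append(_alert("discovery_command", ev, ev["command_line"]))
    return alerts


def check_registry(ev):
    """Run/RunOnce value whose target lives in a user-writable directory."""
    if RUN_KEY.search(ev.get("key", "")) and ev.get("data", "").lower().startswith(USER_WRITABLE):
        return [_alert("run_key_persistence", ev, f'{ev["value"]} -> {ev["data"]}')]
    return []


def check_transfers(transfers):
    """Repeated ~200 MB archive parts to one destination over FTP."""
    chunks = defaultdict(list)
    for ev in transfers:
        if ev.get("proto", "").lower() not in EXFIL_PROTOS:
            continue
        if not ARCHIVE.search(ev.get("filename", "")):
            continue
        if abs(ev.get("bytes", 0) - CHUNK_BYTES) <= CHUNK_BYTES * CHUNK_TOLERANCE:
            chunks[(ev.get("host"), ev.get("dst"))].append(ev["filename"])
    return [
        {"rule": "chunked_archive_exfil", "host": host, "detail": f"{len(names)} parts to {dst}: {names}"}
        for (host, dst), names in chunks.items() if len(names) >= MIN_CHUNKS
    ]


def detect(text):
    """Run all rules over JSON-lines telemetry and return the alerts."""
    alerts, transfers = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "process":
            alerts += check_process(ev)
        elif ev["type"] == "registry":
            alerts += check_registry(ev)
        elif ev["type"] == "transfer":
            transfers.append(ev)
    alerts += check_transfers(transfers)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["host"]:6} {a["rule"]:24} {a["detail"]}')
```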

Targeted Sectors and Victims

Mandiant's 2013 report attributed to PLA Unit 61398, designated as APT1, the targeting of 141 organizations across at least 20 industries since 2006, with 115 victims headquartered in the United States. These industries included , , , satellites and , scientific research and consulting services, , transportation, and manufacturing, engineering services, high-technology electronics, international organizations, legal services, media and entertainment, , chemicals, , food and , healthcare, metals and mining, and . The operations focused heavily on sectors aligned with China's strategic priorities, such as those outlined in its 12th Five-Year Plan, emphasizing theft to support economic and technological advancement. The U.S. Department of Justice's indictment of five individuals affiliated with Unit 61398 provided specific examples of victims in high-value industrial sectors. Targeted entities included Westinghouse in the nuclear energy sector, U.S. subsidiaries of SolarWorld AG in solar energy manufacturing, U.S. Steel Corporation, Allegheny Technologies Inc., and Alcoa Inc. in metals and production, as well as the United Steelworkers labor union. These intrusions, spanning 2006 to 2014, aimed to exfiltrate trade secrets, technical specifications, and to benefit Chinese state-owned enterprises. Broader patterns highlighted and as frequently targeted areas, including companies involved in services, technology, , and systems, reflecting a pattern of rather than purely gathering. While most victims remained anonymous to protect ongoing operations, the scale involved sustained access—averaging over a year per intrusion—and the theft of hundreds of terabytes of data across these sectors.

Scale of Operations

Mandiant's analysis of APT1, attributed to PLA Unit 61398, documented a sustained cyber espionage campaign active since at least 2006, spanning over seven years by the time of the 2013 report. The unit compromised at least 141 organizations across 20 industries, including , energy, , and high-tech electronics, with 87% of targets in English-speaking countries. These intrusions targeted entities aligned with China's strategic priorities, such as those in its 12th Five-Year Plan for emerging industries. The operations involved exfiltrating hundreds of terabytes of data, with one documented case extracting 6.5 terabytes from a single victim over 10 months. Access persistence averaged 356 days per intrusion, extending up to 1,764 days in the longest observed instance, enabling systematic data theft rather than disruptive attacks. Unit 61398 supported these efforts through extensive infrastructure, including 937 command-and-control servers on 849 IP addresses across 13 countries and over 2,500 fully qualified domain names. The unit's physical facility, a 130,663-square-foot complex in Shanghai's Pudong district, is estimated to house hundreds to thousands of personnel, many trained in network operations, underscoring the enterprise-scale resources dedicated to these activities.

Accusations and Evidentiary Basis

Key Reports and Intelligence Assessments

In February 2013, cybersecurity firm Mandiant released its report "APT1: Exposing One of China's Cyber Espionage Units," attributing a sustained cyber espionage campaign to Advanced Persistent Threat 1 (APT1), which it linked to the People's Liberation Army's Unit 61398 based in Pudong, Shanghai. The 70-page analysis detailed APT1's infiltration of at least 141 organizations across 20 industries—primarily in the United States—over six years, involving the exfiltration of hundreds of terabytes of data through custom malware, spear-phishing, and command-and-control infrastructure traceable to IP addresses near the unit's reported 12-story facility. Mandiant's attribution relied on forensic indicators such as code similarities, operational timing aligned with Chinese work hours, and online personas of suspected unit members boasting hacking skills in English on Chinese forums, though the firm noted challenges in definitive state sponsorship proof absent insider access. On May 19, 2014, the U.S. Department of Justice unsealed an indictment from the Western District of Pennsylvania charging five Unit 61398 officers—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—with conspiracy to commit computer hacking, economic espionage, and identity theft targeting six U.S. victims, including Westinghouse Electric, U.S. Steel, Allegheny Technologies, Alcoa, and the United Steelworkers Union. The 31-count indictment, supported by FBI investigations, alleged intrusions from 2006 to 2014 that stole nuclear plant designs, steel technology, and union negotiation data, with hackers using malware variants akin to those in Mandiant's findings and routing traffic through leased servers masking origins in China. U.S. officials described Unit 61398 as a cyber warfare arm employing over 2,000 personnel trained in network operations, marking the first public U.S. criminal charges against named PLA members for economic espionage. Subsequent U.S. intelligence assessments have reinforced these attributions, with the framework classifying APT1 (also known as Comment Panda) as tied to the PLA's 3rd Department, 2nd Bureau, citing persistent tactics like backdoor implantation and data staging observed in Mandiant and DOJ evidence. Annual U.S. government reports, such as those from the Office of the , have highlighted PLA units including 61398 in broader Chinese cyber threats, though without new unit-specific indictments post-2014 amid reported operational shifts following PLA reforms. These reports emphasize the unit's role in state-directed intelligence collection, drawing on corroborated digital footprints rather than public confessions, while acknowledging attribution limitations in deniable cyber operations.

Specific Incidents Linked to the Unit

In May 2014, the U.S. Department of Justice indicted five officers from PLA Unit 61398—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—for their roles in a conspiracy involving computer hacking and economic espionage against U.S. corporations and a labor organization from approximately 2006 to 2014. The charges specified intrusions into networks of six victims, primarily via spear-phishing emails delivering malware, to exfiltrate trade secrets benefiting Chinese state-owned enterprises. One key incident involved Alcoa Inc. in mid-2008, shortly after the company announced a partnership with a Chinese ; hackers stole thousands of emails and attachments containing proprietary information on aluminum production technologies. In 2010, Westinghouse Electric Co. was targeted, resulting in the theft of technical specifications and design drawings for nuclear plants, along with sensitive executive emails that could inform competitive bidding. That same year, U.S. Steel Corp. suffered a spear-phishing attack leading to malware deployment and exfiltration of network hostnames, computer descriptions, and other infrastructural data. Further incidents in 2012 included hacks against U.S. subsidiaries of SolarWorld AG, where thousands of files on cash flow projections, metrics, production costs, and legal strategies were stolen amid from Chinese solar firms. Allegheny Technologies Inc. lost network login credentials for nearly all employees, enabling broad access to and technologies used in and defense. The United Steelworkers union was also compromised, with hackers accessing emails detailing negotiation strategies against Chinese steel dumping, and maintaining persistence into early 2013. Mandiant's 2013 attribution of APT1 operations to Unit 61398 highlighted additional examples, such as a multi-year intrusion from 2008 to 2010 into an unnamed U.S. wholesale industry victim, where over 2.5 years of files and executive emails were exfiltrated, correlating with Chinese government negotiations that forced a price reduction on the victim's goods. In September 2012, APT1 tools were used in a breach at Telvent Canada Ltd. (now part of Schneider Electric), compromising energy sector systems potentially linked to supervisory control and data acquisition infrastructure. These cases, supported by forensic indicators like IP addresses traced to Unit 61398's Shanghai facility, underscore targeted economic intelligence gathering.

Attribution Challenges and Counterarguments

Attributing cyber operations to PLA Unit 61398 encounters technical and methodological hurdles inherent to the domain, where perpetrators routinely mask origins through proxy servers, virtual private networks, and compromised infrastructure hosted in neutral jurisdictions. Such masking leaves room for deniability, as IP addresses tied to attacks—such as those Mandiant traced to the Pudong district in Shanghai—can be rented or hijacked without direct control by the implicated entity. Forensic attribution demands correlating multiple indicators, such as signatures, tactics, techniques, and procedures (TTPs), and linguistic artifacts, yet these remain probabilistic rather than conclusive and are vulnerable to imitation by non-state actors or rival states employing false flags. Specific to Unit 61398, evidentiary linkages in reports like Mandiant's APT1 analysis depend on geospatial clustering of command-and-control servers near the unit's reported facility at 208 Jiayuqiao Street, alongside consistent TTPs observed in over 140 intrusions since 2006. However, skeptics note the absence of intercepted communications, defectors, or physical artifacts directly implicating personnel, leaving the claims reliant on private-sector intelligence without independent governmental corroboration beyond U.S. assessments. The unit's formal role in signals intelligence under the PLA's 3rd Department further muddies the distinction between defensive monitoring and offensive intrusion, as similar infrastructure could support legitimate military functions.

Chinese government rebuttals dismiss these attributions as fabricated: the Foreign Ministry labeled the U.S. indictment of five Unit 61398 officers "groundless and absurd," arguing that it lacked verifiable proof and served political motives to hinder bilateral ties. Officials contended that the unit, if it existed in the described capacity, focused on internal security rather than extraterritorial hacking, and accused the U.S. of hypocrisy given documented American cyber intrusions into Chinese networks, such as those revealed by Edward Snowden in 2013. Chinese officials and state media have highlighted mutual espionage dynamics, asserting that Western indictments ignore comparable activities by U.S. entities like the NSA, which conducted operations against Chinese companies and infrastructure. Post-2015 PLA reforms, which reorganized cyber elements into the Strategic Support Force and emphasized contractor proxies, have amplified attribution opacity by dispersing operations across civilian firms and non-military actors, potentially rendering pre-reform linkages to Unit 61398 outdated or misdirected. Counterarguments also invoke the risk of over-attribution, where clustered activity in China's tech hubs like Pudong—home to thousands of IT firms—might coincidentally align with state facilities, as evidenced by private-sector actors mimicking military TTPs in Unit 61398's vicinity. The indictments' limited deterrent effect, with no arrests and continued intrusions after 2014, underscores enforcement challenges absent extradition treaties or coordinated allied action.
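As an added illustration of why timing-based evidence is probabilistic rather than conclusive, the following Python script (example code written for this page, not Mandiant's tooling or anything attributed to the unit) takes a constructed set of command-and-control check-in timestamps and measures, for each candidate UTC offset, how much of the activity falls inside weekday working hours. This is the same "operational timing patterns aligned with Chinese work hours" evidence cited in the Lessons section further down. The timestamps, the 09:00 to 17:59 working window and the range of offsets are all assumptions. A strong fit for UTC+8 is consistent with an operator keeping Chinese office hours, and proxies or VPNs do not disturb it, but any other actor keeping those hours produces the same profile, which is why it must be corroborated by the other indicators the paragraph lists.

```python
"""Working-hours timing analysis of C2 check-ins: an added example, not code
from the page or from any of the parties it describes.

Given UTC timestamps of command-and-control contacts, shift them into each
candidate fixed UTC offset and measure how much activity falls on a weekday
inside an assumed 09:00-17:59 working window. The best-fitting offset is one
probabilistic indicator, never a conclusion: it is unaffected by proxies or
VPNs, but any actor keeping those hours produces the same profile.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_HOURS = range(9, 18)  # assumed office window, 09:00 to 17:59 local time


def _localize(ts, utc_offset_hours):
    """Move an aware UTC timestamp into a fixed-offset candidate zone."""
    return ts.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def working_hours_fraction(timestamps, utc_offset_hours):
    """Share of check-ins on a weekday inside WORK_HOURS for the given offset."""
    if not timestamps:
        return 0.0
    hits = 0
    for ts in timestamps:
        local = _localize(ts, utc_offset_hours)
        if local.weekday() < 5 and local.hour in WORK_HOURS:
            hits += 1
    return hits / len(timestamps)


def hour_histogram(timestamps, utc_offset_hours):
    """Count of check-ins per local hour; the shape is what an analyst reviews."""
    return Counter(_localize(ts, utc_offset_hours).hour for ts in timestamps)


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """Candidate offsets ordered by working-hours fit, best first.

    Ties are broken by the smaller offset; a near-tie between neighbouring
    offsets is itself a sign that the data cannot discriminate zones finely.
    """
    scored = [(off, working_hours_fraction(timestamps, off)) for off in offsets]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample, not real data: one check-in per hour from 09:00 to 17:00
# UTC+8 on five weekdays (Mon 7 Jan 2013 to Fri 11 Jan 2013), plus two
# off-hours outliers of the kind real telemetry always contains.
_monday_0900_cst = datetime(2013, 1, 7, 1, 0, tzinfo=timezone.utc)  # 09:00 UTC+8
SAMPLE_CHECKINS = [
    _monday_0900_cst + timedelta(days=day, hours=hour)
    for day in range(5) for hour in range(9)
] + [
    datetime(2013, 1, 12, 15, 0, tzinfo=timezone.utc),  # Saturday 23:00 UTC+8
    datetime(2013, 1, 8, 18, 0, tzinfo=timezone.utc),   # Wednesday 02:00 UTC+8
]

if __name__ == "__main__":
    for offset, score in rank_offsets(SAMPLE_CHECKINS)[:3]:
        print(f"UTC{offset:+d}: {score:.2%} of check-ins in weekday working hours")
    profile = dict(sorted(hour_histogram(SAMPLE_CHECKINS, 8).items()))
    print("UTC+8 hourly profile:", profile)
```

On the constructed sample UTC+8 scores 45 of 47 check-ins inside working hours while UTC+7 and UTC+9 score 40 of 47, so the ranking separates zones only by the edge hours of the window; with a narrower or noisier sample the neighbouring offsets tie, which is the practical limit of this indicator.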

Official Chinese Perspectives

Government Denials and Rebuttals

The Chinese government has repeatedly denied allegations linking PLA Unit 61398 to cyber espionage. Following the release of the Mandiant APT1 report on February 19, 2013, which attributed widespread hacking to the unit, Foreign Ministry spokesman Hong Lei dismissed the claims as "groundless," arguing that hacking is "transnational and anonymous" and that attributing such attacks to a specific country without conclusive proof is unprofessional. In response to the U.S. Department of Justice's May 19, 2014, indictments of five officers from Unit 61398—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—for economic espionage targeting U.S. firms including Westinghouse Electric, SolarWorld, and Allegheny Technologies, the Foreign Ministry labeled the charges "absurd" and based on "fabricated facts," stating they undermined mutual trust and cooperation between the two nations. The ministry further suspended activities of the Sino-U.S. cyber working group established earlier that year, citing the indictments as a violation of bilateral agreements. China's Defense Ministry echoed these denials by summoning the U.S. defense attaché on May 20, 2014, to protest the indictments as actions that "seriously violated norms of international relations" and jeopardized military ties. Officials maintained that the unit was not involved in offensive cyber operations and portrayed the accusations as politically motivated, while deflecting by highlighting U.S. cyber activities, such as those revealed by Edward Snowden regarding NSA surveillance. No admissions of involvement have been made, and subsequent PLA reforms in 2015–2017, which restructured cyber units under the Strategic Support Force, were not presented by Beijing as acknowledgments of prior misconduct.

Claims of Mutual Espionage

In response to indictments against members of PLA Unit 61398 for alleged cyber espionage, Chinese Foreign Ministry spokespersons asserted that the U.S. government has itself conducted extensive cyber spying operations against China, citing the 2013 disclosures by former NSA contractor Edward Snowden. Snowden's leaks revealed that the NSA infiltrated major Chinese telecommunications firms, hacked servers inside China, and targeted Huawei Technologies for intelligence collection, including efforts to insert backdoors into Huawei equipment used globally. These activities, according to Chinese statements, demonstrate U.S. hypocrisy in accusing China while engaging in comparable or larger-scale intrusions, with NSA programs enabling the theft of sensitive data from foreign entities. Following the May 19, 2014, U.S. Department of Justice indictment of five Unit 61398 officers—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—on charges including economic espionage against U.S. firms in the nuclear, energy, and other industrial sectors, a Foreign Ministry spokesman described the allegations as "fabricated" and emphasized mutual culpability in cyber espionage. He stated that "the U.S. has also long been engaged in large-scale cyber theft and spying activities against other countries, including China," directly invoking Snowden's evidence of NSA penetration into Chinese networks since at least 2009. Chinese officials framed this as part of a broader pattern, arguing that the U.S. maintains a monopoly on cyber capabilities while portraying itself as a victim, and urged bilateral dialogue on cybersecurity norms rather than unilateral accusations. Such claims align with recurring Chinese narratives portraying the nation as a frequent target of foreign cyber threats; outlets like Xinhua reported that over 38,000 foreign IP addresses, many traced to the U.S., launched attacks on Chinese websites daily in 2013, coinciding with the APT1 report linking Unit 61398 to U.S.-targeted intrusions.

However, independent analyses, including those from U.S. cybersecurity firms and intelligence assessments, have noted that while NSA operations focused primarily on national-security intelligence rather than commercial theft, the distinction does not negate the espionage element, though Chinese rebuttals often conflate the two to deflect scrutiny. Beijing's position, disseminated through official channels, consistently rejects attribution to state-sponsored units like 61398 while advocating for the "peaceful use" of cyberspace, positioning mutual restraint as essential amid escalating bilateral tensions.

Broader Implications

Strategic Role in Chinese National Security

PLA Unit 61398, operating under the Third Department of the People's Liberation Army (PLA) General Staff Department, serves as a primary instrument for conducting cyber espionage to acquire foreign technologies critical to China's military modernization and economic objectives. This unit, identified by the cybersecurity firm Mandiant as APT1, has systematically targeted industries aligned with China's strategic priorities, such as pharmaceuticals and the nuclear, solar and metals sectors named in the 2014 indictments, extracting trade secrets to bridge technological gaps and support the PLA's informatization efforts. Such operations facilitate the transfer of stolen data to state-owned enterprises and military research entities, enabling rapid indigenous innovation under state industrial initiatives that intertwine economic competitiveness with defense capabilities. In the broader framework of Chinese national security, Unit 61398's activities exemplify the PLA's emphasis on "information dominance" as a core pillar of active defense doctrine, where cyber intrusions provide actionable intelligence for geopolitical decision-making and deterrence. The unit's role extends to supporting military-civil fusion, wherein espionage-derived technologies enhance both civilian sectors and PLA weapon systems, reducing reliance on imported components vulnerable to sanctions or supply disruptions. This integration underscores a causal link between cyber theft and China's pursuit of technological self-reliance, as articulated in PLA doctrinal writings. The 2015 PLA reforms restructured cyber units, including those linked to 61398, under the Strategic Support Force (SSF), which consolidates space, cyber, and electronic warfare to deliver unified strategic information support. This evolution positions such operations at the nexus of offensive cyber capabilities and national security resilience, enabling the PLA to maintain advantages in potential regional conflicts by preemptively degrading adversaries' technological edges. Empirical evidence from attributed intrusions, including IP addresses traced to facilities housing the unit, corroborates its enduring operational tempo despite public exposures.

Impact on International Relations

The attribution of cyber espionage to PLA Unit 61398, culminating in the U.S. Department of Justice's May 19, 2014, indictments of five unit members—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—for hacking U.S. firms including Alcoa, U.S. Steel, Westinghouse, Allegheny Technologies, SolarWorld, and the United Steelworkers Union, marked the first formal U.S. charges against Chinese military personnel for economic espionage. These indictments, alleging theft of trade secrets worth billions via spear-phishing and malware from 2006 to 2014, represented a direct escalation in public confrontation over state-sponsored hacking, prompting China to denounce them as "groundless" and "absurd" acts of "hegemonism" that sabotaged mutual trust-building efforts. In immediate response, China's Foreign Ministry summoned the U.S. ambassador for a formal demarche and briefly halted participation in the U.S.-China cybersecurity working group, signaling heightened bilateral friction amid ongoing economic dialogues. This episode intensified scrutiny of Chinese cyber practices in multilateral forums, encouraging U.S. allies to voice concerns over intellectual property theft and reinforcing U.S.-led calls for international cyber norms against commercial espionage. The tensions fed into the June 7-8, 2014, Obama-Xi summit, where the leaders agreed to establish a bilateral cyber working group to mitigate cyber misunderstandings, though commercial espionage remained a flashpoint. These steps contributed to the September 25, 2015, U.S.-China cyber agreement, in which both sides pledged not to conduct or support cyber-enabled theft of intellectual property for commercial advantage—a direct outcome of sustained U.S. pressure via attribution and indictments, despite Beijing's prior denials of Unit 61398's role. However, the agreement's implementation faltered amid subsequent incidents, perpetuating distrust that has shaped U.S. export controls, investment screening, and technology decoupling policies toward China.

Internationally, the Unit 61398 case established indictments as a tool of cyber diplomacy, encouraging similar actions against state actors and elevating global awareness of supply-chain vulnerabilities, though it also drew Chinese accusations of mutual espionage, complicating cooperation on non-competitive threats.

Lessons for Cyber Defense and Attribution

The operations attributed to PLA Unit 61398, as detailed in Mandiant's APT1 report, underscore the necessity for organizations to prioritize proactive threat hunting to counter prolonged network intrusions. APT1 actors typically gained initial access via spear-phishing emails containing malicious attachments or links, exploiting unpatched software vulnerabilities such as those in Adobe Reader, and then deployed custom backdoors to maintain access over periods that in many cases exceeded six months. Effective defenses thus require mandatory security training, regular patching, and behavioral analytics to detect lateral movement and anomalous data flows, as passive perimeter defenses proved insufficient against these tactics. Key defensive measures informed by Unit 61398-linked incidents include sharing indicators of compromise (IOCs) across sectors: Mandiant released over 3,000 such indicators—including IP addresses traced to infrastructure near the unit's facility—to enable widespread blocking and forensic correlation. Network segmentation and zero-trust architectures emerged as critical responses, given APT1's exploitation of trusted internal systems for command-and-control via hijacked legitimate web servers, which evaded traditional signature-based detection. The unit's focus on intellectual property theft from industries such as pharmaceuticals also highlights the value of supply-chain vetting and employee training to mitigate insider-enabled compromises.

Attribution to state-sponsored actors like Unit 61398 relies on converging technical evidence, such as code reuse, operational timing patterns aligned with Chinese work hours, and geolocated IP addresses from a specific district building housing the unit, but faces inherent challenges from proxy usage and infrastructure pivoting. Following public disclosures, Chinese actors adapted by dispersing operations and enhancing operational security, rendering future attributions more resource-intensive and probabilistic, as confirmed by post-2013 shifts in PLA cyber structures. The 2014 U.S. Department of Justice indictments of five Unit 61398 officers for hacking U.S. firms like Westinghouse demonstrated that legal mechanisms can publicize attributions and impose symbolic costs, yet yielded no extraditions due to China's non-cooperation, illustrating the limits of unilateral judicial responses absent multilateral enforcement. Broader lessons emphasize integrating cyber intelligence with diplomatic signaling, as temporary reductions in similar intrusions followed U.S.-China pacts post-indictment, though persistent denials and mutual accusations of espionage complicate verifiable deterrence. Effective attribution thus demands sustained investment in cross-domain intelligence fusion, beyond technical forensics, to counter obfuscation in state-directed campaigns.
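Two of the defensive measures described above, consuming a shared IOC release and applying behavioral analytics to egress traffic, can be shown concretely. The following Python script is an added example written for this page; it is not code from Mandiant, from the APT1 report, or from any vendor, and the log format, the indicator feed, the thresholds and every address and hostname in it are constructed (documentation IP ranges and `.example` names). It matches each proxy record against a feed of CIDR blocks and domains, and separately flags internal hosts whose check-ins to one destination are suspiciously regular, which is the case an indicator feed cannot cover because nobody has published that address yet.

```python
"""IOC correlation and beacon detection over proxy logs: an added example,
not code from the page, from Mandiant, or from any vendor.

Two defensive measures applied to constructed data:
 1. match each egress record against a shared indicator feed (IPs as CIDR
    blocks, domains), the way a published IOC release is consumed;
 2. flag behaviourally regular check-ins (beaconing) between one internal
    host and one destination, which catches C2 that no indicator yet names.
All addresses are documentation ranges and all hostnames are placeholders.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: one egress record per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) host=(?P<host>\S+) bytes_out=(?P<bytes_out>\d+)$"
)

# Constructed indicator feed standing in for a shared IOC release.
IOC_FEED = {
    "ipv4": [ipaddress.ip_network("203.0.113.0/24")],  # TEST-NET-3 placeholder
    "domain": {"update-check.example"},
}

# Constructed proxy log: 10.0.0.5 beacons every 300 s to an address absent
# from the feed; 10.0.0.9 contacts a listed IP and domain once; 10.0.0.12 is
# ordinary irregular browsing; one line is malformed on purpose.
SAMPLE_LOG = [
    "2013-02-19T09:00:00Z src=10.0.0.5 dst=198.51.100.7 host=cdn-sync.example bytes_out=300",
    "2013-02-19T09:01:00Z src=10.0.0.12 dst=192.0.2.44 host=news.example bytes_out=80",
    "2013-02-19T09:02:13Z src=10.0.0.9 dst=203.0.113.10 host=update-check.example bytes_out=1200",
    "2013-02-19T09:03:30Z src=10.0.0.12 dst=192.0.2.44 host=news.example bytes_out=95",
    "2013-02-19T09:05:00Z src=10.0.0.5 dst=198.51.100.7 host=cdn-sync.example bytes_out=300",
    "2013-02-19T09:10:00Z src=10.0.0.5 dst=198.51.100.7 host=cdn-sync.example bytes_out=300",
    "2013-02-19T09:11:05Z src=10.0.0.12 dst=192.0.2.44 host=news.example bytes_out=4100",
    "this line is not in the expected format",
    "2013-02-19T09:12:00Z src=10.0.0.12 dst=192.0.2.44 host=news.example bytes_out=70",
    "2013-02-19T09:15:00Z src=10.0.0.5 dst=198.51.100.7 host=cdn-sync.example bytes_out=300",
    "2013-02-19T09:20:00Z src=10.0.0.5 dst=198.51.100.7 host=cdn-sync.example bytes_out=300",
]


def parse_line(line):
    """Parse one record; return None for a malformed line so the caller can count it."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def _ip_in_feed(addr, networks):
    """True if addr is a valid IP inside any listed network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # hostnames or garbage in the dst field never match
        return False
    return any(ip in net for net in networks)


def ioc_hits(records, feed):
    """Every (timestamp, src, indicator type, value) tuple that matches the feed."""
    hits = []
    for r in records:
        if _ip_in_feed(r["dst"], feed["ipv4"]):
            hits.append((r["ts"], r["src"], "ipv4", r["dst"]))
        if r["host"] in feed["domain"]:
            hits.append((r["ts"], r["src"], "domain", r["host"]))
    return hits


def beaconing_pairs(records, min_requests=4, max_jitter=0.1):
    """(src, dst) pairs whose inter-request gaps vary by at most max_jitter of the mean."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and (max(gaps) - min(gaps)) / mean <= max_jitter:
            flagged.append((pair, mean))
    return flagged


def analyze(lines, feed=IOC_FEED):
    """Run both checks over raw log lines, keeping a count of unparseable input."""
    parsed = [parse_line(line) for line in lines]
    records = [r for r in parsed if r is not None]
    return {
        "malformed": parsed.count(None),
        "ioc_hits": ioc_hits(records, feed),
        "beacons": beaconing_pairs(records),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The two checks are deliberately independent: the listed host 10.0.0.9 is caught only by the feed, and the beaconing host 10.0.0.5 only by the timing regularity, so a feed update that expires the first indicator leaves the second detection untouched. The jitter threshold is the tuning knob in practice; real implants add randomized sleep, so a production version would use a distribution-based test rather than the max-minus-min spread used here.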
