PLA Unit 61398 (also known as APT 1, Comment Crew, Comment Panda, GIF89a, and Byzantine Candor) (Pinyin: 61398 ''bùduì'') is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks. The unit is stationed in Pudong, Shanghai.


History

A 2020 report in DNA India stated that the unit was involved in espionage against the Indian military.


2014 indictment

On 19 May 2014, the US Department of Justice announced that a federal grand jury had returned an indictment of five Unit 61398 officers on charges of stealing confidential business information and intellectual property from U.S. commercial firms and of planting malware on their computers. The five are Huang Zhenyu (黄振宇), Wen Xinyu (文新宇), Sun Kailiang (孙凯亮), Gu Chunhui (顾春晖), and Wang Dong (王东).

Forensic evidence traces the base of operations to a 12-story building on Datong Road in a public, mixed-use area of Pudong, Shanghai. The group is also known by various other names, including "Advanced Persistent Threat 1" ("APT1"), "the Comment group" and "Byzantine Candor", a codename used by US intelligence agencies since 2002. A report by the computer security firm Mandiant stated that PLA Unit 61398 is believed to operate under the 2nd Bureau of the People's Liberation Army General Staff Department (GSD) Third Department (总参三部二局), and that there is evidence it contains, or is itself, the entity Mandiant calls APT1, an advanced persistent threat that has attacked a broad range of corporations and government entities around the world since at least 2006. APT1 is described as comprising four large networks in Shanghai, two of which serve the Pudong New Area. It is one of more than 20 APT groups with origins in China. The GSD Third Department (signals intelligence) and Fourth Department (electronic warfare) are believed to be the PLA units mainly responsible for infiltrating and manipulating computer networks.

The group's early backdoors fetched web pages under its control and parsed commands hidden inside HTML comments on those pages, which led it to be known as "the Comment Crew" or "Comment Group". The collective has stolen trade secrets and other confidential information from numerous foreign businesses and organizations over the course of seven years, including Lockheed Martin, Telvent, and other companies in the shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors. Dell SecureWorks said it believes the group includes the same attackers behind Operation Shady RAT, an extensive computer espionage campaign uncovered in 2011 in which more than 70 organizations over a five-year period, including the United Nations and government agencies in the United States, Canada, South Korea, Taiwan and Vietnam, were targeted. The attacks documented in the summer of 2011 represent only a fragment of the Comment group's activity, which goes back at least to 2002 according to incident reports and investigators. In 2012, FireEye, Inc. stated that it had tracked hundreds of targets over the preceding three years and estimated that the group had attacked more than 1,000 organizations.

Most traffic between malware embedded in a compromised system and the malware's controllers takes place during business hours in Beijing's time zone, suggesting that the group is professionally employed rather than a collection of private hackers driven by patriotic passion.
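The hidden-comment channel described above is simple to look for on the defensive side. The following is an added example, not code from the original article, from Mandiant or from any real APT1 sample: a small Python scanner that extracts every HTML comment from a page and flags the ones that decode from base64 to a readable command, or that look like high-entropy blobs with no whitespace. The sample page, the hidden command, the 16-character minimum and the 4.5-bit entropy threshold are all constructed for this example.

```python
import base64
import binascii
import math
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# A plaintext command that the constructed page below hides in an HTML
# comment. Both the command and the page are invented for this example;
# they are not taken from any real APT1 sample.
HIDDEN_CMD = "cd C:\\Users\\Public && dir /s *.doc *.xls"
_ENCODED_CMD = base64.b64encode(HIDDEN_CMD.encode()).decode()

SAMPLE_PAGE = f"""<html><head><title>Company News</title>
<!-- page generated by CMS v2.1 -->
</head><body>
<p>Welcome to our site.</p>
<!-- {_ENCODED_CMD} -->
<!-- TODO: fix footer alignment -->
</body></html>"""

# A lone base64 token: alphabet only, at least 16 chars, optional padding.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


class _CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())


def extract_comments(html: str) -> List[str]:
    """Return all HTML comments in document order, whitespace-stripped."""
    parser = _CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def shannon_entropy(text: str) -> float:
    """Bits per character; base64 or encrypted blobs score well above prose."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_if_base64_text(token: str) -> Optional[str]:
    """Decode a base64 token only if it yields printable ASCII, else None."""
    if not _B64_RE.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # bad padding or non-ASCII bytes
        return None
    if text and all(32 <= ord(c) < 127 for c in text):
        return text
    return None


def flag_comments(html: str, entropy_threshold: float = 4.5) -> List[Dict[str, object]]:
    """Return comments that look like a hidden command channel, with reasons."""
    findings: List[Dict[str, object]] = []
    for comment in extract_comments(html):
        reasons: List[str] = []
        decoded: Optional[str] = None
        # Ordinary developer comments contain spaces; blobs usually do not.
        if " " not in comment:
            decoded = decode_if_base64_text(comment)
            if decoded is not None:
                reasons.append("base64 token decodes to printable text")
            if len(comment) >= 32 and shannon_entropy(comment) >= entropy_threshold:
                reasons.append("high-entropy blob")
        if reasons:
            findings.append({"comment": comment, "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in flag_comments(SAMPLE_PAGE):
        print(hit["reasons"], "->", hit["decoded"])
```

The two heuristics are deliberately loose: a real C2 page may wrap its payload in other markup or use a custom encoding, so in practice the comment extractor would feed a broader set of checks (per-site baselines, comments that change between fetches, beaconing clients). The point is that the channel is visible to anyone who parses the page rather than rendering it.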
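The working-hours observation above is an attribution heuristic that is easy to reproduce from beacon logs. The following is an added example, not code from the article, Mandiant or FireEye: it parses a constructed proxy-log excerpt of beacons from one infected host, re-bases each UTC timestamp into every candidate UTC offset, and reports which offset places the most beacons inside a Monday-to-Friday 09:00-18:00 window. The log lines, the host and server addresses, and the business-hours window are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# Constructed proxy-log excerpt: beacons from one infected host to a
# suspected C2 server, timestamps in UTC. Invented for this example, not
# real APT1 traffic. 2013-02-04 is a Monday and 2013-02-09 a Saturday.
SAMPLE_LOG = """\
2013-02-04T01:05:12Z 10.0.0.17 -> 203.0.113.5:443 POST /index.asp
2013-02-04T02:30:44Z 10.0.0.17 -> 203.0.113.5:443 POST /index.asp
2013-02-04T06:12:03Z 10.0.0.17 -> 203.0.113.5:443 POST /index.asp
2013-02-05T03:47:19Z 10.0.0.17 -> 203.0.113.5:443 POST /index.asp
2013-02-05T09:50:27Z 10.0.0.17 -> 203.0.113.5:443 POST /index.asp
2013-02-06T04:15:55Z 10.0.0.17 -> 203.0.113.5:443 POST /index.asp
2013-02-07T07:22:08Z 10.0.0.17 -> 203.0.113.5:443 POST /index.asp
2013-02-08T01:30:41Z 10.0.0.17 -> 203.0.113.5:443 POST /index.asp
2013-02-09T14:00:00Z 10.0.0.17 -> 203.0.113.5:443 POST /index.asp
"""


def parse_log(text: str) -> List[datetime]:
    """Pull the leading ISO-8601 UTC timestamp from each non-empty line."""
    times: List[datetime] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp = line.split()[0]
        parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        times.append(parsed.replace(tzinfo=timezone.utc))
    return times


def in_business_hours(t: datetime, offset_hours: int, start: int = 9, end: int = 18) -> bool:
    """True if t falls on a weekday between start and end in the given UTC offset."""
    local = t.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and start <= local.hour < end


def business_hours_fraction(times: Iterable[datetime], offset_hours: int,
                            start: int = 9, end: int = 18) -> float:
    """Fraction of beacons inside the working window for one candidate offset."""
    times = list(times)
    if not times:
        return 0.0
    hits = sum(in_business_hours(t, offset_hours, start, end) for t in times)
    return hits / len(times)


def hour_histogram(times: Iterable[datetime], offset_hours: int) -> Counter:
    """Beacon count per local hour; useful for eyeballing the daily rhythm."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(t.astimezone(tz).hour for t in times)


def best_fit_offset(times: Iterable[datetime],
                    candidates: Iterable[int] = range(-12, 15)) -> Tuple[int, float]:
    """Offset (in whole hours) whose working window covers the most beacons."""
    times = list(times)
    scored: Dict[int, float] = {off: business_hours_fraction(times, off) for off in candidates}
    best = max(scored, key=scored.get)
    return best, scored[best]


if __name__ == "__main__":
    beacons = parse_log(SAMPLE_LOG)
    offset, fraction = best_fit_offset(beacons)
    print(f"best fit: UTC{offset:+d} with {fraction:.0%} of beacons in working hours")
    print("hour histogram at that offset:", sorted(hour_histogram(beacons, offset).items()))
```

China has no daylight-saving time, so a fixed UTC+8 is an adequate stand-in for Beijing; a log spanning summer and winter for a DST-observing region would need a proper zone database instead of a fixed offset. The weekday filter matters as much as the hour window, since a Saturday beacon at a plausible hour is itself a signal. A working-hours fit is circumstantial and narrows the candidates to a band of longitudes rather than a country, so it is one indicator to be weighed alongside infrastructure, tooling and language artifacts, not a conclusion on its own.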


Public position of the Chinese government

Until 2013, the Chinese government consistently denied any involvement in hacking. In response to the Mandiant report on Unit 61398, Hong Lei, a spokesperson for the Chinese foreign ministry, called the allegations "unprofessional". In 2013, China changed its position and openly acknowledged having secretive cyber warfare units in both the military and the civilian part of the government; the details of their activities remain undisclosed. The Chinese government now openly lists its digital espionage and network attack capabilities, as a show of force towards the rest of the global community.


See also

* Titan Rain
* Chinese espionage in the United States
* National Security Agency of the United States
* PLA Unit 61486
* Signals intelligence
* Tailored Access Operations of the United States
* Mandiant
* FireEye


Coordinates: 31°20′57.43″N 121°34′24.74″E (from page 12 of the Mandiant APT1 report)