Monday, May 19, 2014

The New York Times: Exposing China's Cyberwarfare Unit 61398

Joint report, February 19, 2013


Chinese translation: 王童鹤、曹莉、陈亦亭、林蒙克、张薇

The New York Times


Chinese Army Unit Is Seen as Tied to Hacking Against U.S.

This 12-story building on the outskirts of Shanghai is the headquarters of Unit 61398 of the People’s Liberation Army. China’s defense ministry has denied that it is responsible for initiating digital attacks.

On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China’s growing corps of cyberwarriors.
The building off Datong Road, surrounded by restaurants, massage parlors and a wine importer, is the headquarters of P.L.A. Unit 61398. A growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.
An unusually detailed 60-page study, to be released Tuesday by Mandiant, an American computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as “Comment Crew” or “Shanghai Group” — to the doorstep of the military unit’s headquarters. The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area.
“Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
Other security firms that have tracked “Comment Crew” say they also believe the group is state-sponsored, and a recent classified National Intelligence Estimate, issued as a consensus document for all 16 of the United States intelligence agencies, makes a strong case that many of these hacking groups are either run by P.L.A. officers or are contractors working for commands like Unit 61398, according to officials with knowledge of its classified content.
Mandiant provided an advance copy of its report to The New York Times, saying it hoped to “bring visibility to the issues addressed in the report.” Times reporters then tested the conclusions with other experts, both inside and outside government, who have examined links between the hacking groups and the P.L.A. (Mandiant was hired by The New York Times Company to investigate a sophisticated Chinese-origin attack on the news operations, but concluded it was not the work of Comment Crew, but another Chinese group. The firm is not currently working for the Times Company but they are in discussions about a business relationship.)
While Comment Crew has drained terabytes of data from companies like Coca-Cola, increasingly its focus is on companies involved in the critical infrastructure of the United States — its electrical power grid, gas lines and waterworks. According to the security researchers, one target was a company with remote access to more than 60 percent of oil and gas pipelines in North America. The unit was also among those that attacked the computer security firm RSA, whose computer codes protect confidential corporate and government databases.
Contacted Monday, Chinese officials at the Chinese Embassy in Washington again insisted that their government does not engage in computer hacking, and that such activity is illegal. They describe China itself as a victim of computer hacking, and point out, accurately, that there are many hacking groups inside the United States. But in recent years the Chinese attacks have grown significantly, security researchers say. Mandiant has detected more than 140 Comment Crew intrusions since 2006. American intelligence agencies and private security firms that track many of the 20 or so other Chinese groups every day say those groups appear to be contractors with links to the unit.
While the unit’s existence and operations are considered a Chinese state secret, Representative Mike Rogers of Michigan, the Republican chairman of the House Intelligence Committee, said in an interview that the Mandiant report was “completely consistent with the type of activity the Intelligence Committee has been seeing for some time.”
The White House said it was “aware” of the Mandiant report, and Tommy Vietor, the spokesman for the National Security Council, said, “We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and we will continue to do so.”
The United States government is planning to begin a more aggressive defense against Chinese hacking groups, starting on Tuesday. Under a directive signed by President Obama last week, the government plans to share with American Internet providers information it has gathered about the unique digital signatures of the largest of the groups, including Comment Crew and others emanating from near where Unit 61398 is based.
But the government warnings will not explicitly link those groups, or the giant computer servers they use, to the P.L.A. The question of whether to publicly name the unit and accuse it of widespread theft is the subject of ongoing debate.
“There are huge diplomatic sensitivities here,” said one intelligence official, with frustration in his voice.
But Obama administration officials say they are planning to tell China’s new leaders in coming weeks that the volume and sophistication of the attacks have become so intense that they threaten the fundamental relationship between Washington and Beijing.
The United States government also has cyberwarriors. Working with Israel, the United States has used malicious software called Stuxnet to disrupt Iran’s uranium enrichment program. But government officials insist they operate under strict, if classified, rules that bar using offensive weapons for nonmilitary purposes or stealing corporate data.
The United States finds itself in something of an asymmetrical digital war with China. “In the cold war, we were focused every day on the nuclear command centers around Moscow,” one senior defense official said recently. “Today, it’s fair to say that we worry as much about the computer servers in Shanghai.”
A Shadowy Unit
Unit 61398 — formally, the 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department — exists almost nowhere in official Chinese military descriptions. Yet intelligence analysts who have studied the group say it is the central element of Chinese computer espionage. The unit was described in 2011 as the “premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence” by the Project 2049 Institute, a nongovernmental organization in Virginia that studies security and policy issues in Asia.
While the Obama administration has never publicly discussed the Chinese unit’s activities, a secret State Department cable written the day before Barack Obama was elected president in November 2008 described at length American concerns about the group’s attacks on government sites. (At the time American intelligence agencies called the unit “Byzantine Candor,” a code word dropped after the cable was published by WikiLeaks.)
The Defense Department and the State Department were particular targets, the cable said, describing how the group’s intruders sent e-mails, so-called “spearphishing” attacks, that placed malware on target computers once the recipient clicked on them. From there, they were inside the systems.
American officials say that a combination of diplomatic concerns and the desire to follow the unit’s activities have kept the government from going public. But Mandiant’s report is forcing the issue into public view.
For more than six years, Mandiant tracked the actions of Comment Crew, so named for the attackers’ penchant for embedding hidden code or comments into Web pages. Based on the digital crumbs the group left behind — its attackers have been known to use the same malware, Web domains, Internet protocol addresses, hacking tools and techniques across attacks — Mandiant followed 141 attacks by the group, which it called “A.P.T. 1” for Advanced Persistent Threat 1.
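The group's name comes from the technique described above: instructions for an implant hidden inside the comments of an ordinary-looking web page. The Python below is an added example, not code from the article, from Mandiant's report or from any real implant. It shows both sides of that technique: a page is scanned for HTML comments and a command hidden between marker strings is base64-decoded, and, from the defender's side, comments that consist of one long base64-looking token are flagged without knowing the marker format. The marker strings `<[[ ... ]]>`, the base64 encoding and the sample page are assumptions constructed for illustration.

```python
"""Extract and decode commands hidden in HTML comments.

Added example of the technique the article describes. The marker strings,
the base64 encoding and the sample page are assumptions constructed for
illustration, not the format used by any real implant.
"""
from __future__ import annotations

import base64
import binascii
import re

# Constructed sample page: one benign comment, and one carrying an encoded
# command between hypothetical marker strings (an assumption, not a real format).
SAMPLE_HTML = """<html><head><title>News</title></head>
<body>
<!-- page generated by cms v2 -->
<p>Welcome to our site.</p>
<!-- <[[ Y21kIC9jIHdob2FtaSA+IGM6XHRlbXBcYS50eHQ= ]]> -->
<p>Contact us.</p>
</body></html>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Assumed marker format: <[[ base64 ]]>
MARKER_RE = re.compile(r"<\[\[\s*([A-Za-z0-9+/=]+)\s*\]\]>")


def extract_comments(html: str) -> list[str]:
    """Return the stripped bodies of all HTML comments in the page."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def decode_hidden_commands(html: str) -> list[str]:
    """Implant side: return decoded commands found between the assumed markers."""
    commands = []
    for body in extract_comments(html):
        for m in MARKER_RE.finditer(body):
            try:
                raw = base64.b64decode(m.group(1), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64: ignore, the page may be benign
            commands.append(raw.decode("utf-8", errors="replace"))
    return commands


def suspicious_comments(html: str, min_len: int = 24) -> list[str]:
    """Defender side: flag comments whose body is a single long base64-looking
    token. Hand-written HTML comments are prose, so this is unusual even when
    the implant's marker format is unknown."""
    flagged = []
    for body in extract_comments(html):
        token = body.strip("<[] >")
        if len(token) >= min_len and re.fullmatch(r"[A-Za-z0-9+/=]+", token):
            flagged.append(body)
    return flagged


if __name__ == "__main__":
    print(decode_hidden_commands(SAMPLE_HTML))
    print(suspicious_comments(SAMPLE_HTML))
```

In practice the detection heuristic runs over proxy-captured responses rather than a string literal; the comment body check is the part that transfers.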
“But those are only the ones we could easily identify,” said Mr. Mandia. Other security experts estimate that the group is responsible for thousands of attacks.
As Mandiant mapped the Internet protocol addresses and other bits of digital evidence, it all led back to the edges of the Pudong district of Shanghai, right around the Unit 61398 headquarters. The firm’s report, along with 3,000 addresses and other indicators that can be used to identify the source of attacks, concludes that “the totality of the evidence” leads to the conclusion that “A.P.T. 1 is Unit 61398.”
Mandiant discovered that two sets of I.P. addresses used in the attacks were registered in the same neighborhood as Unit 61398’s building.
“It’s where more than 90 percent of the attacks we followed come from,” said Mr. Mandia.
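The reasoning in the preceding paragraphs, that most intrusions map back to a small set of netblocks and that the same addresses can be handed to network operators as indicators, is mechanical once the data is in hand. The following Python is an added example, not Mandiant's code or its indicator data: it attributes each intrusion's source IP to a netblock, computes the share per block (the "90 percent" kind of figure), and then uses the distinct IPs as an indicator list against proxy log lines. All addresses, netblocks, case ids and log lines are constructed from RFC 5737 documentation ranges; the region labels are hypothetical.

```python
"""Attribute intrusion sources to network ranges and match them in logs.

Added example, not code or data from the Mandiant report. Every IP, netblock,
case id and log line is constructed from documentation address space; the
region labels are hypothetical.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Constructed netblocks standing in for the ranges registered near a suspect
# location (hypothetical labels, RFC 5737 documentation address space).
NETBLOCKS = {
    "region-A": [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")],
    "region-B": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed intrusion records: (case id, source IP seen during the intrusion).
INTRUSIONS = [
    ("case-001", "192.0.2.10"),
    ("case-002", "192.0.2.11"),
    ("case-003", "198.51.100.5"),
    ("case-004", "203.0.113.7"),
    ("case-005", "192.0.2.200"),
    ("case-006", "198.51.100.200"),   # outside the /25: not attributable
    ("case-007", "192.0.2.33"),
    ("case-008", "192.0.2.77"),
    ("case-009", "192.0.2.99"),
    ("case-010", "192.0.2.120"),
]

# Constructed proxy log lines in a simple key=value format.
LOG_LINES = [
    "2013-02-18T03:12:44Z proxy src=10.1.2.3 dst=192.0.2.10 dport=443 bytes_out=48213",
    "2013-02-18T03:13:01Z proxy src=10.1.2.9 dst=203.0.113.250 dport=80 bytes_out=1200",
    "2013-02-18T03:14:10Z proxy src=10.1.2.3 dst=198.51.100.5 dport=8080 bytes_out=910000",
]
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def attribute(ip: str) -> str | None:
    """Return the label of the first netblock containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for label, blocks in NETBLOCKS.items():
        if any(addr in block for block in blocks):
            return label
    return None


def attribution_summary(intrusions) -> dict[str, int]:
    """Count intrusions per netblock label; unmatched sources are 'unattributed'."""
    counts = Counter(attribute(ip) or "unattributed" for _, ip in intrusions)
    return dict(counts)


def share(intrusions, label: str) -> float:
    """Fraction of intrusions whose source falls inside the labelled blocks."""
    if not intrusions:
        return 0.0
    return attribution_summary(intrusions).get(label, 0) / len(intrusions)


def indicator_ips(intrusions) -> set[str]:
    """Distinct source IPs: the list that would be shared with network operators."""
    return {ip for _, ip in intrusions}


def match_log_lines(lines, indicators: set[str]) -> list[tuple[str, str]]:
    """Return (line, label) for log lines whose destination is an indicator IP."""
    hits = []
    for line in lines:
        m = DST_RE.search(line)
        if m and m.group(1) in indicators:
            hits.append((line, attribute(m.group(1)) or "unattributed"))
    return hits


if __name__ == "__main__":
    print(attribution_summary(INTRUSIONS), share(INTRUSIONS, "region-A"))
    for line, label in match_log_lines(LOG_LINES, indicator_ips(INTRUSIONS)):
        print(label, line)
```

Note that a high share for one region is consistent with attackers routing through hosts there; the figure supports attribution only together with the other evidence the report lists.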
The only other possibility, the report concludes with a touch of sarcasm, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multiyear enterprise-scale computer espionage campaign right outside of Unit 61398’s gates.”
The most fascinating elements of the Mandiant report follow the keystroke-by-keystroke actions of several of the hackers whom the firm believes work for the P.L.A. Mandiant tracked their activities from inside the computer systems of American companies they were invading. The companies had given Mandiant investigators full access to rid them of the Chinese spies.
One of the most visible hackers it followed is UglyGorilla, who first appeared on a Chinese military forum in January 2004, asking whether China has a “similar force” to the “cyber army” being set up by the American military.
By 2007 UglyGorilla was turning out a suite of malware with what the report called a “clearly identifiable signature.” Another hacker, called “DOTA” by Mandiant, created e-mail accounts that were used to plant malware. That hacker was tracked frequently using a password that appeared to be based on his military unit’s designation. DOTA and UglyGorilla both used the same I.P. addresses linked back to Unit 61398’s neighborhood.
Mandiant discovered several cases in which attackers logged into their Facebook and Twitter accounts, getting around China’s firewall that blocks ordinary citizens’ access, which made it easier to track down their real identities.
Mandiant also discovered an internal China Telecom memo discussing the state-owned telecom company’s decision to install high-speed fiber-optic lines for Unit 61398’s headquarters.
China’s defense ministry has denied that it is responsible for initiating attacks. “It is unprofessional and groundless to accuse the Chinese military of launching cyberattacks without any conclusive evidence,” it said last month, one of the statements that prompted Mandiant to make public its evidence.
Escalating Attacks
Mandiant believes Unit 61398 conducted sporadic attacks on American corporate and government computer networks; the earliest it found was in 2006. Two years ago the numbers spiked. Mandiant discovered some of the intrusions were long-running. On average the group would stay inside a network, stealing data and passwords, for a year; in one case it had access for four years and 10 months.
Mandiant has watched the group as it has stolen technology blueprints, manufacturing processes, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of its clients, mostly in the United States. Mandiant identified attacks on 20 industries, from military contractors to chemical plants, mining companies and satellite and telecommunications corporations.
Mandiant’s report does not name the victims, who usually insist on anonymity. A 2009 attack on Coca-Cola coincided with the beverage giant’s failed attempt to acquire the China Huiyuan Juice Group for $2.4 billion, according to people with knowledge of the results of the company’s investigation.
As Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company, Comment Crew was busy rummaging through their computers in an apparent effort to learn more about Coca-Cola’s negotiation strategy.
The attack on Coca-Cola began, like hundreds before it, with a seemingly innocuous e-mail to an executive that was, in fact, a spearphishing attack. When the executive clicked on a malicious link in the e-mail, it gave the attackers a foothold inside Coca-Cola’s network. From inside, they sent confidential company files through a maze of computers back to Shanghai, on a weekly basis, unnoticed.
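A transfer that repeats weekly to the same outside destination is exactly the kind of regularity a defender can look for. The following Python is an added example, not from the article or from Mandiant's investigation: over constructed connection records it groups sessions by internal host and external destination, measures how regular the intervals between sessions are, and flags pairs that recur on a fixed schedule while moving a large volume outward. The records, addresses and thresholds are constructed assumptions chosen for the sample.

```python
"""Flag periodic bulk outbound transfers to one external destination.

Added example, not from the article or from Mandiant. Records, addresses and
thresholds are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed connection records: (timestamp, internal src, external dst, bytes out).
# Pair 1: weekly ~50 MB uploads with minute-level jitter (the exfiltration pattern).
# Pair 2: irregular small browsing sessions.
# Pair 3: hourly but tiny keep-alives (regular, yet far below the volume threshold).
_BASE = datetime(2013, 1, 7, 2, 15)
RECORDS = (
    [(_BASE + timedelta(days=7 * i, minutes=i % 3), "10.1.2.3", "192.0.2.10",
      50_000_000 + i * 1000) for i in range(8)]
    + [(_BASE + timedelta(days=d, hours=h), "10.1.2.9", "203.0.113.250", 1200)
       for d, h in ((1, 9), (2, 14), (5, 10), (6, 16), (20, 11))]
    + [(_BASE + timedelta(hours=i), "10.1.2.3", "198.51.100.5", 500) for i in range(5)]
)


def periodic_pairs(records, min_sessions=4, max_cv=0.1, min_total_bytes=100_000_000):
    """Return {(src, dst): stats} for pairs that look like scheduled bulk exfiltration.

    cv is the coefficient of variation of the inter-session intervals: a value
    near 0 means the sessions recur on a fixed schedule. The thresholds are
    assumptions for the sample data.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    flagged = {}
    for pair, sessions in by_pair.items():
        if len(sessions) < min_sessions:
            continue
        sessions.sort()
        times = [ts for ts, _ in sessions]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        total = sum(n for _, n in sessions)
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv and total >= min_total_bytes:
            flagged[pair] = {
                "sessions": len(sessions),
                "interval_hours": avg / 3600,
                "cv": cv,
                "total_bytes": total,
            }
    return flagged


if __name__ == "__main__":
    for pair, stats in periodic_pairs(RECORDS).items():
        print(pair, stats)
```

The volume threshold is what separates this from ordinary beacon detection: a keep-alive on a fixed schedule is common and noisy, while a fixed schedule carrying hundreds of megabytes outward is not.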
Two years later, Comment Crew was one of at least three China-based groups to mount a similar attack on RSA, the computer security company owned by EMC, a large technology company. It is best known for its SecurID token, carried by employees at United States intelligence agencies, military contractors and many major companies. (The New York Times also uses the firm’s tokens to allow access to its e-mail and production systems remotely.) RSA has offered to replace SecurID tokens for customers and said it had added new layers of security to its products.
As in the Coca-Cola case, the attack began with a targeted, cleverly fashioned poisoned e-mail to an RSA employee. Two months later, hackers breached Lockheed Martin, the nation’s largest defense contractor, partly by using the information they gleaned from the RSA attack.
Mandiant is not the only private firm tracking Comment Crew. In 2011, Joe Stewart, a Dell SecureWorks researcher, was analyzing malware used in the RSA attack when he discovered that the attackers had used a hacker tool to mask their true location.
When he reverse-engineered the tool, he found that the vast majority of stolen data had been transferred to the same range of I.P. addresses that Mandiant later identified in Shanghai.
Dell SecureWorks says it believes Comment Crew includes the same group of attackers behind Operation Shady RAT, an extensive computer espionage campaign uncovered in 2011 in which, over a five-year period, more than 70 organizations were targeted, including the United Nations and government agencies in the United States, Canada, South Korea, Taiwan and Vietnam.
Infrastructure at Risk
What most worries American investigators is that the latest set of attacks believed to come from Unit 61398 focus not just on stealing information, but on obtaining the ability to manipulate American critical infrastructure: the power grids and other utilities.
Staff at Digital Bond, a small security firm that specializes in those industrial-control computers, said that last June Comment Crew unsuccessfully attacked it. A part-time employee at Digital Bond received an e-mail that appeared to come from his boss, Dale Peterson. The e-mail, in perfect English, discussed security weaknesses in critical infrastructure systems, and asked the employee to click a link to a document for more information. Mr. Peterson caught the e-mail and shared it with other researchers, who found the link contained a remote-access tool that would have given the attackers control over the employee’s computer and potentially given them a front-row seat to confidential information about Digital Bond’s clients, which include a major water project, a power plant and a mining company.
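The Digital Bond e-mail has the features a mail-triage script can check mechanically: a display name matching a known colleague on a sender address outside the company's domain, and a link whose visible text does not match where it actually points. The following Python is an added example, not Digital Bond's or any vendor's tooling; the message, the company domain, the staff directory entry and the URLs in it are constructed.

```python
"""Triage a suspected spearphishing e-mail.

Added example, not Digital Bond's or any vendor's tooling. The message,
company domain, staff directory entry and URLs are constructed.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"                        # assumption: the firm's own domain
KNOWN_STAFF = {"Dale Peterson": "dale@example.com"}   # constructed directory entry

# Constructed message: a known name on an outside address, and a link whose
# visible text is a company URL while the href points at a bare IP and a .doc.
RAW_MESSAGE = b"""From: Dale Peterson <dale.peterson@mail-example.net>
To: employee@example.com
Subject: Critical infrastructure security weaknesses
Content-Type: text/html; charset=utf-8

<p>Please review this document on weaknesses in control systems:</p>
<p><a href="http://203.0.113.45/docs/report.doc">https://example.com/reports/weaknesses.pdf</a></p>
"""

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
BARE_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RISKY_SUFFIXES = (".doc", ".exe", ".scr")  # assumption: types worth a second look


def triage(raw: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Sender checks: display name impersonation and external origin.
    name, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if name in KNOWN_STAFF and addr.lower() != KNOWN_STAFF[name].lower():
        findings.append(f"display-name spoof: '{name}' but sender is {addr}")
    if sender_domain != COMPANY_DOMAIN:
        findings.append(f"external sender domain: {sender_domain}")

    # Link checks on the HTML body (falls back to plain text, which has no anchors).
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in HREF_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if shown_host and shown_host.lower() != href_host:
            findings.append(f"link text shows {shown_host} but href goes to {href_host}")
        if BARE_IP_RE.fullmatch(href_host):
            findings.append(f"link to bare IP address: {href}")
        if urlparse(href).path.lower().endswith(RISKY_SUFFIXES):
            findings.append(f"link to downloadable document or executable: {href}")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print(finding)
```

None of these checks proves malice on its own; the point is that the sample message trips all of them, while a genuine internal note from the same colleague trips none.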
Jaime Blasco, a security researcher at AlienVault, analyzed the computer servers used in the attack, which led him to other victims, including the Chertoff Group. That firm, headed by the former secretary of the Department of Homeland Security, Michael Chertoff, has run simulations of an extensive digital attack on the United States. Other attacks were made on a contractor for the National Geospatial-Intelligence Agency, and the National Electrical Manufacturers Association, a lobbying group that represents companies that make components for power grids. Those organizations confirmed they were attacked but have said they prevented attackers from gaining access to their network.
Mr. Blasco said that, based on the forensics, all the victims had been hit by Comment Crew. But the most troubling attack to date, security experts say, was a successful invasion of the Canadian arm of Telvent. The company, now owned by Schneider Electric, designs software that gives oil and gas pipeline companies and power grid operators remote access to valves, switches and security systems.
Telvent keeps detailed blueprints on more than half of all the oil and gas pipelines in North and South America, and has access to their systems. In September, Telvent Canada told customers that attackers had broken into its systems and taken project files. That access was immediately cut, so that the intruders could not take command of the systems.
Martin Hanna, a Schneider Electric spokesman, did not return requests for comment, but security researchers who studied the malware used in the attack, including Mr. Stewart at Dell SecureWorks and Mr. Blasco at AlienVault, confirmed that the perpetrators were the Comment Crew.
“This is terrifying because — forget about the country — if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and doing things like what happened to Telvent,” Mr. Peterson of Digital Bond said. “It’s the holy grail.”
Mr. Obama alluded to this concern in the State of the Union speech, without mentioning China or any other nation. “We know foreign countries and companies swipe our corporate secrets,” he said. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.”
Mr. Obama faces a vexing choice: In a sprawling, vital relationship with China, is it worth a major confrontation between the world’s largest and second-largest economies over computer hacking?
A few years ago, administration officials say, the theft of intellectual property was an annoyance, resulting in the loss of billions of dollars of revenue. But clearly something has changed. The mounting evidence of state sponsorship, the increasing boldness of Unit 61398, and the growing threat to American infrastructure are leading officials to conclude that a far stronger response is necessary.
“Right now there is no incentive for the Chinese to stop doing this,” said Mr. Rogers, the House intelligence chairman. “If we don’t create a high price, it’s only going to keep accelerating.”
