China has consistently denied state-sponsored hacking, but experts say the office hours that the cyberspies keep point to a professional army rather than mere hobbyists or so-called “hacktivists” inspired by patriotic passions.
Mandiant noticed this same pattern while monitoring attacks on the New York Times last year, blamed on another Chinese hacking group it labeled APT12.
Libicki said he was not aware of any comprehensive studies, but that in such cases most activity between malware embedded in a compromised system and the malware’s controllers takes place during business hours in Beijing’s time zone.
Richard Forno, director of the University of Maryland Baltimore County’s graduate cybersecurity program, and David Clemente, a cybersecurity expert with independent analysis center Chatham House in London, said that this observation has been widely noted among cybersecurity specialists.
“It would reflect the idea that this is becoming a more routine activity and that they are quite methodical,” Clemente said.
The PLA’s Third Department is brimming with resources, according to studies commissioned by the US government, with 12 operation bureaus, three research institutes and an estimated 13,000 linguists, technicians and researchers as staff. It is further reinforced by technical teams from China’s seven military regions spread across the country and by the military’s vast academic resources, especially the PLA University of Information Engineering and the Academy of Military Sciences.
The PLA is believed to have made cyberwarfare a key priority in its capabilities more than a decade ago. One of the few public announcements of its development came in a May 25, 2011, news conference by Chinese Ministry of National Defense spokesman Geng Yansheng (耿雁生), in which he talked of developing China’s “online” army.
“Currently, China’s network protection is comparatively weak,” Geng said, adding that enhancing information technology and “strengthening network security protection are important components of military training for an army.”
Unit 61398 is considered just one of many such units under the Third Department responsible for hacking, according to experts.
Greg Walton, a cybersecurity researcher who has tracked Chinese hacking campaigns, said he has observed the “Comment Crew” at work, but cites another Third Department unit operating out of the southwestern city of Chengdu as equally active. It is tasked with stealing secrets from Indian government security agencies and think tanks, together with the India-based Tibetan government-in-exile, Walton said.
Another hacking outfit believed by some to have PLA links, the “Elderwood Group,” has targeted defense contractors, human rights groups, non-governmental organizations and service providers, according to computer security company Symantec.
It is believed to have compromised Amnesty International’s Hong Kong Web site in May last year, although other attacks have gone after targets as diverse as the US Council on Foreign Relations and Capstone Turbine Corp, which makes gas microturbines for power plants.
Civilian departments believed to be involved in hacking include those under China’s Ministry of Public Security, which commands the police, and the Ministry of State Security, one of the leading clandestine intelligence agencies.