Three months after hackers working for a cyberunit of China’s People’s Liberation Army (PLA) went silent amid evidence that they had stolen data from scores of US companies and government agencies, they appear to have resumed their attacks using different techniques, according to computer industry security experts and US officials.
The administration of US President Barack Obama had bet that “naming and shaming” the groups, first in industry reports and then in the Pentagon’s own detailed survey of Chinese military capabilities, might prompt China’s new leadership to crack down on the military’s highly organized team of hackers — or at least urge them to become more subtle.
However, Unit 61398, whose well-guarded 12-story white headquarters on the edges of Shanghai became the symbol of Chinese cyberpower, is back in business, according to US officials and security companies.
It is not clear precisely who has been affected by the latest attacks. Mandiant, a private security company that helps companies and government agencies defend themselves from hackers, said the attacks had resumed, but would not identify the targets, citing agreements with its clients. However, it did say the victims were many of the same ones the unit had attacked before.
The hackers were behind scores of thefts of intellectual property and government documents over the past five years, according to a report by Mandiant in February that was confirmed by US officials. They have stolen product blueprints, manufacturing plans, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of Mandiant’s clients, predominantly in the US.
According to security experts, the cyberunit was responsible for a 2009 attack on the Coca-Cola Co that coincided with its failed attempt to acquire the China Huiyuan Juice Group.
In 2011, it attacked RSA, a maker of data security products used by US government agencies and defense contractors, and used the information it collected from that attack to break into the computer systems of Lockheed Martin, the aerospace contractor.
More recently, the group took aim at companies with access to the nation’s power grid, security experts said.
In September last year, it broke into the Canadian arm of Telvent, now Schneider Electric, which keeps detailed blueprints on more than half the oil and gas pipelines in North America.
Representatives of Coca-Cola and Schneider Electric did not return requests for comment on Sunday. A Lockheed Martin spokesman said the company declined to comment.
In interviews, Obama administration officials said they were not surprised by the resumption of the hacking activity.
One senior official said on Friday last week that “this is something we are going to have to come back at time and again with the Chinese leadership,” who, he said, “have to be convinced there is a real cost to this kind of activity.”
Mandiant said that the Chinese hackers had stopped their attacks after they were exposed in February and removed their spying tools from the organizations they had infiltrated.
However, during the past two months, they have gradually begun attacking the same victims from new servers and have reinserted many of the tools that enable them to seek out data without detection.
They are now operating at between 60 and 70 percent of the level they were working at before, according to a study by Mandiant requested by the New York Times.