The Times hired Mandiant to investigate an attack that originated in China on its news operations in autumn last year. Mandiant is not currently working for the New York Times.
Mandiant’s findings match those of Crowdstrike, another security company that has also been tracking the group. Adam Meyers, director of intelligence at Crowdstrike, said that apart from a few minor changes in tactics, it was “business as usual” for the Chinese hackers.
The subject of Chinese attacks is expected to be a central issue in an upcoming visit to China by Obama’s national security adviser, Thomas Donilon, who has said that dealing with China’s actions in cyberspace is now moving to the center of the complex security and economic relationship between the two countries.
However, hopes for progress on the issue are limited. When the Pentagon released its report this month officially identifying the Chinese military as the source of years of attacks, the Chinese Ministry of Foreign Affairs denied the accusation, and People’s Daily, which reflects the views of the Chinese Communist Party, called the US “the real ‘hacking empire,’” saying it “has continued to strengthen its network tools for political subversion against other countries.”
Other Chinese organizations and academics cited US and Israeli cyberattacks on Iran’s nuclear facilities as evidence of US hypocrisy.
At the White House, National Security Council spokeswoman Caitlin Hayden said on Sunday that “what we have been seeking from China is for it to investigate our concerns and to start a dialogue with us on cyberissues.”
She said that China “agreed last month to start a new working group,” and that the administration hoped to win “longer-term changes in China’s behavior, including by working together to establish norms against the theft of trade secrets and confidential business information.”
In a report to be issued today, a private task force led by Obama’s former director of national intelligence, Dennis Blair, and former US ambassador to China Jon Huntsman lays out a series of proposed executive actions and congressional legislation intended to raise the stakes for China.
“Jawboning alone won’t work,” Blair said on Saturday. “Something has to change China’s calculus.”
The exposure of Unit 61398’s actions, which have long been well-known to US intelligence agencies, did not accomplish that task.
One day after Mandiant and the US government revealed the PLA unit as the culprit behind hundreds of attacks on agencies and companies, the unit began a haphazard cleanup operation, Mandiant said.
Attack tools were unplugged from victims’ systems. Command and control servers went silent. And of the 3,000 technical indicators Mandiant identified in its initial report, only a sliver kept operating. Some of the unit’s most visible operatives, hackers with names like “DOTA,” “SuperHard” and “UglyGorilla,” disappeared, as cybersleuths scoured the Internet for clues to their real identities.
In the case of UglyGorilla, Web sleuths found digital evidence that linked him to a Chinese national named Wang Dong, who kept a blog about his experience as a PLA hacker from 2006 to 2009, in which he lamented his low pay, long hours and instant ramen meals.