Targeted for theft were “broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.”
At just one company, Mandiant researchers discovered 6.5 terabytes of data were stolen over a 10-month period, all exfiltrated back to computers identified in the same block in Shanghai where the Chinese military’s cyberespionage unit is located. Sometimes data was seen being stolen from dozens of victims at once, Mandiant reported.
APT1 generally established access through spear-phishing: sending someone in a targeted company an e-mail designed to look legitimate but carrying malware in an attachment. Once they gained access to a system, the cyberspies periodically revisited the victim’s network over several months or years.
The findings broadly square with those of other cybersecurity researchers. What Mandiant calls APT1 others have called “Comment Crew” or the “Shanghai Group.” But Mandiant’s 200-page report offers unprecedented detail in specifically identifying APT1 as the cyberespionage section of the Chinese People’s Liberation Army (PLA), even if it lacks a “smoking gun.”
Mandiant says it traced the data flow, IP addresses, and other digital signatures of the attackers to a block in downtown Shanghai that includes a new, white-brick, 12-story office building that is home to the Second Bureau of the PLA’s General Staff Department’s Third Department. That group’s most common designation is “Unit 61398,” and it is estimated to have hundreds or possibly thousands of employees, for whom English proficiency is a requirement.