Mandiant says it traced the data flow, IP addresses, and other digital signatures of the attackers to a block in downtown Shanghai that includes a new, white brick 12-story office building that is home to the Second Bureau of the PLA’s General Staff Department’s Third Department. That group’s most common designation is “Unit 61398,” and it is estimated to have hundreds or possibly thousands of employees – and English proficiency is a requirement.
The Mandiant findings make sense to L.C. Russell Hsiao, a senior research fellow at the Project 2049 Institute, a nonprofit group in Arlington, Va., that has made a specialty of analyzing China’s cyber and signals intelligence units within the PLA.
In 2011, Project 2049 produced a report that also identifies Unit 61398 as a cyberespionage group run by the PLA that “appears to function as the Third Department’s premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence.”
Among the details in the Mandiant report:
“We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398,” the report concludes.
Indeed, the report “provides a new baseline for the [intelligence] communities looking at these cyberespionage groups to ascertain the different groups and their activities,” Mr. Hsiao says.