Hackers commissioned by a cyber unit of the People's Liberation Army in China have been quiet in recent months after evidence surfaced that the crooks had stolen data from U.S. government agencies and companies. But The New York Times is reporting that the group is once again on the cyber warpath with new strategies.
The Times is citing American security experts and officials as its sources. Mandiant, the firm that issued a report on Chinese hackers in February, is one of those security experts. Although the firm declined to identify the targets, the Times reports Mandiant as saying the victims were many of the same ones Unit 61398 previously attacked.
"In interviews, Obama administration officials said they were not surprised by the resumption of the hacking activity," the Times reported. "One senior official said Friday that 'this is something we are going to have to come back at time and again with the Chinese leadership,' who, he said, 'have to be convinced there is a real cost to this kind of activity.' "
$873 Million in Damage
Security firms also have a close eye on the news. Jim Butterworth, chief security officer at HBGary, told us the fact that these hackers have resumed their attacks is not surprising.
"Every day we see adversaries adapt their attack methods to avoid detection and remain persistent in the networks," Butterworth says. "These attackers are highly motivated and well-funded and will not be easily deterred, which is why organizations need to consistently and effectively perform the five key phases of incident response: detection, validation, response, mitigation and adapt and prepare."
According to a report from the Financial Times, hackers who call China their home base did $873 million in damage to the Chinese economy in 2011. Financial Times writer Kathrin Hille reports that the country "has no equivalent of Mandiant yet" and that its leading Internet security firms "have no ambition in investing in forensics, the capability that supports long-term, in-depth analysis of the origin, structure and technical detail of past attacks that is being built by firms such as Symantec or TrendMicro."
Mandiant's February analysis led the firm to conclude that APT1, a prolific cyber-espionage group that is believed to be part of the Chinese military's Unit 61398, has conducted attacks on a number of victims since at least 2006, is likely sponsored by the Chinese government and is one of the most persistent of China's threat actors.
According to Mandiant, APT1 maintains an extensive infrastructure of computer systems around the world. In over 97 percent of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.