PLA Unit 61486

Unit 61486
Country: People's Republic of China
Allegiance: Chinese Communist Party [1]
Branch: People's Liberation Army Strategic Support Force
Type: Cyber force
Role: Cyber warfare, electronic warfare
Part of: People's Liberation Army
Nickname(s): Putter Panda

PLA Unit 61486 (also known as Putter Panda or APT2) is a People's Liberation Army unit dedicated to cyberattacks on American, Japanese, and European corporations focused on satellite and communications technology. It is a unit that takes part in China's campaign to steal trade and military secrets from foreign targets. [2] [3] [4] [5]


In 2014, the unit was exposed to the public by a report from CrowdStrike, a digital security firm. One member of Unit 61486 has been identified as Chen Ping, who used the online alias "cpyy". CrowdStrike also nicknamed Unit 61486 "Putter Panda", in reference to its Chinese origins ("panda") and its penchant for targeting golf players ("putter"). [2]

Its exposure came after another PLA unit, PLA Unit 61398, had been exposed for similar activity the previous year, and after the indictment of five members of Unit 61398 by the United States the previous month. [2] Meanwhile, Edward Snowden's release of information on America's surveillance program became a focal point in China's response to the accusations of spying, with China using it as evidence that the United States was hypocritical in its accusations of espionage. [6]

History

Unit 61486 is a bureau within the operations arm of the Third Department of the General Staff Department. Its name, Unit 61486, is a Military Unit Cover Designator (MUCD); such designators are used to hide a unit's true identity. [7] The earliest signs of the unit's existence date from 2007. [8] Unit 61486 is the 12th Bureau within the Third Department. The majority of its cyber attacks have targeted American, European, and Japanese industries working in aerospace and satellites, and the unit is believed to be focused on space technology. [7] [8]

Operations

The unit has primarily done its work through spear-phishing that delivers a Remote Access Tool (RAT), targeting members of the industries noted above, with a particular focus on those who played golf. [2] The emails carried PDF and Word documents that detailed information related to conferences; opening them installed the Remote Access Tool, allowing the victim's computer to be accessed remotely. [5] One example of this operation was an email brochure that appeared to be for a yoga studio in Toulouse but would steal the personal information of the person who opened it. [2] CrowdStrike's report states that Unit 61486 used Adobe Reader and Microsoft Office as the vessels for the malware. [6] According to CrowdStrike, the 2014 attack on the Canadian National Research Council could also be attributed to Unit 61486. CrowdStrike's Chief Technology Officer Dmitri Alperovitch said that the attack was similar to ones conducted by Unit 61486 in the past: "It certainly looks like one of the actors we track out of China that we've seen going after aircraft manufacturers in the past." [9] However, Canada only stated that the attack was carried out by state actors working for China, saying "a highly sophisticated Chinese state-sponsored actor" had been responsible; its statement did not directly attribute the attack to Unit 61486. [7] [9]

In response to these allegations, the Ministry of Foreign Affairs of the People's Republic of China demanded that Canada stop making such claims. Foreign ministry spokesman Qin Gang said that Canada did not have any evidence to back the claim and that the accusation was an unjustified provocation. [9]

Exposing of Operations

[Image: Zhabei District from Pearl Tower, where Unit 61486's headquarters is believed to be located]

On 9 June 2014, the security firm CrowdStrike released a report detailing the actions of Unit 61486, as well as identifying a potential member of the unit. [8] CrowdStrike states that it released the report publicly because of China's statement following the United States indictment of five members of Unit 61398: China had responded to the indictment by claiming that the charges were lies and that the information used was fabricated. [8] [6] CrowdStrike's CEO, George Kurtz, states that the report was released publicly to provide irrefutable evidence of China's involvement in cyber espionage, as a means to counter the claims made by the Chinese government: [5]

"This report is part of our extensive intelligence library and was made available to our intelligence subscribers in April 2014, prior to the US Government’s criminal indictment and China’s subsequent refusal to engage in a constructive dialog ... We believe the U.S. Government indictments and global acknowledgment and awareness are important steps in the right direction. In support of these efforts, we are making this report available to the public to continue the dialog around this ever-present threat." [8]

Another aim of releasing the report was to show the international community that the indictment of five individuals for cyber espionage did not represent the full extent of China's cyber espionage program, nor was that program limited to targeting only the United States. Rather, as George Kurtz wrote, it was just "the tip of the iceberg", with campaigns taking place across the world. [8]

The investigation revealed a potential member of the unit under the alias "cpyy". Several email addresses that used this alias were registered to a person named Chen Ping. A personal blog on 163.com lists this person's employment as either military or police, and gives his birth date as 25 May 1979. The same page also had posts in an IT category, while a separate blog linked to Chen Ping indicated he had either studied or worked on networking or programming from 2002 to 2003. The report also pointed to several images on his personal sina.com blog indicating that he had attended Shanghai Jiao Tong University, a university that allegedly is targeted for recruitment into the PLA. In addition, several other posts suggested he was a member of the PLA, including photos with PLA uniforms in the background. [10] [8] In a personal blog Chen Ping listed his work as military, while in a different blog a post said "Soldier's duty is to defend the country, as long as our country is safe, our military is excellent.", suggesting that Chen held nationalistic ideals that would encourage one to join the armed forces. This blog also states that Chen Ping lived in Shanghai from 2005 to 2007. However, the page had last been updated in 2007, and it was taken down following the release of CrowdStrike's report. [8]

Based on previous IP addresses and photos from Chen Ping's multiple personal blogs, CrowdStrike states that the unit's headquarters is within the Zhabei District of Shanghai. Furthermore, several of the website domains registered by Chen Ping led to an address close to a building he had photographed and posted under the caption "office". These personal photos also showed large satellite dish installations. From its investigations CrowdStrike believed that Unit 61486 was involved in space surveillance as well as the targeting of Western companies that manufactured or researched satellites, and thus that the satellite dishes were related to this activity. A webpage published by a Chinese government entity, detailing theatrical performances involving members of the PLA, listed an address that also corresponds to the area containing the buildings in Chen Ping's photos. With the address from this site as well as the personal photos from Chen Ping's blogs, CrowdStrike states that it believes this building is the headquarters of Unit 61486. [10] [8]

The report also suggested that Unit 61486 works alongside Unit 61398, another unit within the Third Department: several domains registered to alleged members of Unit 61486 shared an IP address with domains used by Unit 61398. In addition to the alleged cooperation with Unit 61398, another group, Vixen Panda, is mentioned as having a connection to Unit 61486, as an IP address that Vixen Panda had used for one of its sites had also been associated with a domain that Unit 61486 had used. Furthermore, "cpyy" (Chen Ping) was found to interact with an individual using the handle "linxder" on cpyy.org, cpyy's own site. "linxder" is the handle of someone who is part of Comment Panda, another hacking group believed to be based in Shanghai. [8]

Following the exposure of Chen Ping, or "cpyy", all of his information was taken down the day after the report was released. Additionally, CrowdStrike believes that Chen Ping has been moved from Shanghai to Kunming in Yunnan province; according to the Project 2049 Institute, Unit 61486 has a facility in that region. [citation needed]

The report had been available to subscribers of CrowdStrike since April 2014. However, only following its public release were there responses from the United States as well as the Chinese Foreign Ministry. [10]

Official Response by the Chinese Foreign Ministry

The previous year, the security firm Mandiant had exposed Unit 61398 for activity similar to that of Unit 61486. The month before the report on Unit 61486 was released, the United States had indicted five people it believed to be members of Unit 61398 for cyber espionage, marking the first time this charge was levelled at state actors. [5] The exposure of Unit 61486 raised tensions between the two nations further. This led to the Foreign Ministry threatening to start a trade war with the United States, as well as more inspections and regulation of US technologies coming into the country. [2] China also pulled out of several meetings with the United States over the issue of hacking. Additionally, a spokeswoman for China's foreign ministry, upon hearing the allegations in CrowdStrike's report on Unit 61486, scorned it as giving her "déjà vu", in reference to the report made by Mandiant the year before. [6]

Edward Snowden had exposed United States spying programs conducted by the CIA and NSA the year before Unit 61486 was revealed by the CrowdStrike report. This was brought up by Foreign Ministry spokeswoman Hua Chunying as an example of the United States being hypocritical in its accusations of China stealing information from Western corporations. Hua Chunying stated that the United States had no right to accuse others of hacking, as it had been caught doing so itself, and called the United States a "hacker empire". [2] [6]

In a press conference, Foreign Ministry spokeswoman Hua Chunying stated: "The United States cannot pretend that it is the victim. They are a hacker empire. I think everyone in the world knows this." [6]

In addition, earlier in the year it had been revealed by The New York Times and Der Spiegel that the NSA had also hacked Huawei's servers. This was done to see whether there was any relationship between the PLA and Huawei, but it quickly expanded to developing exploits that would allow the NSA to access Huawei's networks to conduct surveillance and "offensive operations". This operation, known as "Shotgiant", was conducted despite a 2012 House Intelligence Committee report that had stated there was no connection between the PLA and Huawei, or another company, ZTE. This too was brought up by the Foreign Ministry as another case of American hypocrisy in spying allegations. [11] The Foreign Ministry spokesperson further stated that the report could not be correct, saying it was ridiculous that someone doing this sort of work would be open about being a hacker.

In a news brief, Foreign Ministry spokeswoman Hua Chunying stated: "I think this is both curious and puzzling. Have you ever seen a thief in the street who advertises on his chest that he is a thief? Honestly speaking, I think what the U.S. has done here cannot be accepted as correct." [6]

In addition to these allegations, the week before the report was released the Chinese government had criticised the United States Department of Defense for releasing a report estimating China's actual military spending at US$145 billion. That report additionally warned that China was speeding up its military modernisation program. However, even though relations between the two nations were already poor and worsening because of these events and allegations, China still accepted an invitation to participate in RIMPAC, which was to take place within the month. This marked the first time China participated in an American-led naval drill, though it had previously attended in 1998 as an observer. China sent four ships in total: a destroyer, a frigate, a supply ship and a hospital ship. [6] [12]


References

  1. "The PLA Oath" (PDF). February 2009. Archived (PDF) from the original on September 24, 2015. Retrieved October 30, 2015. I am a member of the People's Liberation Army. I promise that I will follow the leadership of the Communist Party of China...
  2. Perlroth, Nicole (9 June 2014). "2nd China Army Unit Implicated in Online Spying". The New York Times. Archived from the original on 10 June 2014. Retrieved 9 June 2014.
  3. "Second China unit accused of cyber crime". Financial Times. 10 June 2014. Archived from the original on 30 April 2024. Retrieved 10 June 2014.
  4. "Cyber Spies Targeting U.S. Defense, Tech Firms Linked to China's PLA: Report". SecurityWeek.com. Archived from the original on 28 December 2017. Retrieved 18 December 2017.
  5. "Cyber conflict escalates: Second Chinese PLA hacking group accused". Defense Systems. Archived from the original on 28 December 2017. Retrieved 18 December 2017.
  6. Menn, Joseph (10 June 2014). "Private U.S. report accuses another Chinese military unit of hacking". Reuters. Archived from the original on 17 October 2020. Retrieved 15 October 2020.
  7. Cheng, Dean (14 November 2016). Cyber Dragon: Inside China's Information Warfare and Cyber Operations. ABC-CLIO, LLC, 2017. ISBN 978-1440835643.
  8. "CrowdStrike Intelligence Report: Putter Panda" (PDF). CrowdStrike. Archived (PDF) from the original on 11 November 2020. Retrieved 2 November 2020.
  9. Sharp, Alastair; Ljunggren, David (1 August 2014). "Hacking attack in Canada bears signs of Chinese army unit: expert". Reuters. Archived from the original on 16 May 2021. Retrieved 2 November 2020.
  10. Frizell, Sam. "How to Hunt a Chinese Hacker". Time Magazine. Archived from the original on 22 January 2021. Retrieved 2 November 2020.
  11. Perlroth, Nicole; Sanger, David (22 March 2014). "N.S.A. Breached Chinese Servers Seen as Security Threat". The New York Times. Archived from the original on 18 February 2017. Retrieved 2 November 2020.
  12. "China confirms attendance at U.S.-hosted naval exercises in June". Reuters. 9 June 2014. Archived from the original on 8 March 2020. Retrieved 2 November 2020.