The aerospace industry makes up the second largest group of companies that have been targeted by a unit of the Chinese military since 2006 for stealing various proprietary data by electronic means, according to a report released recently by the Virginia-based cyber security firm Mandiant.
The report exposes an organization that it believes is linked to China’s People’s Liberation Army and has significant resources and manpower to sustain long-running cyber penetrations and data theft against its targets. The organization, which Mandiant calls APT1, is located in Shanghai and “has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously,” says the report, APT1: Exposing One of China’s Cyber Espionage Units.
Mandiant’s report provides satellite images of the 12-story building that APT1 operates from and even provides a photograph of the building taken from outside of the facility.
The New York Times first reported the Mandiant report.
Of the 141 companies that Mandiant says were breached by APT1 and had data stolen, 16 or 17 are aerospace firms, a chart from the report shows. Another chart shows that the first breach against an aerospace company occurred in mid-2009 and the latest breach occurred in the second half of 2012.
The information technology sector accounted for the most companies compromised, about 18 or 19. Other industries attacked include satellites and telecommunications, high-tech electronics, navigation, engineering services, and scientific research and consulting. All told, 20 different industries have been targeted by APT1 beginning in 2006, Mandiant says.
Altogether, 115 of the firms compromised by APT1 are based in the United States and 87 percent are headquartered in countries where English is the official language, the report says. The report doesn’t identify specific companies that have been attacked.
On average, the cyber breaches against individual companies have lasted 356 days, although some attacks lasted several years and others just months, the report says.
“Once APT1 has compromised a network, they repeatedly monitor and steal proprietary data and communications from the victim for months or even years,” Mandiant says.
The types of data that the Chinese military unit has been stealing include product development and use, including test results and system designs; manufacturing procedures; business plans; contract negotiations and product pricing; mergers and acquisitions; policy positions; minutes from meetings; emails of high-ranking executives; and user credentials and network architecture information.
In addition to exposing APT1, Mandiant released over 3,000 indicators of the cyber espionage unit, including domain names, IP addresses and hashes of malware, to enable potential targets to bolster their defenses.
Publishing the indicators will shorten their “lifespan,” the report acknowledges, because APT1 will change its techniques as a result.
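The way a defender puts an indicator release like this to work is to match the published domains, IP addresses and malware hashes against their own DNS, proxy and endpoint logs. The script below is an added illustration of that matching step; it is not code from the article or from Mandiant, and the indicator values and log lines in it are constructed placeholders (TEST-NET addresses, `.example` domains, a made-up hash), not the real APT1 indicators. The key=value log format is an assumption chosen for the example.

```python
"""Match a list of published indicators (domains, IPs, file hashes) against log lines."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed placeholder indicators: NOT Mandiant's published APT1 indicators,
# only stand-ins for the three indicator types the article names.
IOC_DOMAINS = {"update.bad-cdn.example", "mail.lookalike-corp.example"}
IOC_IPS = {ipaddress.ip_address("203.0.113.45"), ipaddress.ip_address("198.51.100.7")}
IOC_MD5 = {"0123456789abcdef0123456789abcdef"}

# Constructed sample log lines (DNS resolver, web proxy, endpoint agent) in an
# assumed key=value format; line numbers in matches are 1-based into this list.
SAMPLE_LOGS = [
    "2013-02-19T10:01:02Z dns client=10.0.0.12 query=www.example.org",
    "2013-02-19T10:01:05Z dns client=10.0.0.12 query=cdn1.update.bad-cdn.example",
    "2013-02-19T10:02:11Z proxy client=10.0.0.33 dst=203.0.113.45 url=http://203.0.113.45/upd.bin",
    "2013-02-19T10:03:40Z edr host=ws-0042 file=C:\\Temp\\svc.exe md5=0123456789ABCDEF0123456789ABCDEF",
    "2013-02-19T10:04:00Z proxy client=10.0.0.33 dst=93.184.216.34 url=http://example.com/",
]

# Loose token extractors; candidates are validated against the indicator sets.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    line_no: int
    ioc_type: str   # "domain", "ip" or "md5"
    indicator: str  # the listed indicator that fired
    observed: str   # the token as it appeared in the log


def domain_hits(host):
    """Return the listed domain that `host` equals or is a subdomain of, else None.

    Subdomain matching matters: an actor can mint new hostnames under a listed
    domain without changing the domain itself. Comparison is case-insensitive
    and ignores a trailing dot.
    """
    host = host.lower().rstrip(".")
    for listed in IOC_DOMAINS:
        if host == listed or host.endswith("." + listed):
            return listed
    return None


def scan_line(line_no, line):
    """Return the de-duplicated list of indicator matches found in one log line."""
    hits, seen = [], set()

    def add(match):
        if match not in seen:
            seen.add(match)
            hits.append(match)

    for host in HOST_RE.findall(line):
        listed = domain_hits(host)
        if listed:
            add(Match(line_no, "domain", listed, host.lower()))
    for raw in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(raw)  # rejects octets > 255
        except ValueError:
            continue
        if ip in IOC_IPS:
            add(Match(line_no, "ip", str(ip), raw))
    for digest in MD5_RE.findall(line):
        if digest.lower() in IOC_MD5:
            add(Match(line_no, "md5", digest.lower(), digest))
    return hits


def scan_logs(lines):
    """Scan every line and return all matches in log order."""
    matches = []
    for line_no, line in enumerate(lines, 1):
        matches.extend(scan_line(line_no, line))
    return matches


if __name__ == "__main__":
    for m in scan_logs(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.ioc_type} indicator {m.indicator} (seen as {m.observed})")
```

Because the report warns that published indicators lose value as the actor changes infrastructure, a hit on a stale domain or address is a reason to look at the surrounding activity rather than a verdict on its own; the matcher above is a triage aid, and retiring or aging out indicators is the defender's own job.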
“It is our sincere hope, however, that this report can temporarily increase the costs of Unit 61398’s [also known as APT1] operations and impede their progress in a meaningful way,” Mandiant says.