China’s secret military cyber warfare unit is targeting critical U.S. infrastructure for potential disruption during a future conflict.
A forthcoming report by the congressional U.S.-China Economic and Security Review Commission reveals that Unit 61398, a People’s Liberation Army unit based near Shanghai, is preparing to target U.S. infrastructure.
A late draft of the forthcoming report, set for release Nov. 19, said that a threat researcher at the Japanese cyber security company Trend Micro set up a “honeypot” – a false online target that simulated an industrial control system for a U.S. water plant – in December 2012.
The report said that a forensic analysis of the cyber sting operation “attributed the intrusion to Unit 61398.”
“If true, this suggests Unit 61398 is collecting intelligence on critical infrastructure in addition to other targets,” the report said, calling the activities “consistent with PLA doctrine, which explains that one function of wartime computer network operations is to ‘disrupt and damage the networks of [an adversary’s] infrastructure facilities, such as power systems, telecommunications systems, and educational systems.’”
“Some PLA strategists also have suggested China should develop the capability to paralyze ports and airports by cyber or precision weapon attacks on critical infrastructure,” the report said.
A major section of the report is devoted to large-scale Chinese cyber espionage and cyber reconnaissance against the United States.
The Commission found that disclosures of Chinese government-origin cyber attacks have not led to diminished activity.
“The Chinese government is directing and executing a large-scale cyber espionage campaign against the United States, and to date has successfully targeted the networks of U.S. government and private organizations, including those of DoD, defense contractors, and private firms,” the report said.
“These activities are designed to achieve a number of broad economic and strategic objectives, such as gathering intelligence, providing Chinese firms with an advantage over its competitors worldwide, advancing long-term research and development objectives, and gaining information that could enable future military operations.”
Unit 61398 of the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s Third Department was first disclosed in February by the private security group Mandiant. Since 2006, the military unit has attacked and penetrated the networks of at least 141 organizations located in 15 countries and representing 20 major industries, from information technology to financial services.
After the disclosures, Unit 61398 took steps to make it more difficult to track its cyber strikes. The exposure also led to a temporary decrease in the unit’s attacks for a month.
The temporary reduction coincided with the U.S. government’s release of a list of Internet Protocol addresses used by the Chinese cyber spies.
Currently, cyber spying by Unit 61398 is “as active as it was before Mandiant’s report was released,” the report said.
The Commission is urging the U.S. government to impose tough punishment on China, something the Obama administration so far has refused to do.
“There is an urgent need for Washington to take action to prompt Beijing to change its approach to cyberspace and deter future Chinese cyber theft,” the report said.
Among the recommendations of the report are:
— Passing legislation that would allow U.S. companies to conduct retaliatory cyber attacks against China.
— Blocking imports of Chinese goods developed through cyber espionage.
— Increasing information sharing on cyber threats.
— Banning Chinese firms that use stolen U.S. data from accessing U.S. banks.
— Blocking travel to the United States by officials linked to cyber attacks.
— Using special computer code to identify data stolen from U.S. networks that can be used in prosecution or sanctions.
“If effective action to curb commercial espionage is not taken, this problem might worsen for U.S. companies,” the report said.
China’s failure to curb cyber intrusions against the United States, despite recent published disclosures, “suggests Beijing has decided to continue its cyber campaign against the United States,” the report said.
The report said cyber attacks and theft of data pose a “significant threat” to U.S. businesses. Cost estimates of the losses due to cyber spying range from $120 billion to $300 billion annually.
Data obtained by cyber attacks is also helping improve China’s insight into U.S. weapon systems and “enables China’s development of countermeasures.”
“In addition, the same access Chinese cyber actors use for espionage also could be used to prepare for offensive cyber operations,” the report said. “Chinese cyber actors could place latent capabilities in U.S. software code or hardware components that might be employed in a potential conflict between the United States and China.”
— Bill Gertz
November 9, 2013