THE HILL

Mandiant: Chinese hacker unit attempted to clean up online presence

By Jennifer Martinez - 03/19/13 06:33 PM ET

An elite unit of Chinese hackers that allegedly waged a massive cyber-espionage campaign against U.S. companies has attempted to clean up its online presence after being identified in a public report by the information security firm Mandiant.

Since the release of the report last month, top administration officials have called on China to take urgent steps to crack down on hacker attacks and curb the siphoning of intellectual property from American companies.

After outing the hacker unit in its report, Mandiant executives said Tuesday that the Chinese hackers have taken steps to clean up their tracks and have largely stopped their activity.

"We've seen them try to clean up some of their online presence," Richard Bejtlich, chief security officer of Mandiant, told the leaders of the Senate Armed Services Committee's subpanel on emerging threats and capabilities at an unclassified briefing on Tuesday. "Some of the public databases that we or other security researchers can use to identify them, they've changed some of those entries."

"We've seen them change some of their infrastructure so the computers they were using to hop from China to the West, some of that has been changed but we've been able to keep up with them," Bejtlich added.

Kevin Mandia, CEO of Mandiant, predicted that the Chinese hackers in the unit identified in the company's report, called APT1, will likely be redistributed to other hacker units associated with the military.

"I think this whole group just went bye-bye for now, the APT1," Mandia told reporters after the briefing. "They did a few things and then nothing. I think they showed up to work that day and went, 'Wow, New Year's is over.'"

"And then they started doing things and I think their efforts just deteriorated and waned," he added. "I don't think they're active right now."

Mandiant's report has been viewed as a catalyst in the U.S. response to hacker attacks stemming from China. Previously, administration officials had refrained from publicly confronting China about the attacks.

Tom Donilon, the president's national security adviser, urged China in a speech this month to "take serious steps to investigate and put a stop" to hacker attacks on American companies originating from within its borders.

"We need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace," Donilon said.

During the unclassified briefing, Bejtlich said the Chinese hackers are primarily after American intellectual property (IP) because they believe gaining access to the blueprints and business plans of American companies will bolster both their economy and national security.

"They think, this is the engine of growth. Here's how we're going to provide jobs for our people, create world-leading brands," he said. "It's probably the No. 2 priority for their country."

"Make no mistake, they are targeting our IP," Mandia said. "They are pilfering every PDF, Word document, PowerPoint ... related to the other projects that they're interested in."

Bejtlich said the security firm believes the Chinese hacker unit identified in its report is the People's Liberation Army Unit 61398. The firm also tracks other Chinese hacker units that Bejtlich noted are likely "government sanctioned" but may not officially be military units.

The APT1 hackers were able to break into American companies' computer networks and systems by targeting "human weakness," according to Mandia. They would send emails to a company's employees that appeared to come from someone the recipient knew, and the message would prompt those workers to click on a link or open a PDF file laced with malware. This gave the hackers access to the employee's computer.

The two Mandiant executives also warned that while large companies have the resources and bandwidth to thwart cyberattacks, small- and medium-sized businesses are particularly vulnerable because they don't have the capabilities to keep up with the evolving cyberthreat.

"No matter what we do, there's always going to be a gap in our security," Mandia said, adding that there's no "silver bullet" to fix the problem. "We have to come up with a process where we mine the security gap that's always going to exist."

This post was updated at 9:00 a.m. to correct that the Chinese hacker unit identified in Mandiant's report is believed to be a military unit.


Source:
http://thehill.com/blogs/hillicon-valley/technology/289127-mandiant-chinese-hacker-unit-attempted-to-clean-up-online-presence