
What we know about the Chinese army's alleged cyber spying unit

By Zoe Li, CNN
updated 5:11 AM EDT, Tue May 20, 2014
STORY HIGHLIGHTS
  • Shadowy PLA unit coded as 61398 could be responsible for cyber espionage
  • U.S.-based security firm Mandiant studied hacking activity originating from China over a six-year period
  • Mandiant says it has details on the what, where, who, and how of unit 61398
  • Chinese authorities deny any connection between the military and cyber espionage

(CNN) -- "UglyGorilla," "KandyGoo," and "WinXYHappy" are some of the aliases used by the Chinese accused on Monday of hacking U.S. companies.

The men behind these handles are officers of the People's Liberation Army (PLA) under a unit known simply by the code 61398.

Little is confirmed about the mysterious unit 61398, a section that the Chinese authorities have not officially acknowledged. The Chinese defense ministry said the country's military "has never supported any hacker activities."

But the U.S. indictment notice pinpoints a nondescript building on Datong Road in Shanghai's Pudong District as one of the locations for unit 61398's alleged cyber espionage activities.

The Shanghai building allegedly home to a part of the PLA's unit 61398.

When CNN tried to visit the building last year, our correspondents were chased away by security guards, as seen in the video above.

What is unit 61398 and what do they do? U.S.-based Internet security firm Mandiant released a 60-page report last year detailing allegations against the shadowy unit over a six-year period.

According to Mandiant's document and the U.S. indictment, here's what we know about the secret division.

Capable

Mandiant says unit 61398 is also known as the "comment crew," and has systematically stolen hundreds of terabytes of data from at least 141 organizations across 20 industries worldwide since as early as 2006.

Large

Mandiant estimates that more than 1,000 servers are being used by unit 61398.

The security firm believes the unit employs anywhere from hundreds to thousands of staff. A look at the physical size of the building in Shanghai -- 12 floors high, with more than 130,000 square feet of space -- suggests the unit could house around 2,000 people.

Focused

Mandiant observed 141 companies targeted by unit 61398, of which 115 were in the United States. These were blue-chip companies in important industries such as aerospace, satellite and telecommunications, and information technology -- strategic industries that were identified in China's five-year plan for 2011 to 2015.

"It's really a who's who of American companies," says Grady Summers, Mandiant's vice president.

Some of the alleged victims included in the latest indictment are U.S. Steel Corp., Westinghouse, Alcoa, Allegheny Technologies, the United Steel Workers Union and SolarWorld.

Well-supported

Unit 61398 was given a special fiber optic communication infrastructure by state-owned enterprise China Telecom in the name of national defense, Mandiant reported.

Tricky

The accused Chinese hackers reportedly use spear-phishing to hack into companies. The simple trick makes scam emails appear like they are from someone the receiver actually knows. For example, the emails would be personally addressed and signed by another employee in the same company.

Spear-phishers may scan social media to find out personal details about a victim to make the scam emails seem legitimate.

Tip of the iceberg

Unit 61398 is just one of more than 20 cyber attack groups with origins in China, says Mandiant.
