Security firm Mandiant three months ago put out a report detailing the activities of “Unit 61398,” a.k.a. “APT1,” which it alleges is a state-sponsored group of 1,000+ people based in Shanghai that successfully compromised 141 companies in 20 industries. In the wake of publication of that high-profile investigative document, cyber-activity decreased. But now, Mandiant said that Unit 61398 is back and using somewhat fresh tactics.
The New York Times reported that “the hackers now use the same malicious software they used to break into the same organizations in the past, only with minor modifications to the code.” Further, the group has begun a staged series of attacks on many of the same victims, but using new servers. That said, many of the tools they’re using are still very difficult to detect.
While no official statement has yet been issued about these latest reports, China has been denying any involvement in the attacks on an ongoing basis. Hong Lei of the Chinese Foreign Ministry said that “Hacking attacks are transnational and anonymous. Determining their origins are extremely difficult. We don't know how the evidence in this so-called report can be tenable,” adding that “arbitrary criticism based on rudimentary data is irresponsible, unprofessional and not helpful in resolving the issue.”
Mandiant is not releasing specific target names to the public, but told the Times that the group is back and operating at around 70% of its previous capacity.
The hackers are believed to have been highly successful, up until February, in stealing terabytes of intellectual property and government documents across a five-year period. “They have stolen product blueprints, manufacturing plans, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of Mandiant’s clients, predominantly in the United States,” the Times reported.
The most recent set of hacks began after Chinese officials told US Secretary of State John Kerry that they would be willing to begin discussions on cybersecurity with the US, reported the Voice of America.