Browse archive

Latest news

The security of WordPress plugins

How to detect hidden administrator apps on Android

Key obstacles to effective IT security strategies

CyanogenMod founder aims to thwart data-grabbing apps

Businesses not fully implementing infosec programs

Is accessing work apps on the move destructive?

Microsoft releases Enhanced Mitigation Experience Toolkit 4.0

New regulation for ENISA, the EU cybersecurity agency

F-Secure advances fight against exploits

Free anti-spam software for the Mac

Information security executives need to be strategic thinkers

U.S. tech companies sharing bug info with U.S. govt before releasing fixes

Account takeover attempts have nearly doubled

It takes 10 hours to identify a security breach

Guccifer hacks U.S. nuclear security agency chief

British GCHQ spied on G20 delegates to gain advantage in talks

Hacking charge stations for electric cars

More (circumstantial) findings reinforce Mandiant's APT1 claims

Posted on 28 February 2013.

The release of Mandiant's APT1 report has created quite a stir in security and international political circles.

The majority saw it as a confirmation of the long held belief that the Chinese government is sanctioning active espionage campaigns all over the world, while others pointed out its flaws.

In the meantime, certain curious individuals did some investigating on their own and discovered some more data that seems to reinforce Mandiant's findings.

According to the company's blog post, some Chinese-speaking netizens discovered that the phone number associated with the individual that goes by the handle of "DOTA" was listed as a contact phone in a rental advertisement four years ago. The advertisement was for a room in an apartment located 600 meters away from the building that functions as the headquarters building for China's People's Liberation Army Unit 61398, which Mandiant believes to be the APT1 group.

Another investigator that call himself Cyb3rsleuth, who has previously done some research on uncovering the identities of Chinese hackers, linked the "SuperHard" persona to the “Superhard_M” username, a Hotmail email address, a real-world address and a name of a man in whose online job profile writes that he is interested in network security and developing hacking tools.

Seven years ago this same man had set up a mailbox at the PLA Information Engineering University in Zhengzhou, Henan Province, and has authored two papers (associated with the PLAIEU) on hacking techniques.

Cyb3rsleuth has also discovered that a person with the username “uglygorilla” was, at on time, logged into the bulletin board system of the Shanghai Jiaotong University, and posted a question about Chinese cyber troops.

Admittedly, this last piece of evidence is tenuous, but Mandiant ends up with one that is actual proof that Unit 61398 sought to hire computer science graduate students in 2003: a recruitment notice on the Zhejiang University website.

"This corroborates our assertions concerning the kinds of personnel that Unit 61398 recruits," says Mandiant. "This also indicates Unit 61398 has been operating in Pudong since 2004, even though the current headquarters facility was not built and operational until years later."