For Chinese hackers, it's all in a workday
When experts note cyber thieves' rising savvy, they start with the work hours.
BEIJING - Beijing has hotly denied accusations of official involvement in massive cyberattacks against foreign targets, insinuating such activity is the work of rogues. But at least one element cited by Internet experts points to professional cyberspies: China's hackers take the weekend off.
Accusations of state-sanctioned hacking took center stage last month after a detailed report by Mandiant, a U.S.-based Internet security firm. It added to growing suspicions that the Chinese military was not only stealing national defense secrets and harassing dissidents but also pilfering information from foreign companies that could be worth millions or even billions of dollars.
Experts say Chinese hacking attacks are characterized not only by their brazenness but also by their persistence.
Martin Libicki, a specialist on cyber warfare at the Rand Corp., in Santa Monica, Calif., and other experts have long noted a Monday-to-Friday pattern in the intensity of attacks believed to come from Chinese sources, though there has been little evidence released publicly directly linking the Chinese military to the attacks.
'Comment Crew'
Mandiant went a step further in its report, saying that it had traced hacking activities against 141 foreign entities in the United States, Canada, Britain, and elsewhere to a group of operators known as the "Comment Crew" or "APT1," for "Advanced Persistent Threat 1," which it traced back to the People's Liberation Army Unit 61398. The unit has its headquarters in a nondescript 12-story building inside a military compound in a crowded suburb of China's financial hub of Shanghai.
Attackers stole information about pricing, contract negotiations, manufacturing, product testing, and corporate acquisitions, the company said.
Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually, they continued for a standard workday, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear.
China has consistently denied state-sponsored hacking, but experts say the office hours that the cyberspies keep point to a professional army rather than mere hobbyists or so-called hacktivists inspired by patriotic passions.
'Quite methodical'
Mandiant noticed that pattern while monitoring attacks on the New York Times last year blamed on another Chinese hacking group it labeled APT12. Hacker activity began about 8 a.m. Beijing time and usually lasted through a standard workday.
The Rand Corp.'s Libicki said that he was not aware of any comprehensive studies but that in such cases, most activity between malware embedded in a compromised system and the malware's controllers takes place during business hours in Beijing's time zone.
Richard Forno, director of the University of Maryland Baltimore County's graduate cybersecurity program, and David Clemente, a cybersecurity expert with the independent analysis center Chatham House in London, said that observation had been widely noted among cybersecurity specialists.
"It would reflect the idea that this is becoming a more routine activity," Clemente said, "and that they are quite methodical."
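The work-hour pattern the experts describe can be checked by a defender against their own logs. The script below is an added illustration, not code from Mandiant, Rand or any of the people quoted: it takes beacon timestamps recorded in UTC by a network sensor, shifts them into candidate operator time zones (fixed standard-time offsets, since the sample falls in February when neither New York nor London observes daylight saving), and reports what share of the activity lands in a weekday 8-to-18 window, plus the longest pause between check-ins. The beacon list and the candidate zones are constructed sample data, and the work-day bounds are an assumption chosen to match the "8 a.m. Beijing time" observation in the article.

```python
"""Temporal profiling of C2 check-ins as an attribution heuristic.

Added example. The timestamps below are constructed for illustration and
are not from any real incident; the candidate zones use fixed standard-time
offsets (an assumption that holds for a February sample).
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: outbound beacons to a suspected C2 host, UTC, ISO 8601.
# 2013-02-18 is a Monday. Comments give the Beijing (UTC+8) local time.
SAMPLE_BEACONS_UTC = [
    "2013-02-18T00:05:00Z",  # Mon 08:05
    "2013-02-18T03:30:00Z",  # Mon 11:30
    "2013-02-18T09:45:00Z",  # Mon 17:45
    "2013-02-18T22:30:00Z",  # Tue 06:30 (before the work day)
    "2013-02-19T01:00:00Z",  # Tue 09:00
    "2013-02-19T14:10:00Z",  # Tue 22:10 (late session)
    "2013-02-20T02:20:00Z",  # Wed 10:20
    "2013-02-21T06:00:00Z",  # Thu 14:00
    "2013-02-22T07:15:00Z",  # Fri 15:15
    "2013-02-23T02:00:00Z",  # Sat 10:00 (weekend)
]

# Candidate operator zones as UTC offsets in hours (standard time, assumed).
CANDIDATE_ZONES = {
    "Asia/Shanghai": 8,
    "Europe/London": 0,
    "America/New_York": -5,
}


def parse_utc(ts: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' string into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_offset(dt: datetime, offset_hours: int) -> datetime:
    """Shift an aware datetime into a fixed-offset zone."""
    return dt.astimezone(timezone(timedelta(hours=offset_hours)))


def activity_profile(beacons_utc, offset_hours=8, start_hour=8, end_hour=18):
    """Summarise when beacons occur in the candidate zone's local clock.

    work_hour_fraction is the share of beacons on Mon-Fri within
    [start_hour, end_hour); by_hour and by_weekday are raw histograms.
    """
    local = [to_offset(parse_utc(t), offset_hours) for t in beacons_utc]
    in_work = sum(
        1 for dt in local if dt.weekday() < 5 and start_hour <= dt.hour < end_hour
    )
    return {
        "total": len(local),
        "work_hour_fraction": in_work / len(local) if local else 0.0,
        "by_hour": dict(sorted(Counter(dt.hour for dt in local).items())),
        "by_weekday": dict(Counter(dt.strftime("%a") for dt in local)),
    }


def rank_zones(beacons_utc, zones=CANDIDATE_ZONES):
    """Order candidate zones by how well a 9-to-5 work week explains the data."""
    scored = [
        (name, activity_profile(beacons_utc, off)["work_hour_fraction"])
        for name, off in zones.items()
    ]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def longest_gap_hours(beacons_utc) -> float:
    """Largest silence between consecutive beacons, in hours.

    A multi-week value would match the two-week pauses the article mentions.
    """
    times = sorted(parse_utc(t) for t in beacons_utc)
    if len(times) < 2:
        return 0.0
    gaps = (b - a for a, b in zip(times, times[1:]))
    return max(gaps).total_seconds() / 3600.0


if __name__ == "__main__":
    for name, score in rank_zones(SAMPLE_BEACONS_UTC):
        print(f"{name:18s} work-hour fraction {score:.2f}")
    print("longest gap (h):", round(longest_gap_hours(SAMPLE_BEACONS_UTC), 2))
```

A high work-hour fraction in one zone is only a weak signal on its own: beacon timers, victim-side activity and deliberate scheduling all shape the clock. It is most useful alongside other evidence, and the histogram output is what an analyst would eyeball for the sharp 8 a.m. start and weekend drop-off described above.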
The PLA is believed to have made cyber warfare a key priority in its war-fighting capabilities more than a decade ago. One of the few public announcements of its development came at a May 25, 2011, news conference by Defense Ministry spokesman Geng Yansheng, in which he spoke of developing China's "online" army.
"Currently, China's network protection is comparatively weak," Geng told reporters, adding that enhancing information technology and "strengthening network-security protection are important components of military training for an army."
Unit 61398 is considered just one of many such units under the Third Department responsible for hacking, according to experts.
Greg Walton, a cybersecurity researcher who has tracked Chinese hacking campaigns, said he had observed the "Comment Crew" at work, but cited as equally active another Third Department unit operating out of the southwestern city of Chengdu. It is tasked with stealing secrets from Indian government security agencies and think tanks, together with the India-based Tibetan government in exile, Walton said.
China's government isn't alone in being accused of cyber espionage, but observers say it has outpaced its rivals in using military assets to steal commercial secrets.
"Stealing secrets is stealing secrets, regardless of the medium," Forno said. "The key difference is that you can't easily arrest such electronic thieves, since they're most likely not even in the country. Which differs from how the game was played during the Cold War."