The document summarizes key findings from the 2013 Mandiant APT1 report about a Chinese cyberespionage group known as Unit 61398. The summary covers the group's infrastructure in Shanghai, China, its estimated size of hundreds to thousands of personnel, its English-language requirement, and its extensive theft of intellectual property: terabytes of data stolen from over 100 organizations, simultaneously and over long periods. The attack process consists of initial reconnaissance, initial compromise, establishing a foothold, lateral movement within the network, completing the mission through data exfiltration, and evading detection. Stolen data included intellectual property, contracts, policy papers and internal documents. Exfiltrated data was compressed and collected, and was sometimes sent over Google Calendar or MSN channels.
7. Unit 61398 is partially situated on Datong Road
(大同路) in Gaoqiaozhen (高桥镇), which is
located in the Pudong New Area (浦东新区) of
Shanghai (上海). The central building in this
compound is a 130,663 square foot facility that
is 12 stories high and was built in early 2007.
* Mandiant APT1 report 2013
8. We estimate that Unit 61398 is staffed by
hundreds, and perhaps thousands of people
based on the size of Unit 61398’s physical
infrastructure.
9. “Unit 61398 requires its personnel to be
trained in computer security and computer
network operations and also requires its
personnel to be proficient in the English
language.”
* Mandiant APT1 report 2013
10. “They have systematically stolen hundreds of
terabytes of data from at least 141
organizations, and have demonstrated the
capability and intent to steal from dozens of
organizations simultaneously”*
* Mandiant APT1 report 2013
11. “Among other large-scale thefts of intellectual
property, we have observed them stealing 6.5
terabytes of compressed data from a single
organization over a ten-month time period.”
* Mandiant APT1 report 2013
12. Attack process
Initial recon → Initial compromise → Establish foothold → Escalate privileges → Internal recon → Lateral movement → Maintain presence → Complete mission
(The middle stages, from escalating privileges through maintaining presence, repeat as the attacker works through the network until the mission is complete.)