Beijing - A secret Chinese military unit in Shanghai has been tied to years of cyberattacks against US companies.

After analysing breaches that compromised more than 140 US companies, cybersecurity firm Mandiant has concluded that they can be linked to the People’s Liberation Army’s (PLA) Unit 61398.

The Chinese government has denied involvement in the cyberattacks tracked by Mandiant.

In its report, Mandiant said it traced the hacking back to a neighbourhood in the outskirts of Shanghai that includes a white 12-storey office building run by the PLA’s Unit 61398.

The unit “has systematically stolen hundreds of terabytes of data from at least 141 organisations”, Mandiant wrote. A terabyte is 1 000 gigabytes.

Mandrian says Unit 61398 has been recruiting computer experts for at least a decade.

Hackers with the Chinese unit have been active for years, using online handles such as “UglyGorilla”.

The Mandiant report depicts a specialised community of internet warriors working from the white building in Shanghai:


Unit 61398, alleged to be one of several hacking operations run by China’s military, recruits directly from universities. It favours high computer expertise and English language skills.

A notice dated 2003 on the Chinese internet said the unit was seeking Master’s degree students from Zhejiang University’s College of Computer Science and Technology. It offered a scholarship, conditional on the student reporting for work at Unit 61398 after graduation.


Mandiant says it traced scores of cyberattacks on US defence and infrastructure companies to a neighbourhood in Shanghai’s Pudong district that includes the 12-storey building where Unit 61398 is known to be housed.

The building has office space for up to 2 000 people. Mandiant estimates the number of personnel in the unit to be anywhere from hundreds to several thousand. The surrounding neighbourhood is filled with flats, tea houses, shops and karaoke bars.


While the building’s activities may be top secret, Unit 61398’s status in the community as a military division is not. It turns up in numerous Chinese internet references to community events, including a 2010 accord with the local government to set up a joint outreach centre on family planning. Other articles describe mass weddings for officers, badminton matches and even discussion of the merits of the “Unit 61398 Kindergarten”. Other support facilities include a clinic, car pool, and guesthouse – all standard for the military’s often self-contained communities across China.


The Mandiant report describes a special arrangement made with China Telecom for a fibre optic communication infrastructure in the Unit 61398 neighbourhood, pointing to its need for bandwidth and its elite status.

The contract between the two refers to Unit 61398 as belonging to the General Staff Department 3rd Department, 2nd Bureau, and says China Telecom agreed to the military’s suggested price due to “national defence construction” concerns.


The cyberspies typically enter targeted computer networks through “spearfishing” attacks, in which a company official receives a creatively disguised e-mail and is tricked into clicking on a link or attachment that then opens a secret door for the hackers, Mandiant says. The cyberspies would steal and retransmit data for an average of just under a year, but in some cases more than four years.

Information technology companies were their favourite targets, followed by aerospace firms, pointing to a key area of interest as China seeks to develop its own cutting-edge civilian and military aircraft.


Mandiant identifies three of the unit’s hackers by their screen names. It says one of them, “UglyGorilla”, was first detected in a 2004 online forum posing a question to a cybersecurity expert about whether China needed a dedicated force to square off against an online cohort being mustered by the US. The user of another screen name, “Dota”, appears to be a fan of Harry Potter; Mandiant said references to the book and movie character appear as answers to his computer security questions.

Unit 61398 hackers were sometimes identified as the “Comment Crew” by security companies because of their practice of inserting secret backdoors into systems by using code embedded in comments on websites.


And what helped Mandiant track down the source of hacking into more than 140 companies and organisations from the US and elsewhere? Facebook and Twitter.

China’s “Great Firewall” of internet filtering blocks those US-based social networks, but Unit 61398 operators got around that by accessing them directly from the unit’s system.

Mandiant was able to see that Facebook and Twitter accounts were being accessed from Internet Protocol addresses connected to the unit. It’s not clear whether those accounts aided in hacking or were for the hackers’ personal use.

“These actors have made poor operational security choices, facilitating our research and allowing us to track their activities,” the report says. – Sapa-AP