PLA Unit 61398
{{Short description|Chinese advanced persistent threat unit}}
{{Use dmy dates|date=November 2014}}
{{Infobox military unit
| unit_name = People's Liberation Army Unit 61398
| native_name = 61398部队
| image = China Emblem PLA.svg
| caption = Emblem of the People's Liberation Army
| dates = 2014–present
| country = {{Flag|China}}
| allegiance = {{CCP flag}}
| command_structure = {{Armed forces|China}}
| branch = People's Liberation Army Cyberspace Force
| type = Cyber force, Cyber-espionage Unit
| specialization = {{Bulleted list|Cyber warfare|Electronic warfare}}
| size =
| garrison = Tonggang Road, Pudong, Shanghai
| commander1_label =
| commander1 =
| commander2 =
| commander2_label =
| commander3_label =
| commander3 =
| nickname = {{Bulleted list|APT 1|Comment Crew|Comment Panda|GIF89a|Byzantine Candor|Group 3|Threat Group 8223}}
| motto =
| colors =
| march =
| mascot =
| equipment =
| equipment_label =
| battles = * Operation GhostNet
| notable_commanders =
| anniversaries =
| identification_symbol =
}}
PLA Unit 61398 (also known as APT1, Comment Crew, Comment Panda, GIF89a, or Byzantine Candor; {{zh|61398部队}}, Pinyin: 61398 bùduì) is the military unit cover designator (MUCD){{cite web|url=http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf|title=APT1: Exposing One of China's Cyber Espionage Units|publisher=Mandiant|access-date=19 February 2013|archive-url=https://web.archive.org/web/20130219155150/http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf|archive-date=19 February 2013|url-status=live}} of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks.{{Cite news |last1=Sanger |first1=David E. |last2=Barboza |first2=David |author-link2=David Barboza |last3=Perlroth |first3=Nicole |date=2013-02-19 |title=Chinese Army Unit Is Seen as Tied to Hacking Against U.S. |language=en-US |work=The New York Times |url=https://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html |access-date=2023-05-28 |issn=0362-4331 |archive-date=19 February 2013 |archive-url=https://web.archive.org/web/20130219163950/https://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html |url-status=live }}{{cite web |date=19 February 2013 |title=Chinese military unit behind 'prolific and sustained hacking' |url=https://www.theguardian.com/world/2013/feb/19/chinese-military-unit-prolific-hacking |url-status=live |archive-url=https://web.archive.org/web/20131220122401/http://www.theguardian.com/world/2013/feb/19/chinese-military-unit-prolific-hacking |archive-date=20 December 2013 |access-date=19 February 2013 |work=The Guardian}} The unit is stationed in Pudong, Shanghai,{{Cite web|url=http://www.cs.zju.edu.cn/chinese/redir.php?catalog_id=101913&object_id=106021|title=中国人民解放军61398部队招收定向研究生的通知|date=2004-05-13|website=Zhejiang University|trans-title=Notice of PLA Unit 61398 recruiting postgraduate students as PLA-funded scholarship students|access-date=2019-01-05|archive-url=https://web.archive.org/web/20161202172240/http://www.cs.zju.edu.cn/chinese/redir.php?catalog_id=101913&object_id=106021|archive-date=2 December 2016|url-status=dead}} and has been cited by US intelligence agencies since 2002.
History
{{See also|Chinese information operations and information warfare|Cyberwarfare and China}}
[[File:FBI20140519.jpg|thumb]]
A report by the computer security firm Mandiant stated that PLA Unit 61398 is believed to operate under the 2nd Bureau of the People's Liberation Army General Staff Department (GSD) Third Department (总参三部二局) and that there is evidence that it contains, or is itself, an entity Mandiant calls APT1, an advanced persistent threat group that has attacked a broad range of corporations and government entities around the world since at least 2006. APT1's infrastructure is described as comprising four large networks in Shanghai, two of which serve the Pudong New Area. It is one of more than 20 APT groups with origins in China.{{cite web|url=http://www.businessinsider.com/china-hacking-pla-unit-61398-2013-2|title=REPORT: An Overwhelming Number Of The Cyber-Attacks On America Are Coming From This Particular Army Building In China|publisher=Business Insider|date=18 February 2013|author=Joe Weisenthal and Geoffrey Ingersoll|access-date=19 February 2013|archive-url=https://web.archive.org/web/20130220095914/http://www.businessinsider.com/china-hacking-pla-unit-61398-2013-2|archive-date=20 February 2013|url-status=live}} The Third and Fourth Departments, responsible for electronic warfare, are believed to be the PLA units mainly responsible for infiltrating and manipulating computer networks.{{cite web|last=Bodeen|first=Christopher|title=Sign That Chinese Hackers Have Become Professional: They Take Weekends Off|url=http://www.huffingtonpost.com/2013/02/25/chinese-hackers_n_2756914.html|work=The Huffington Post|date=25 February 2013|access-date=27 February 2013|archive-url=https://web.archive.org/web/20130226184036/http://www.huffingtonpost.com/2013/02/25/chinese-hackers_n_2756914.html|archive-date=26 February 2013|url-status=live}}
=2014 indictment=
On 19 May 2014, the US Department of Justice announced that a federal grand jury had returned an indictment of five 61398 officers on charges of theft of confidential business information and intellectual property from U.S. commercial firms and of planting malware on their computers.Finkle, J., Menn, J., Viswanatha, J. [https://www.reuters.com/article/us-cybercrime-usa-china-idUSKCN0J42M520141120 U.S. accuses China of cyber spying on American companies.] {{Webarchive|url=https://web.archive.org/web/20170412015738/http://www.reuters.com/article/us-cybercrime-usa-china-idUSKCN0J42M520141120 |date=12 April 2017 }} Reuters, 20 Nov 2014.Clayton, M. [http://www.csmonitor.com/World/Security-Watch/Cyber-Conflict-Monitor/2014/0519/US-indicts-five-in-China-s-secret-Unit-61398-for-cyber-spying-on-US-firms US indicts five in China's secret 'Unit 61398' for cyber-spying.] {{Webarchive|url=https://web.archive.org/web/20140520075207/http://www.csmonitor.com/World/Security-Watch/Cyber-Conflict-Monitor/2014/0519/US-indicts-five-in-China-s-secret-Unit-61398-for-cyber-spying-on-US-firms |date=20 May 2014 }} Christian Science Monitor, 19 May 2014 The five are Huang Zhenyu (黄振宇), Wen Xinyu (文新宇), Sun Kailiang (孙凯亮), Gu Chunhui (顾春晖), and Wang Dong (王东). Forensic evidence traces the base of operations to a 12-story building off Datong Road in a public, mixed-use area of Pudong in Shanghai. 
The group is also known by various other names including "Advanced Persistent Threat 1" ("APT1"), "the Comment group" and "Byzantine Candor", a codename given by US intelligence agencies since 2002.{{cite web |url=http://www.fiercegovernmentit.com/story/chinese-attacks-byzantine-candor-penetrated-federal-agencies-says-leaked-ca/2010-12-06 |title=Chinese attacks 'Byzantine Candor' penetrated federal agencies, says leaked cable |author=David Perera |date=6 December 2010 |website=fiercegovernmentit.com |publisher=Fierce Government IT |archive-url=https://web.archive.org/web/20160419054340/http://www.fiercegovernmentit.com/story/chinese-attacks-byzantine-candor-penetrated-federal-agencies-says-leaked-ca/2010-12-06 |archive-date=19 April 2016 |url-status=live }}{{cite web|last=Clayton|first=Mark|title=Stealing US business secrets: Experts ID two huge cyber 'gangs' in China|url=http://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China|publisher=CSMonitor|access-date=24 February 2013|date=14 September 2012|archive-url=https://web.archive.org/web/20191115165311/https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China|archive-date=15 November 2019|url-status=live}}{{cite news|title=China's Comment Group Hacks Europe—and the World|url=http://www.businessweek.com/articles/2012-08-02/chinas-comment-group-hacks-europe-and-the-world|access-date=12 February 2013|newspaper=Bloomberg Businessweek|date=2 August 2012|author=Michael Riley|author2=Dune Lawrence|archive-url=https://web.archive.org/web/20130219064600/http://www.businessweek.com/articles/2012-08-02/chinas-comment-group-hacks-europe-and-the-world|archive-date=19 February 2013|url-status=dead}}
The group's malware frequently retrieves its command-and-control instructions from HTML comments embedded in otherwise legitimate-looking web pages (the WEBC2 backdoor family described in the Mandiant report), which is why the group came to be known as "the Comment Crew" or "Comment Group".{{cite web|last=Martin|first=Adam|title=Meet 'Comment Crew,' China's Military-Linked Hackers|url=http://nymag.com/daily/intelligencer/2013/02/meet-comment-crew-chinas-military-hackers.html|work=NYMag.com|publisher=New York Media|access-date=24 February 2013|date=19 February 2013|archive-url=https://web.archive.org/web/20130222070617/http://nymag.com/daily/intelligencer/2013/02/meet-comment-crew-chinas-military-hackers.html|archive-date=22 February 2013|url-status=live}}{{cite web|title=The Comment Group: The hackers hunting for clues about you|url=https://www.bbc.co.uk/news/business-21371608|publisher=BBC News|access-date=12 February 2013|author=Dave Lee|date=12 February 2013|archive-url=https://web.archive.org/web/20130212155404/http://www.bbc.co.uk/news/business-21371608|archive-date=12 February 2013|url-status=live}} Over the course of seven years the collective has stolen trade secrets and other confidential information from numerous foreign businesses and organizations, including Lockheed Martin, Telvent, and other companies in the shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors.
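The following is an added detection example, not code from the page, from Mandiant, or from any APT1 tooling. It illustrates the general idea behind the "comment" technique: because a WEBC2-style implant reads its tasking out of an HTML comment, a defender can scan fetched page bodies for comments that look like encoded payloads rather than developer notes. The sample pages are constructed, and the base64-shape check, the 16-character minimum and the 4.6-bit entropy threshold are assumed heuristics, not values from the report.

```python
"""Heuristic scan for command-and-control data hidden in HTML comments.

Added example (not from the page or from Mandiant). Constructed sample pages;
the length, base64-shape and entropy thresholds are assumptions.
"""
import base64
import binascii
import math
import re
from collections import Counter

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; developer prose sits well below random base64."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def extract_comments(html: str) -> list:
    """Return the bodies of all HTML comments, outer whitespace stripped."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def try_decode_base64(compact: str):
    """Decode a whitespace-free candidate; return printable text or None."""
    if not B64_RE.match(compact) or len(compact) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def suspicious_comments(html: str, min_len: int = 16, min_entropy: float = 4.6) -> list:
    """Flag comments that are base64-shaped or long, space-free and high-entropy.

    Returns one dict per hit with the comment preview, its entropy and, where
    the comment decodes as base64 to printable ASCII, the decoded text.
    """
    findings = []
    for body in extract_comments(html):
        compact = "".join(body.split())  # encoded payloads carry no real words
        if len(compact) < min_len:
            continue
        ent = shannon_entropy(compact)
        decoded = try_decode_base64(compact)
        if decoded is not None or ent >= min_entropy:
            findings.append({
                "comment": body[:60],
                "entropy": round(ent, 2),
                "decoded": decoded,
            })
    return findings


# Constructed sample pages (assumptions, not real captured traffic).
BENIGN_PAGE = """<html><body>
<!-- main navigation -->
<ul><li>Home</li></ul>
<!-- Copyright 2013 Example Corp. All rights reserved. -->
</body></html>"""

TASKED_PAGE = """<html><body>
<p>Welcome to our site.</p>
<!-- Y21kOndob2FtaQ== -->
</body></html>"""


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("tasked", TASKED_PAGE)):
        print(name, suspicious_comments(page))
```

The decode step is what turns a flag into something an analyst can act on: a comment that base64-decodes to readable text on a page that has no business carrying one is a strong signal, whereas the entropy check alone will occasionally trip on minified script fragments and should be tuned against the site population being monitored.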
Dell SecureWorks has said it believes the group includes the same attackers behind Operation Shady RAT, an extensive computer espionage campaign uncovered in 2011 in which more than 70 organizations were targeted over a five-year period, including the United Nations and government agencies in the United States, Canada, South Korea, Taiwan and Vietnam.
The attacks documented in the summer of 2011 represent only a fragment of the Comment group's activity, which goes back at least to 2002, according to incident reports and investigators. In 2012, FireEye, Inc. stated that it had tracked hundreds of targets over the preceding three years and estimated that the group had attacked more than 1,000 organizations.{{cite news|last1=Riley|first1=Michael|title=Hackers Linked to China's Army Seen From EU to D.C.|url=https://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html|publisher=Bloomberg|access-date=24 February 2013|author2=Dune Lawrence|newspaper=Bloomberg.com|date=26 July 2012|archive-url=https://web.archive.org/web/20150111064254/http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html|archive-date=11 January 2015|url-status=live}}
Most communication between malware embedded in compromised systems and its controllers takes place during business hours in Beijing's time zone, suggesting that the operators are salaried professionals working a regular schedule rather than private hackers motivated by patriotic sentiment.
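The working-hours pattern above is an attribution signal an incident responder can compute from beacon timestamps. The following is an added example, not code from the page or from Mandiant's report: given beacon times in UTC, it buckets them by local hour under a candidate operator time zone, measures what fraction fall inside a business-hours window, and picks the UTC offset that best explains the data. The beacon timestamps are constructed, and the 09:00 to 18:00 Monday to Friday window is an assumed definition of business hours.

```python
"""Business-hours analysis of beacon timestamps against candidate time zones.

Added example (not from the page or from Mandiant). The beacon times are
constructed, and the 09:00-18:00 Mon-Fri window is an assumed definition.
"""
from datetime import datetime, timedelta, timezone


def business_hours_fraction(timestamps_utc, utc_offset_hours, start_hour=9, end_hour=18):
    """Fraction of beacons landing Mon-Fri within [start_hour, end_hour) local time."""
    if not timestamps_utc:
        return 0.0
    tz = timezone(timedelta(hours=utc_offset_hours))
    in_window = 0
    for ts in timestamps_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            in_window += 1
    return in_window / len(timestamps_utc)


def hourly_histogram(timestamps_utc, utc_offset_hours):
    """24-bucket count of beacons by local hour under the given offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hist = [0] * 24
    for ts in timestamps_utc:
        hist[ts.astimezone(tz).hour] += 1
    return hist


def best_fit_offset(timestamps_utc, candidates=range(-12, 15)):
    """UTC offset whose business-hours window covers the most beacons.

    Ties resolve to the first candidate; a flat histogram (automated beacons
    on a timer) gives no useful answer, so check hourly_histogram first.
    """
    return max(candidates, key=lambda off: business_hours_fraction(timestamps_utc, off))


def sample_beacons():
    """Constructed beacon log: Mon-Fri 18-22 Feb 2013 at 01,03,05,07,09 UTC
    (09:00-17:00 in UTC+8), plus two Saturday beacons at 02:00 UTC."""
    beacons = []
    for day in range(18, 23):  # 18 Feb 2013 was a Monday
        for hour in (1, 3, 5, 7, 9):
            beacons.append(datetime(2013, 2, day, hour, 0, tzinfo=timezone.utc))
    beacons.append(datetime(2013, 2, 23, 2, 0, tzinfo=timezone.utc))
    beacons.append(datetime(2013, 2, 23, 2, 30, tzinfo=timezone.utc))
    return beacons


if __name__ == "__main__":
    beacons = sample_beacons()
    print("best-fit offset:", best_fit_offset(beacons))
    print("fraction in UTC+8 business hours:", round(business_hours_fraction(beacons, 8), 3))
    print("UTC+8 hourly histogram:", hourly_histogram(beacons, 8))
```

Two caveats belong with any real use of this: implants that beacon on a fixed timer produce a flat histogram regardless of who is operating them, so only interactive sessions (commands issued, files staged) carry the signal, and timestamps must be normalised to UTC at collection time, since a sensor logging in local time silently shifts every bucket.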
A 2020 report in Daily News and Analysis stated that the unit was targeting information related to defence and research in India.{{cite web |last=Shukla |first=Manish |date=3 August 2020 |title=Chinese Army's secret '61398' unit spying on India's defense and research, warns intelligence |url=https://www.dnaindia.com/india/report-chinese-army-s-secret-61398-unit-spying-on-india-s-defense-and-research-warns-intelligence-2835741 |access-date=6 January 2024 |website=DNA India |language=en |archive-date=20 November 2022 |archive-url=https://web.archive.org/web/20221120090635/https://www.dnaindia.com/india/report-chinese-army-s-secret-61398-unit-spying-on-india-s-defense-and-research-warns-intelligence-2835741 |url-status=live }}
Public position of the Chinese government
As of 2013, the government of China had consistently denied any involvement in hacking.{{cite web|last=Xu|first=Weiwei|title=China denies hacking claims|url=http://www.morningwhistle.com/html/2013/PoliticsSociety_0220/217214.html|publisher=Morning Whistle|access-date=8 April 2013|date=20 February 2013|archive-url=https://archive.today/20130629220425/http://www.morningwhistle.com/html/2013/PoliticsSociety_0220/217214.html|archive-date=29 June 2013|url-status=live}} In response to the Mandiant report on Unit 61398, Hong Lei, a spokesperson for the Chinese foreign ministry, called the allegations "unprofessional".{{Cite news |date=February 19, 2013 |title=Hello, Unit 61398 |newspaper=The Economist |url=https://www.economist.com/analects/2013/02/19/hello-unit-61398 |access-date=2023-05-28 |issn=0013-0613 |archive-date=28 May 2023 |archive-url=https://web.archive.org/web/20230528231305/https://www.economist.com/analects/2013/02/19/hello-unit-61398 |url-status=live }}
See also
- Titan Rain
- Chinese espionage in the United States
- National Security Agency of the United States
- PLA Unit 61486
- Signals intelligence
- Tailored Access Operations of the United States
- Mandiant
- FireEye
References
{{Reflist}}
{{-}}
{{Hacking in the 2000s}}
{{Hacking in the 2010s}}
{{China national security}}
{{People's Liberation Army}}
{{Coord|31|20|57.43|N|121|34|24.74|E|region:CN_type:landmark_source:MandiantReportPage12|display=title}}
Category:Military units and formations of the People's Republic of China
Category:Cyberwarfare by China
Category:Chinese advanced persistent threat groups
Category:Information operations units and formations
Category:Hacking (computer security)
Category:2002 establishments in Shanghai