Skip to main content
Part of complete coverage on

What we know about the Chinese army's alleged cyber spying unit

By Zoe Li, CNN
May 20, 2014 -- Updated 0911 GMT (1711 HKT)
STORY HIGHLIGHTS
  • Shadowy PLA unit coded as 61398 could be responsible for cyber espionage
  • U.S.-based security firm Mandiant studied hacking activity originating from China over a six-year period
  • Mandiant says it has details on the what, where, who, and how of unit 61398
  • Chinese authorities deny any connection between the military and cyber espionage

(CNN) -- "UglyGorilla," "KandyGoo," and "WinXYHappy" are some of the aliases used by the Chinese accused of hacking U.S. companies on Monday.

The men behind these handles are officers of the People's Liberation Army (PLA) under a unit known simply by the code 61398.

Little is confirmed about the mysterious unit 61398, a section that the Chinese authorities have not officially acknowledged. The Chinese defense ministry said the country's military "has never supported any hacker activities."

But the U.S. indictment notice pinpoints a non-descript building on Datong Road in Shanghai's Pudong District as one of the locations for unit 61398's alleged cyber espionage activities.

The Shanghai building allegedly home to a part of the PLA's unit 61398.  The Shanghai building allegedly home to a part of the PLA's unit 61398.
The Shanghai building allegedly home to a part of the PLA's unit 61398.The Shanghai building allegedly home to a part of the PLA's unit 61398.

When CNN tried to visit the building last year, our correspondents were chased away by security guards, as seen in the video above.

What is unit 61398 and what do they do? U.S.-based Internet security firm Mandiant released a 60-page report last year detailing allegations against the shadowy unit over a six-year period.

U.S. vulnerable to Chinese cyberspies?
Chinese accused of hacking US secrets
Snowden: U.S. hacked targets in China

According to Mandiant's document and the U.S. indictment, here's what we know about the secret division.

Capable

Mandiant says unit 61398 is also known as the "comment crew," and has systematically stolen hundreds of terabytes of data from at least 141 organizations across 20 industries worldwide since as early as 2006.

Large

Mandiant estimates that more than 1,000 servers are being used by unit 61398.

The security firm believes the unit employs anywhere from hundreds to thousands of staff. A look at the physical size of the building in Shanghai -- 12 floors high, with more than 130,000 square feet of space -- suggests the unit could house around 2,000 people.

Focused

Mandiant observed 141 companies targeted by unit 61398, out of which 115 were in the United States. These were blue-chip companies in important industries such as aerospace, satellite and telecommunications, and information technology -- strategic industries that were identified in China's five year plan for 2011 to 2015.

"It's really a who's who of American companies," says Grady Summers, Mandiant's vice president.

Some of the alleged victims included in the latest indictment are U.S. Steel Corp., Westinghouse, Alcoa, Allegheny Technologies, the United Steel Workers Union and SolarWorld.

Well-supported

Unit 61398 was given a special fiber optic communication infrastructure by state-owned enterprise China Telecom in the name of national defense, Mandiant reported.

Tricky

The accused Chinese hackers reportedly use spear-phishing to hack into companies. The simple trick makes scam emails appear like they are from someone the receiver actually knows. For example, the emails would be personally addressed and signed by another employee in the same company.

Spear-phishers may scan social media to find out personal details about a victim to make the scam emails seem legitimate.

Tip of the iceberg

Unit 61398 is just one of more than 20 cyber attack groups with origins in China, says Mandiant.

ADVERTISEMENT
Part of complete coverage on
September 22, 2014 -- Updated 0916 GMT (1716 HKT)
He's one of the fieriest political activists in Hong Kong — he's been called an "extremist" by China's state-run media — and he's not old enough to drive.
September 16, 2014 -- Updated 0929 GMT (1729 HKT)
Christians in eastern China keep watch in Wenzhou, where authorities have demolished churches and removed crosses.
September 10, 2014 -- Updated 0538 GMT (1338 HKT)
Home-grown hip-hop appeals to a younger generation but its popularity has not translated into record deals and profits for budding rap artists.
September 9, 2014 -- Updated 0545 GMT (1345 HKT)
Reforms to the grueling gaokao - the competitive college entrance examination - don't make the grade, says educator Jiang Xueqin.
September 5, 2014 -- Updated 1218 GMT (2018 HKT)
Beijing grapples with reports from Iraq that a Chinese national fighting for ISIS has been captured.
September 1, 2014 -- Updated 0200 GMT (1000 HKT)
CNN's David McKenzie has tasted everything from worms to grasshoppers while on the road; China's cockroaches are his latest culinary adventure.
September 5, 2014 -- Updated 0057 GMT (0857 HKT)
Beijing rules only candidates approved by a nominating committee can run for Hong Kong's chief executive.
August 29, 2014 -- Updated 1914 GMT (0314 HKT)
China warns the United States to end its military surveillance flights near Chinese territory.
August 29, 2014 -- Updated 0312 GMT (1112 HKT)
China has produced elite national athletes but some argue the emphasis on winning discourages children. CNN's Kristie Lu Stout reports
August 19, 2014 -- Updated 0513 GMT (1313 HKT)
Chinese are turning to overseas personal shoppers to get their hands on luxury goods at lower prices.
August 15, 2014 -- Updated 0908 GMT (1708 HKT)
Experts say rapidly rising numbers of Christians are making it harder for authorities to control the religion's spread.
August 11, 2014 -- Updated 0452 GMT (1252 HKT)
"I'm proud of their moral standing," says Harvey Humphrey. His parents are accused of corporate crimes in China.
August 6, 2014 -- Updated 1942 GMT (0342 HKT)
A TV confession detailing a life of illegal gambling and paid-for sex has capped the dramatic fall of one of China's most high-profile social media celebrities.
July 31, 2014 -- Updated 0410 GMT (1210 HKT)
President Xi Jinping's campaign to punish corrupt Chinese officials has snared its biggest target -- where can the campaign go from here?
July 30, 2014 -- Updated 0712 GMT (1512 HKT)
All you need to know about the tainted meat produce that affects fast food restaurants across China, Hong Kong, and Japan.
July 18, 2014 -- Updated 0230 GMT (1030 HKT)
Some savvy individuals in China are claiming naming rights to valuable foreign brands. Here's how companies can combat them.
July 16, 2014 -- Updated 0911 GMT (1711 HKT)
Is the Chinese president a true reformist or merely a "dictator" in disguise? CNN's Beijing bureau chief Jaime FlorCruz dissects the leader's policies
July 8, 2014 -- Updated 0344 GMT (1144 HKT)
With a population of 1.3 billion, you'd think that there would be 11 people in China who are good enough to put up a fight on the football pitch.
ADVERTISEMENT