
What we know about the Chinese army's alleged cyber spying unit

By Zoe Li, CNN
May 20, 2014 -- Updated 0911 GMT (1711 HKT)
STORY HIGHLIGHTS
  • Shadowy PLA unit coded as 61398 could be responsible for cyber espionage
  • U.S.-based security firm Mandiant studied hacking activity originating from China over a six-year period
  • Mandiant says it has details on the what, where, who, and how of unit 61398
  • Chinese authorities deny any connection between the military and cyber espionage

(CNN) -- "UglyGorilla," "KandyGoo," and "WinXYHappy" are some of the aliases used by the Chinese men who were accused on Monday of hacking U.S. companies.

The men behind these handles are officers of the People's Liberation Army (PLA) under a unit known simply by the code 61398.

Little is confirmed about the mysterious unit 61398, a section that the Chinese authorities have not officially acknowledged. The Chinese defense ministry said the country's military "has never supported any hacker activities."

But the U.S. indictment notice pinpoints a nondescript building on Datong Road in Shanghai's Pudong District as one of the locations for unit 61398's alleged cyber espionage activities.

The Shanghai building allegedly home to a part of the PLA's unit 61398.

When CNN tried to visit the building last year, our correspondents were chased away by security guards, as seen in the video above.

What is unit 61398 and what do they do? U.S.-based Internet security firm Mandiant released a 60-page report last year detailing allegations against the shadowy unit over a six-year period.

According to Mandiant's document and the U.S. indictment, here's what we know about the secret division.

Capable

Mandiant says unit 61398 is also known as the "comment crew," and has systematically stolen hundreds of terabytes of data from at least 141 organizations across 20 industries worldwide since as early as 2006.

Large

Mandiant estimates that more than 1,000 servers are being used by unit 61398.

The security firm believes the unit employs anywhere from hundreds to thousands of staff. A look at the physical size of the building in Shanghai -- 12 floors high, with more than 130,000 square feet of space -- suggests the unit could house around 2,000 people.

Focused

Mandiant observed 141 companies targeted by unit 61398, of which 115 were in the United States. These were blue-chip companies in important industries such as aerospace, satellite and telecommunications, and information technology -- strategic industries that were identified in China's five-year plan for 2011 to 2015.

"It's really a who's who of American companies," says Grady Summers, Mandiant's vice president.

Some of the alleged victims included in the latest indictment are U.S. Steel Corp., Westinghouse, Alcoa, Allegheny Technologies, the United Steel Workers Union and SolarWorld.

Well-supported

Unit 61398 was given a special fiber optic communication infrastructure by state-owned enterprise China Telecom in the name of national defense, Mandiant reported.

Tricky

The accused Chinese hackers reportedly use spear-phishing to hack into companies. The simple trick makes scam emails appear like they are from someone the receiver actually knows. For example, the emails would be personally addressed and signed by another employee in the same company.

Spear-phishers may scan social media to find out personal details about a victim to make the scam emails seem legitimate.

Tip of the iceberg

Unit 61398 is just one of more than 20 cyber attack groups with origins in China, says Mandiant.
