But the answer does appear to be that yes, APT1 is a government organization, as Mandiant's only alternative scenario reads rather tongue-in-cheek: "A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise-scale computer espionage campaign right outside of Unit 61398's gates, performing tasks similar to Unit 61398's known mission."
At the very least, the Chinese government is an accomplice to APT1's activities in that it has turned a blind eye to them. The Chinese government is notorious for scrutinizing every bit of data that flows in and out of the nation's "great firewall." It's tough to imagine Chinese officials simply haven't noticed incident after incident of successful cyber breaches targeting organizations worldwide.
What connections has Mandiant identified between the Chinese government and APT1?
Mandiant proposes that APT1 is, in fact, a branch of the Chinese military: People's Liberation Army (PLA) Unit 61398. APT1 and Unit 61398 are similar in their mission, capabilities, and resources, according to Mandiant. What's more, Unit 61398 "is also located in precisely the same area from which APT1 activity appears to originate." Specifically, Mandiant said it has traced APT1's activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based.
Additionally, Mandiant found that China Telecom provides special fiber optic communications infrastructure for Unit 61398.
Finally, Mandiant points out that "in a State that rigorously monitors Internet use, it is highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai. The detection and awareness of APT1 is made even more probable by the sheer scale and sustainment of attacks that we have observed. Therefore the most probable conclusion is that APT1 is able to wage such a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government."
Who has APT1 targeted?
The group targets organizations in predominantly English-speaking countries: Of the 141 APT1 victims Mandiant has identified, 87 percent are headquartered in countries where English is the native language. This includes 115 victims in the United States and seven in Canada and the United Kingdom.
In terms of industries, Mandiant reports that the highest percentage of attacks targeted IT companies, followed by aerospace companies. However, the total list contains 20 industries, ranging from energy and transportation to chemicals and financial services.