Regular users of the Internet have been busy in the week since The New York Times reported that Mandiant, a computer security firm, had tied a prolific Chinese hacking group to a specific People’s Liberation Army unit in Shanghai.
Chinese-speaking users and amateur hackers have scoured the Internet for traces of the online personas of those who Mandiant claims work on behalf of China’s P.L.A. Unit 61398. The new evidence, while circumstantial, adds to the signs suggesting Chinese military efforts to hack into American corporate computer systems. Mandiant said that in one case, people were able to trace one of the P.L.A.’s hackers to an apartment building located 600 meters from the military unit’s headquarters. In another, they were able to trace one hacker back to the P.L.A.’s Information Engineering University, described by American computer security researchers as one of the Chinese military’s top training schools for computer hacking. They also found recruitment notices for Unit 61398, suggesting the group has been active since at least 2004, despite the fact that the unit’s headquarters were not built until later.
In its report, Mandiant singled out a hacker named “DOTA,” possibly shorthand for the video game “Defense of the Ancients,” which is often abbreviated to DotA. That hacker created e-mail accounts that were used to begin several cyberattacks. The passwords for several of those accounts were a play on the Chinese military unit’s designation. To register the accounts, DOTA used a Shanghai phone number.
This past week, Chinese-speaking Internet users disclosed on Twitter that DOTA’s telephone number was listed in a 2009 ad for a Shanghai apartment rental. The apartment is 600 meters from Unit 61398’s headquarters.
Another online persona that Mandiant singled out was of a military hacker named “Superhard.” The author of a cybercrime blog, Cyb3rsleuth, connected the user name “Superhard_M” to the e-mail address mei_qiang_82@hotmail.com. That e-mail address was also used in a job posting, in which the person lists his skills and interests as “network security and developing hacking tools.” The address listed in the post matched the address for the Information Engineering University. In a Northrop Grumman report for the U.S.-China Economy and Security Review Commission last year, defense analysts said the school, in Zhengzhou, Henan Province, “is perhaps the military university with the most comprehensive involvement in information warfare and computer network operations training, planning and possibly also execution.”
Cyb3rsleuth found that a P.L.A. university student named Mei Qiang was co-author of two papers about hacking in 2007 and 2008, one titled “HTTP Session Hijacking on Switch LAN and Its Countermeasures” and the other “Stack Protection Mechanisms in Windows Vista.”
Mandiant’s report found that Unit 61398’s headquarters in the Pudong new area of Shanghai was not built until early 2007. But China Digital Times found a 2004 military recruitment notice on a Zhejiang University Web site: “Unit 61398 of China’s People’s Liberation Army (located in Pudong District, Shanghai) seeks to recruit 2003-class computer science graduate students.”
“This corroborates our assertions concerning the kinds of personnel that Unit 61398 recruits,” Mandiant said in a blog post online. “This also indicates Unit 61398 has been operating in Pudong since 2004, even though the current headquarters facility was not built and operational until years later.”