BEIJING - Beijing hotly denies accusations of official involvement in massive cyberattacks against foreign targets, insinuating such activity is the work of rogues. But at least one element cited by Internet experts points to professional cyberspies: China's hackers take the weekend off.
Accusations of state-sanctioned hacking took center stage this past week following a detailed report by U.S.-based Internet security firm Mandiant. It added to growing suspicions that the Chinese military is not only stealing national defense secrets and harassing dissidents but also pilfering information from foreign companies that could be worth millions or even billions of dollars.
Experts say Chinese hacking attacks are characterized not only by their brazenness, but by their persistence.
"China conducts at least an order of magnitude more than the next country," said Martin Libicki, a specialist on cyber warfare at the Rand Corporation, based in Santa Monica, Calif. The fact that hackers take weekends off suggests they are paid, and that would belie "the notion that the hackers are private," he said.
Libicki and other cyber warfare experts have long noted a Monday-through-Friday pattern in the intensity of attacks believed to come from Chinese sources, though little evidence directly linking the Chinese military to the attacks has been released publicly.
Mandiant went a step further in its report Tuesday, saying that it had traced hacking activities against 141 foreign entities in the U.S., Canada, Britain and elsewhere to a group of operators known as the "Comment Crew" or "APT1," for "Advanced Persistent Threat 1," which it traced back to the People's Liberation Army Unit 61398. The unit is headquartered in a nondescript 12-story building inside a military compound in a crowded suburb of China's financial hub of Shanghai.
Attackers stole information about pricing, contract negotiations, manufacturing, product testing and corporate acquisitions, the company said.
Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear.
China denies any official involvement, calling such accusations "groundless" and insisting that Beijing is itself a major victim of hacking attacks, the largest number of which originate in the U.S. While not denying hacking attacks originated in China, Foreign Ministry spokesman Hong Lei said Thursday that it was flat-out wrong to accuse the Chinese government or military of being behind them.
Mandiant and other experts believe Unit 61398 to be a branch of the PLA General Staff's Third Department responsible for collection and analysis of electronic signals such as e-mails and phone calls. It and the Fourth Department, responsible for electronic warfare, are believed to be the PLA units mainly responsible for infiltrating and manipulating computer networks.