The cybersecurity firm whose blockbuster reports claimed that the Chinese army was barraging the U.S. with online attacks says that unit "took a vacation"—but now it's back.
The mysterious Unit 61398, located outside Shanghai, “went quiet for a while," Richard Bejtlich, Chief Security Officer at cybersecurity firm Mandiant, said at a Center for National Policy talk Wednesday. "But over the course of the last several weeks," he said, "they seem to be trying to get back into some of their old targets.”
Government officials and security firms have claimed for years that the majority of cyber attacks on U.S. companies come from China. (The Chinese government, for its part, both denies any official involvement and says it's the U.S. that attacks them.) But in February, Mandiant, a major firm with significant government consulting ties, made a bold, blockbuster claim: that Unit 61398, where an overwhelming number of attacks on the U.S. originate, was almost certainly a single building on a People's Liberation Army campus.
Lawmakers have long cited Mandiant's findings to call for increased cybersecurity laws. In particular, Mike Rogers (R-Mich.), sponsor of the controversial Cyber Intelligence Sharing and Protection Act (CISPA), has cited Mandiant's expertise since at least 2011. Mandiant's major report was released in February 2013, and may have helped CISPA pass its House vote two months later. While CISPA has since died in the Senate, politicians who call for new cybersecurity laws still refer to Chinese attacks as the major reason why.
It's unclear if the attacks ceased in direct response to Mandiant had calling out Unit 61398. Bejtlich said that while they changed their methods, "they have no changed appreciatively."
He said there's an apparent mentality for those hackers to keep using what works, and noted that many American companies are as vulnerable now as they were a few months ago. "In some cases, they're using the same infrastructure they were using before," Bejtlich said.