We’re getting a rare glimpse of the inner workings of China’s national cyber force, courtesy of a new, detailed report by computer security firm Mandiant, which tracked one group of cyber spies back to their apparent base of operations. Turns out that the group Mandiant calls “one of the most persistent of China’s cyber threat actors” is housed within China’s equivalent of the National Security Agency, which is where the U.S. government’s best hackers work.
The group Mandiant calls “APT1” (for Advanced Persistent Threat) is believed to be the 2nd Bureau of the People’s Liberation Army General Staff Department’s 3rd Department more commonly known by a numerical designation, 61398. The General Staff Department is like our Joint Chiefs of Staff, and the 3rd Department handles signals intelligence and computer network operations (aka cyber attacks and exploitation—stealing information).
There are some fascinating parallels here between how the Chinese organize their cyber operations, and how we organize ours. Mandiant estimates that APT1 is “a large organization with at least dozens, and potentially hundreds of human operators.” (The company says all its estimates are conservative.) The “attack infrastructure” includes more than 1,000 servers. The cyber attackers are “directly supported by linguists, open source researchers, malware authors,” as well as “industry experts” and “people who transmit stolen information.” There’s also probably a support staff that buys and maintains computer equipment, as well as people handling finances, facility management, and logistics, such as shipping.
Given APT1’s great success stealing U.S. secrets, it seems that a smart way to organize a pervasive, broad, state-sponsored espionage campaign is along the lines of a bureaucratic hierarchy. I suppose that bodes well for the United States military, as well as the intelligence community, which is also in the business of cyber espionage, though generally targeting foreign governments and not corporations.
Less encouraging is how the U.S. stacks up against the Chinese in terms of the number of cyber spies. APT1 is just a small number compared to the broader Chinese cyber force.
“My sense is that there are perhaps 15,000 to 20,000 cyber operators in China working directly or indirectly on hacking for the [People’s Liberation Army],” says Alan Paller, the founder of the SANS Institute, which trains U.S. cyber experts. “We have far fewer than 1,000 cyber operators at the same level. We are badly mismatched.”
If Paller and Mandiant have the right numbers, APT1 alone could be nearly as big as our entire cadre of elite cyber operators. Certainly if we’re talking in overall terms, there are a lot more people hacking for the government on their side than ours.