The fake yoga brochure was one of many clever come-ons used by a stealth Chinese military unit for hacking, said researchers at CrowdStrike, an
Just weeks after the
The report, parts of which
Those officials say the NSA and its partners are tracking more than 20 hacking groups in
Unit 61486, researchers say, in some instances shared computing resources and communicated with members of Unit 61398, the PLA unit whose members were the focus of last month's indictments.
"If you look at all the groups that we track in
Knowledge of the attacks, which continue and are being reported for the first time, emerge amid an escalating conflict between
Tensions had been simmering for years, but grew more pointed last year when a U.S. cybersecurity company,
In response, Chinese officials have denounced the indictments, denied the charges, cited recent revelations that
The decision to issue indictments against the members of Unit 61398 has proved controversial, even inside the Obama administration. The members of the unit are almost certain never to see the inside of an American courtroom and U.S. officials fear that it could become more difficult to negotiate norms of behavior with
The same issue will arise in the case of this newly disclosed unit, whose operations pose as large a threat to U.S. infrastructure as the one whose members have been indicted.
CrowdStrike's forensic investigation revealed that members of Unit 61486 took steps to hide their origins -- by using compromised foreign websites to launch their attacks, for instance -- but left behind digital traces of their identities and whereabouts. The report does not name the companies that were targeted because of confidentiality agreements CrowdStrike has with clients.
The hackers' tools were developed during working hours in Chinese time zones, researchers say, and Internet records show that in one case hackers used the same I.P. address as members of Unit 61398 to launch their attacks. The use of that address for simultaneous attacks suggests cooperation between Unit 61398 and Unit 61486, said
CrowdStrike, founded by two former executives of the security software company McAfee, is one of a new generation of computer security companies that specialize in computer forensics.
Rather than reacting to attacks by hackers, the company tries to understand who hackers are and what methods they are using. It has released several reports on global hacking over the past year.
The company's investigation revealed that the group targeted its victims with custom malware disguised as emails containing PDF invitations to aerospace and satellite conferences, job postings, and in one case the brochure for a yoga studio in
Once victims clicked on decoy files, they inadvertently downloaded malicious programs onto their computers. That opened the door for attackers to enter the victim's network, see which other devices and networks their victim was connected to, and eventually steal trade secrets and design schematics for satellite and aerospace technology.
CrowdStrike's researchers said they traced attacks on dozens of the company's clients in the space and satellite industry to the group; the researchers say the list of victims could number in the hundreds, if not thousands.
In some cases, researchers said, attackers slipped up and registered websites used in their assaults under the same email address they used to register personal blog and social media accounts. In one case, an attacker deployed a remote access tool, or RAT, from a Web domain registered to an email address that belonged to a onetime student at the
Representatives for Shanghai Jiaotong did not respond to fax messages requesting comment.
In another case, an email address -- which popped up repeatedly in Internet records for attack domains -- was used to register a personal blog on Sina.com, the Chinese Internet portal, to a 35-year-old who listed the military as his profession. The soldier did not return requests for comment, but in security discussion forums, CrowdStrike's researchers uncovered discussions between that person and two other hackers, whose noms de guerre ClassicWind and Linxder have been linked to members of Unit 61398.
The 35-year-old's Picasa albums show photos of him in military training and celebrating his birthday with friends in military garb, and pictures of his dormitory, where
Military analysts at the Project 2049 Institute, a defense research group in
CrowdStrike believes its report offers the final proof. "We've got the gun, the bullet and the body," Meyers said of evidence connecting attacks on its clients, in the space and satellite sectors, back to Unit 61486.
"The awareness level may be going up," said Kurtz of CrowdStrike. "But the Chinese are not slowing down. They keep plowing away."
Most Popular Stories
- Homeowners More Satisfied With Mortgage Servicers
- Russia, Ukraine Now Face Off Over Football Clubs
- Obama Vows to Veto House Immigration Bill
- Body Parts Retrieved at MH17 Crash Site
- Motorists Get Rare Summer Break on Gas Prices
- Government Meets Goal for Small-business Contracts
- MassMutual Teams Up With ALPFA
- Chrysler U.S. Sales in July Hit 9-Year High
- Law Lets Users Unlock Cellphones
- Reno Gigafactory No Cinch to Land Tesla Plant