PLA Unit 61398
PLA Unit 61398, formally the Second Bureau of the Third Department of the People's Liberation Army General Staff Department, is a Chinese military signals intelligence and cyber operations unit headquartered in a 12-story facility in Pudong, Shanghai.[1][2] The unit specializes in computer network exploitation, conducting advanced persistent threat operations to gather intelligence and intellectual property from foreign targets, primarily in the United States and other Western nations.[2][3] In 2013, cybersecurity firm Mandiant attributed to Unit 61398—designated as APT1—a multi-year espionage campaign compromising at least 141 organizations across 20 industries, exfiltrating hundreds of terabytes of data including blueprints, formulas, and proprietary research to support Chinese military and economic advantages.[2] This attribution relied on forensic analysis linking malicious infrastructure, malware signatures, and operational patterns to the unit's physical location and personnel.[2] The following year, the U.S. Department of Justice indicted five Unit 61398 officers—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—on charges of hacking U.S. corporations in sectors such as nuclear energy, metals, and solar technology, as well as labor organizations, to steal trade secrets benefiting Chinese state interests.[3][4] These actions exemplified state-sponsored economic espionage, prompting international scrutiny of China's cyber practices despite official denials from Beijing asserting no government involvement.[3] Following PLA reforms in 2015–2016, the unit's structure was integrated into the People's Liberation Army Strategic Support Force, though its legacy persists in attributions of ongoing cyber threats.
Overview
Establishment and Mandate
PLA Unit 61398 serves as the military unit cover designator for the Second Bureau of the People's Liberation Army (PLA) General Staff Department's Third Department, also known as the Technical Reconnaissance Department, which is tasked with signals intelligence (SIGINT) collection.[1] The Third Department's mandate encompasses intercepting and analyzing foreign communications to support national security objectives, including military and economic intelligence gathering through technical means such as electronic surveillance and cyber operations.[3] This bureau-level entity operates from a facility in Shanghai's Pudong district, equipped for advanced network operations.[5] While the precise establishment date of Unit 61398 remains undisclosed in open sources, its operational infrastructure, including a 12-story headquarters building, was constructed starting around 2007, aligning with the expansion of China's cyber capabilities during that period.[6] U.S. intelligence assessments trace the unit's cyber activities to at least 2006, involving persistent intrusions into foreign networks for data exfiltration, though the underlying SIGINT functions likely predate these digital efforts as part of the PLA's longstanding reconnaissance apparatus.[6] The unit's role extends beyond offensive cyber espionage to include training in linguistics, computer programming, and covert communications, enabling targeted intelligence operations against perceived strategic adversaries.[1] Chinese authorities have denied that Unit 61398 engages in hacking or espionage, asserting that the unit focuses on routine military communications and research, while dismissing Western attributions as politically motivated.[7] However, evidence from cybersecurity analyses and U.S. Department of Justice indictments of five unit members in May 2014 for computer hacking and economic espionage underscores its alleged mandate to acquire proprietary information from U.S. corporations in sectors like defense, energy, and technology, supporting China's state-directed industrial policies.[3] These activities are framed by U.S. sources as part of a broader PLA strategy to close technological gaps through non-traditional intelligence methods.[6]
Organizational Affiliation
PLA Unit 61398 serves as the military unit cover designator (MUCD) for the Second Bureau of the Third Department within the General Staff Department (GSD) of the People's Liberation Army (PLA).[3][1] The Third Department, established in the early 1990s, holds primary responsibility for signals intelligence collection, technical reconnaissance, and electronic warfare support across the PLA's seven military regions.[8] This bureau-level entity operates from a large facility in the Pudong district of Shanghai, housing an estimated 1,000 to 2,000 personnel focused on cyber and network operations. The Second Bureau's affiliation underscores its integration into the PLA's intelligence apparatus, where it functions as one of multiple sub-bureaus conducting specialized technical tasks under centralized GSD oversight.[9] U.S. indictments in 2014 explicitly identified five indicted hackers as officers assigned to Unit 61398 within this structure, linking their activities to state-directed espionage.[3] Infrastructure analysis, including IP addresses and fiber-optic connections provided by China Telecom, further corroborates the unit's PLA embedding, with operations tied to government-allocated resources. Prior to the 2015–2016 PLA reforms, which reorganized the GSD into the Joint Staff Department and transferred cyber functions to the Strategic Support Force, Unit 61398 exemplified the PLA's pre-reform emphasis on department-level technical bureaus for information operations.[10] These reforms dispersed some Third Department elements but preserved core affiliations with PLA intelligence directorates, maintaining continuity in operational mandates.[1]
Historical Development
Pre-2013 Operations
PLA Unit 61398 initiated cyber espionage activities targeting foreign networks at least as early as 2006, with evidence of custom malware backdoors dating to that year and earlier compilation timestamps from 2004.[11] These operations focused on infiltrating corporate and government systems to exfiltrate intellectual property and strategic data, primarily in English-speaking countries.[11] By early 2013, the unit had compromised at least 141 organizations across 20 industries, including aerospace, defense, energy, and information technology, with annual intrusion rates increasing over time.[11] Intruders employed spear-phishing emails to deliver custom malware, such as the WEBC2 backdoor and tools for email harvesting like GETMAIL, enabling prolonged access with an average dwell time of 356 days per victim and up to 1,764 days in extreme cases.[11] Data exfiltration reached hundreds of terabytes across victims, including a single instance of 6.5 terabytes stolen over 10 months from one organization.[11] Unit personnel, including officers Wang Dong and Sun Kailiang, targeted U.S. firms such as Alcoa between February and June 2008 and U.S. Steel in 2010, using malware to access technical specifications, bid proposals, and internal communications.[3] Similar tactics struck Westinghouse Electric Company between 2010 and 2011, yielding nuclear plant design data and business strategies.[3] Supporting infrastructure included over 900 command-and-control servers hosted on hundreds of IP addresses, many registered to Shanghai-based entities near the unit's physical location, facilitating simultaneous operations against dozens of targets as observed in early 2011.[11] Officer Huang Zhenyu contributed programming for state-owned enterprise tools between 2006 and 2009, including database creation for data management.[3] These efforts aligned with broader patterns of economic espionage, prioritizing high-value sectors for competitive advantage rather than immediate disruptive effects.[11]
2013 Mandiant Attribution
In February 2013, cybersecurity firm Mandiant published the report APT1: Exposing One of China's Cyber Espionage Units, attributing a sophisticated cyber espionage campaign—designated APT1—to the People's Liberation Army (PLA) Unit 61398.[2][12] The report detailed APT1's operations dating back to at least 2006, involving the compromise of over 140 organizations, predominantly in the United States across sectors including technology, aerospace, and energy.[2] Mandiant's analysis drew from forensic investigations of victim networks, malware reverse-engineering, and infrastructure mapping, concluding with high confidence that APT1 operated from within Unit 61398 based on overlapping location, operational scale, and mission alignment.[2] Key evidence centered on geographic and infrastructural correlations. APT1's command-and-control infrastructure was heavily concentrated in Shanghai, with 709 of 849 traced IP addresses registered in China—primarily to China Unicom blocks in the city—and 22% of 107 analyzed domains explicitly listing Shanghai addresses.[2] Two of APT1's four primary "home" net blocks were allocated in the Pudong New Area, the same district housing Unit 61398's headquarters in a 12-story, 130,663-square-foot facility on Datong Road in Gaoqiaozhen, completed in early 2007 and equipped with specialized fiber-optic lines by China Telecom.[2][5] Operator personas associated with APT1, such as "Ugly Gorilla" (linked to malware uploads and domains registered as early as October 25, 2004), self-identified online as residing in Pudong, further tying activities to the unit's locale.[2] The scale and expertise required for APT1's sustained intrusions—estimated to involve dozens to hundreds of direct operators plus extensive support staff—mirrored Unit 61398's structure.[2] The unit, subordinate to the PLA General Staff Department's Third Department (signals intelligence) and Second Bureau, was assessed to employ hundreds to thousands of personnel trained in computer network operations, English-language analysis, and covert communications, enabling multi-year campaigns against foreign targets.[2][13] Mandiant noted APT1's professional tactics, including custom malware deployment and data exfiltration volumes exceeding gigabytes per victim, aligned with a state-sponsored military entity's resources rather than independent actors.[2] Mandiant emphasized that while no single "smoking gun" like internal documents directly confirmed the link, the cumulative evidence—encompassing infrastructure proximity, equivalent operational tempo (e.g., over 1,000 servers in hop chains), and shared focus on economic espionage—made alternative explanations improbable.[2] The report posited that a non-PLA entity replicating this activity from the same confined Shanghai area would require implausibly similar capabilities and motivations.[2] This attribution marked a rare public naming of a specific Chinese military unit in cyber operations, prompting international scrutiny and later influencing U.S. policy responses.[5]
2014 US Indictment
On May 19, 2014, the United States Department of Justice unsealed an indictment returned by a federal grand jury in the Western District of Pennsylvania, charging five officers of the People's Liberation Army (PLA) Unit 61398 with offenses related to cyber espionage against American entities.[3] The defendants—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—were identified as members of the Third Department of the PLA, specifically operating from Unit 61398 in Shanghai.[3][4] This marked the first time the U.S. government publicly indicted members of a foreign military for conducting cyber intrusions into private sector networks to steal trade secrets.[3] The 31-count indictment alleged a conspiracy spanning from 2006 to 2014, involving computer hacking, economic espionage, identity theft, and wire fraud, with the defendants purportedly using spear-phishing emails and malware to gain unauthorized access to victim networks.[3][4] Specific actions included stealing proprietary technical data, such as turbine models from Westinghouse Electric Company during nuclear plant bid preparations, and design specifications from SolarWorld AG related to solar panels.[3] The hackers also targeted communications between U.S. labor organizations and members of Congress to access strategy documents on trade negotiations with China.[3] Victims named in the indictment included six American companies and organizations across the nuclear power, metals, and solar industries—Westinghouse Electric Co., United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (AFSCME), Allegheny Technologies Inc., U.S. Steel Corp., and SolarWorld AG—as well as their subsidiaries.[3][4] The U.S. authorities asserted that the intrusions were state-sponsored efforts to provide competitive advantages to Chinese entities, building on prior attributions like the 2013 Mandiant report linking Unit 61398 to advanced persistent threat (APT1) activities.[3] None of the defendants had been extradited or had appeared in U.S. court as of the announcement, rendering the indictment largely symbolic in terms of immediate legal enforcement but significant for public attribution and diplomatic signaling.[3]
Post-2015 PLA Reforms and Evolution
In late 2015, the People's Liberation Army (PLA) initiated comprehensive structural reforms under Central Military Commission (CMC) Chairman Xi Jinping, abolishing the four general departments—including the 3rd Department responsible for technical reconnaissance and cyber operations—and redistributing their functions to new entities directly under the CMC and joint theater commands.[14][15] Unit 61398, previously affiliated with the 3rd Department's 2nd Bureau and linked to cyber espionage activities, was integrated into the newly established PLA Strategic Support Force (SSF) in December 2015, specifically under its Network Systems Department, which centralized cyber, electronic warfare, and network operations previously dispersed across PLA branches.[16][17] This reorganization aimed to enhance joint operations and information dominance but also reduced the visibility of specific units like 61398, contributing to a perceived decline in attributable PLA-linked cyber intrusions traceable to pre-reform identifiers.[14] The SSF's formation marked a shift toward "informatized" warfare, with Unit 61398's personnel—estimated at over 2,000 engineers and technicians focused on hacking and malware development—retained for advanced persistent threat (APT) activities, though operations became more compartmentalized and less tied to geographic bases like the unit's Pudong facility.[18] Post-reform, U.S. intelligence assessments noted continuity in tactics, techniques, and procedures (TTPs) associated with APT1 (the Mandiant designation for 61398-linked actors), including spear-phishing and exploitation of zero-day vulnerabilities, but with evolving tools to evade detection, such as custom malware variants observed in campaigns targeting U.S. defense contractors as late as 2018.[18] These changes aligned with Xi's emphasis on military-civil fusion, potentially incorporating civilian talent from state-linked firms, though direct evidence of Unit 61398's exact post-2015 subunit designation remains opaque due to PLA opacity.[14] Further evolution occurred in April 2024, when the CMC dissolved the SSF amid reported internal issues, including corruption purges, and elevated its components into three independent forces: the Cyberspace Force for offensive and defensive cyber missions, the Aerospace Force for space operations, and the Information Support Force for integrated networks and electronic warfare.[15][19] Unit 61398's cyber elements were reportedly centralized under the new Cyberspace Force, reflecting Xi's push for "intelligentized" warfare with AI-enhanced capabilities, though this structure may further obscure attribution by emphasizing domain-specific commands over legacy units.[20] These reforms have not halted espionage allegations; for instance, U.S. officials attributed 2023–2024 intrusions on critical infrastructure to PLA-affiliated actors exhibiting TTPs consistent with pre-reform Unit 61398 operations, underscoring adaptation rather than cessation.[14]
Alleged Activities and Capabilities
Methods and Tools Employed
APT1, linked to PLA Unit 61398, primarily gained initial access through spear-phishing emails containing malicious attachments, such as ZIP files disguised as legitimate documents (e.g., "2012ChinaUSAviationSymposium.zip"), or hyperlinks leading to exploit kits.[2][21] Additional vectors included strategic web compromises, or watering holes, targeting vulnerable Internet-facing web servers to deploy webshells.[2] The group deployed a diverse arsenal of over 40 malware families, including custom backdoors like WEBC2 variants (e.g., WEBC2-TABLE, WEBC2-QBP), BISCUIT, and SEASALT for remote access and control; remote access trojans (RATs) such as Poison Ivy, Gh0st RAT, AURIGA, and BANGAT for keystroke logging and screen capture; and specialized tools like GETMAIL and MAPIGET for automated email collection.[2][21] These were often customized, with some incorporating public tools like Mimikatz for credential dumping from LSASS memory and PsExec for lateral movement via pass-the-hash techniques.[21] Execution frequently involved Windows Command Shell and batch scripts, while defense evasion included masquerading malware as legitimate processes (e.g., naming files AcroRD32.exe).[21] Command and control (C2) operations relied on HTTP/HTTPS protocols with SSL encryption, custom encrypted channels, and tools like HTRAN for traffic proxying through compromised hop points; infrastructure encompassed 937 servers across 849 IP addresses (709 in China) and 2,551 fully qualified domain names (FQDNs), many registered dynamically or hijacked from legitimate domains.[2] Persistence was achieved via registry run keys, multiple redundant backdoors, and exploitation of stolen VPN or PKI credentials.[2][21] Lateral movement utilized Remote Desktop Protocol (RDP), Windows Task Scheduler, and network discovery commands (e.g., net user, net group).[21]
Data exfiltration involved compressing files into password-protected RAR, ZIP, or 7-ZIP archives—often split into 200 MB chunks—transmitted via FTP, custom backdoors, or existing C2 channels, with one documented instance extracting 6.5 terabytes from a single victim.[2][21] These tactics supported sustained intrusions averaging 356 days, with a maximum of 1,764 days across 141 compromised organizations since 2006.[2]
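The behaviours catalogued in this section (a well-known process name such as AcroRD32.exe run from the wrong directory, bursts of net user / net group enumeration, registry Run-key persistence, and staging of archives in equal chunks of roughly 200 MB) are the kind of host telemetry a defender can match on. The script below is an added example written for this article, not code from Mandiant, the DOJ filings, or any referenced source; the record schema, host names, file paths, timestamps and sizes are all constructed for illustration.

```python
"""Defender-side heuristics for several APT1-style behaviours described above,
run over constructed endpoint telemetry. Schema and records are hypothetical."""
import ntpath
from collections import defaultdict

MB = 1024 * 1024

# Constructed sample telemetry (hypothetical schema; not data from any real victim).
EVENTS = [
    {"ts": 100, "host": "ws-07", "type": "process",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AcroRD32.exe", "cmdline": "AcroRD32.exe"},
    {"ts": 160, "host": "ws-07", "type": "process",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user /domain"},
    {"ts": 170, "host": "ws-07", "type": "process",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "domain admins" /domain'},
    {"ts": 200, "host": "ws-07", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\jdoe\AppData\Local\Temp\AcroRD32.exe"},
    {"ts": 300, "host": "ws-07", "type": "file", "path": r"C:\Users\jdoe\AppData\Local\Temp\a.part01.rar", "size": 200 * MB},
    {"ts": 301, "host": "ws-07", "type": "file", "path": r"C:\Users\jdoe\AppData\Local\Temp\a.part02.rar", "size": 200 * MB},
    {"ts": 302, "host": "ws-07", "type": "file", "path": r"C:\Users\jdoe\AppData\Local\Temp\a.part03.rar", "size": 200 * MB},
    {"ts": 303, "host": "ws-07", "type": "file", "path": r"C:\Users\jdoe\AppData\Local\Temp\a.part04.rar", "size": 37 * MB},
    # Benign activity on a second host: the genuine Reader binary, a drive mapping, an ordinary zip.
    {"ts": 120, "host": "ws-12", "type": "process",
     "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRD32.exe", "cmdline": "AcroRD32.exe q3.pdf"},
    {"ts": 130, "host": "ws-12", "type": "process",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net use Z: \\\\fs01\\share"},
    {"ts": 140, "host": "ws-12", "type": "file", "path": r"C:\Users\asmith\Documents\photos.zip", "size": 5 * MB},
]

# Process names the text says were borrowed, mapped to a path fragment the genuine copy lives under.
EXPECTED_PATH_FRAGMENT = {"acrord32.exe": "\\adobe\\"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
ARCHIVE_EXT = (".rar", ".zip", ".7z")


def masquerading(events):
    """Flag a well-known process name running from a directory its vendor never installs it in."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        fragment = EXPECTED_PATH_FRAGMENT.get(ntpath.basename(e["image"]).lower())
        if fragment and fragment not in e["image"].lower():
            hits.append((e["host"], "masquerading", e["image"]))
    return hits


def discovery_bursts(events, window=300, min_cmds=2):
    """Flag hosts that run `min_cmds` or more net user/net group enumerations within `window` seconds."""
    per_host = defaultdict(list)
    for e in events:
        if e["type"] == "process" and e["cmdline"].lower().startswith(
                ("net user", "net group", "net1 user", "net1 group")):
            per_host[e["host"]].append(e["ts"])
    hits = []
    for host, stamps in per_host.items():
        stamps.sort()
        for start in stamps:  # slide a window from each command and count what falls inside it
            n = sum(1 for t in stamps if start <= t <= start + window)
            if n >= min_cmds:
                hits.append((host, "discovery_burst", f"{n} net enumeration commands in {window}s"))
                break
    return hits


def run_key_persistence(events):
    """Flag Run-key values that launch something from a user-writable directory."""
    return [(e["host"], "run_key_persistence", e["key"]) for e in events
            if e["type"] == "registry"
            and "\\currentversion\\run\\" in e["key"].lower()
            and any(frag in e["value"].lower() for frag in USER_WRITABLE)]


def archive_staging(events, chunk_bytes=200 * MB, tolerance=0.02, min_parts=3):
    """Flag hosts writing `min_parts` or more archives whose size sits within `tolerance` of one chunk size."""
    per_host = defaultdict(int)
    for e in events:
        if (e["type"] == "file" and e["path"].lower().endswith(ARCHIVE_EXT)
                and abs(e["size"] - chunk_bytes) <= tolerance * chunk_bytes):
            per_host[e["host"]] += 1
    return [(h, "archive_staging", f"{n} archive parts of ~{chunk_bytes // MB} MB")
            for h, n in per_host.items() if n >= min_parts]


def detect(events):
    """Run every heuristic and return (host, rule, detail) tuples sorted by host and rule."""
    return sorted(masquerading(events) + discovery_bursts(events)
                  + run_key_persistence(events) + archive_staging(events))


if __name__ == "__main__":
    for host, rule, detail in detect(EVENTS):
        print(f"{host}: {rule}: {detail}")
```

Each heuristic on its own produces false positives (a legitimate backup job also writes equal-sized archive parts), so the value is in the conjunction: on the constructed data only ws-07 trips all four rules, while the genuine Reader process and the ordinary zip on ws-12 trip none. Thresholds such as the chunk size and the enumeration window are parameters precisely because the text gives 200 MB and 356-day dwell times as observed values, not fixed constants of the tradecraft.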