Who are Unit 61398?
Unit 61398 (a Military Unit Cover Designation) is a cyber operations unit within the People's Liberation Army (PLA), thought to be part of the 2nd Bureau of the PLA General Staff Department's (GSD) 3rd Department, based in Shanghai.
This highly secretive unit was one of the first Advanced Persistent Threat (APT) groups to be publicly named, in a report released by Mandiant (now owned by FireEye) in 2013; hence its designation as APT1.
APT1 is noted for widespread and high-volume cyber-based intrusion and collection activities.
Targeting industries identified as internal development areas in China's 12th Five-Year Plan, APT1 stands out from more familiar threat groups for its persistence (average observed persistence on target was 356 days) and its ability to compromise a target using multiple attack vectors.
As a refresher, APTs are prolonged, targeted attacks on specific victims, carried out with the intention of compromising their systems and gathering information from or about that target.
While the target may be anyone or anything - a person, business, government, military or other organisation - APTs are often associated with government or military operations (state actors), as these tend to be the organisations with the resources necessary to conduct such an attack.
Targets of interest for Unit 61398 (and its sister unit, 61486) are: intellectual property; medical research (including COVID-19 vaccine research); advanced technology in general; "anti-China" activities by Chinese nationals abroad; foreign research and development; any country's foreign policies affecting China; trade-related information; foreign governance systems (including identifying politicians susceptible to influence); and any information that will benefit its defence capabilities.
In the past, the IP addresses of many of the hackers stealing terabytes of data from US and Australian corporations (everything from the designs of the F-35 aircraft to gas pipeline technology, and from data collected by healthcare systems to Google's algorithms and Facebook's "magic formula") pointed straight back to the unit's building.
It is thought that cyber attacks on the Australian Government, corporate entities and Australia's intelligence agencies are also attributable to APT1.