• Montane PS Staff

Who are Unit 61398?

Unit 61398 (Military Unit Cover Designation) is a cyber operations unit within the People’s Liberation Army that is thought to be part of the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department based in Shanghai.

This highly secretive unit was one of the first Advanced Persistent Threat (APT) groups to be publicly named in a report released by Mandiant (now owned by FireEye) in 2013 - hence their designation as APT1.

APT1 is noted for widespread and high volume cyber-based intrusion and collection activities

Targeting industries noted as internal development areas by China’s 12th Five-Year Plan, APT 1 is notable in contrast to more familiar threat groups by their persistence (average observed persistence on target was 356 days), and their ability to compromise a target using multiple attack vectors.

As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target.

While the targets may be anyone or anything - a person, business, government, military or other organisation - APTs are often associated with government or military operations (state actors) as they tend to be the organisations with the resources necessary to conduct such an attack.

Targets of interest for Unit 61398 (and their sister unit 61486) are: intellectual property; medical research (including COVID-19 vaccine research); advanced technology in general; "anti-China" activities by Chinese nationals abroad; foreign research and development; any country's foreign policies affecting China; trade-related information; foreign governance systems (including identifying politicians susceptible to influence), and; any information that will benefit its defence capabilities.

In the past, the digital IP addresses of many of the hackers stealing terabytes of data from US and Australian corporations – everything from the designs of the F-35 aircraft to the technology of gas pipelines, from data collected by healthcare systems to Google’s algorithms and Facebook’s magic formula – pointed straight back to the unit's building.

It is thought that cyber attacks on the Australian Government, corporate entities and our intelligence agencies are also attributed to APT1.

The ABC's Four Corners program has previously detailed widespread attacks on Australian government and corporate entities, in their program "Hacked". This is well worth a watch and provides very good context and information on Unit 61398 activities within Australia and overseas. A second program by Four Corners "Cyber War" also provides useful information.

It is unknown whether Unit 61398 is operating in the way that was identified in the Mandiant report. However, the advent of other APT's linked to China (and indeed, other state actors) highlights that the cyber threat is increasing, and likely to continue well in to the future. Therefore, businesses of all sizes need to be prepared and ready to not only repel and defend against cyber-based risks, but also be able to respond and recover from a successful attack.


Montane Protective Security offer a range of cyber and information security solutions to assist organisations to identify vulnerabilities and risks and to reduce the threat of cyber crime.

Contact us to learn more.


53 views0 comments

Recent Posts

See All