[Unit] 61398, The New Number of The Beast

Earlier Black Phoenix wrote about the problem with Mandiant attributing the Comment Crew hacking to the Chinese military. The recent media frenzy around yet another “China hacking” story focused on a supposedly shadowy PLA military unit in Shanghai, Unit 61398, as the “state actor” behind the cyber attacks. Their primary source, the Mandiant APT1 report, even cited the address of Unit 61398’s central office as 208 Datong Road in Gaochao, Pudong.

The only problem is that 208 Datong Road is the address of a kindergarten run by the not-so-secret military unit, and it is open to the public:

Star Baby review

– Here’s Star Baby, a preschool ratings site, giving Unit 61298 Preschool a favorable review:

http://www.starbaby.cn/jigou/1368-jieshao

– Here’s another preschool review site with photos of the potential “hackers”:

http://www.studyget.com/youeryuan/item-660.html

– No, this is not a picture of PLA hackers using children as human shields. The kindergarten was practicing emergency preparedness, probably in response to a school attack that occurred in China:

http://www.pudong-edu.sh.cn/web/pd/45322-450000032148.htm

Having never been to the place, I would concede the nursery school COULD be a front for China’s premier cyber espionage center – save for the fact that the school’s online registration information shows it is one of the schools in Pudong that accepts foreign families.

I hope cooler heads prevail. While it is reasonable to believe the Chinese are probably doing everything we’re doing, pinning this on the Chinese military requires more compelling evidence than a bunch of toddlers running around.

  1. Zack
    February 26th, 2013 at 01:55 | #1

    migod, Mandiant sure have egg on their faces but something tells me the US media ain’t going to give it a fair treatment, like how there was no followup on so called ‘chinese cyber attacks’ that pop up on the american mainstream media like an outbreak of herpes.

  2. pug_ster
    February 26th, 2013 at 04:45 | #2

    As a parody, some Chinese reporter should go into this ‘infamous compound’ and interview these kids if they are hacking into American companies.

  3. February 26th, 2013 at 10:35 | #3

    Lol, the response of the western media would be simple and predictable:

    Variant 1:

    “These evil chi-coms are using kids as human shields for their top-secret underground hacking facility!”

    Variant 2:

    “These evil chi-coms are enslaving kindergarteners and training them as brainwashed super-hackers!”

  4. February 26th, 2013 at 10:38 | #4

    pug_ster :
    As a parody, some Chinese reporter should go into this ‘infamous compound’ and interview these kids if they are hacking into American companies.

    Oh dude, that’s GENIUS! You could totally do it Daily Show style! Do we have any HH readers/contributors in Shanghai at the moment? With a few volunteers & a good script, no reason why we can’t make it happen!

  5. Hong Konger
    March 2nd, 2013 at 11:45 | #5

    The alleged PLA building is supposedly off Datong Rd, not on it. Datong Rd. itself is a big thoroughfare with a bunch of normal commercial enterprises, like a school, wine shop, and spa. It also, confusingly, splits into two branches at one point (near the rail station), though both have the same name. Is it also possible that they mixed up Datong Rd (Datong Lu) and Datong Highway (Datong Gonglu)?

    Also, as is often the case with big Asian cities, sometimes one address will be used to represent a whole city block. Anyone who’s gone crazy looking for a restaurant at say, 1 ABC Road — and then found yourself at an entrance around the corner from ABC Road on an unnamed side alley — knows what I mean. Online address listings both in HK and on the mainland are notoriously inaccurate. Twice in the last month I went to the wrong place because of a Chinese-language address that was wrong, and I only found my way after calling the place and reconfirming verbally. Sometimes it’s not just wrong, it’s just that 1 ABC Road is a whole block with 125 units in it, with entrances on three sides, or something.

    Search for 20号 大同路上海 in Chinese (not English), and you will also get a steel manufacturer and a hardware store. Not saying there is some huge conspiracy — just that address mix-ups happen a lot here.

    According to the below map, the alleged PLA building is set back from Datong Lu. It looks like there’s an empty space (car park?) in front that might make the building not easily visible from Datong Lu. It looks like the actual entrance is on the cross street.
    http://www.nytimes.com/imagepages/2013/02/19/business/19hack-map.html

    I’m not saying I believe all the hacking reports – and I appreciate your sleuthing! But just finding a nursery that shares an address online doesn’t say much, given how unreliable addresses are.

  6. Hong Konger
    March 2nd, 2013 at 12:16 | #6

    Actually, I looked on Google map.
    There is a Datong Rd on the Puxi side, which is why I remember it near the train station.
    Datong Highway (Datong Gonglu) is on the Pudong side. #208 is near the intersection with Tonggang Rd, which is where the NYT map puts the “hidden” PLA unit.
    The above kindergarten is listed at 208 Datong Rd, Pudong, which just goes to show how these two places (the road and the highway) are frequently mixed up in name, even in Chinese, much less in English.
    Neither the kindergarten nor PLA unit (obviously) show up on the Google map version of that intersection — but there seems to be some missing stuff. All I can find nearby is a hotpot restaurant.

    Sorry, I have no answer to your dilemma. (If I’m really curious, I can go take a look next time I’m up there). But clearly the address thing is a bit of a mess.
    God knows, there could be a sushi joint, a clothing store and a florist all claiming to be at the same address!
    Anyway, there’s an alleged photo of the 12-story PLA building here: http://www.guardian.co.uk/technology/2013/feb/23/mandiant-unit-61398-china-hacking
    From the angle, looks like it was taken from the Tonggang Rd entrance.

  7. March 2nd, 2013 at 12:24 | #7

    @Hong Konger

    So what we have so far are kindergartens, steel factories, hardware stores, & hotpot restaurants… well, I’m sure any of them could be a front for a top-secret PLA hacker base… >;-]

  8. Hong Konger
    March 2nd, 2013 at 12:43 | #8

    There’s another photo and what looks like a satellite map here.
    http://qz.com/54963/hacking-against-the-us-is-traced-to-the-front-door-of-a-chinese-army-unit/
    The image from Mandiant simply says Datong (neither Rd nor Hwy).

    Now that the story’s broken, it seems like everyone has gone out to take photos of this place, so you can just do a Google image search and find tons of stuff.
    But this one is probably best to depict what I mean. The alleged PLA building is behind a wall / complex barrier that contains several buildings, one of which looks like the standard Shanghai apartment block that often has daycare on the ground floor.
    http://12160.info/forum/topics/major-chinese-internet-hacking-base-exposed

  9. Hong Konger
    March 2nd, 2013 at 12:50 | #9

    @Mister Unknown

    No, not a front. No conspiracy theory.
    Just a shared address. It’s really common here. Don’t know where you are, but addresses in China don’t work like they do in the U.S.
    There are lots of photos showing a mixed residential commercial neighborhood, of which one building has a big DO NOT ENTER sign, an iron gate, a Communist Party star and a military guard in front of the same 12-story building that has been identified as the hacker base.
    I mean, they don’t really even try to hide these government / military buildings. They are all over the place.

    My point is that one guy finding one listing for a nursery is not exactly an “aha!” revelation to anyone who actually lives here.

  10. March 2nd, 2013 at 13:28 | #10

    @Hong Konger
    Your point is well-taken. I would however remind all who are reading this post here that the burden of proof lies with the western media & with Mandiant, if they want to claim that some random nondescript building is some kind of a secret PLA hacker base.

  11. March 2nd, 2013 at 13:30 | #11

    While we’re on the topic, here is a great article on this from Al Jazeera:

    http://www.aljazeera.com/indepth/opinion/2013/02/201322510446268971.html

  12. Charles Liu
    March 4th, 2013 at 08:34 | #12

    @Hong Konger

    HKer, page 11 of the Mandiant APT1 report says 208 Datong Road, Gaochao, Pudong. It would be great if you can look around the area. AFAIK the address is smack in the middle of public access, including the kindergarten.

  13. Hong Konger
    March 15th, 2013 at 19:13 | #13

    Charles — I think you’re still missing the point.
    There’s no argument of whether there is a kindergarten or not at 208 Datong Rd. There probably is, along with other businesses and residences on that block. And there’s no argument of whether there is a whopping huge military building — with guards, metal gate and Communist Party emblem — right behind 208 Datong Rd. Clearly, everyone else has already gone and taken pictures of it.
    It’s not like China is trying to hide its various PLA headquarters. They are as obvious as a police station would be in the U.S.
    The question is whether all those IP addresses related to the hacking can, indeed, be traced to this particular building. And to what extent China is hacking into US government or corporate websites.

    Nobody here is bothering with this frankly minor detail. Every Chinese person I know knows that the Chinese government uses cyberattacks on the West, the same way that the U.S. uses cyberattacks on Iran. If you read the Chinese-language media, there are lots of reports from young hackers who work with the Chinese government. (Same as the US government).

    This whole kindergarten thing is just a silly distraction. I think most of these posts are written from people who’ve lived a long time in the States, and don’t know how things work on the ground here.

  14. Charles Liu
    March 18th, 2013 at 13:27 | #14

    @Hong Konger

    Actually you need to read a little more on this. Mandiant’s claim these IP addresses are traceable to the building is questionable, beyond the kindergarten and public access around supposed secret operation. The fiber optics backbone was put in for all the multinational businesses in the area, not dedicated to the PLA.

    Read the HH blogpost I cited in the first sentence. Also here’s another security expert questioning Mandiant’s attribution:

    http://jeffreycarr.blogspot.com/#!/2013/02/more-on-mandiants-apt1-report-guilt-by.html

    Jeffrey Carr also questions Mandiant’s mission claim:

    http://jeffreycarr.blogspot.com/#!/2013/03/mandiants-apt1-mission-problem.html

  15. Zack
    March 18th, 2013 at 15:39 | #15

    what’s a complete mystery to me is why the NYT or the Washington Post or the fucking Guardian aren’t doing their goddamn jobs and rectifying these claims by Mandiant. So far I’ve only seen Al Jazeera English’s hosted article, courtesy of Mr Unknown, but precious little else.

  16. March 20th, 2013 at 21:54 | #16

    @Hong Konger
    While we all can speculate that the Chinese and American governments hack each other – and that most people believe they do – we have to remember this important point.

    This Mandiant report in conjunction with the U.S. media is precisely fanning the flame for the sake of it.

    If Mandiant have incontrovertible proof, that’d be one thing. It would be a grave mistake that the two countries escalate into more confrontation purely on such bad information and analysis.

    There is no media in the United States willing to take a critical view on the report. Why is that? Don’t you find that scary?
