[Unit] 61398, The New Number of The Beast

Earlier Black Phoenix wrote about the problem with Mandiant attributing the Comment Crew hacking to the Chinese military. The recent media frenzy around yet another “China hacking” story focused on a supposedly shadowy PLA military unit in Shanghai, Unit 61398, as the “state actor” behind the cyber attacks. Their primary source, the Mandiant APT1 report, even cited the address of Unit 61398’s central office as 208 Datong Road in Gaochao, Pudong.

The only problem is that 208 Datong Road is the address of a kindergarten run by the not-so-secret military unit, and it is open to the public:

Star Baby review

– Here’s Star Baby, a preschool ratings site, giving Unit 61298 Preschool a favorable review:

http://www.starbaby.cn/jigou/1368-jieshao

– Here’s another preschool review site with photos of the potential “hackers”:

http://www.studyget.com/youeryuan/item-660.html

– No, this is not a picture of PLA hackers using children as human shields. The kindergarten was practicing emergency preparedness, probably in response to a school attack that occurred in China:

http://www.pudong-edu.sh.cn/web/pd/45322-450000032148.htm

Having never been to the place, I would concede the nursery school COULD be a front for China’s premier cyber espionage center – save for the fact that the school’s online registration information shows it is one of the schools in Pudong that accepts foreign families.

I hope cooler heads prevail. While it is reasonable to believe the Chinese are probably doing everything we’re doing, to pin this on the Chinese military requires more compelling evidence than a bunch of toddlers running around.

16 thoughts on “[Unit] 61398, The New Number of The Beast”

  1. migod, Mandiant sure have egg on their faces, but something tells me the US media ain’t going to give it a fair treatment, like how there was no follow-up on the so-called ‘Chinese cyber attacks’ that pop up on the American mainstream media like an outbreak of herpes.

  2. Lol, the response of the western media would be simple and predictable:

    Variant 1:

    “These evil chi-coms are using kids as human shields for their top-secret underground hacking facility!”

    Variant 2:

    “These evil chi-coms are enslaving kindergarteners and training them as brainwashed super-hackers!”

  3. pug_ster:
    As a parody, some Chinese reporter should go into this ‘infamous compound’ and interview these kids about whether they are hacking into American companies.

    Oh dude, that’s GENIUS! You could totally do it Daily Show style! Do we have any HH readers/contributors in Shanghai at the moment? With a few volunteers & a good script, no reason why we can’t make it happen!

  4. The alleged PLA building is supposedly off Datong Rd, not on it. Datong Rd. itself is a big thoroughfare with a bunch of normal commercial enterprises, like a school, wine shop, and spa. It also, confusingly, splits into two branches at one point (near the rail station), though both have the same name. It’s also possible that they mixed up Datong Rd (Datong Lu) and Datong Highway (Datong Gonglu)?

    Also, as is often the case with big Asian cities, sometimes one address will be used to represent a whole city block. Anyone who’s gone crazy looking for a restaurant at, say, 1 ABC Road — and then found themselves at an entrance around the corner from ABC Road on an unnamed side alley — knows what I mean. Online address listings both in HK and on the mainland are notoriously inaccurate. Twice in the last month I went to the wrong place because of a Chinese-language address that was wrong, and I only found my way after calling the place and reconfirming verbally. Sometimes it’s not just wrong; it’s that 1 ABC Road is a whole block with 125 units in it, with entrances on three sides, or something.

    Search for 20号 大同路上海 in Chinese (not English), and you will also get a steel manufacturer and a hardware store. Not saying there is some huge conspiracy — just that address mix-ups happen a lot here.

    According to the below map, the alleged PLA building is set back from Datong Lu. It looks like there’s an empty space (car park?) in front that might make the building not easily visible from Datong Lu. It looks like the actual entrance is on the cross street.
    http://www.nytimes.com/imagepages/2013/02/19/business/19hack-map.html

    I’m not saying I believe all the hacking reports – and I appreciate your sleuthing! But just finding a nursery that shares an address online doesn’t say much, given how unreliable addresses are.

  5. Actually, I looked on Google map.
    There is a Datong Rd on the Puxi side, which is why I remember it near the train station.
    Datong Highway (Datong Gonglu) is on the Pudong side. #208 is near the intersection with Tonggang Rd, which is where the NYT map puts the “hidden” PLA unit.
    The above kindergarten is listed at 208 Datong Rd, Pudong, which just goes to show how these two places (the road and the highway) are frequently mixed up in name, even in Chinese, much less in English.
    Neither the kindergarten nor the PLA unit (obviously) shows up on the Google map version of that intersection — but there seems to be some missing stuff. All I can find nearby is a hotpot restaurant.

    Sorry, I have no answer to your dilemma. (If I’m really curious, I can go take a look next time I’m up there.) But clearly the address thing is a bit of a mess.
    God knows, there could be a sushi joint, a clothing store and a florist all claiming to be at the same address!
    Anyway, there’s an alleged photo of the 12-story PLA building here: http://www.guardian.co.uk/technology/2013/feb/23/mandiant-unit-61398-china-hacking
    From the angle, looks like it was taken from the Tonggang Rd entrance.

  6. There’s another photo and what looks like a satellite map here.
    http://qz.com/54963/hacking-against-the-us-is-traced-to-the-front-door-of-a-chinese-army-unit/
    The image from Mandiant simply says Datong (neither Rd nor Hwy).

    Now that the story’s broken, it seems like everyone has gone out to take photos of this place, so you can just do a Google image search and find tons of stuff.
    But this one is probably best to depict what I mean. The alleged PLA building is behind a wall / complex barrier that contains several buildings, one of which looks like the standard Shanghai apartment block that often has daycare on the ground floor.
    http://12160.info/forum/topics/major-chinese-internet-hacking-base-exposed

  7. @Mister Unknown

    No, not a front. No conspiracy theory.
    Just a shared address. It’s really common here. Don’t know where you are, but addresses in China don’t work like they do in the U.S.
    There are lots of photos showing a mixed residential commercial neighborhood, of which one building has a big DO NOT ENTER sign, an iron gate, a Communist Party star and a military guard in front of the same 12-story building that has been identified as the hacker base.
    I mean, they don’t really even try to hide these government / military buildings. They are all over the place.

    My point is that one guy finding one listing for a nursery is not exactly an “aha!” revelation to anyone who actually lives here.

  8. @Hong Konger

    HKer, page 11 of the Mandiant APT1 report says 208 Datong Road, Gaochao, Pudong. It would be great if you could look around the area. AFAIK the address is smack in the middle of public access, including the kindergarten.

  9. Charles — I think you’re still missing the point.
    There’s no argument about whether there is a kindergarten or not at 208 Datong Rd. There probably is, along with other businesses and residences on that block. And there’s no argument about whether there is a whopping huge military building — with guards, metal gate and Communist Party emblem — right behind 208 Datong Rd. Clearly, everyone else has already gone and taken pictures of it.
    It’s not like China is trying to hide its various PLA headquarters. They are as obvious as a police station would be in the U.S.
    The question is whether all those IP addresses related to the hacking can, indeed, be traced to this particular building. And to what extent China is hacking into US government or corporate websites.

    Nobody here is bothering with this frankly minor detail. Every Chinese person I know knows that the Chinese government uses cyberattacks on the West, the same way that the U.S. uses cyberattacks on Iran. If you read the Chinese-language media, there are lots of reports from young hackers who work with the Chinese government. (Same as the US government).

    This whole kindergarten thing is just a silly distraction. I think most of these posts are written by people who’ve lived a long time in the States, and don’t know how things work on the ground here.

  10. @Hong Konger

    Actually you need to read a little more on this. Mandiant’s claim that these IP addresses are traceable to the building is questionable, beyond the kindergarten and public access around the supposed secret operation. The fiber optic backbone was put in for all the multinational businesses in the area, not dedicated to the PLA.

    Read the HH blogpost I cited in the first sentence. Also here’s another security expert questioning Mandiant’s attribution:

    http://jeffreycarr.blogspot.com/#!/2013/02/more-on-mandiants-apt1-report-guilt-by.html

    Jeffrey Carr also questions Mandiant’s mission claim:

    http://jeffreycarr.blogspot.com/#!/2013/03/mandiants-apt1-mission-problem.html

  11. What’s a complete mystery to me is why the NYT or the Washington Post or the fucking Guardian aren’t doing their goddamn jobs and rectifying these claims by Mandiant. So far I’ve only seen Al Jazeera English’s hosted article, courtesy of Mr Unknown, but precious little else.

  12. @Hong Konger
    While we all can speculate that the Chinese and American governments hack each other – and that most people believe they do – we have to remember this important point.

    This Mandiant report in conjunction with the U.S. media is precisely fanning the flame for the sake of it.

    If Mandiant have incontrovertible proof, that’d be one thing. It would be a grave mistake if the two countries escalated into more confrontation purely on such bad information and analysis.

    There is no media in the United States willing to take a critical view on the report. Why is that? Don’t you find that scary?
