208 Datong Road is a nondescript concrete high rise on one of Shanghai's busiest roads. Amid the lingering smog rising like mist off the honking lines of traffic, and the trains screeching to a halt in the nearby main railway station, this building doesn't look like much. But this is exactly where five members of an elite People's Liberation Army group codenamed Unit 61398 were assigned to hack into some of the largest companies in the United States of America.
According to an indictment unveiled on Monday, "the co-conspirators used e-mail messages known as 'spearfishing' messages to trick unwitting recipients into giving the co-conspirators access to their computers."
The group is being indicted for "conspiracy to commit computer fraud and abuse".
"Spearfishing messages were typically designed to resemble e-mails from trustworthy senders, like colleagues, and encourage the recipients to open attached files or click on hyperlinks in the messages," it went on.
The group, whose members went by aliases such as "Jack Wang", "UglyGorilla", "jack Sun" and "KandyGoo", was also hired by Chinese firms to steal specific secrets from identified companies. The group would compromised emails to employees of a company, using details about their lives gleaned through social media or reconnaissance to make the emails convincing enough to click.
Once the compromised file is opened, the hackers can gain full access to the user's computer, and from there work on gaining further access to the corporate network.
For instance, back in 2008, the hackers of Unit 61398 sent e-mails to 19 senior employees at aluminium-manufacturer Alcoa, based in Pennsylvania. The account of the sender impersonated a member of the company's board of directors, and the message included malware in an attachment "disguised as an agenda for Alcoa's annual board meeting."
This sophisticated attack led to the theft of more than 2,900 e-mail messages and 863 attachments, "including internal messages among Alcoa senior managers" that discussed a Chinese acquisition, according to the indictment. It's not certain whether this intelligence was used to any advantage by any Chinese firms, but it's sensitive information nonetheless.
But the attacks were sometimes even more finely targeted. A 2010 strike saw just a single employee of United States Steel targeted by a spear-phishing e-mail. The effect was staggering, providing "hostnames and descriptions for more than 1,700 servers, including servers that controlled physical access to the company's facilities and mobile device access to the company's networks."
A 2012 attack allowed the hacking unit to access "network credentials for virtually every employee" at Allegheny Technologies, which employs over 9,500 full-time workers in the aerospace, defence and "specialty materials solutions" sectors.
Perhaps most worryingly, the group accessed secret files belonging to Westinghouse Electric, which contained details on nuclear power plants. Unit 61398 even hijacked emails from its CEO back in 2010.
According to the indictment, the Chinese military stole a total of at least 1.4 GB of data, "the equivalent of roughly 700,000 pages of e-mail messages and attachments, from Westinghouse's computers" alone, between 2010 and 2012.
The shocking series of attacks shows just how dangerous the spear-phishing technique can be, and just how important it is to properly train staff in defending against social engineering attacks.
When we spoke to Bullguard's Alex Balan back in November, he said that companies need "military-style drills" against social engineering attacks. Looks like he might have been right.