6 Types of Data Chinese Hackers Pilfer

Mandiant Highlights Broad Range of Info Stolen from Victims
6 Types of Data Chinese Hackers Pilfer

IT security provider Mandiant lists six categories of information that's commonly pilfered from business and government computers by hackers from a Chinese military unit it dubs APT1.

See Also: Secureworks Named a Major Player in the 2024 IDC MDR Marketscape

Mandiant's findings appear in a comprehensive report issued Feb. 18 that the security firm contends documents how APT1 has breached computers in enterprises that conduct business mostly in English, especially in the United States [see map below]. China denies the allegations presented in the report.

According to Mandiant, the data stolen relate to:

  1. Product development and use, including information on test results, system designs, product manuals, parts lists and simulation technologies;
  2. Manufacturing procedures, such as descriptions of proprietary processes, standards and waste management processes;
  3. Business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures and acquisitions;
  4. Policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high-ranking personnel;
  5. E-mails of high-ranking employees;
  6. User credentials and network architecture information.

Mandiant says it's often difficult to estimate how much data APT1 has stolen during its intrusions because the People's Liberation Army unit deletes the compressed archives after it pilfer them, leaving only trace evidence that is usually overwritten during normal business activities.

Another reason Mandiant cites for the difficulty to determine how data were stolen: Some victims are more intent on assigning resources to restore the security of their network in lieu of investigating the impact of the security breach.

The security firm estimates that the Chinese army unit had stolen as much as 6.5 terabytes of compressed data from a single organization over a 10-month time period and conjectures that APT1 has stolen hundreds of terabytes from its victims.

Mandiant says the report provides evidence linking APT1 to China's 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department. Other highlights from the report reveal that economic espionage conducted by APT1 since 2006 has been directed against 141 victims across multiple industries, most notably information technology, aerospace, public administration and satellites and telecommunications.

Mandiant Chief Executive Officer Kevin Mandia says the scale and impact of APT1's operation compelled the company to write this report.

"APT1 is among dozens of threat groups Mandiant tracks around the world and one of more than 20 attributed to China that are engaged in computer intrusion activities," Mandia said in a statement accompanying the report's release. "Given the sheer amount of data this particular group has stolen, we decided it was necessary to arm and prepare as many organizations as possible to prevent additional losses."

Dan McWhorter, Mandiant's managing director for threat intelligence, says the company expects retribution from China, but feels exposure outweighs such risks.

"It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively," he says in a preface to the report. "The issue of attribution has always been a missing link in the public's understanding of the landscape of APT (advanced persistent threat) cyber-espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns."


This article has been revised from an earlier version to reflect Mandiant's contention that APT1 mostly targets enterprises that conduct business in English and not mostly targets companies in English-speaking nation.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.