BEIJING - A U.S. security firm has linked China's military to cyberattacks on more than 140 U.S. and other foreign corporations and entities, according to a report released Tuesday.
It said 115 of those firms are in the United States.
The 60-page study by investigators at the Alexandria, Va.-based Mandiant security firm presents one of the most comprehensive and detailed analyses to date tracing corporate cyberespionage to the doorstep of Chinese military facilities. And it calls into question China's repeated denials that its military is engaged in such activities.
The document, first reported by the New York Times, draws on data Mandiant collected from what the company said was the systematic theft of data from at least 141 organizations over seven years. Mandiant traced the attacks back to a single group it designated "Advanced Persistent Threat 1," or "APT1," and now has identified the group as a Chinese military unit within the 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department, going by the designation "Unit 61398."
Although most of the targets were U.S. companies, a Mandiant official said APT1 also hit about a dozen entities that he described as smaller U.S. local, state and federal government agencies unable to protect themselves, as well as international governmental organizations overseas, including bodies in which China might have membership.
At the White House, press secretary Jay Carney declined to address the findings of the Mandiant report or say whether it squared with U.S. intelligence assessments.
Carney told reporters: "We have repeatedly raised our concerns at highest levels about cybertheft with senior Chinese officials, including the military, and we will continue to do so. It's an important challenge, one the president has been working on and urging Congress to work on for quite some time. The United States and China are among the world's largest cyberactors, so it's critical."
Analysts have long linked the unit to the Chinese military's 3rd Department, and to extensive cyberespionage. But what Mandiant has done is connect the dots and add new ones by locating the Internet protocol addresses used in commercial cyberattacks, placing them on a map and linking that information to open-source data about people associated with the unit.
"Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries," the firm said in its report. Of those victims, 87 percent "are headquartered in countries where English is the native language," it said.
Mandiant did not identify the victims but said 115 of them are in the United States, two are in Canada and five are in Britain. Of the 19 others, all but two operate in English.
The report lists three victims each in Israel and India, two each in Taiwan, Singapore and Switzerland, and one each in Norway, Belgium, France, Luxembourg, Japan, South Africa and the United Arab Emirates.
These targeted entities include "international cooperation and development agencies, foreign governments in which English is one of multiple official languages, and multinational conglomerates that primarily conduct their business in English," the report said.
The top sectors targeted by the APT1 cyberespionage campaign, Mandiant said, are information technology, aerospace, public administration, satellites and telecommunications, and scientific research and consulting.
"We have figured things out in an unclassified way that the government has known through classified means," said Richard Bejtlich, Mandiant chief security officer, adding that the company shared the study with U.S. intelligence agencies before it was released.
The unit is just one of dozens working for the Chinese military in cyberespionage all over the country, analysts say. There are other units within the General Staff Department's 2nd Department, which conducts military intelligence; and within the Ministry of State Security, which conducts internal counterintelligence and external espionage, according to analysts.
APT1, also dubbed "Comment Crew" by security companies that have studied its tactics, focuses on commercial targets overseas, which makes its work more visible to the security firms tracking the intrusions. Chinese units focusing on military and intelligence targets are less visible to the security companies.
"Once APT1 has compromised a network, they repeatedly monitor and steal proprietary data and communications from the victim for months or even years," Mandiant said. It said the activity it has uncovered appears to represent "only a small fraction of the cyberespionage that APT1 has committed."
The Chinese military has repeatedly denounced accusations that it is engaging in cyberespionage, and did so again Tuesday.