Intelligent Investor

The hackers are coming, the hackers are coming

Increasingly, China's cyber industrial espionage is focused on critical infrastructure operators, and on using data theft for trade advantage. That needs to be taken very seriously by Australian companies.
By · 25 Feb 2013

It seems that China's 'Unit 61398' hasn't yet got round to hacking any Australian companies' computer systems, but chief executives and company directors in this country shouldn't get too cocky: it may only be a matter of time, if it hasn't happened already.

The United States is now engaged in virtually all-out cyber warfare against Iran, Russia and China, with much of the effort focusing on Iran's nuclear weapons program. But revelations in the past week have highlighted the big investment China has been making in industrial cyber espionage since 2006.

Internet security firm Mandiant published a 76-page report last week detailing the work of what it calls Advanced Persistent Threat No.1 (APT1) or Unit 61398, based in the Pudong New Area of Shanghai.

The firm says hundreds, if not thousands, of computer hackers are employed there, and that it has evidence the unit has stolen hundreds of terabytes of data from at least 141 organisations across a diverse range of industries, beginning as early as 2006.

"We believe that organisations in all industries related to China's strategic priorities are potential targets of APT1's comprehensive cyber espionage campaign. While we have certainly seen the group target some industries more heavily than others, our observations confirm that APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan."

According to Mandiant, the unit maintains access to a victim's network for an average of 356 days. The longest period it was continuously inside a firm's databases was four years and ten months.

Mandiant has identified APT1 as a unit of the People's Liberation Army called Unit 61398. It concludes: "In a state that rigorously monitors internet use, it is highly unlikely that the Chinese government is unaware of an attack group that operates from the Pudong New Area of Shanghai.

"…the most probable conclusion is that APT1 is able to wage such a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government."

China has vehemently denied the charges, saying the report "lacks technical proof". However, it is a detailed and convincing report. You can download it here: http://www.mandiant.com/apt1.

None of the 141 companies targeted by the PLA since 2006, according to Mandiant, is Australian, but some of the industries are – specifically energy, metals and mining and food and agriculture.

Moreover, Mandiant's chief executive, Kevin Mandia, told The New York Times that those 141 attacks were "only the ones we could easily identify". The Times says "other security experts estimate that the group is responsible for thousands of attacks."

The New York Times says it assigned a team of reporters to test the report's conclusions with a range of experts, both inside and outside government.

The newspaper reports that although the unit has drained terabytes of data from companies like Coca-Cola, increasingly its focus is on critical infrastructure operators: power grids, gas lines and water suppliers.

Paul Twomey, the Australian who used to head the global Internet Corporation for Assigned Names and Numbers (ICANN), recently told me the next war will be largely fought over the internet.

It's not just espionage and data theft. He says some countries now have the ability to permanently scramble the databases of a nation's banks, to the point where they would never recover.

But at this stage it's all about data theft. In its report, Mandiant sets out an example of what China's Unit 61398 achieves for the government: "in 2008, APT1 compromised the network of a company involved in a wholesale industry. APT1 installed tools to create compressed file archives and to extract emails and attachments.

"Over the following 2.5 years, APT1 stole an unknown number of files from the victim and repeatedly accessed the email accounts of several executives, including the chief executive and general counsel. During this same time period, major news organisations reported that China had successfully negotiated a double-digit decrease in price per unit with the victim organisation for one of its major commodities."

It hardly needs pointing out that China is now Australia's major trading partner, so the revelations about its cyber espionage activities need to be taken very seriously here.

For a start, the report makes the huge investment in Lockheed Martin's Joint Strike Fighter even more questionable than it already is (Awakening to a decade of defence failure, February 19). The next war will be fought in cyber space, and with unmanned drone aircraft, not with cumbersome planes like the JSF.

If Australia's military continues to spend its limited resources on hardware rather than internet defences, it will be left behind.

Chief executives and company directors also need to focus much more on data security, especially the operators of key infrastructure like banks, telcos and power companies.

Follow @AlanKohler on Twitter
