On the outskirts of Shanghai, in a run-down neighbourhood dominated by a 12-story white office tower, sits a People's Liberation Army base for China's growing corps of cyberwarriors. The building off Datong Road is the headquarters of PLA Unit 61398.
A growing body of digital forensic evidence - confirmed by U.S. intelligence officials who say they have tapped into the activity of the army unit for years - leaves little doubt that an overwhelming percentage of the attacks on U.S. corporations, organizations and government agencies originate in and around the white tower.
An unusually detailed 60-page study, to be released Tuesday by Mandiant, a U.S. computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups - known to many of its victims in the U.S. as "Comment Crew" or "Shanghai Group" - to the doorstep of the military unit's headquarters.
The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area.
"Either they are coming from inside Unit 61398," said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, "or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighbourhood."
A recent classified National Intelligence Estimate, issued as a consensus document for all 16 of the U.S. intelligence agencies, makes a strong case that many of these hacking groups are either run by PLA officers or are contractors working for commands like Unit 61398, according to officials with knowledge of its classified content.
Mandiant provided an advance copy of its report to The New York Times, saying it hoped to "bring visibility to the issues addressed in the report." (Mandiant was hired by The New York Times Co. to investigate a sophisticated Chinese-origin attack on the news operations, but concluded it was not the work of Comment Crew, but another Chinese group.)
While Comment Crew has drained terabytes of data from companies like Coca-Cola, increasingly its focus is on companies involved in the critical infrastructure of the United States - its electrical power grid, gas lines and waterworks. According to the security researchers, one target was a company with remote access to more than 60 per cent of oil and gas pipelines in North America.
The unit was also among those that attacked the computer security firm RSA, whose computer codes protect confidential corporate and government databases.
Contacted Monday, Chinese officials at its embassy in Washington again insisted that its government does not engage in computer hacking, and that such activity is illegal. They describe China itself as a victim of computer hacking, and point out, accurately, that there are many hacking groups inside the U.S.
But in recent years the Chinese attacks have grown significantly, security researchers say.
Mandiant has detected more than 140 Comment Crew intrusions since 2006. U.S. intelligence agencies and private security firms that track many of the 20 or so other Chinese groups every day say those groups appear to be contractors with links to the unit.
While the unit's existence and operations are considered a Chinese state secret, Rep. Mike Rogers, R-Mich., the chairman of the House Intelligence Committee, said in an interview that the Mandiant report was "completely consistent with the type of activity the Intelligence Committee has been seeing for some time."
The White House said it was "aware" of the Mandiant report, and Tommy Vietor, the spokesman for the National Security Council, said, "We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and we will continue to do so."
The U.S. government is planning to begin a more aggressive defense against Chinese hacking groups, starting on Tuesday. Under a directive signed by President Barack Obama last week, the government plans to share with U.S. Internet providers information it has gathered about the unique digital signatures of the largest of the groups, including Comment Crew and others emanating from near where Unit 61398 is based.
The U.S. finds itself in something of an asymmetrical digital war with China.
"In the Cold War, we were focused every day on the nuclear command centers around Moscow," one senior defence official said recently. "Today, it's fair to say that we worry as much about the computer servers in Shanghai."
While the Obama administration has never publicly discussed the Chinese unit's activities, a secret State Department cable written the day before Barack Obama was elected president in November 2008 described at length U.S. concerns about the group's attacks on government sites.
The Defence Department and the State Department were particular targets, the cable said, describing how the group's intruders send emails, called "spearphishing" attacks, that placed malware on target computers once the recipient clicked on them. From there, they were inside the systems.
U.S. officials say that a combination of diplomatic concerns and the desire to follow the unit's activities have kept the government from going public. But Mandiant's report is forcing the issue into public view.
For more than six years, Mandiant tracked the actions of Comment Crew, so named for the attackers' penchant for embedding hidden code or comments into Web pages. Based on the digital crumbs the group left behind - its attackers have been known to use the same malware, Web domains, Internet protocol addresses, hacking tools and techniques across attacks - Mandiant followed 141 attacks by the group, which it called "APT 1" for Advanced Persistent Threat 1.
Mandiant discovered that two sets of IP addresses used in the attacks were registered in the same neighbourhood as the Unit 61398's building.
"It's where more than 90 per cent of the attacks we followed come from," said Mandia.
Mandiant believes Unit 61398 conducted sporadic attacks on U.S. corporate and government computer networks; the earliest it found was in 2006. Two years ago the numbers spiked.
Mandiant has watched the group as it has stolen technology blueprints, manufacturing processes, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of its clients, mostly in the U.S. Mandiant identified attacks on 20 industries, from military contractors to chemical plants, mining companies and satellite and telecommunications corporations.
What most worries U.S. investigators is that the latest set of attacks believed coming from Unit 61398 focus not just on stealing information, but obtaining the ability to manipulate U.S. critical infrastructure: the power grids and other utilities.
The most troubling attack to date, security experts say, was a successful invasion of the Canadian arm of Telvent. The company, now owned by Schneider Electric, designs software that gives oil and gas pipeline companies and power grid operators remote access to valves, switches and security systems.
Telvent keeps detailed blueprints on more than half of all the oil and gas pipelines in North and South America, and has access to their systems. In September, Telvent Canada told customers that attackers had broken into its systems and taken project files. That access was immediately cut, so that the intruders could not take command of the systems.
Martin Hanna, a Schneider Electric spokesman, did not return requests for comment, but security researchers who studied the malware used in the attack confirmed that the perpetrators were the Comment Crew.
Obama alluded to this concern in the State of the Union speech, without mentioning China or any other nation.
"We know foreign countries and companies swipe our corporate secrets," he said. "Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing."
© 2013, The New York Times News Service