Business Standard

Press Trust of India

"In seeking to identify the organisation behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate," it alleged.

It pinpointed the group's location in facilities in Shanghai's Pudong district. It also reprinted a memo from a Chinese telecommunications provider supplying communications links to the facility that said it would "smoothly accomplish this task for the military based on the principle that national defense construction is important."

"Though our visibility of APT1's activities is incomplete, we have analysed the group's intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area," it said. Shanghai is China's largest metropolis as well as the country's financial capital.

"We uncovered a substantial amount of APT1's attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others," Mandiant said.

Releasing the findings of its investigations, Mandiant said the nature of Unit 61398's work is considered by China to be a state secret; "however, we believe it engages in harmful 'Computer Network Operations'".

"We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398's physical infrastructure," the report alleged, adding that China Telecom provided special fibre optic communications infrastructure for the unit in the name of national defence.
Unit 61398 requires its personnel to be trained in computer security and computer network operations, and also requires its personnel to be proficient in the English language. Mandiant has traced APT1's activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based, it said.

According to the report, since 2006 Mandiant has observed APT1 compromise 141 companies spanning 20 major industries. "The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organisation behind APT1. We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398," it said.

The report, for the first time, has revealed three personas that are associated with APT1 activities: UglyGorilla, DOTA and SuperHard. "We have observed both the 'UglyGorilla' persona and the 'DOTA' persona using the same shared infrastructure, including FQDNs and IP ranges that we have attributed to APT1," the report alleged.

APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property, it said. Once APT1 establishes access, it periodically revisits the victim's network over several months or years and steals broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organisations' leadership.

First Published: Feb 19 2013 | 12:40 PM IST
