Thanks to cybersecurity firm Mandiant, we now have a video of a hacker believed to be linked to the Chinese military infiltrating and stealing files from unidentified English language targets.
The video comes as part of Mandiant's 60-page report, first reported by the New York Times, that claims China's military is responsible for cyberattacks on more than 140 foreign businesses, many of which are in the United States.
In the video, a hacker is seen registering a Gmail account with a U.S. IP number, then verifying it with a phone number located in Shanghai. From the email account, the narrator says it is clear the attacker has used it for spearphishing, particularly "focused on military exercises in the Philippines." The attacker then installs command-and-control servers, tests them, and, after an hour of failed attempts to issue commands to a victim backdoor (which the video omits), uses stolen credentials to log into an email account. Once there, the attacker uses several tools to launch spearphishing campaigns and steal files.
The report lifts the veil on a Chinese operation, pinpointing the activity to a specific unit - PLA Unit 61398 - located in a building "on the outskirts of Shanghai," the Times says.
"Either they are coming from inside Unit 61398," Kevin Mandia, the founder and chief executive of Mandiant, told the Times in an interview last week, "or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood."
Mandiant and the New York Times have also recently collaborated in efforts to identify hackers that had infiltrated the news company's networks. However, that attack and those in Mandiant's most recent report appear to be unrelated, the Times says.