Wanted Posters Put Faces on China’s Hacker Army

May 19, 2014 Updated: May 19, 2014

“Chinese hackers” was once a vague reference, conjuring images ranging from cheap Internet cafes to a cyberarmy identified only by a string of numbers. After today, however, the hackers in China’s military have faces, and those faces are now pinned on “wanted” posters released by the U.S. Department of Justice (DOJ).

These faces are of Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui. All of them are officers of Unit 61398 in the Third Department of the Chinese People’s Liberation Army. That’s the same unit of China’s military identified in a February 2013 report by security company Mandiant, which was the first major report to trace cyberattacks to the Chinese military.

All five Chinese military officers are now being charged with 31 crimes, which together could put them each in prison for life. Listed among their crimes are economic espionage, aggravated identity theft, and theft of trade secrets.

The DOJ complaint includes details of their alleged crimes, and the U.S. companies that fell victim to them. From the complaint, it appears that U.S. companies became targets after getting into a trade dispute with a Chinese company, calling out Chinese trade practices, and just generally competing with a large company in China.

Among the victims are U.S. Steel, SolarWorld, ATI, Alcoa, USW, and Westinghouse.

The charges were announced during a DOJ press conference Monday. The story of China’s military hackers, however, goes back much further. According to DOJ, the story of Unit 61398 is one that began in 2006. It was a time when cybersecurity was still relatively unknown, and the realities of cyberespionage were as distant from the public as something from a sci-fi novel.

Hacking in Shifts

Yet for the Chinese military it wasn’t just a reality. It was a job. It was something they did in regular shifts and with days off on the weekends. Being run through China’s military, it was also organized like any military operation, with different units playing different roles.

For the victims of Unit 61398 outside China, the organization, sophistication, and work schedule of the attacks were among the first tips that these weren’t just regular cases of cybercrime. Attacks were often traced back to China and the Chinese military was often a prime suspect, yet the opaque nature of cyberattacks made it easy for the Chinese regime to deny the accusations.

The turning point was in 2010 when Google announced its withdrawal from China, and announced that it had been the victim of a “highly sophisticated” attack from Chinese hackers that targeted the Gmail accounts of human rights activists.

It was quickly revealed that Google was just one victim of a much larger attack by Chinese hackers. That attack was later dubbed “Operation Aurora,” and was found to have targeted at least 34 companies in the technology, financial, and defense sectors.

The revelation of Operation Aurora started something. It began a seemingly endless flow of uncovering cyberattacks pinned on China. Operation Aurora was also one of the major cases that led to the Mandiant report in 2013, which identified Chinese army Unit 61398 as the source of the attacks.

The significance of tracing the attacks to the Chinese military cannot be understated, and the importance of DOJ charging the officers of the Chinese military behind the attacks is more significant still.

Mandiant said it best, when it announced its discovery of Unit 61398: “Without establishing a solid connection to China, there will always be room for observers to dismiss APT [advanced persistent threat] actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.”

Follow Joshua on Twitter: @JoshJPhilipp