{
	"id": "63fc0893-6d80-41df-8983-72be15f90063",
	"created_at": "2026-04-06T00:21:35.837354Z",
	"updated_at": "2026-04-10T13:12:36.069876Z",
	"deleted_at": null,
	"sha1_hash": "7210709e0485a3217c30c7a51fe9a781bb1a32b3",
	"title": "PLA Unit 61398",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 165240,
	"plain_text": "PLA Unit 61398\r\nBy Contributors to Wikimedia projects\r\nPublished: 2013-02-19 · Archived: 2026-04-05 14:08:37 UTC\r\nPeople's Liberation Army Unit 61398\r\n61398部队\r\nEmblem of the People's Liberation Army\r\nActive 2002–present\r\nCountry China\r\nAllegiance Chinese Communist Party\r\nBranch People's Liberation Army Cyberspace Force\r\nType Cyber force, Cyber-espionage Unit\r\nRole\r\nCyber warfare\r\nElectronic warfare\r\nPart of  People's Liberation Army\r\nGarrison/HQ Tonggang Road, Pudong, Shanghai\r\nNicknames\r\nAPT 1\r\nComment Crew\r\nComment Panda\r\nGIF89a\r\nhttps://en.wikipedia.org/wiki/PLA_Unit_61398\r\nPage 1 of 4\n\nByzantine Candor\r\nGroup 3\r\nThreat Group 8223\r\nEngagements\r\nOperation GhostNet\r\nOperation Aurat\r\nOperation Shady RAT\r\nPLA Unit 61398 (also known as APT1, Comment Crew, Comment Panda, GIF89a, or Byzantine Candor;\r\nChinese: 61398部队, Pinyin: 61398 bùduì) is the military unit cover designator (MUCD)[1] of a People's\r\nLiberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking\r\nattacks.[2][3][4] The unit is stationed in Pudong, Shanghai,\r\n[5]\r\n and has been cited by US intelligence agencies since\r\n2002.\r\nFrom left, Chinese military officers Gu Chunhui, Huang Zhenyu, Sun Kailiang, Wang Dong, and\r\nWen Xinyu indicted on cyber espionage charges.\r\nA report by the computer security firm Mandiant stated that PLA Unit 61398 is believed to operate under the 2nd\r\nBureau of the People's Liberation Army General Staff Department (GSD) Third Department (总参三部二局)\r\n[1]\r\nand that there is evidence that it contains, or is itself, an entity Mandiant calls APT1, part of the advanced\r\npersistent threat that has attacked a broad range of corporations and government entities around the world since at\r\nleast 2006. APT1 is described as comprising four large networks in Shanghai, two of which serve the Pudong New\r\nArea. 
It is one of more than 20 APT groups with origins in China.[1][6] The Third and Fourth Department,\r\nresponsible for electronic warfare, are believed to comprise the PLA units mainly responsible for infiltrating and\r\nmanipulating computer networks.[7]\r\nOn 19 May 2014, the US Department of Justice announced that a federal grand jury had returned an indictment of\r\nfive 61398 officers on charges of theft of confidential business information and intellectual property from U.S.\r\ncommercial firms and of planting malware on their computers.[8][9] The five are Huang Zhenyu (黄振宇), Wen\r\nXinyu (文新宇), Sun Kailiang (孙凯亮), Gu Chunhui (顾春晖), and Wang Dong (王东). Forensic evidence traces\r\nthe base of operations to a 12-story building off Datong Road in a public, mixed-use area of Pudong in Shanghai.[2]\r\nThe group is also known by various other names including \"Advanced Persistent Threat 1\" (\"APT1\"), \"the\r\nComment group\" and \"Byzantine Candor\", a codename given by US intelligence agencies since 2002.[10][11][12][13]\r\nThe group often compromises internal software \"comment\" features on legitimate web pages to infiltrate target\r\ncomputers that access the sites, leading it to be known as \"the Comment Crew\" or \"Comment Group\".[15] The\r\ncollective has stolen trade secrets and other confidential information from numerous foreign businesses and\r\norganizations over the course of seven years such as Lockheed Martin, Telvent, and other companies in the\r\nshipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors.[11]\r\nDell SecureWorks says it believed the group includes the same group of attackers behind Operation Shady RAT,\r\nan extensive computer espionage campaign uncovered in 2011 in which more than 70 organizations over a five-year period, including the United Nations, government agencies in the United States, Canada, South 
Korea,\r\nTaiwan and Vietnam, were targeted.[2]\r\nThe attacks documented in the summer of 2011 represent a fragment of the Comment group's attacks, which go\r\nback at least to 2002, according to incident reports and investigators. In 2012, FireEye, Inc. stated that they had\r\ntracked hundreds of targets in the last three years and estimated the group had attacked more than 1,000\r\norganizations.[12]\r\nMost activity between malware embedded in a compromised system and the malware's controllers takes place\r\nduring business hours in Beijing's time zone, suggesting that the group is professionally hired, rather than private\r\nhackers inspired by patriotic passions.[7]\r\nA 2020 report in Daily News and Analysis stated that the unit was eyeing information related to defense and\r\nresearch in India.[16]\r\nPublic position of the Chinese government\r\nUntil 2013, the government of China has consistently denied that it is involved in hacking.[17] In response to the\r\nMandiant Corporation report about Unit 61398, Hong Lei, a spokesperson for the Chinese foreign ministry, said\r\nsuch allegations were \"unprofessional\".[17][4]\r\nTitan Rain\r\nChinese espionage in the United States\r\nNational Security Agency of the United States\r\nPLA Unit 61486\r\nSignals intelligence\r\nTailored Access Operations of the United States\r\nMandiant\r\nFireEye\r\n1. \"APT1: Exposing One of China's Cyber Espionage Units\" (PDF). Mandiant. Archived\r\n(PDF) from the original on 19 February 2013. Retrieved 19 February 2013.\r\n2. Sanger, David E.; Barboza, David; Perlroth, Nicole (19 February 2013). \"Chinese\r\nArmy Unit Is Seen as Tied to Hacking Against U.S.\" The New York Times. ISSN 0362-4331. Archived from\r\nthe original on 19 February 2013. Retrieved 28 May 2023.\r\n3. 
\"Chinese military unit behind 'prolific and sustained hacking'\". The Guardian. 19 February 2013.\r\nArchived from the original on 20 December 2013. Retrieved 19 February 2013.\r\n4. \"Hello, Unit 61398\". The Economist. 19 February 2013. ISSN 0013-0613. Archived from\r\nthe original on 28 May 2023. Retrieved 28 May 2023.\r\n5. \"中国人民解放军61398部队招收定向研究生的通知\" [A notification of PLA Unit 64398 to recruit\r\npostgraduate students as PLA-funded scholarship student.]. Zhejiang University. 13 May 2004. Archived\r\nfrom the original on 2 December 2016. Retrieved 5 January 2019.\r\n6. Joe Weisenthal and Geoffrey Ingersoll (18 February 2013). \"REPORT: An Overwhelming Number Of\r\nThe Cyber-Attacks On America Are Coming From This Particular Army Building In China\". Business\r\nInsider. Archived from the original on 20 February 2013. Retrieved 19 February 2013.\r\n7. Bodeen, Christopher (25 February 2013). \"Sign That Chinese Hackers Have Become\r\nProfessional: They Take Weekends Off\". The Huffington Post. Archived from the original on 26 February\r\n2013. Retrieved 27 February 2013.\r\n8. Finkle, J., Menn, J., Viswanatha, J. U.S. accuses China of cyber spying on American companies.\r\nArchived 12 April 2017 at the Wayback Machine Reuters, 20 Nov 2014.\r\n9. Clayton, M. US indicts five in China's secret 'Unit 61398' for cyber-spying. Archived 20 May 2014 at the\r\nWayback Machine Christian Science Monitor, 19 May 2014\r\n10. David Perera (6 December 2010). \"Chinese attacks 'Byzantine Candor' penetrated federal agencies, says\r\nleaked cable\". fiercegovernmentit.com. Fierce Government IT. Archived from the original on 19 April\r\n2016.\r\n11. Clayton, Mark (14 September 2012). \"Stealing US business secrets: Experts ID two huge\r\ncyber 'gangs' in China\". CSMonitor. Archived from the original on 15 November 2019. Retrieved 24\r\nFebruary 2013.\r\n12. 
Riley, Michael; Dune Lawrence (26 July 2012). \"Hackers Linked to China's Army Seen\r\nFrom EU to D.C.\" Bloomberg.com. Bloomberg. Archived from the original on 11 January 2015. Retrieved\r\n24 February 2013.\r\n13. Michael Riley; Dune Lawrence (2 August 2012). \"China's Comment Group Hacks Europe—and the\r\nWorld\". Bloomberg Businessweek. Archived from the original on 19 February 2013. Retrieved 12 February\r\n2013.\r\n14. Dave Lee (12 February 2013). \"The Comment Group: The hackers hunting for clues about you\". BBC\r\nNews. Archived from the original on 12 February 2013. Retrieved 12 February 2013.\r\n15. Shukla, Manish (3 August 2020). \"Chinese Army's secret '61398' unit spying on India's defense and\r\nresearch, warns intelligence\". DNA India. Archived from the original on 20 November 2022. Retrieved 6\r\nJanuary 2024.\r\n16. Xu, Weiwei (20 February 2013). \"China denies hacking claims\". Morning Whistle.\r\nRetrieved 8 April 2013.\r\n31°20′57.43″N 121°34′24.74″E / 31.3492861°N 121.5735389°E\r\nSource: https://en.wikipedia.org/wiki/PLA_Unit_61398",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/PLA_Unit_61398"
	],
	"report_names": [
		"PLA_Unit_61398"
	],
	"threat_actors": [
		{
			"id": "b7aa23d0-65c8-49f4-8052-837ce6251b63",
			"created_at": "2022-10-25T16:07:24.006105Z",
			"updated_at": "2026-04-10T02:00:04.831292Z",
			"deleted_at": null,
			"main_name": "Operation Shady RAT",
			"aliases": [],
			"source_name": "ETDA:Operation Shady RAT",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3cc6c262-df23-4075-a93f-b496e8908eb2",
			"created_at": "2022-10-25T16:07:23.682239Z",
			"updated_at": "2026-04-10T02:00:04.708878Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"GhostNet",
				"Snooping Dragon"
			],
			"source_name": "ETDA:GhostNet",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Gh0stnet",
				"Ghost RAT",
				"Ghostnet",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Remosh",
				"TOM-Skype"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e91dae30-a513-4fb1-aace-4457466313b3",
			"created_at": "2023-01-06T13:46:38.974913Z",
			"updated_at": "2026-04-10T02:00:03.168521Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"Snooping Dragon"
			],
			"source_name": "MISPGALAXY:GhostNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "468b7acd-895c-4c93-b572-b42f4035b4d4",
			"created_at": "2023-01-06T13:46:38.265636Z",
			"updated_at": "2026-04-10T02:00:02.902436Z",
			"deleted_at": null,
			"main_name": "APT2",
			"aliases": [
				"MSUpdater",
				"4HCrew",
				"SearchFire",
				"TG-6952",
				"G0024",
				"PLA Unit 61486",
				"PUTTER PANDA"
			],
			"source_name": "MISPGALAXY:APT2",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434895,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7210709e0485a3217c30c7a51fe9a781bb1a32b3.pdf",
		"text": "https://archive.orkl.eu/7210709e0485a3217c30c7a51fe9a781bb1a32b3.txt",
		"img": "https://archive.orkl.eu/7210709e0485a3217c30c7a51fe9a781bb1a32b3.jpg"
	}
}