PLA Unit 61398: A Notorious Chinese Cyber Hacking Group

PLA Unit 61398

PLA Unit 61398: A Notorious Chinese Cyber Hacking Group

The PLA Unit 61398 poses a significant cyber threat due to the sophisticated strategies it employs and the wide variety of targets it targets. In order for enterprises to successfully defend themselves against such advanced cyber espionage tactics, awareness, and preparation are absolutely necessary

There are a number of crucial procedures that must be taken in order to mitigate the danger that is posed by this unit. These activities include implementing effective cybersecurity measures, maintaining updated software, and teaching workers how to recognize phishing attempts.

Other Known Names

Another name for PLA Unit 61398 is the “Comment Crew” or the “Shanghai Group.” Both of these names are widely used synonymously.  Patterns that were detected in the cyber operations that were attributed to the unit led to the creation of these aliases.  These patterns were particularly prevalent in the comment areas of websites, where the unit posted encoded messages.

Historical Context

Around the year 2013, the cybersecurity company Mandiant, which is now a part of FireEye, published a comprehensive study that attributed a considerable amount of cyber espionage actions to PLA Unit 61398.  This research brought the unit to the forefront of public attention.

A direct connection was established between the cyber attacks and the actual location of the unit in Shanghai, as demonstrated by the report that was compiled by Mandiant.

This report included persuasive evidence like IP addresses and malware samples.  A state-sponsored cyber espionage campaign was publicly connected to a particular military unit for the very first time, which was one of the first instances that this discovery occurred.

Main Features

The People’s Liberation Army Unit 61398, more commonly referred to as PLA Unit 61398, is a section of the Chinese military that specializes in cyber warfare.  Within the 3rd Department of the General Staff Department (GSD) of the People’s Liberation Army (PLA), it is classified as one of the most notorious groups.

As a result of its outstanding skills in cyber espionage, this unit is known for its ability to target a wide variety of entities all over the world.  One of the signs that eventually led to the identification of the unit by cybersecurity researchers was the fact that its headquarters are housed in a building that is twelve stories tall and is situated on the outer limits of Shanghai.

Operational Scope and Objectives

The gathering of intelligence that can contribute to the advancement of China’s economic and geopolitical objectives is the primary purpose of PLA Unit 61398. This includes the following:

  1. Intellectual Property Theft:

The objective of the team is to acquire proprietary technology and trade secrets by infiltrating businesses, particularly those operating in high-tech industries. This information has the potential to provide Chinese businesses with a competitive advantage and to support efforts to innovate within the country.


  1. Strategic Intelligence Collection:

In order to gather information on military strategy, defense assets, and geopolitical plans, the unit objectives foreign governments and defense companies as its primary targets. The diplomatic and military strategies of China are susceptible to being influenced by this intelligence.

  1. Economic Espionage:

Additionally, corporations that are essential to the functioning of the global economy, such as energy industries, financial institutions, and others, are on the target list. It is possible for China’s economic policies to be informed by the information acquired from these industries, which can also provide insights into market patterns.

Typical Techniques

There is a high level of sophistication and complexity in the methods that are utilized by PLA Unit 61398. A number of their most important methods include:

Spear Phishing The team frequently employs specially designed spear-phishing emails in an effort to deceive victims into divulging critical information or installing malware on their computers. These e-mails frequently imitate reputable connections or organizations, giving the impression that they are authentic.
Advanced Persistent Threats (APTs) PLA Unit 61398 is notorious for its use of advanced persistent threats (APTs), which are covert and ongoing hacking activities that are designed to extract data and conduct long-term surveillance. As a general rule, these assaults are difficult to detect and can go undiscovered for extended periods of time.
Zero-Day Exploits Through the utilization of zero-day exploits, which are flaws in software that have not been published to the public, the team is able to infiltrate systems before the creators have the opportunity to repair them. They are able to get illegal access and control over the systems that are being targeted as a result of this.
Custom Malware A number of operations, including data exfiltration, remote control, and system disruption, can be carried out via the unit’s proprietary malware, which is developed specifically for its targets and is designed to match their needs. It is common practice for these malicious programs to masquerade as legitimate software in order to avoid discovery.
Watering Hole Attacks Watering hole assaults are another method that PLA Unit 61398 uses. These attacks involve the hacking of websites that are often visited by their targets. Those who visit these websites may download malicious software or disclose sensitive information without their knowledge.

Who is at Risk?

The People’s Liberation Army (PLA) Unit 61398 targets a diverse range of entities, with a primary emphasis on industries and nations that are of strategic relevance to China.  Typical goals include the following:

  1. Corporations:  There is a major risk for businesses operating in sectors that include manufacturing, aircraft, technology, and telecommunications.  With the intention of stealing intellectual property, trade secrets, and other valuable corporate data, the unit endeavors to steal.
  2. Government Agencies:  Institutions within the government, particularly those that are involved in matters of military, international relations, and economic policy, are potential targets.  Gaining intelligence on matters pertaining to economic policies, diplomatic strategy, and national security is the goal of this endeavor.
  3. Military Organizations:  Foreign military groups are the focus of strategic and operational information gathering, which may give an advantage in the event of possible confrontations or negotiations.
  4. Critical Infrastructure:  Additional entities that are in danger include those that are in charge of managing key infrastructure, like power grids, water supply systems, and transportation networks. It is possible that the disruption of these networks might have catastrophic repercussions for both public safety and national security.
  5. Think Tanks and Research Institutions:  These organizations are being targeted because of the research and policy suggestions that they have made, which can provide insights into potential approaches and breakthroughs.

Technical Capabilities

This particular PLA Unit, 61398, is well-known for its creativity and exceptionally superior technical capabilities. The following are some noteworthy aspects:

  • Cyber Infrastructure: Operating a broad cyber-infrastructure that includes a large number of command and control (C2) servers located all over the world is the responsibility of this unit. Through the use of this network, they are able to initiate and control significant cyber operations.
  • Resource Allocation: This unit has access to a substantial amount of financial and technological resources because it receives significant support from the state. Because of this support, they are able to consistently develop new security tools and methods that circumvent existing cybersecurity safeguards.
  • Human Talent: The organization seeks out highly talented cyber operatives, frequently from the most prestigious institutions in China. These individuals have received training in a variety of facets of cyber warfare, such as the creation of malware, the breach of networks, and the exfiltration of data.

Notable Incidents

It has been established that PLA Unit 61398 is accountable for a substantial number of cyber intrusions that have garnered significant attention.  Some of the prominent examples include situations such as the ones listed below:

Operation Shady RAT There was a cyber espionage operation that lasted for a considerable amount of time and targeted more than seventy entities all over the world. These entities included defense suppliers, international organizations, and global technical corporations. The purpose of the operation was to collect confidential data over the course of a number of years.
Titan Rain Concerted cyber attacks on networks associated with the United States government, especially those connected to the Department of Defense and NASA. Such attacks were carried out. These attacks, which took place in the middle of the 2000s, had the primary purpose of obtaining vital military secrets as their major target.
Advanced Persistent Threat 1 (APT1) When attempting to provide a description of the activities that PLA Unit 61398 is participating in, the phrase “APT1” is frequently utilized. The United States of America and its allies were the targets of a significant number of attacks throughout this campaign, which included a substantial number of strikes against corporations operating in a wide range of industries.

Countermeasures and Responses

A number of actions have been taken by nations as well as groups that have been targeted in response to the dangers presented by PLA Unit 61398, including the following:

  • Strengthening Cyber Defenses: In the realm of cybersecurity, organizations are making investments in cutting-edge technology like intrusion detection systems (IDS), endpoint protection, and threat intelligence platforms. Real-time detection and mitigation of assaults are both made possible by these tools.
  • International Collaboration: In the context of cybersecurity, governments are increasingly working together to share intelligence, coordinate their reactions to cyber threats, and cooperate on cybersecurity challenges. The issue of state-sponsored cyber operations is currently being addressed through the development of international frameworks and agreements.
  • Legal and Diplomatic Actions: Legal proceedings have been initiated by a number of nations against persons who are affiliated with PLA Unit 61398. For example, in 2014, the Department of Justice of the United States of America received indictments against five Chinese military hackers for engaging in cyber espionage activities against American businesses.
  • Cyber Hygiene and Awareness: It is of the utmost importance to educate individuals and employees about the dangers lurking online and the safe measures to follow. Attending regular training classes on how to identify phishing attempts, the importance of having strong passwords, and the importance of upgrading software can dramatically lower the danger of cyber attacks.


To this day, PLA Unit 61398 continues to be one of the most notorious examples of cyber espionage that is sponsored by a state. The sophistication of its activities and the breadth of its targets highlight the significance of effective cybersecurity measures and international collaboration in the fight against threats of this nature. As the cyber world continues to undergo change, it is vital to maintain vigilance and a proactive approach to defense methods in order to safeguard critical information and ensure the preservation of national security.

All in all, PLA Unit 61398 plays an important role in the cybersecurity upscale for the Chinese government.

one year cyber security diploma course


AI or IAS Officer? PadhAI Achieves an Impressive Achievement

Chinese Intruders Penetrate an East Asian Business for 3 Years by Employing F5 Devices

DISGOMOJI Malware is Employed by Pakistani Hackers in Indian Government Cyber Attacks


About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Can we help you?