Inside China’s Secret Military Hacking Headquarters: Unmasking PLA Unit 61398

In the heart of Shanghai’s Pudong New Area, amid ordinary apartment buildings, restaurants, and shops, stands a nondescript 12-story structure that once served as the nerve center for one of the world’s most prolific state-sponsored hacking operations. This building, located off Datong Road near Tonggang Road, housed elements of People’s Liberation Army (PLA) Unit 61398—better known globally as APT1 or the “Comment Crew.”

The unit first drew worldwide attention in 2013 when cybersecurity firm Mandiant (now part of Google) released a groundbreaking report publicly attributing years of sophisticated cyber espionage to this specific PLA outfit. For the first time, investigators had connected the dots from digital intrusions across the globe directly to a physical military headquarters operating in plain sight within a bustling Chinese neighborhood.

The Building and Its Operations

Satellite imagery and on-the-ground reporting revealed a mixed-use facility with satellite dishes on the roof and a secured perimeter. The surrounding area featured typical urban amenities, including a daycare center that reportedly supported unit personnel. Mandiant's analysis traced command-and-control servers and intrusion activity to IP addresses in Shanghai netblocks serving this Pudong location. At its peak, the unit was believed to involve hundreds, possibly thousands, of personnel. Mandiant identified it as the 2nd Bureau of the Third Department of the PLA General Staff Department (the signals-intelligence arm often abbreviated 3PLA), an organization that existed in that form until China's 2015 military reforms.

Unit 61398 specialized in advanced persistent threat (APT) campaigns. Operators conducted long-term intrusions into target networks, often maintaining access for months or years; Mandiant measured an average dwell time of close to a year, with the longest observed intrusion lasting nearly five years. Their primary mission: economic espionage. Targets included companies in aerospace, energy, technology, manufacturing, defense, and other strategic sectors. Tactics ranged from spear-phishing emails to custom malware. One family of their backdoors fetched ordinary-looking web pages and read its tasking from commands hidden inside HTML comments, a tradecraft detail that earned the group the "Comment Crew" moniker.
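The HTML-comment tasking channel is worth seeing concretely, because it is the kind of thing a proxy or sandbox can be made to notice. The script below is an added example for this article, not code from Mandiant's report or from the unit: it pulls every comment out of a captured page, tests whether the comment body is a single base64-looking token, decodes it, and flags decoded text that resembles a command. The sample page and the hidden instruction are constructed here; plain base64 is an assumption for illustration, since the real backdoors used several encodings.

```python
"""Flag command-and-control tasking hidden in HTML comments.

Added illustration (not the original article's or Mandiant's code).
The sample page below is constructed; the encoding is assumed to be
plain base64 for the sake of the example.
"""
import base64
import binascii
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A base64 blob: alphabet only, at least 16 chars, optional padding.
# Prose comments contain spaces or punctuation and fail this test.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# Strings that look like something an implant would execute.
COMMAND_RE = re.compile(
    r"\b(cmd(\.exe)?|powershell|whoami|ipconfig|net\s+user|wget|curl)\b"
    r"|https?://",
    re.IGNORECASE,
)

# Constructed sample: two benign comments plus one carrying a hidden task.
_HIDDEN_TASK = b"cmd /c whoami && ipconfig /all"
SAMPLE_HTML = (
    "<html><head><title>Quarterly update</title></head><body>\n"
    "<!-- Copyright 2013 Example Corp. All rights reserved. -->\n"
    "<p>Welcome to our site.</p>\n"
    "<!-- TODO: replace hero image -->\n"
    "<!-- " + base64.b64encode(_HIDDEN_TASK).decode("ascii") + " -->\n"
    "</body></html>\n"
)


def decode_token(token):
    """Return the token as printable ASCII text if it is valid base64, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_hidden_commands(html):
    """Scan an HTML document and report comments that decode to command-like text.

    Each finding records where the comment sits, the raw token, the decoded
    text, and whether the decoded text matched the command heuristic. Comments
    that are prose, are not valid base64, or decode to binary are skipped.
    """
    findings = []
    for match in COMMENT_RE.finditer(html):
        body = match.group(1).strip()
        if not B64_RE.match(body):
            continue
        decoded = decode_token(body)
        if decoded is None:
            continue
        findings.append({
            "offset": match.start(),
            "raw": body,
            "decoded": decoded,
            "command_like": bool(COMMAND_RE.search(decoded)),
        })
    return findings


if __name__ == "__main__":
    for hit in find_hidden_commands(SAMPLE_HTML):
        flag = "COMMAND" if hit["command_like"] else "opaque"
        print(f"offset {hit['offset']}: [{flag}] {hit['decoded']!r}")
```

The two-stage test matters in practice: a bare "is this base64?" check fires on hashes, tokens and minified asset names, so the decoded text is kept and only flagged when it reads like an instruction. Pages served from a legitimate site with no reason to carry an opaque comment are the ones worth a closer look.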

By the time Mandiant published its findings, the group had stolen hundreds of terabytes of intellectual property and sensitive data from at least 141 organizations spanning roughly 20 industries, the large majority of them in the United States and other English-speaking countries. Some researchers had earlier tied the group to the widespread intrusions documented under the name Shady RAT; Operation Aurora, the 2009-2010 campaign against Google and others, is generally attributed to a separate China-based group rather than to APT1.

International Exposure and Consequences

The 2013 Mandiant report marked a turning point in public understanding of state cyber operations. It included detailed technical evidence, IP address mappings, and even profiles of individual operators. In May 2014, the U.S. Department of Justice took the unprecedented step of indicting five officers from Unit 61398, including Wang Dong (known online as "UglyGorilla"), for computer hacking, economic espionage, and related charges, the first criminal charges ever brought against named state military personnel for cyber espionage.

China has consistently denied any state involvement in cyber espionage, dismissing such accusations as “groundless” and politically motivated. Officially, Beijing does not acknowledge the unit’s existence or activities.

Evolution of China’s Cyber Forces

Unit 61398 represented an earlier phase of China's cyber strategy. Following the major military reforms announced at the end of 2015, the PLA consolidated its cyber, space, and electronic warfare units under the new Strategic Support Force; when that force was dissolved in 2024, its cyber mission passed to a dedicated PLA Cyberspace Force. Today, Chinese cyber operations involve a more complex ecosystem that blends military units, Ministry of State Security (MSS) personnel, and various proxy or contractor groups. While espionage remains a core focus, capabilities have expanded to include potential wartime disruptive and offensive operations.

The Shanghai building, once the public face of APT1, symbolizes a broader shift. China’s hacking apparatus has grown more sophisticated, distributed, and professionalized since the days when a single PLA unit could be so clearly fingerprinted.

Though the specific operations of Unit 61398 have evolved and dispersed, the 2013 exposure remains a landmark case in cyber attribution. It demonstrated that even sophisticated state actors could be tracked from keyboard to doorstep—transforming how governments and companies understand and respond to digital threats originating from powerful nation-states.
