People's Liberation Army Cyber Units (PLA Unit 61398 / 3PLA Successor)

China, People's Liberation Army (PLA), formerly Third Department of the General Staff Department (3PLA) including Unit 61398; reorganised under the PLA Strategic Support Force (SSF) in 2015 and subsequent restructurings

Mission Type

Cyber-enabled economic espionage and strategic intelligence collection on behalf of PRC military and industrial priorities

Primary Sectors

Defense, Technology, Energy, Manufacturing, Telecommunications

Operational Period

circa 2006 – present (organisational successors)

Attributed Cases

1

TTP Pattern Summary

PLA cyber units have historically relied on high-volume spearphishing with custom backdoor families (WEBC2, BACKSPACE, BISCUIT, BANGAT, STARSYPOUND, as catalogued in the Mandiant APT1 report) and long-duration credential-based access for intellectual property exfiltration. Operational security has been substantially uneven across operators, with Mandiant's APT1 analysis identifying specific operator personas and Pudong, Shanghai-based infrastructure.

Initial Access (1), Execution (1), Command and Control (1), Credential Access (1)

Behavioural Signature

PLA cyber operations have been characterised by emphasis on industrial and economic targets aligned with PRC five-year-plan priorities, dwell times measured in months to years, and tolerance of operational signatures that allowed extensive private-sector attribution. The 2014 DOJ indictment of five PLA Unit 61398 officers, the first US criminal charges against named foreign uniformed military personnel for cyber economic espionage, defines the canonical PLA-cyber-attribution case and is analytically distinct from MSS contractor operations.

Governance Footprint

Subject to the foundational US indictment-as-attribution exercise (US v. Wang Dong et al., W.D. Pa., May 2014). The case established the indictment-without-enforcement template for cyber statecraft; no defendant has appeared. Activity catalysed the 2015 Obama–Xi understanding on cyber-enabled economic espionage and informed the design of Executive Order 13694 cyber sanctions authority (though that authority was not invoked against PLA Unit 61398).