The CIA’s Quiet Victory in China (2013)
Posted by: renqiulan, 2025-10-01 17:09:34, in [天下論壇]

Secret warriors are supposed to bring home the bacon, so to speak. That being said, victories in intelligence work are rarely celebrated openly. They are more often subtle, only discernible in the silence that follows an operation. That silence is thunderous, though, letting you know of the embarrassment a rival state suffers when caught red-handed. By that measure, 2013 must be remembered as one of the CIA’s favorite years in its long rivalry with the Red Dragon.

Mandiant

That year, a private cybersecurity firm, Mandiant, published a landmark report exposing APT1 (Advanced Persistent Threat 1), a group of hackers operating directly under the Chinese military, specifically PLA Unit 61398, based in Shanghai. Though presented as a private-sector breakthrough, this exposure dovetailed with U.S. intelligence priorities and amplified the CIA’s longstanding efforts to prove Beijing’s state-directed cyber campaigns.

PLA Unit 61398

For years, Western intelligence officials had tracked an unnerving pattern: targeted cyber intrusions against U.S. corporations, media outlets, defense contractors, and even critical infrastructure. Much of the activity traced back to servers in China. Yet in the murky world of cyber attribution, plausible deniability was Beijing’s shield. Chinese officials insisted that their country was actually a victim of hacking, not the aggressor.

The stalemate broke in February 2013, when Mandiant released its 60-page dossier, laying out in forensic detail the operations of APT1. The report documented:

• Over 140 U.S. and international companies hacked.
• Terabytes of stolen intellectual property, ranging from aerospace blueprints to energy-sector data.
• Patterns of activity that matched the working hours and locations of a Shanghai-based military unit.

The clincher was Mandiant’s naming of PLA Unit 61398 as the culprit — an extraordinary public attribution. It transformed what had been whispered in classified briefings into an undeniable global narrative: the People’s Liberation Army was conducting state-sponsored cyber theft on an industrial scale.

A Victory by Exposure

Why was this a CIA “victory”? Because the release achieved something U.S. intelligence had long sought but could not itself orchestrate without escalating tensions or revealing sensitive collection methods. By leveraging an independent cybersecurity firm to go public, Washington sidestepped accusations of politicization while still delivering a crippling blow to Beijing’s denials.

The fallout

• Diplomatic embarrassment: China’s carefully cultivated image as a “responsible rising power” took a hit. The exposure forced Beijing onto the defensive in international forums.
• Private sector alarm: CEOs who had ignored classified warnings suddenly saw their company names on a hacker’s hit list. Corporate boards began taking cyber espionage as seriously as physical theft.
• Strategic validation: For the CIA and the broader intelligence community, the Mandiant report validated years of quiet collection and analysis. What had been known in secret was now undeniable in public.

This was victory through sunlight, which is rare in the intelligence world, but devastatingly effective.

After the Losses, a Win

It is worth recalling that in the early 2010s, the CIA endured a devastating setback: its human networks in China were rolled up, with agents shot or imprisoned. This left the Agency bloodied and scrambling to rebuild tradecraft.

Against that grim backdrop, the APT1 exposure in 2013 looked even more significant. Revenge is sweet. It showed that, even if HUMINT channels were compromised, the United States could still land blows through cyber counterintelligence, attribution, and exposure.

The CIA’s role here wasn’t running the press conference. It is what it is, meaning that its job was to ensure the U.S. government had the confidence to back Mandiant’s findings, and that allies understood the weight of the revelation.

Long-Term Effects

The unmasking of APT1 and PLA Unit 61398 triggered ripple effects that continue today:

• Legal consequences: In 2014, the U.S. Department of Justice indicted five PLA officers tied to the unit — the first criminal charges ever filed against state hackers. Though symbolic, the indictments signaled that exposure would carry personal risk.
• Strategic deterrence: While cyber theft didn’t stop, China adjusted tactics, scattering operations and refining cover. The exposure forced adaptation, slowing momentum and complicating Beijing’s deniability.
• Global precedent: Other countries, emboldened by the U.S. example, began attributing cyberattacks more openly, blunting adversaries’ ability to hide.

The Nature of a Quiet Victory

The CIA’s victory in 2013 wasn’t about capturing spies or foiling a coup. It was about narrative control — forcing the world to see what Beijing wanted hidden. Intelligence bounties often look like this: the adversary is embarrassed, constrained, forced to alter its playbook. And crucially, the victory did not require open confrontation.

In the shadow war between Washington and Beijing, the APT1 exposure was a masterstroke of information dominance. It showed that sometimes the sharpest weapon is not the clandestine operation itself, but the decision to make it PUBLIC at the right time, in the right way.

Author: renqiulan

Open Sources:

• Mandiant Report (APT1: Exposing One of China’s Cyber Espionage Units) – [Mandiant, 2013] (PDF widely available online).
• “Chinese Army Unit Is Seen as Tied to Hacking Against U.S.” – The New York Times, Feb 2013.
• “APT1: The First Time PLA Hackers Were Outed” – Council on Foreign Relations, backgrounder.
• U.S. Department of Justice Indictment of PLA Officers – Press Release, May 2014.
• FireEye (post-Mandiant acquisition) Cyber Threat Intelligence Reports – Updates on APT1 and follow-on Chinese APTs.
• “The PLA and China’s Cyber Strategy” – RAND Corporation analysis, 2015.





