Chinese Military Behind South China Sea Cyber Espionage Attacks

Researchers say the infamous advanced persistent threat hacking group known as Naikon is actually China's PLA Unit 78020; a military intelligence expert in that unit was traced to the attacks via his social media and other online activity.

Add one more contentious cyberattack issue to the mix for tomorrow's meeting in Washington, D.C. between President Obama and Chinese president Xi Jinping: researchers have identified a member of a Chinese military unit that they say is behind an infamous cyber espionage attack campaign against governments in Asia as well as the United Nations.

Researchers from ThreatConnect and Defense Group Inc. (DGI) today published a report detailing their findings that China's People's Liberation Army Unit 78020 is the body behind the infamous Naikon advanced persistent threat group known for attacking military, diplomatic, and economic targets in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand, Vietnam, the UN Development Programme, and the Association of Southeast Asian Nations (ASEAN). The five-year hacking campaign has targeted key individuals in those regions and organizations, all in the name of stealing information in its efforts to gain control of the strategic South China Sea. China is trying to reclaim islands in the oil-rich and highly strategic South China Sea.

The researchers outed the People’s Liberation Army Chengdu Military Region (MR) Second Technical Reconnaissance Bureau (TRB) Military Unit Cover Designator (MUCD) 78020 as the perpetrator of the attack campaign after discovering the activity of a PLA officer in that unit named Ge Xing. Ge's name is tied to one of the command-and-control domains associated with the attacks, as is his location of Kunming. The "greensky27.vicp.net" domain was found in Naikon's malware and the owner of the C2 domain in question was "GreenSky27," which they traced to Ge.

Cyberattacks are a contentious issue that Obama and Xi likely will address in their meetings. While the Naikon/PLA Unit 78020 attackers technically appear to be cyberspies conducting traditional spycraft intel-gathering, the US has vowed to punish China for economic cyber espionage attacks it conducts in order to steal intellectual property. The US in 2014 indicted five Chinese PLA officers for hacks that infiltrated US steel companies and stole trade secrets.

But like the massive Office of Personnel Management breach, which is widely believed to be the handiwork of Chinese cyberspies, traditional spycraft hacking is quietly understood to be mutual among many nations. It's unclear whether this latest campaign will be discussed, although the US is publicly concerned with China's movements in the South China Sea. Meanwhile, Xi told US businesses earlier this week that China will work to help the US combat cybercrime and that his government does not conduct IP theft hacks.

Photo of PLA's Ge Xing
Source: ThreatConnect

ThreatConnect and DGI researchers were able to identify Ge via multiple social media accounts using the GreenSky27 moniker, and match his online photos -- some taken at the military unit's location -- and movements via his social media posts to the domain and the hacking operation. They say Ge is a PLA member who specializes in Southeast Asian politics; they also found academic papers he wrote online that demonstrate his expertise in this area. According to the report, each of the PLA's seven military regions has its own technical recon bureau.

"He's probably not a keyboard jockey. He's probably the geopolitical guy who helps" with reconnaissance analysis, says Jonathan Ray, research associate with DGI.

"The way we got to [his] name was that it was part of a user name that he had with a lot of social media accounts. And his location matches up with the technical analysis" of the campaign, Ray says.

Ge also holds a Master's degree in Southeast Asia politics and likely holds a mid-level position in the PLA, according to the researchers.

Attributing cyber espionage attacks to individuals or nations is always a tricky endeavor fraught with the risk of false flags, but DGI and ThreatConnect maintain this is no decoy and that Ge Xing is indeed his real name. "A false flag op is an op itself," says Rich Barger, chief intelligence officer with ThreatConnect. "There would have to be some sort of outcome" they would want for such an operation, and this doesn't fit that bill, he says.

ID'ing Ge and his role shines light on the PLA's reconnaissance operation. "We're introducing a technical reconnaissance bureau" here, he says. "And we're highlighting that [Chinese cyberspying] is not just a US problem. There is global impact … [with] ancillary issues for the US and the West in general. Although that region seems far away, it's much closer to home in that we are a global economy and the economic impacts are … less obvious to some."

Naikon's hacking operations have been well-documented over the past few years by several security organizations in addition to ThreatConnect, including Kaspersky Lab, Shadowserver, and Trend Micro. The attack group is relatively aggressive: Most recently, Kaspersky spotted Naikon targeting another APT organization and that organization then retaliating. It was the first case seen of spies hacking other spies, Costin Raiu, head of Kaspersky's global research and analysis team, reported.

The targeted APT group -- aka "Hellsing," also known for targeting individuals associated with diplomacy and political ties to the South China Sea region -- then turned the tables on Naikon, Raiu discovered. "In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack," Raiu said in June when Kaspersky revealed the attacks.

The new research provides more evidence to dispute Chinese President Xi's denials of his military's hacking activities. "The new report brings welcome attention to the problem of Chinese military hacking activities, despite President Xi's repeated denials," says Richard Bejtlich, chief security strategist for FireEye. "The report is another example of the revolution in private sector intelligence capabilities. Online commercial imagery, sound analysis, and integration of technical and geopolitical indicators combine to produce professional and grounded conclusions."

Control over the South China Sea region has global trade ramifications. "The strategic implications for the United States include not only military alliances and security partnerships in the region, but also risks to a major artery of international commerce through which trillions of dollars in global trade traverse annually," the report says of the military unit's hacking of targets in the South China Sea region.

Now that the report is public, one of Ge's social media accounts has disappeared, and one of the servers is now resolving to a Denver-based location. The researchers are now looking at other elements of the operation, too. "This was a cross-section of the Naikon group, around one domain personified by Ge. So we're zooming back out again and looking at the broader connections," ThreatConnect's Barger says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

10/30/2015 | 12:49:02 PM
The 78020 unit of the PLA and the territorial aggrandizement
ThreatConnect and Defense Group Inc. have successfully managed to find and put in their report two documents whose headings show the involvement of:

  • Ge Xing (as the greensky27 member of the Naikon Group, as described in the article)

  • whose unit is indeed the 78020 unit

  • from the PLA

  • located in the province of Yunnan

  • and more specifically in the city of Kunming.


Ge Xing is actually involved in the study of the region, as the titles of the documents available in the ThreatConnect – DGI report show:

  • A light analysis of the development trend of Muslim separatist movements in Southern Thailand.

  • Cause analysis and features of the political democratisation process in postwar Thailand.


Lastly, the South China Sea draws 'boundless' efforts from mainland China because of its reportedly strategic natural resources and because of its seapower augmentation as a countermeasure to freedom of navigation in what she considers her patrimonial sea.

Best regards,

Xavier Alfonsi

Analyst in naval and naval aviation affairs and in cyberdefense in Asia-Pacific from original sources in Chinese
9/29/2015 | 3:38:55 PM
First comment, Re: PLA/China cyberspying
"First comment" means there's a new player in the game. For full disclosure, I'm a Native North American, living and working in our new GLOBALLY-connected planet. Our HOME. We really are all in this together, now, folks. Let's remember Bucky Fuller, and acknowledge that we're all crew members of Spaceship Earth. The internet is the command-and-control communications and trade infrastructure for ALL of us. But we're flying through uncharted territory. Safety and security must remain high on our priority lists. Realistically, whether "Ge Xing" is or is not a PLA hacker matters little to me personally. But that's not the point.

Knowledge is power, and power is life. China is a great and ancient nation, but the current "communist" government are as little children in a world of adults. And America is a very young adult.

We just can't afford to let bad actors and bad guys run rampant across our networks.

And the more good guys we have, and the more we know, and can do, the safer and more peaceful and productive we ALL are. We all mostly know all this, but we also need reminding.

(c)2015, Tom Clancy, Jr., *NON-fiction
