Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:00 PM
Connect Directly

Chinese Military Behind South China Sea Cyber Espionage Attacks

An infamous advanced persistent threat hacking group known as Naikon is actually China's PLA Unit 78020 and a military intelligence expert there, traced to the attacks via his social media and other activity.

Add one more contentious cyberattack issue to the mix for tomorrow's meeting in Washington, D.C. between President Obama and Chinese president Xi Jinping: researchers have identified a member of a Chinese military unit that they say is behind an infamous cyber espionage attack campaign against governments in Asia as well as the United Nations.

Researchers from ThreatConnect and Defense Group Inc. (DGI) today published a report detailing their findings that China's People's Liberation Army Unit 78020 is the body behind the infamous Naikon advanced persistent threat group known for attacking military, diplomatic, and economic targets in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand, Vietnam, the UN Development Programme, and the Association of Southeast Asian Nations (ASEAN). The five-year hacking campaign has targeted key individuals in those regions and organizations, all in the name of stealing information in its efforts to gain control of the strategic South China Sea. China is trying to reclaim islands in the oil-rich and highly strategic South China Sea.

The researchers outed the People’s Liberation Army Chengdu Military Region (MR) Second Technical Reconnaissance Bureau (TRB) Military Unit Cover Designator (MUCD) 78020 as the perpetrator of the attack campaign after discovering the activity of a PLA officer in that unit named Ge Xing. Ge's name is tied to one of the command-and-control domains associated with the attacks, as is his location of Kunming. The "greensky27.vicp.net" domain was found in Naikon's malware and the owner of the C2 domain in question was "GreenSky27," which they traced to Ge.

Cyberattacks are a contentious issue that Obama and Xi likely will address in their meetings. While the Naikon/PLA Unit 78020 attackers technically appear to be cyberspies conducting traditional spycraft intel-gathering, the US has vowed to punish China for economic cyber espionage attacks it conducts in order to steal intellectual property. The US in 2014 indicted five Chinese PLA officers for hacks that infiltrated US steel companies and stole trade secrets.

But like the massive Office of Personnel Management breach, which is widely believed to be the handiwork of Chinese cyberspies, traditional spycraft hacking is quietly understood to be mutual among many nations. It's unclear whether this latest campaign will be discussed, although the US is publicly concerned with China's movements in the South China Sea. Meanwhile, Xi told US businesses earlier this week that China will work to help the US combat cybercrime and that his government does not conduct IP theft hacks.

Photo of PLA's Ge Xing
Source: ThreatConnect

Photo of PLA's Ge Xing

Source: ThreatConnect

ThreatConnect and DGI researchers were able to identify Ge via multiple social media accounts using the GreenSky27 moniker, and match his online photos -- some taken at the military unit's location -- and movements via his social media posts to the domain and the hacking operation. They say Ge is a PLA member who specializes in Southeast Asian politics; they also found academic papers he wrote online that demonstrate his expertise in this area. According to the report, each of the PLA's seven military regions has its own technical recon bureau.

"He's probably not a keyboard jockey. He's probably the geopolitical guy who helps" with reconnaissance analysis, says Jonathan Ray, research associate with DGI.

"The way we got to [his] name was that it was part of a user name that he had with a lot of social media accounts. And his location matches up with the technical analysis" of the campaign, Ray says.

Ge also holds a Master's degree in Southeast Asia politics and likely holds a mid-level position in the PLA, according to the researchers.

Attributing cyber espionage attacks to individuals or nations is always a tricky endeavor fraught with the risk of false flags, but DGI and ThreatConnect maintain this is no decoy and that Ge Xing is indeed his real name. "A false flag op is an op itself," says Rich Barger, chief intelligence officer with ThreatConnect. "There would have to be some sort of outcome" they would want for such an operation, and this doesn't fit that bill, he says.

ID'ing Ge and his role shines light on the PLA's reconnaissance operation. "We're introducing a technical reconnaissance bureau" here, he says. "And we're highlighting that [Chinese cyberspying] is not just a US problem. There is global impact … [with] ancillary issues for the US and the West in general. Although that region seems far away, it's much closer to home in that we are a global economy and the economic impacts are … less obvious to some."

Naikon's hacking operations have been well-documented over the past few years by several security organizations in addition to ThreatConnect, including Kaspersky Lab, Shadowserver, and Trend Micro. The attack group is relatively aggressive: Most recently, Kaspersky spotted Naikon targeting another APT organization and that organization then retaliating. It was the first case seen of spies hacking other spies, Costin Raiu, head of Kaspersky's global research and analysis team, reported.

The targeted APT group -- aka "Hellsing," also known for targeting individuals associated with diplomacy and political ties to the South China Sea region -- then turned the tables on Naikon, Raiu discovered. "In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack," Raiu said in June when Kaspersky revealed the attacks.

The new research provides more evidence to dispute Chinese President Xi's denials of his military's hacking activities. "The new report brings welcome attention to the problem of Chinese military hacking activities, despite President Xi's repeated denials," says Richard Bejtlich, chief security strategist for FireEye. "The report is another example of the revolution in private sector intelligence capabilities. Online commercial imagery, sound analysis, and integration of technical and geopolitical indicators combine to produce professional and grounded conclusions."

Control over the South China Sea region has global trade ramifications. "The strategic implications for the United States include not only military alliances and security partnerships in the region, but also risks to a major artery of international commerce through which trillions of dollars in global trade traverse annually," the report says of the military unit's hacking of targets in the South China Sea region.

Now that the report is public, one of Ge's social media accounts has disappeared, and one of the servers is now resolving to a Denver-based location. The researchers are now looking at other elements of the operation, too. "This was a cross-section of the Naikon group, around one domain personified by Ge. So we're zooming back out again and looking at the broader connections," ThreatConnect's Barger says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/30/2015 | 12:49:02 PM
The 78020 unit of the PLA and the territorial agrandizzement
The ThreatConnect and Defense Group Inc. have successfully managed to find and put in their report two documents of which the heading shows the involvement of:

  • Ge XingŠ‹¯ (as the greensky27 member of the Naikon Group such as described in the article)

  • whose unit is indeed the 78020 unit: 'æ78020•"'à

  • from the PLA:'†š l–¯‰ð•úŒR

  • located in the province of Yunnan: ‰_"ì

  • and more specifically in the city of Kunming:©–¾.


Ge Xing is actually involved in the study of the region through the titles of the available documents in the ThreatConnect – DGI report:

  • 'ך "ì•"–sz—Ñ•ª—£‰^"®"Iá¢"W–¨ŸÇÍ

A light analysis of the development trend of Muslim separatist movements in Southern Thailand.

  • DŒã'ך "I­¡–¯å‰»i'ö"I"Áêy‹yŒ´ˆö•ªÍ

Cause analysis and features of the political democratisation process in postwar Thailand.


At last, the South China Sea draws 'boundless' efforts from mainland China because of its reportedly strategic natural resources and because of its seapower augmentation as a countermeasure to freedom of navigation in what she considers as her patrimonial sea³PŠC.

Best regards,

Xavier Alfonsi

Analyst in naval and naval aviation affairs and in cyberdefense in Asia-Pacific from original sources in Chinese
User Rank: Apprentice
9/29/2015 | 3:38:55 PM
First comment, Re: PLA/China cyberspying,
"First comment" means there's a new player in the game. For full disclosure, I'm a Native North American, living and working in our new GLOBALLY - connected planet. Our HOME. We really are all in this together, now, folks. Let's remember Bucky Fuller, and acknowledge that we're all crew members of Spaceship Earth. The internet is the command-and-control communications and trade infrastructure for ALL of us. But we're flying through uncharted territory. Safety and security must remain high on our priority lists. Realistically, whether "Ge Xing" is or is not a PLA hacker matters little to me personally. But that's not the point.

Knowledge is power, and power is life. China is a great and ancient nation, but the current

"commmunist" government are as little children in a world of adults. And America is a very young adult.

We just can't afford to let bad actors and bad guys run rampant across our networks.

And the more good guys we have, and the more we know, and can do, the safer and more peaceful and productive we ALL are. We all mostly know all this, but we also need reminding.

(c)2015, Tom Clancy, Jr.,                     *NON-fiction

Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-14
A Symlink Traversal vulnerability exists in NETGEAR Centria WNDR4700 Firmware
PUBLISHED: 2019-11-14
The Samsung J7 Pro Android device with a build fingerprint of samsung/j7y17lteub/j7y17lte:8.1.0/M1AJQ/J730GUBS6BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName= that allows other pre-installed app...
PUBLISHED: 2019-11-14
The Samsung J7 Pro Android device with a build fingerprint of samsung/j7y17lteubm/j7y17lte:8.1.0/M1AJQ/J730GMUBS6BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName= that allows other pre-installed a...
PUBLISHED: 2019-11-14
The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V10.2.6.0.ODMMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812191721) that allows unautho...
PUBLISHED: 2019-11-14
The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=A2060_201801032053) that allows unauthorized wireles...