Chinese Military Behind South China Sea Cyber Espionage Attacks

An infamous advanced persistent threat hacking group known as Naikon is actually China's PLA Unit 78020, and a military intelligence expert there has been traced to the attacks via his social media and other activity.

[Photo of PLA's Ge Xing. Source: ThreatConnect]

Add one more contentious cyberattack issue to the mix for tomorrow's meeting in Washington, D.C. between President Obama and Chinese president Xi Jinping: researchers have identified a member of a Chinese military unit that they say is behind an infamous cyber espionage attack campaign against governments in Asia as well as the United Nations.

Researchers from ThreatConnect and Defense Group Inc. (DGI) today published a report detailing their findings that China's People's Liberation Army Unit 78020 is the body behind the infamous Naikon advanced persistent threat group known for attacking military, diplomatic, and economic targets in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand, Vietnam, the UN Development Programme, and the Association of Southeast Asian Nations (ASEAN). The five-year hacking campaign has targeted key individuals in those regions and organizations, all in the name of stealing information in its efforts to gain control of the strategic South China Sea. China is trying to reclaim islands in the oil-rich and highly strategic South China Sea.

The researchers outed the People’s Liberation Army Chengdu Military Region (MR) Second Technical Reconnaissance Bureau (TRB) Military Unit Cover Designator (MUCD) 78020 as the perpetrator of the attack campaign after discovering the activity of a PLA officer in that unit named Ge Xing. Ge's name is tied to one of the command-and-control domains associated with the attacks, as is his location of Kunming. The "" domain was found in Naikon's malware and the owner of the C2 domain in question was "GreenSky27," which they traced to Ge.

Cyberattacks are a contentious issue that Obama and Xi likely will address in their meetings. While the Naikon/PLA Unit 78020 attackers technically appear to be cyberspies conducting traditional spycraft intel-gathering, the US has vowed to punish China for economic cyber espionage attacks it conducts in order to steal intellectual property. The US in 2014 indicted five Chinese PLA officers for hacks that infiltrated US steel companies and stole trade secrets.

But like the massive Office of Personnel Management breach, which is widely believed to be the handiwork of Chinese cyberspies, traditional spycraft hacking is quietly understood to be mutual among many nations. It's unclear whether this latest campaign will be discussed, although the US is publicly concerned with China's movements in the South China Sea. Meanwhile, Xi told US businesses earlier this week that China will work to help the US combat cybercrime and that his government does not conduct IP theft hacks.

ThreatConnect and DGI researchers were able to identify Ge via multiple social media accounts using the GreenSky27 moniker, and match his online photos -- some taken at the military unit's location -- and movements via his social media posts to the domain and the hacking operation. They say Ge is a PLA member who specializes in Southeast Asian politics; they also found academic papers he wrote online that demonstrate his expertise in this area. According to the report, each of the PLA's seven military regions has its own technical recon bureau.

"He's probably not a keyboard jockey. He's probably the geopolitical guy who helps" with reconnaissance analysis, says Jonathan Ray, research associate with DGI.

"The way we got to [his] name was that it was part of a user name that he had with a lot of social media accounts. And his location matches up with the technical analysis" of the campaign, Ray says.

Ge also holds a Master's degree in Southeast Asia politics and likely holds a mid-level position in the PLA, according to the researchers.

Attributing cyber espionage attacks to individuals or nations is always a tricky endeavor fraught with the risk of false flags, but DGI and ThreatConnect maintain this is no decoy and that Ge Xing is indeed his real name. "A false flag op is an op itself," says Rich Barger, chief intelligence officer with ThreatConnect. "There would have to be some sort of outcome" they would want for such an operation, and this doesn't fit that bill, he says.

ID'ing Ge and his role shines light on the PLA's reconnaissance operation. "We're introducing a technical reconnaissance bureau" here, he says. "And we're highlighting that [Chinese cyberspying] is not just a US problem. There is global impact … [with] ancillary issues for the US and the West in general. Although that region seems far away, it's much closer to home in that we are a global economy and the economic impacts are … less obvious to some."

Naikon's hacking operations have been well-documented over the past few years by several security organizations in addition to ThreatConnect, including Kaspersky Lab, Shadowserver, and Trend Micro. The attack group is relatively aggressive: Most recently, Kaspersky spotted Naikon targeting another APT organization and that organization then retaliating. It was the first case seen of spies hacking other spies, Costin Raiu, head of Kaspersky's global research and analysis team, reported.

The targeted APT group -- aka "Hellsing," also known for targeting individuals associated with diplomacy and political ties to the South China Sea region -- then turned the tables on Naikon, Raiu discovered. "In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack," Raiu said in June when Kaspersky revealed the attacks.

The new research provides more evidence to dispute Chinese President Xi's denials of his military's hacking activities. "The new report brings welcome attention to the problem of Chinese military hacking activities, despite President Xi's repeated denials," says Richard Bejtlich, chief security strategist for FireEye. "The report is another example of the revolution in private sector intelligence capabilities. Online commercial imagery, sound analysis, and integration of technical and geopolitical indicators combine to produce professional and grounded conclusions."

Control over the South China Sea region has global trade ramifications. "The strategic implications for the United States include not only military alliances and security partnerships in the region, but also risks to a major artery of international commerce through which trillions of dollars in global trade traverse annually," the report says of the military unit's hacking of targets in the South China Sea region.

Now that the report is public, one of Ge's social media accounts has disappeared, and one of the servers is now resolving to a Denver-based location. The researchers are now looking at other elements of the operation, too. "This was a cross-section of the Naikon group, around one domain personified by Ge. So we're zooming back out again and looking at the broader connections," ThreatConnect's Barger says.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
