Security researchers have blown the lid off another Chinese PLA hacking group. Kunming-based Unit 78020 of the People’s Liberation Army (PLA) specialises hacking Southeast Asian military, diplomatic, and economic targets, according to new research by security intelligence firm ThreatConnect.
The APT group – commonly known as Naikon by Western security analysts – runs regional computer network operations, signals intelligence, and political analysis of the Southeast Asian border nations, particularly those claiming disputed areas of the energy-rich South China Sea.
"ThreatConnect, in partnership with Defense Group Inc., has attributed the targeted cyber espionage infrastructure activity associated with the 'Naikon' Advanced Persistent Threat (APT) group to a specific unit of the Chinese People’s Liberation Army (PLA)," the security intelligence firm explains.
"Our assessment is based on technical analysis of Naikon threat activity and native language research on a PLA officer within Unit 78020," it added.
Key finding (extract below) from the report implicate a named individual in coordinating a wide-ranging spying pop direct against China's neighbours.
Analysis of historic command and control (C&C) infrastructure used consistently within Naikon malware for espionage operations against Southeast Asian targets has revealed a strong nexus to the city of Kunming, capital of Yunnan Province in southwestern China.
The C&C domain “greensky27.vicp[.]net” consistently appeared within unique Naikon malware, where the moniker “greensky27” is the personification of the entity who owns and operates the malicious domain.
Further research shows many social media accounts with the “greensky27” username are maintained by a People’s Republic of China (PRC) national named Ge Xing (葛星), who is physically located in Kunming.
Ge Xing, aka “GreenSky27”, has been identified as a member of the PLA specializing in Southeast Asian politics, specifically Thailand, according to ThreatConnect.
The study combines a "data-driven statistical analysis of malicious infrastructure on the internet" with a "human-focused view into the social media activities of the adversary to arrive at its conclusions", using a metrology explained in greater depth here.
Almost five years of exploitation activity were accessed, but ThreatConnect is careful to say that the report is "one chapter of a larger story" and by no means even a comprehensive listing of all malware and infrastructure leveraged by Naikon globally.
More detail on how cyber sleuths at ThreatConnect tracked a suspected hacker back to a member of the Chinese military can be found in a WSJ story (subscription required).
Publication of the research coincides with a US visit by Chinese President Xi Jinping. Xi began the visit by firmly denying Chinese involvement in commercial cyber espionage, as previously reported. The latest allegation will undoubtedly be shrugged off in much the same spirit.
ThreatConnect's research parallels the landmark expose of Shanghai-based PLA Unit 61398 hacking crew by Mandiant back in February 2013.
The US indicted five officers of the same People’s Liberation Army in May 2014 on charges of malware distribution and theft of commercial information, to little effect thus far. ®