Chinese Military Behind South China Sea Cyber Espionage Attacks

Published: 22/11/2024   Category: security




An infamous advanced persistent threat hacking group known as Naikon is actually China's PLA Unit 78020, and a military intelligence expert in that unit has been traced to the attacks via his social media and other online activity.



Add one more contentious cyberattack issue to the mix for tomorrow's meeting in Washington, D.C. between President Obama and Chinese president Xi Jinping: researchers have identified a member of a Chinese military unit that they say is behind an infamous cyber espionage attack campaign against governments in Asia as well as the United Nations.
Researchers from ThreatConnect and Defense Group Inc. (DGI) today published a report detailing their findings that China's People's Liberation Army Unit 78020 is the body behind the infamous Naikon advanced persistent threat group known for attacking military, diplomatic, and economic targets in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand, Vietnam, the UN Development Programme, and the Association of Southeast Asian Nations (ASEAN). The five-year hacking campaign has targeted key individuals in those regions and organizations, all in the name of stealing information in its efforts to gain control of the strategic South China Sea. China is trying to reclaim islands in the oil-rich and highly strategic South China Sea.
The researchers outed the People's Liberation Army Chengdu Military Region (MR) Second Technical Reconnaissance Bureau (TRB) Military Unit Cover Designator (MUCD) 78020 as the perpetrator of the attack campaign after discovering the activity of a PLA officer in that unit named Ge Xing. Ge's name is tied to one of the command-and-control domains associated with the attacks, as is his location of Kunming. The greensky27.vicp.net domain was found in Naikon's malware, and the owner of the C2 domain in question was GreenSky27, which they traced to Ge.
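The only technical indicator the article names is the C2 domain greensky27.vicp.net. The following is an added example, not code from the ThreatConnect/DGI report or the article: a small Python matcher that scans DNS query logs for that domain and its subdomains. It matches on the name rather than the resolved address, because vicp.net is a dynamic DNS service and the IP behind the name changes. The log lines and client addresses are constructed for illustration.

```python
"""Added example (not from the ThreatConnect/DGI report): match DNS query
logs against a domain indicator, using the Naikon C2 domain named in the
article. The log lines below are constructed, not real traffic."""
import re
from dataclasses import dataclass

# Indicator from the article. vicp.net is a dynamic DNS service, so the
# resolved IP changes over time; match on the name, not the address.
C2_DOMAINS = {"greensky27.vicp.net"}

# Constructed sample lines in BIND-style query-log format (not real traffic).
SAMPLE_LOG = """\
22-Nov-2024 10:01:02.123 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
22-Nov-2024 10:01:03.456 client 10.0.0.7#53212: query: GreenSky27.vicp.net. IN A + (10.0.0.1)
22-Nov-2024 10:01:04.789 client 10.0.0.9#53213: query: notgreensky27.vicp.net IN A + (10.0.0.1)
22-Nov-2024 10:01:05.001 client 10.0.0.11#53214: query: update.greensky27.vicp.net IN TXT + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass(frozen=True)
class Hit:
    client: str
    qname: str
    qtype: str
    indicator: str


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing dot so FQDN variants compare equal."""
    return name.lower().rstrip(".")


def matching_indicator(qname: str, indicators=C2_DOMAINS):
    """Return the indicator that qname equals or is a subdomain of, else None.

    The label-boundary check (".indicator" suffix) avoids false positives such
    as notgreensky27.vicp.net, which merely ends with the indicator's characters.
    """
    q = normalize(qname)
    for ioc in indicators:
        i = normalize(ioc)
        if q == i or q.endswith("." + i):
            return i
    return None


def scan_dns_log(text: str, indicators=C2_DOMAINS):
    """Parse BIND-style query log lines and return hits against the indicator set."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matching_indicator(m["qname"], indicators)
        if ioc:
            hits.append(Hit(m["client"], normalize(m["qname"]), m["qtype"], ioc))
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h.client} queried {h.qname} ({h.qtype}), matches indicator {h.indicator}")
```

On the constructed log the matcher reports the two clients that queried greensky27.vicp.net (one with mixed case and a trailing dot, one via a subdomain) and ignores the look-alike notgreensky27.vicp.net. Extending C2_DOMAINS with further names from the report is the only change needed to reuse it.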
Cyberattacks are a contentious issue that Obama and Xi likely will address in their meetings. While the Naikon/PLA Unit 78020 attackers technically appear to be cyberspies conducting traditional spycraft intel-gathering, the US has vowed to punish China for economic cyber espionage attacks it conducts in order to steal intellectual property. The US in 2014 indicted five Chinese PLA officers for hacks that infiltrated US steel companies and stole trade secrets.
But like the massive Office of Personnel Management breach, which is widely believed to be the handiwork of Chinese cyberspies, traditional spycraft hacking is quietly understood to be mutual among many nations. It's unclear whether this latest campaign will be discussed, although the US is publicly concerned with China's movements in the South China Sea. Meanwhile, Xi told US businesses earlier this week that China will work to help the US combat cybercrime and that his government does not conduct IP theft hacks.
ThreatConnect and DGI researchers were able to identify Ge via multiple social media accounts using the GreenSky27 moniker, and match his online photos -- some taken at the military unit's location -- and movements via his social media posts to the domain and the hacking operation. They say Ge is a PLA member who specializes in Southeast Asian politics; they also found academic papers he wrote online that demonstrate his expertise in this area. According to the report, each of the PLA's seven military regions has its own technical reconnaissance bureau.
"He's probably not a keyboard jockey. He's probably the geopolitical guy who helps with reconnaissance analysis," says Jonathan Ray, research associate with DGI.
"The way we got to [his] name was that it was part of a user name that he had with a lot of social media accounts. And his location matches up with the technical analysis of the campaign," Ray says.
Ge also holds a Master's degree in Southeast Asia politics and likely holds a mid-level position in the PLA, according to the researchers.
Attributing cyber espionage attacks to individuals or nations is always a tricky endeavor fraught with the risk of false flags, but DGI and ThreatConnect maintain this is no decoy and that Ge Xing is indeed his real name. "A false flag op is an op itself," says Rich Barger, chief intelligence officer with ThreatConnect. "There would have to be some sort of outcome they would want for such an operation, and this doesn't fit that bill," he says.
IDing Ge and his role shines light on the PLA's reconnaissance operation. "We're introducing a technical reconnaissance bureau here," he says. "And we're highlighting that [Chinese cyberspying] is not just a US problem. There is global impact … [with] ancillary issues for the US and the West in general. Although that region seems far away, it's much closer to home in that we are a global economy and the economic impacts are … less obvious to some."
Naikon's hacking operations have been well-documented over the past few years by several security organizations in addition to ThreatConnect, including Kaspersky Lab, Shadowserver, and Trend Micro. The attack group is relatively aggressive: Most recently, Kaspersky spotted Naikon targeting another APT organization and that organization then retaliating. It was the first case seen of "spies hacking other spies," Costin Raiu, head of Kaspersky's global research and analysis team, reported.
The targeted APT group -- aka Hellsing, also known for targeting individuals associated with diplomacy and political ties to the South China Sea region -- then turned the tables on Naikon, Raiu discovered. "In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack," Raiu said in June when Kaspersky revealed the attacks.
The new research provides more evidence to dispute Chinese President Xi's denials of his military's hacking activities. "The new report brings welcome attention to the problem of Chinese military hacking activities, despite President Xi's repeated denials," says Richard Bejtlich, chief security strategist for FireEye. "The report is another example of the revolution in private sector intelligence capabilities. Online commercial imagery, sound analysis, and integration of technical and geopolitical indicators combine to produce professional and grounded conclusions."
Control over the South China Sea region has global trade ramifications. "The strategic implications for the United States include not only military alliances and security partnerships in the region, but also risks to a major artery of international commerce through which trillions of dollars in global trade traverse annually," the report says of the military unit's hacking of targets in the South China Sea region.
Now that the report is public, one of Ge's social media accounts has disappeared, and one of the servers is now resolving to a Denver-based location. The researchers are now looking at other elements of the operation, too. "This was a cross-section of the Naikon group, around one domain personified by Ge. So we're zooming back out again and looking at the broader connections," ThreatConnect's Barger says.
