The Wall Street Journal reports on a study from cybersecurity group ThreatConnect and the security consultants at Defense Group, Inc., indicating that China’s military is heavily involved in hacking and cyber crime.
The study is designed to chip away at the barrier of plausible deniability China maintains between its military and the supposedly rogue “hacker collectives” who collectively do all the hacking.
China claims these hackers are just coincidentally pulling off capers that line up with Beijing’s interests. They are also coincidentally able to slip through some of the most formidable firewalls and Internet blockades in the world and commit some of the biggest cyber crimes in history, without ever getting caught by the military or law-enforcement arms of an authoritarian regime.
The marquee evidence for links between China’s military and these deniable “rogue” collectives is the career of one Ge Xing, who was on the receiving end of sensitive data pilfered by a virus-laced Microsoft Word document concerning China’s controversial moves in the South China Sea.
Ge is a member of a Chinese military recon unit, PLA Unit 78020, and an academic with work published on Thai politics. He was set up with a nice cover profile that makes him look like a prosperous fellow who “occasionally criticizes the government.” Working under the online alias “GreenSky27,” he appears to be the PLA’s liaison to a “rogue hacker collective” called Naikon that just happens to spend its time raiding computer networks in countries lined up against China in the struggle over those hotly-contested South China Sea islands.
The ThreatConnect-DGI report describes a sprawling Chinese network of military bureaucracy manipulating these hacker groups. The WSJ writes that Unit 78020 is “one of more than two dozen such bureaus within the PLA tasked with intelligence gathering, analysis and computer network defense and exploitation, according to Mark Stokes, executive director at Virginia think tank Project 2049 Institute and an authority on the role of China’s military in signals intelligence like cyberspying.”
Stokes described another “reconnaissance bureau” involved in hacking the Dalai Lama’s computer networks. ThreatConnect’s Project Camerashy details numerous other exploits of Unit 78020 and its pet hacker collective, which uses “spear phishing” techniques like Ge Xing’s virus-infested Microsoft Word document to target “government entities in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand, and Vietnam, as well as international bodies such as United Nations Development Program (UNDP) and the Association of Southeast Asian Nations (ASEAN).”
According to the Project Camerashy report, China is using cyber-espionage to accumulate information that could be useful for naval aggression in the South China Sea, economic warfare against anyone who opposes its ambitions in the region, and efforts to disrupt the United States’s military alliances and seurity partnerships with Pacific Rim nations.
One disturbing passage in the report breaks down the Naikon hackers’ techniques, noting that to penetrated targeted computer networks, the collective “relies on email as the attack vector, and precise social engineering to identify appropriate targets.” This involves gathering personal information on users of the targeted network, such as “full names, email addresses, date of birth, interests in current events, nationality, gender, and previous email and social network communications to and from a target.” The Office of Personnel Management hack has given Chinese hackers the largest trove of such information ever assembled, ready to fuel “social engineering” against American government employees and contractors.
A great deal of painstaking detective work was conducted to trace Naikon malware back to PLA Unit 78020 and its headquarters in Kunming, in southeast China. The case laid out by ThreatConnect is extremely difficult to refute—they have built detailed infrastructure maps of the hacking operation and its complicated computer network, which bounced the network traffic from Naikon’s malware between routers all over Asia, plus a big one in Denver.
An entire chapter of the 86-page report deals with the links between Ge Xing, his PLA unit, and the Naikon hackers, leaving “no room for coincidence,” as ThreatConnect puts it. Running the hacker network is quite literally Ge Xing’s day job—cybersecurity detectives watched Naikon activity spike each day, after Ge showed up for work at 9:00 AM local time and opened a secure link to the hackers’ infrastructure. They even got a pretty good handle on the sort of maintenance tasks Ge takes care of before and after he breaks for lunch. The Chinese hid their tracks well, but not as well as they thought.
Will President Obama confront Xi Jinping with this kind of evidence? Not very likely. The smart money is still on a few quiet backroom conversations at most, a whispered entreaty to knock off the hacking, perhaps followed by the sort of joint cyberspace security declaration that lets China off the hook and validates its false narrative about desiring a secure worldwide Internet above all other things.
The Project Camerashy report concludes that China’s cyber-espionage aggression “clearly comes at an expense to China’s reputation regionally and internationally as credible proof of these operations continues to mount.” The Naikon hackers have settled down quite a bit since they were exposed, and their PLA boss “GreenSky27” has, at least temporarily, ceased activity.
However, the report predicts China will “undoubtedly continue their routine of blase denials and dismissals of all allegations.” Their state-managed, deniable hacking operation is too big to be seriously damaged by the loss of a few individual bureaus and network nodes. They won’t stop what they’re doing because a few security consulting firms catch them red-handed.