How US researchers identified Chinese army officer, hacker

Maybe not at the state dinner, but President Obama could put Chinese President Xi Jinping on the defensive with a simple question. “So, how’s Ge Xing these days?”

Ge Xing is an obscure officer in the People’s Liberation Army, operating in reconnaissance Unit 78020, out of the Chengdu Military Region. Only he’s not so obscure anymore. We know he’s behind a malware group known as Naikon. Using spear phishing emails with enticing Word documents, Naikon seeks to get secret information from users in the region of the South China Sea, including U.S. Navy and State Department information.

Federal Drive host Tom Temin

How do we know? Unit 78020 has been in the crosshairs of local cybersecurity companies ThreatConnect of Arlington and Defense Group Inc. of Vienna. They focused on Naikon for several years because it represented a nasty advanced persistent threat (APT). They used the open-source Diamond Model for intrusion analysis.

You can read the findings here. But in essence, it’s another example of not just Chinese, but Chinese governmental cyber espionage. In other words, nothing to be shocked about, but a fine specimen nonetheless.


What I found interesting from my interview with Rich Barger, ThreatConnect’s chief intelligence officer, is that sharp Chinese officers can suffer from the same hubris as Western hackers who get slightly conceited and sloppy. The researchers were able to finger him by correlating his active and assertive social media activities. He used the online handle greensky27, a domain name also associated with Naikon.
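The correlation described above is an instance of the Diamond Model’s pivoting: start from a capability (the malware), move to the infrastructure it used (domains), then to whoever registered that infrastructure, and finally to the public persona behind the handle. The following is an added illustration, not code from the article, ThreatConnect or Defense Group Inc.; every domain, handle and post in it is a constructed placeholder, not a real indicator, and the confidence scoring is a hypothetical rule of thumb for showing why a single overlapping indicator is weak evidence.

```python
"""Diamond Model style pivoting from a malware family to a persona.

Added example with constructed data. The vertices are the model's
four: adversary (handle), infrastructure (domain), capability
(malware family) and victim (omitted here for brevity).
"""

# --- constructed sample data; none of these are real indicators ---

# capability -> infrastructure: C2 domains seen in samples of each family
C2_SIGHTINGS = [
    ("apt-family-a", "update-sync.example"),
    ("apt-family-a", "mail-relay.example"),
    ("unrelated-rat", "cdn-files.example"),
]

# infrastructure -> adversary: registrant handle from a WHOIS-style record
REGISTRATIONS = {
    "update-sync.example": "skyhandle27",
    "mail-relay.example": "skyhandle27",
    "cdn-files.example": "othername",
}

# adversary -> self-identifying public posts under the same handle
SOCIAL_POSTS = [
    ("skyhandle27", "mountain bike for sale, call 555-0100"),
    ("skyhandle27", "visiting the family temple this weekend"),
    ("othername", "new coffee shop downtown"),
]


def domains_for_capability(capability, sightings=C2_SIGHTINGS):
    """Capability -> infrastructure pivot."""
    return {domain for cap, domain in sightings if cap == capability}


def handles_for_domains(domains, registrations=REGISTRATIONS):
    """Infrastructure -> adversary pivot; unknown registrants are skipped."""
    return {registrations[d] for d in domains if d in registrations}


def attribution_chain(capability, sightings=C2_SIGHTINGS,
                      registrations=REGISTRATIONS, posts=SOCIAL_POSTS):
    """Return {handle: {"domains": set, "posts": list}} for every handle
    reachable from the capability, keeping the evidence that links them."""
    domains = domains_for_capability(capability, sightings)
    chain = {}
    for handle in handles_for_domains(domains, registrations):
        chain[handle] = {
            "domains": {d for d in domains if registrations.get(d) == handle},
            "posts": [text for h, text in posts if h == handle],
        }
    return chain


def link_confidence(entry):
    """Hypothetical scoring: independent domains with the same registrant
    plus self-identifying posts raise confidence; one indicator alone is
    'low' because registrant data can be shared, reused or spoofed."""
    n_domains, n_posts = len(entry["domains"]), len(entry["posts"])
    if n_domains >= 2 and n_posts >= 2:
        return "high"
    if n_domains >= 1 and n_posts >= 1:
        return "medium"
    return "low"


if __name__ == "__main__":
    for handle, entry in attribution_chain("apt-family-a").items():
        print(handle, sorted(entry["domains"]), link_confidence(entry))
```

The value of the structure is that each link carries its evidence: an analyst can see that the handle is tied to the family through two separately registered domains, not one, before reading anything into the posts.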

In fact, a Wall Street Journal account of Ge Xing shows some of the pictures he posted online. There’s greensky27’s mountain bike for sale, together with an actual name and phone number. Here he’s visiting his family’s ancestral temple.

Barger says this politically knowledgeable officer simply made a common error that let researchers correlate a handle with the real person.

Speaking of the Naikon group, Barger said, “One of their operators [Ge] slipped up and was really able to give us some details as to who the actual entity was behind the keyboard — which is pretty rare in our industry.”