Cybersecurity Researchers Link Hackers to Chinese Military
A new report by cybersecurity company ThreatConnect and open source intelligence company Defense Group Inc. (DGI) has linked a hacker collective known as “Naikon” with the Chinese military. The “Project CAMERASHY: Closing the Aperture on China’s Unit 78020” report documents China's efforts to spy on foreign governments, corporations, and military forces that it sees as threats.
According to the report, the Naikon advanced persistent threat (APT) group operates as part of Unit 78020, a People's Liberation Army unit that has been linked to a number of intrusions in the past. The documented activity spans almost five years and has relied on spear-phishing e-mails carrying malicious attachments to deliver malware to U.S. companies and partners.
Reliance on E-Mail Attacks
Naikon was first identified in April 2012, when the Shadowserver Foundation, a volunteer group of security professionals that gathers, tracks and reports on malware, botnet activity and electronic fraud, identified a then-unnamed group using spear-phishing lures built from documents in the Hardcore Charlie data dump. (Hardcore Charlie, a hacker affiliated with the hacktivist group Anonymous, claimed to have broken into the IT systems of a Chinese military contractor and exposed documents related to the U.S. war effort in Afghanistan.)
The group gained mainstream attention in June 2013, when Trend Micro published a detailed analysis of Naikon's Rarstone malware.
"Naikon APT supports Unit 78020’s mandate to perform regional computer network operations, signals intelligence, and political analysis of the Southeast Asian border nations, particularly those claiming disputed areas of the energy-rich South China Sea," the report noted. The group appears to be specifically interested in attacking oil and gas infrastructure and companies.
ThreatConnect and DGI said that Naikon relies on e-mail as its initial access vector, using precise social engineering to select targets and gain a foothold in their networks. Reconnaissance before an attack has included collecting targets' full names, e-mail addresses, dates of birth, interests in current events, nationalities, genders, and previous e-mail and social-network communications to and from them.
“Like other APTs, Unit 78020 leverages dynamic domain infrastructure to improve the survivability and mobility of their custom malware,” the companies said in the report. “This allows network exploitation operators to quickly shift their C2 (command and control) to new hosts without expending costly resources to refit and redeploy their malware due to a hard-coded IP address.”
Linguistic and Technical Analysis
To identify the group and link it to China's People's Liberation Army (PLA), ThreatConnect and DGI combined technical analysis of the group's tools with Chinese-language research focused in particular on a PLA officer named Ge Xing.
The companies found that the domain “greensky27.vicp.net” appeared consistently in malware unique to Naikon; the “GreenSky27” label is the handle of the entity that registered and operates the malicious domain (vicp.net is a Chinese dynamic DNS service, the kind of infrastructure described above). “Further research shows many social media accounts with the ‘GreenSky27’ username are maintained by a [People's Republic of China] national named Ge Xing,” the companies reported.
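The two technical points above, dynamic DNS as survivable C2 infrastructure and an operator handle embedded in the domain as a pivot, suggest a simple defensive check: watch DNS logs for customer hostnames under dynamic-DNS zones, record how their resolved addresses change over time, and group them by the label the operator chose. The following is an added example written for this article, not code from the CAMERASHY report or from ThreatConnect/DGI. Only vicp.net and the greensky27 label come from the text; the log format, the internal clients, the answer addresses (all from TEST-NET ranges) and the other watched zones are constructed assumptions.

```python
"""Flag dynamic-DNS C2 candidates in DNS query logs and pivot on the operator handle.

Added example; not from the CAMERASHY report. Only vicp.net and the label
greensky27 come from the article. The log format, clients, answer addresses
(TEST-NET ranges) and the extra zones below are constructed for this example.
"""
import re
from collections import defaultdict

# Dynamic-DNS zones to watch. vicp.net is the provider named in the report;
# the other zones are an assumption standing in for your own watchlist.
DYNAMIC_DNS_ZONES = ("vicp.net", "xicp.net", "gicp.net", "3322.org")

# Constructed log format: <timestamp> <client> <qname> <qtype> <answer>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>A|AAAA)\s+(?P<answer>\S+)$"
)

# Constructed sample log. Note the bare provider zone (vicp.net) and a
# sub-host (update.greensky27.vicp.net), both edge cases for the parser.
SAMPLE_LOG = """\
2015-09-24T10:01:02Z 10.0.0.5 www.example.com A 192.0.2.50
2015-09-24T10:01:09Z 10.0.0.5 greensky27.vicp.net A 203.0.113.10
2015-09-24T14:22:40Z 10.0.0.7 greensky27.vicp.net A 203.0.113.10
2015-09-25T09:03:11Z 10.0.0.5 greensky27.vicp.net A 198.51.100.77
2015-09-25T09:05:45Z 10.0.0.9 mail.example.com A 192.0.2.51
2015-09-25T11:40:00Z 10.0.0.7 vicp.net A 192.0.2.1
2015-09-25T12:00:00Z 10.0.0.9 update.greensky27.vicp.net A 198.51.100.77
this line is malformed and must be skipped
"""


def parse_query_log(text):
    """Yield one dict per well-formed log line; silently skip malformed lines."""
    for line in text.splitlines():
        match = LOG_LINE.match(line.strip())
        if match:
            yield match.groupdict()


def dynamic_dns_handle(qname):
    """Return (zone, handle) for a customer hostname under a watched zone, else None.

    The handle is the label directly left of the provider zone, so both
    greensky27.vicp.net and update.greensky27.vicp.net map to greensky27.
    A query for the bare zone (the provider's own site) is not a customer host.
    """
    name = qname.lower().rstrip(".")
    for zone in DYNAMIC_DNS_ZONES:
        if name.endswith("." + zone):
            labels = name[: -len(zone) - 1].split(".")
            return zone, labels[-1]
    return None


def find_dynamic_dns_activity(text):
    """Group flagged queries by operator handle.

    For each handle, collect the hostnames seen, the internal clients that
    queried them, and the ordered sequence of distinct answer addresses, which
    shows the operator moving C2 to a new host without changing the malware.
    """
    report = defaultdict(
        lambda: {"zone": None, "hostnames": set(), "clients": set(), "answers": []}
    )
    for rec in parse_query_log(text):
        hit = dynamic_dns_handle(rec["qname"])
        if hit is None:
            continue
        zone, handle = hit
        entry = report[handle]
        entry["zone"] = zone
        entry["hostnames"].add(rec["qname"].lower())
        entry["clients"].add(rec["client"])
        # Keep only transitions, not every repeated answer.
        if not entry["answers"] or entry["answers"][-1] != rec["answer"]:
            entry["answers"].append(rec["answer"])
    return dict(report)


if __name__ == "__main__":
    for handle, entry in find_dynamic_dns_activity(SAMPLE_LOG).items():
        print(f"handle={handle} zone={entry['zone']}")
        print(f"  hostnames: {sorted(entry['hostnames'])}")
        print(f"  clients:   {sorted(entry['clients'])}")
        print(f"  C2 moved:  {' -> '.join(entry['answers'])}")
```

The handle, not the IP address, is the durable indicator here: in the sample the operator's host resolves to two different addresses within a day, which is exactly the mobility the report describes, while the label stays fixed and can be pivoted into open-source research the way the report did with GreenSky27. In production the same grouping would run over resolver or Zeek/BIND query logs and the zone list would be your own curated dynamic-DNS watchlist.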
To arrive at their conclusions, ThreatConnect and DGI used the Diamond Model of Intrusion Analysis, an analytic framework developed under U.S. Department of Defense sponsorship, applying it to a body of technical and non-technical evidence spanning nearly five years of exploitation activity.