Cybersecurity Researchers Link Hackers to Chinese Military
By Jef Cozza / CRM Daily
A new report by cybersecurity company ThreatConnect and open source intelligence company Defense Group Inc. (DGI) has linked a hacker collective known as “Naikon” with the Chinese military. The “Project CAMERASHY: Closing the Aperture on China’s Unit 78020” report documents China's efforts to spy on foreign governments, corporations, and military forces that it sees as threats.

The Naikon Advanced Persistent Threat group is part of China’s infamous Unit 78020, which has been linked with a number of different cyberattacks in the past, according to the report. The unit has been operating for almost five years, often targeting U.S. companies and partners through the use of malware attacks, spear phishing, and malicious attachments.

Reliance on E-Mail Attacks

Naikon was first identified in April 2012, when ShadowServer, a volunteer group of professional Internet security workers that gathers, tracks and reports on malware, botnet activity and electronic fraud, identified a then-unnamed group using a combination of spear-phishing lures obtained from the Hardcore Charlie data dump. (Hardcore Charlie, a hacker affiliated with the hacktivist group Anonymous, claimed to have broken into the IT systems of a Chinese military contractor and exposed documents related to the U.S. war effort in Afghanistan.)

The hacker collective gained mainstream awareness in June 2013 when TrendMicro published a detailed analysis of Naikon’s Rarstone malware.

"Naikon APT supports Unit 78020’s mandate to perform regional computer network operations, signals intelligence, and political analysis of the Southeast Asian border nations, particularly those claiming disputed areas of the energy-rich South China Sea," the report noted. The group appears to be specifically interested in attacking oil and gas infrastructure and companies.

ThreatConnect and DGI said that the Naikon APT relies on e-mail as its attack vector, combined with careful social engineering to select the people through whom it can enter a target network. Data collected on prospective targets before an attack has included full names, e-mail addresses, dates of birth, interests in current events, nationalities, genders, and previous e-mail and social network communications to and from the targets.

“Like other APTs, Unit 78020 leverages dynamic domain infrastructure to improve the survivability and mobility of their custom malware,” the companies said in the report. “This allows network exploitation operators to quickly shift their C2 (command and control) to new hosts without expending costly resources to refit and redeploy their malware due to a hard-coded IP address.”
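The quote above describes why dynamic-DNS hostnames are attractive for C2: the operator re-points the name rather than rebuilding malware with a new hard-coded IP. From the defender's side, that same behaviour is visible in resolver logs as a host under a dynamic-DNS provider whose answer keeps changing while the same internal client keeps asking for it. The following is an added example written for this page, not code from the ThreatConnect/DGI report or from any Naikon sample; the provider list, the log format and the log lines are all constructed for illustration, and `DYNAMIC_DNS_APEX` stands in for whatever list of dynamic-DNS apex domains an analyst actually maintains.

```python
"""Flag resolver-log queries that fit the dynamic-DNS C2 pattern.

Added example, not from the ThreatConnect/DGI report. The provider list,
log format and sample log lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical dynamic-DNS apex domains an analyst maintains (assumption).
DYNAMIC_DNS_APEX = {"dyn-example.net", "ddns-example.org"}

# Constructed resolver log: "<iso timestamp> <client_ip> <qname> <answer_ip>".
# One client asks for the same dynamic-DNS host daily while its answer moves.
SAMPLE_LOG = """\
2015-03-01T08:00:01 10.1.4.22 updates.corp-example.com 93.184.216.34
2015-03-01T08:00:09 10.1.4.22 mail.ddns-example.org 203.0.113.10
2015-03-02T08:00:07 10.1.4.22 mail.ddns-example.org 203.0.113.10
2015-03-03T08:00:12 10.1.4.22 mail.ddns-example.org 198.51.100.77
2015-03-04T08:00:04 10.1.4.22 mail.ddns-example.org 192.0.2.200
2015-03-01T09:15:00 10.1.4.23 www.corp-example.com 93.184.216.34
"""


def parse_line(line):
    """Split one constructed log line into (datetime, client, qname, answer)."""
    ts, client, qname, answer = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), answer


def apex_of(qname):
    """Last two labels of the name. Enough for the sample apexes above; a real
    deployment would consult the Public Suffix List instead (assumption)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def is_dynamic_dns(qname):
    return apex_of(qname) in DYNAMIC_DNS_APEX


def analyze(log_text, churn_threshold=2):
    """Return {qname: report} for every query to a dynamic-DNS host.

    report = {"clients":    set of internal clients that queried it,
              "answers":    distinct answer IPs in the order they appeared,
              "churn":      how many times the answer changed,
              "beaconing":  True if one client queried it on 3+ distinct days,
              "suspicious": True if churn >= churn_threshold}
    """
    history = defaultdict(list)  # qname -> [(ts, client, answer)]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, qname, answer = parse_line(raw)
        if is_dynamic_dns(qname):
            history[qname].append((ts, client, answer))

    reports = {}
    for qname, events in history.items():
        events.sort()  # chronological, so consecutive-answer changes are real moves
        answers = []
        for _, _, ip in events:
            if not answers or answers[-1] != ip:
                answers.append(ip)
        churn = len(answers) - 1
        days_by_client = defaultdict(set)
        for ts, client, _ in events:
            days_by_client[client].add(ts.date())
        reports[qname] = {
            "clients": {client for _, client, _ in events},
            "answers": answers,
            "churn": churn,
            "beaconing": any(len(d) >= 3 for d in days_by_client.values()),
            "suspicious": churn >= churn_threshold,
        }
    return reports


if __name__ == "__main__":
    for name, rep in analyze(SAMPLE_LOG).items():
        print(name, rep)
```

Two caveats a practitioner should keep in mind: a low-churn dynamic-DNS host is not innocent (an operator who never had to move stays on one IP), so `churn` is a prioritisation signal rather than a verdict, and the naive `apex_of` will misclassify multi-label public suffixes such as `co.uk`; the Public Suffix List fixes that.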

Linguistic and Technical Analysis

To positively identify the group and link it to China’s People’s Liberation Army (PLA), ThreatConnect and DGI combined technical analysis of the tools used by the group with Chinese language research focused in particular on a PLA officer named Ge Xing.

The companies found that the domain “” consistently appeared within unique Naikon malware, where the moniker “GreenSky27” is the personification of the entity that owns and operates the malicious domain. “Further research shows many social media accounts with the ‘GreenSky27’ username are maintained by a [People's Republic of China] national named Ge Xing,” the companies reported.

To arrive at their conclusions, ThreatConnect and DGI used the Diamond Model for Intrusion Analysis developed by the U.S. Department of Defense, applying it to a body of technical and non-technical evidence spanning nearly five years of exploitation activity.

© Copyright 2018 NewsFactor Network. All rights reserved.