SecurityWeek

Cyberwarfare

Naikon Threat Group Linked to Chinese Army

Cyber threat intelligence companies ThreatConnect and Defense Group released on Thursday a joint report linking the advanced persistent threat (APT) group known as “Naikon” to a unit of the Chinese People’s Liberation Army (PLA).


Naikon, a threat actor that has been active since at least 2010, has been targeting organizations around the South China Sea in search of geopolitical intelligence. The group has focused its efforts on breaching the systems of government, military and civil organizations in countries such as Malaysia, the Philippines, Cambodia, Vietnam, Indonesia, Myanmar, Singapore, Laos and Nepal.

The activities of what later would become known as the Naikon APT came to light in 2012 when a hacktivist using the online moniker “Hardcore Charlie” published thousands of documents allegedly stolen from the systems of a Beijing-based military contractor named the China National Import & Export Corp (CEIEC). The files appeared to come from the networks of various governments and businesses in the U.S. and countries in the South China Sea region.

The group’s operations and tools were later analyzed by researchers at Trend Micro, at ThreatConnect, which noted in May 2014 that the actor’s efforts were aligned with the Chinese government’s interests, and at Kaspersky, which noted in a report published earlier this year that the members of the group were Chinese speakers.

The report published now by ThreatConnect and Defense Group covers various aspects of Naikon’s operations, including infrastructure, tools and tactics. However, researchers have focused on the connection between Naikon and one of the PLA’s technical reconnaissance bureaus (TRBs), namely the one located in the Chinese city of Kunming and known as Unit 78020.

The report has been released just as Chinese President Xi Jinping heads to Washington for summit talks with his U.S. counterpart Barack Obama on topics such as cyber theft and the South China Sea.

The intelligence gathered by ThreatConnect and Defense Group for attribution purposes focuses on a dynamic domain used by Naikon since at least 2010, namely greensky27.vicp.net.

An analysis of the IP addresses associated with this domain shows that the city of Kunming is a central hub since a majority of connections have been traced there.


This and other data collected by experts have led them to believe that the individual controlling greensky27.vicp.net is located in or near Kunming. Further analysis has revealed that this person is likely a PLA officer named Ge Xing.

One of the clues tying Ge Xing to the greensky27.vicp.net domain is the “GreenSky27” moniker. The man has utilized this username on several online platforms, including the microblogging platform QQ Weibo, forums, and social media websites.

Account information collected by researchers along with photographs posted by GreenSky27 on the Web allowed investigators to determine that Ge Xing from Kunming is behind this online moniker. Furthermore, evidence available on Chinese websites and his online profiles shows the connection between this individual and the PLA.

“He launched his career as a PLA officer by attending the PLA International Studies University in 1998. Academic papers written by Ge Xing as a graduate student specifically place him at the Kunming TRB in 2008. Photos from his GreenSky27 QQ Weibo account from 2011 to 2014 place him at the Kunming TRB headquarters compound, underscoring his ongoing connection with the PLA,” researchers wrote in their report.

After finding evidence linking Ge Xing to the PLA, experts looked for clues showing the man’s involvement in the Naikon campaigns. Researchers determined that whenever Ge’s posts on personal accounts indicated that he was traveling outside of Kunming, the greensky27.vicp.net infrastructure was either offline or parked. The domain went dormant when Ge’s child was born and when he visited a memorial hall dedicated to his family’s ancestors.
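The two attribution heuristics the article describes, a geographic hub among the IP addresses a dynamic domain resolved to, and the overlap between the domain's dormant (offline or parked) periods and the suspected operator's absences, as an added Python example that is not code from the article or from the ThreatConnect/Defense Group report. Every record below is constructed: the IP addresses are RFC 5737 documentation addresses, the IP-to-city table and the absence windows are made up, and the function names are my own.

```python
"""Added example: two passive-DNS attribution heuristics over CONSTRUCTED data.

1. Geographic hub: how many days the hostname resolved to an IP in each city.
2. Dormancy overlap: find windows where the name was parked or did not resolve,
   and measure how many of those days fall inside the operator's absences.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed resolution history for a hypothetical dynamic-DNS hostname:
# (first_seen, last_seen, ip). A gap between consecutive records means the
# name did not resolve at all (offline). IPs are RFC 5737 documentation ranges.
RESOLUTIONS = [
    (date(2013, 1, 1), date(2013, 3, 10), "203.0.113.10"),
    (date(2013, 3, 11), date(2013, 4, 20), "203.0.113.11"),
    (date(2013, 4, 21), date(2013, 5, 5), "192.0.2.1"),  # parked (placeholder IP)
    (date(2013, 5, 6), date(2013, 8, 30), "203.0.113.12"),
    # no record for 2013-08-31 .. 2013-09-14: the name was offline
    (date(2013, 9, 15), date(2013, 12, 31), "198.51.100.7"),
]
PARKING_IPS = {"192.0.2.1"}  # constructed: a dynamic-DNS provider's parking address
# Constructed IP -> city table (a real analysis would use a GeoIP database).
IP_CITY = {
    "203.0.113.10": "Kunming",
    "203.0.113.11": "Kunming",
    "203.0.113.12": "Beijing",
    "198.51.100.7": "Kunming",
}
START, END = date(2013, 1, 1), date(2013, 12, 31)
# Constructed "operator away from home" windows taken from social-media posts.
# The July window is a control: the domain stayed active, so it should add
# nothing to the overlap.
ABSENCES = [
    (date(2013, 4, 22), date(2013, 5, 3)),
    (date(2013, 7, 1), date(2013, 7, 5)),
    (date(2013, 9, 1), date(2013, 9, 12)),
]


def city_days(resolutions, ip_city, parking_ips):
    """Days the hostname resolved to a non-parking IP, totalled per city."""
    days = Counter()
    for first, last, ip in resolutions:
        if ip in parking_ips:
            continue
        days[ip_city.get(ip, "unknown")] += (last - first).days + 1
    return days


def dormant_windows(resolutions, parking_ips, start, end):
    """Windows within [start, end] where the name was parked or did not resolve."""
    windows = []
    cursor = start  # first day not yet covered by a resolution record
    for first, last, ip in sorted(resolutions):
        if first > cursor:
            windows.append((cursor, first - timedelta(days=1), "offline"))
        if ip in parking_ips:
            windows.append((first, last, "parked"))
        cursor = max(cursor, last + timedelta(days=1))
    if cursor <= end:
        windows.append((cursor, end, "offline"))
    return windows


def overlap_days(a, b):
    """Calendar days covered by both inclusive date ranges a and b."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return max(0, (hi - lo).days + 1)


def dormancy_vs_absence(dormant, absences):
    """(dormant days inside an absence window, total dormant days)."""
    total = sum((w[1] - w[0]).days + 1 for w in dormant)
    inside = sum(overlap_days(w[:2], a) for w in dormant for a in absences)
    return inside, total


def summarize():
    """Hub city plus the dormancy/absence overlap for the constructed data."""
    hub = city_days(RESOLUTIONS, IP_CITY, PARKING_IPS).most_common(1)[0][0]
    dormant = dormant_windows(RESOLUTIONS, PARKING_IPS, START, END)
    inside, total = dormancy_vs_absence(dormant, ABSENCES)
    return hub, inside, total


if __name__ == "__main__":
    print("per-city days:", dict(city_days(RESOLUTIONS, IP_CITY, PARKING_IPS)))
    for first, last, kind in dormant_windows(RESOLUTIONS, PARKING_IPS, START, END):
        print(f"{kind:8} {first} .. {last}")
    hub, inside, total = summarize()
    print(f"hub={hub}, {inside} of {total} dormant days fall inside absences")
```

The hub count is weighted by days resolved rather than by the raw number of records, so a single long-lived resolution is not outweighed by a handful of short ones. The control absence in July matters: the correlation only supports attribution if dormancy tracks the operator's absences and activity tracks their presence, so an analyst should also check for absences during which the domain stayed active, which is what that window does here.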

ThreatConnect and Defense Group also noted that activity on the domain dropped considerably in May 2014, on the day the U.S. Department of Justice announced charges against five Chinese military officers from the Army’s Unit 61398. On the same day, ThreatConnect published a report on Naikon’s activities.

In the report published this year, Kaspersky Lab pointed out that Naikon’s activities align closely with a group dubbed by FireEye “APT30.” Toni Gidwani, director of analysis and production at ThreatConnect, noted that APT30 is a different group.

“Although there appears to be some common targeting between the two APTs, there are differences between how the two register and manage their infrastructure,” Gidwani told SecurityWeek. “At this point in our research, we would not say they align closely although that certainly does not preclude the possibility of multiple China-based APTs targeting South China Sea equities.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
