Cyber threat intelligence companies ThreatConnect and Defense Group released on Thursday a joint report linking the advanced persistent threat (APT) group known as “Naikon” to a unit of the Chinese People’s Liberation Army (PLA).
Naikon, a threat actor that has been active since at least 2010, has been targeting organizations around the South China Sea in search of geopolitical intelligence. The group has focused its efforts on breaching the systems of government, military and civil organizations in countries such as Malaysia, the Philippines, Cambodia, Vietnam, Indonesia, Myanmar, Singapore, Laos and Nepal.
The activities of what later would become known as the Naikon APT came to light in 2012 when a hacktivist using the online moniker “Hardcore Charlie” published thousands of documents allegedly stolen from the systems of a Beijing-based military contractor named the China National Import & Export Corp (CEIEC). The files appeared to come from the networks of various governments and businesses in the U.S. and countries in the South China Sea region.
The group’s operations and tools were later analyzed by researchers at Trend Micro; at ThreatConnect, which in May 2014 noted that the actor’s efforts were aligned with the Chinese government’s interests; and at Kaspersky, which noted in a report published earlier this year that the members of the group were Chinese speakers.
The report published now by ThreatConnect and Defense Group covers various aspects of Naikon’s operations, including infrastructure, tools and tactics. However, the researchers have focused on the connection between Naikon and one of the PLA’s technical reconnaissance bureaus (TRBs), namely the one located in the Chinese city of Kunming and known as Unit 78020.
The report has been released just as Chinese President Xi Jinping heads to Washington for summit talks with his U.S. counterpart Barack Obama on topics such as cyber theft and the South China Sea.
The intelligence gathered by ThreatConnect and Defense Group for attribution purposes focuses on a dynamic domain used by Naikon since at least 2010, namely greensky27.vicp.net.
An analysis of the IP addresses associated with this domain shows that the city of Kunming is a central hub, since a majority of the connections have been traced there.
This and other data collected by the experts have led them to believe that the individual controlling greensky27.vicp.net is located in or near Kunming. Further analysis has revealed that this person is likely a PLA officer named Ge Xing.
One of the clues tying Ge Xing to the greensky27.vicp.net domain is the “GreenSky27” moniker. The man has utilized this username on several online platforms, including the microblogging platform QQ Weibo, forums, and social media websites.
Account information collected by researchers along with photographs posted by GreenSky27 on the Web allowed investigators to determine that Ge Xing from Kunming is behind this online moniker. Furthermore, evidence available on Chinese websites and his online profiles shows the connection between this individual and the PLA.
“He launched his career as a PLA officer by attending the PLA International Studies University in 1998. Academic papers written by Ge Xing as a graduate student specifically place him at the Kunming TRB in 2008. Photos from his GreenSky27 QQ Weibo account from 2011 to 2014 place him at the Kunming TRB headquarters compound, underscoring his ongoing connection with the PLA,” researchers wrote in their report.
After finding evidence linking Ge Xing to the PLA, experts looked for clues showing the man’s involvement in the Naikon campaigns. Researchers determined that whenever Ge’s posts on personal accounts indicated that he was traveling outside of Kunming, the greensky27.vicp.net infrastructure was either offline or parked. The domain went dormant when Ge’s child was born and when he visited a memorial hall dedicated to his family’s ancestors.
ThreatConnect and Defense Group also noted that activity on the domain dropped considerably in May 2014, when the U.S. Department of Justice announced charges against five Chinese military officers from the PLA’s Unit 61398. On the same day, ThreatConnect published a report on Naikon’s activities.
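The two analytic steps the article describes, clustering a dynamic DNS hostname’s resolution history by geography to find its hub, and checking whether the domain was parked or offline on dates tied to the suspected operator, can be reproduced on any passive DNS dataset. The script below is an added example written for this article, not code from ThreatConnect, Defense Group or the report; every record, IP address, city mapping and event date in it is constructed (RFC 5737 documentation ranges stand in for real addresses), and the rule that a loopback or unspecified resolution means "parked" is an assumption about how dynamic DNS providers represent inactive hosts.

```python
"""
Passive-DNS hub and dormancy analysis (added example, constructed data).

Input: a resolution history for one hostname as (first_seen, last_seen, ip)
tuples, plus an IP-to-city lookup standing in for a geolocation database.
Output: which city the hostname resolved into most often, the windows in
which it was parked or had no resolution, and whether analyst-supplied
dated events fall inside those windows.
"""
from collections import Counter
from datetime import date, timedelta
from ipaddress import ip_address

# Constructed resolution history. The parked period is represented by a
# loopback address (an assumption about the provider's parked behaviour);
# the gap between 2014-06-02 and 2014-06-10 represents no resolution at all.
RESOLUTIONS = [
    (date(2014, 1, 5),  date(2014, 2, 10), "192.0.2.10"),
    (date(2014, 2, 11), date(2014, 3, 1),  "192.0.2.20"),
    (date(2014, 3, 2),  date(2014, 3, 20), "198.51.100.5"),
    (date(2014, 3, 21), date(2014, 4, 30), "192.0.2.30"),
    (date(2014, 5, 1),  date(2014, 5, 18), "192.0.2.10"),
    (date(2014, 5, 19), date(2014, 6, 2),  "127.0.0.1"),    # parked
    (date(2014, 6, 10), date(2014, 7, 15), "203.0.113.7"),
]

# Constructed IP-to-city lookup; a real analysis would query a geolocation
# database or ASN data here.
CITY_BY_IP = {
    "192.0.2.10": "Kunming",
    "192.0.2.20": "Kunming",
    "192.0.2.30": "Kunming",
    "198.51.100.5": "Shenzhen",
    "203.0.113.7": "Kunming",
}


def is_parked(ip: str) -> bool:
    """Treat loopback (127.0.0.1) or unspecified (0.0.0.0) as a parked host."""
    addr = ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def active_days_by_city(records):
    """Count the days the hostname resolved into each city, ignoring parked spans."""
    counts = Counter()
    for first, last, ip in records:
        if is_parked(ip):
            continue
        counts[CITY_BY_IP.get(ip, "unknown")] += (last - first).days + 1
    return counts


def hub_city(records):
    """The city with the most active resolution days, or None if nothing active."""
    counts = active_days_by_city(records)
    return counts.most_common(1)[0][0] if counts else None


def dormant_windows(records):
    """(start, end) windows in which the host was parked or had no resolution."""
    windows = []
    ordered = sorted(records)
    for i, (first, last, ip) in enumerate(ordered):
        if is_parked(ip):
            windows.append((first, last))
        if i + 1 < len(ordered):
            gap_start = last + timedelta(days=1)
            next_first = ordered[i + 1][0]
            if next_first > gap_start:
                windows.append((gap_start, next_first - timedelta(days=1)))
    return windows


def events_during_dormancy(records, events):
    """Map each (date, label) event to whether it fell inside a dormant window."""
    windows = dormant_windows(records)
    return {label: any(s <= d <= e for s, e in windows) for d, label in events}


# Constructed events to test against the timeline.
EVENTS = [
    (date(2014, 5, 25), "operator travel (constructed)"),
    (date(2014, 6, 5),  "family event (constructed)"),
    (date(2014, 3, 10), "control date (constructed)"),
]

if __name__ == "__main__":
    print("hub city:", hub_city(RESOLUTIONS))
    print("active days:", dict(active_days_by_city(RESOLUTIONS)))
    print("dormant windows:", dormant_windows(RESOLUTIONS))
    print("events in dormancy:", events_during_dormancy(RESOLUTIONS, EVENTS))
```

The control date matters: a correlation between dormancy and the operator’s personal timeline is only persuasive if dates unrelated to that timeline do not also land in dormant windows, so an analyst should feed in as many unrelated dates as related ones and compare the hit rates rather than report matches alone.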
In the report published this year, Kaspersky Lab pointed out that Naikon’s activities align closely with a group dubbed by FireEye “APT30.” Toni Gidwani, director of analysis and production at ThreatConnect, noted that APT30 is a different group.
“Although there appears to be some common targeting between the two APTs, there are differences between how the two register and manage their infrastructure,” Gidwani told SecurityWeek. “At this point in our research, we would not say they align closely although that certainly does not preclude the possibility of multiple China-based APTs targeting South China Sea equities.”