Chinese Military Behind South China Sea Cyber Espionage Attacks

25 Sep 2015

Asia-focussed Chinese PLA hacking crew surfaces.

ThreatConnect and Defense Group Inc. (DGI) point the finger at Ge Xing—a member of PLA Unit 78020—whose Internet activity links him to cyber attacks against Southeast Asian targets. “Along with DGI, we followed widely available and public evidence for several months not knowing where it would lead us,” ThreatConnect CEO Adam Vincent said in a statement. It is growing far more difficult for China’s leaders to deny that a computer hacking campaign against U.S. business and interests has ties to China’s government. “Cyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions,” China president Xi Jinping told the Wall Street Journal in a written interview before his visit to the U.S. this week.

A cybersecurity analytics firm believes that a Chinese cyber espionage campaign focused on the South China Sea has also affected regional energy companies. Kunming-based Unit 78020 of the People’s Liberation Army (PLA) specialises in hacking Southeast Asian military, diplomatic, and economic targets, according to new research by security intelligence firm ThreatConnect. The group sends legitimate-looking emails to unsuspecting victims, who inadvertently infect their computers with malware and open the door to criminals hunting for sensitive information. In the past, Naikon has used a U.N. vote on nuclear proliferation and disarmament, the missing Malaysian Airlines MH730 flight, and construction on the Philippines’ Raytheon-built National Coast Watch Center as decoy content.

For nearly five years, PLA Unit 78020 used an array of global midpoint infrastructure to proxy the command and control of customized malware variants embedded within malicious attachments or document exploits. Targets of the PLA’s campaign have included the governments of Cambodia, Indonesia, Laos, Malaysia, Nepal, the Philippines, Singapore, Thailand and Vietnam, as well as international organizations such as the United Nations Development Programme and the Association of Southeast Asian Nations.

The C&C domain “greensky27.vicp[.]net” consistently appeared within unique Naikon malware, where the moniker “greensky27” is the personification of the entity who owns and operates the malicious domain. ThreatConnect believes that regional energy companies have also been affected, given Unit 78020’s capabilities and infrastructure, the themes and naming conventions observed in its campaigns, and observations from others in the industry, Rich Barger, CIO and co-founder of ThreatConnect, told Rigzone in an email statement. “But, this is bigger than just one advanced persistent group or one regional campaign,” Barger explained. “Many APTs are targeting oil and gas companies as well as their supply chain.” Those companies want to tap into the growing Chinese technology market, and the government there is using its leverage to get them to support the stringent Internet controls imposed by the Chinese government. Further research shows that many social media accounts with the “greensky27” username are maintained by a People’s Republic of China (PRC) national named Ge Xing (葛星), who is physically located in Kunming.

According to a New York Times report last week, a letter sent to American technology companies this summer said that China would ask American firms to store Chinese user data in China. Ge Xing, aka “GreenSky27”, has been identified as a member of the PLA specializing in Southeast Asian politics, specifically Thailand, according to ThreatConnect. The strategic implications for the United States include not only military alliances and security partnerships in the region, but also risks to a major artery of international commerce through which trillions of dollars in global trade traverse annually.

China also reportedly asked that U.S.-built software and devices sold in China be “secure and controllable,” which likely means the Chinese would want backdoor access to these products, or access to private encryption keys. The study combines a “data-driven statistical analysis of malicious infrastructure on the internet” with a “human-focused view into the social media activities of the adversary” to arrive at its conclusions, using a methodology explained in greater depth in the full report. Xi was just at Microsoft headquarters in Redmond, where he also met with tech leaders like Mark Zuckerberg, Tim Cook, Jeff Bezos, IBM’s Virginia Rometty, and Alibaba chief Jack Ma. Almost five years of exploitation activity were assessed, but ThreatConnect is careful to say that the report is “one chapter of a larger story” and by no means a comprehensive listing of all malware and infrastructure leveraged by Naikon globally.

In 2013, Mandiant traced a prolific group of computer hackers to PLA Unit 61398, an APT group that stole hundreds of terabytes of data from at least 141 organizations worldwide. Given that businesses worldwide are being impacted, both ThreatConnect and DGI felt they had a responsibility to inform their global user base about their findings.

In addition to the report, ThreatConnect has released technical indicators it has associated with Naikon activity within the ThreatConnect Common Community. The release of the report to the public also helps demonstrate ThreatConnect’s commitment to the ideal of sharing threat intelligence and to providing an industry-recognized platform that allows others to aggregate, analyze, and act against common threats.

Like most APT groups, they craft tailored spear phishing messages to infiltrate organizations, in this case a Word or Office document carrying an exploit for CVE-2012-0158, a long-standing favorite of APT groups. The institution is one of China’s principal centers for electronic intelligence, where professors train junior officers to serve in operations throughout China, says Mark Stokes of the Project 2049 Institute, a think tank in Washington.

The exploit installs a remote administration tool, or RAT, on the compromised machine that opens a backdoor through which stolen data is moved out and additional malware and instructions can be moved in. China will likely continue with this policy and these operations, but its dismissal of allegations will become harder to defend, given that one of its own, Ge Xing, unwittingly provided incriminating evidence. “When you bring in a regional, cultural and even language aspect to it, you can derive more context that gets folded over and over into the technical findings and continues to refine additional meaning that we can apply to the broader group itself.” The report also highlights a number of operational security mistakes Ge made that inadvertently gave him away, such as using the same handle within the group’s infrastructure and even embedding certain names in families of malware attributed to the group.

Besides its land reclamation efforts in Asia, China also is believed to be the source of recent cyberattacks against U.S. commercial targets, Reuters reported Sept. 1.
