A Chinese officer responsible for some of his government’s cyberattacks may be out of a job after American researchers reportedly found his social media accounts this week.

The report, issued by analysts at ThreatConnect, traces an advanced persistent threat group called “Naikon” back to Unit 78020 of the Chinese People’s Liberation Army, in part because of the officer’s carelessness. The group’s targets have included a number of Southeast Asian countries over the past five years, in addition to the United Nations.
The researchers found that malware used by the group connected to the command-and-control domain "greensky27.vicp.net," registered with a Chinese dynamic DNS service. By searching for "Greensky27," they were able to locate an array of social media accounts held by a PLA officer named Ge Xing. Those accounts included photos of his car, license plate, newborn child and Ge riding his bicycle, in addition to his educational history, which included graduating from the PLA International Studies University in 1998.
By collecting details of events in his personal life over several years, the researchers found a pattern in the attacks: when Ge was away and posting pictures of trips and vacations, activity from the group's infrastructure dipped.
While "Greensky27" was asking a forum for baby name suggestions, the researchers noted, there was an eight-day gap in the group's activity. When Ge was posting pictures of his trip to the Ge family's ancestral memorial hall, there was a similar lull. ("Returning home to pay respect to the ancestors, this ancestral memorial hall is not bad," his photo caption read.) When he posted pictures of a trip to the countryside, there was a four-day gap.
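The overlay the researchers describe, an operator's dated personal events laid against the activity of the infrastructure he runs, is simple to reproduce as a script. The example below is added here and is not ThreatConnect's code or data: the activity dates and event windows are constructed to show the method, with an eight-day and a four-day idle stretch built in, and a one-day lull that falls below the threshold.

```python
from datetime import date, timedelta

# Constructed sample data (not ThreatConnect's data): days on which the
# group's command-and-control infrastructure was observed active, here a
# month of daily activity with three idle stretches built in.
_IDLE_DAYS = set(range(10, 18)) | {20} | set(range(24, 28))
ACTIVITY_DATES = [
    date(2014, 6, d) for d in range(1, 31) if d not in _IDLE_DAYS
]

# Constructed personal-event windows, as they might be reconstructed from
# an operator's dated social media posts: name -> (first day, last day).
PERSONAL_EVENTS = {
    "car photo posted": (date(2014, 6, 5), date(2014, 6, 5)),
    "baby-name forum thread": (date(2014, 6, 11), date(2014, 6, 15)),
    "countryside trip": (date(2014, 6, 25), date(2014, 6, 26)),
}


def activity_gaps(dates, min_days):
    """Return (first_idle_day, last_idle_day, length) for every stretch of
    at least min_days consecutive days with no observed activity."""
    ordered = sorted(set(dates))
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:]):
        idle = (nxt - prev).days - 1  # whole days strictly between the two
        if idle >= min_days:
            gaps.append((prev + timedelta(days=1),
                         nxt - timedelta(days=1), idle))
    return gaps


def overlapping_events(gap, events):
    """Names of personal events whose window intersects the idle stretch."""
    gap_start, gap_end, _ = gap
    return [name for name, (start, end) in events.items()
            if start <= gap_end and end >= gap_start]


def correlate(dates, events, min_days=3):
    """Pair each idle stretch with the personal events that overlap it."""
    return [(gap, overlapping_events(gap, events))
            for gap in activity_gaps(dates, min_days)]


def explained_fraction(dates, events, min_days=3):
    """Share of idle stretches that coincide with at least one known event;
    a rough sanity check that the lulls are not just weekends or noise."""
    pairs = correlate(dates, events, min_days)
    if not pairs:
        return 0.0
    return sum(1 for _, names in pairs if names) / len(pairs)


if __name__ == "__main__":
    for (start, end, length), names in correlate(ACTIVITY_DATES, PERSONAL_EVENTS):
        print(f"{start} to {end}: {length} idle days; "
              f"overlaps {names or 'nothing known'}")
    print(f"idle stretches explained by known events: "
          f"{explained_fraction(ACTIVITY_DATES, PERSONAL_EVENTS):.0%}")
```

On real data the activity series would come from passive DNS resolutions, sinkhole hits or beacon logs for the domain, and the threshold should be set above the group's normal weekend or holiday lulls; a few coincidences between gaps and posts are suggestive, not proof, which is why the report treats this as one strand of evidence alongside the handle, the infrastructure and the unit's location.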
ThreatConnect called its discoveries "a small shard in the tip of the Naikon iceberg." The researchers also pointed out that others could learn from their findings by noticing "how a relatively small set of initial indicators can (with the right platform and processes) be developed into a much larger body of intelligence."
The Naikon group was first identified by Kaspersky Lab in May. Its victims have included targets in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand and Vietnam, as well as the United Nations and the Association of Southeast Asian Nations.