23 September 2015

Camerashy: Closing the Aperture on China’s Unit 78020

Camerashy: Closing the Aperture on China’s Unit 78020 (ThreatConnect Inc. and Defense Group Inc., 2015).

Read an overview of the report in the Wall Street Journal.

ThreatConnect Inc. and Defense Group Inc. (DGI) have partnered to share threat intelligence pertaining to the Advanced Persistent Threat (APT) group commonly known as “Naikon” within the information security industry. Our partnership facilitates unprecedented depth of coverage of the organization behind the Naikon APT by fusing technical analysis with Chinese language research and expertise. The result is a meticulously documented case against the Chinese entity targeting government and commercial interests in South Asia, Southeast Asia, and the South China Sea.

ThreatConnect® is an enterprise solution that bridges incident response, defense, and threat analysis. Our premier cyber Threat Intelligence Platform allows global organizations to effectively manage the massive amounts of threat information that come in daily. Organizations are able to move proactively against threats using ThreatConnect to increase productivity and deliver dynamic knowledge management, high-context indicators, and automated responses. More than 5,000 users and organizations worldwide across industries, ranging in size from small businesses through the enterprise, turn to ThreatConnect to make intelligent decisions for their cyber security.

Led by Dr. James Mulvenon, one of the leading experts on Chinese cyber and espionage issues in the United States, DGI’s Center for Intelligence Research and Analysis (CIRA) is a premier open source exploitation organization with a particular focus on foreign cyber intelligence. CIRA is staffed by a mix of more than fifty highly trained linguist analysts who have native or near-native fluency in Chinese, Russian, and Farsi, as well as a dozen additional languages; technologists who are expert in building state-of-the-art misattributable collection architectures and analytic tools needed to process the immense quantities of foreign open source data now available; and methodologists who develop innovative approaches to solving tough analytic challenges. BLUE HERON is CIRA’s new commercial cyber intelligence product line, offering strategic cyber intelligence, critical indications and warning of foreign cyber intrusion planning, and detailed enumeration of your adversaries and their tactics, techniques, and procedures.

Executive Summary

ThreatConnect®, in partnership with Defense Group Inc., has attributed targeted cyber espionage infrastructure activity associated with the “Naikon” Advanced Persistent Threat (APT) group to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). This assessment is based on technical analysis of Naikon threat activity and native language research on a PLA officer within Unit 78020 named Ge Xing.

For nearly five years, Unit 78020 has used an array of global midpoint infrastructure to proxy the command and control of customized malware variants embedded within malicious attachments or document exploits. These malicious attachments are operationalized within spear phishing campaigns that establish beachheads into target organizations, facilitating follow-on exploitation activities.

Unit 78020 conducts cyber espionage against Southeast Asian military, diplomatic, and economic targets. The targets include government entities in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand, and Vietnam, as well as international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).

We assess Unit 78020’s focus is the disputed, resource-rich South China Sea, where China’s increasingly aggressive assertion of its territorial claims has been accompanied by high-tempo intelligence gathering. The strategic implications for the United States include not only military alliances and security partnerships in the region, but also risks to a major artery of international commerce through which trillions of dollars in global trade traverse annually.

This report applies the Department of Defense-derived Diamond Model for Intrusion Analysis to a body of technical and non-technical evidence to understand relationships across complex data points spanning nearly five years of exploitation activity. The Diamond Model is an approach to analyzing network intrusion events. The model gets its name and shape from the four core interconnected elements that comprise any event – adversary, infrastructure, capability, and victim. Thus, analyzing security incidents – from a single intrusion up to a full campaign – essentially involves piecing together the diamond using elements of information collected about these four facets to understand the threat in its full and proper context over time. …
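The following is an added illustration, not code from the report or from ThreatConnect or DGI, of how the Diamond Model's four facets can be used to piece a campaign together: each intrusion event records its adversary (often unknown at first), infrastructure, capability, and victim, and events are linked into clusters whenever they share an infrastructure or capability value, so that an adversary label supported for one event can be carried across the cluster. Every domain, sample label, victim name, and adversary label in the sample data is a constructed placeholder; the facet names are the model's, the function names are assumptions made for this example.

```python
"""Added example: linking intrusion events across Diamond Model facets.

All sample values below are constructed placeholders (".invalid" domains,
"sample-" prefixes); none is an indicator or target from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described by the four Diamond Model facets."""
    event_id: str
    victim: str                      # targeted organization
    infrastructure: FrozenSet[str]   # e.g. C2 / midpoint domains or addresses
    capability: FrozenSet[str]       # e.g. malware sample or exploit labels
    adversary: Optional[str] = None  # set only once attribution is supported


def link_events(events: List[DiamondEvent],
                pivot_facets: Tuple[str, ...] = ("infrastructure", "capability")
                ) -> List[Set[str]]:
    """Cluster events into campaigns with a union-find over shared facet values.

    Two events land in the same cluster if they share any value in one of the
    pivot facets (a common C2 domain, the same malware sample, ...). Clusters
    are returned sorted by their smallest event id for deterministic output.
    """
    parent: Dict[str, str] = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # First event seen with each (facet, value) pair; later matches are merged into it.
    first_seen: Dict[Tuple[str, str], str] = {}
    for e in events:
        for facet in pivot_facets:
            for value in getattr(e, facet):
                key = (facet, value)
                if key in first_seen:
                    union(first_seen[key], e.event_id)
                else:
                    first_seen[key] = e.event_id

    clusters: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        clusters[find(e.event_id)].add(e.event_id)
    return sorted(clusters.values(), key=min)


def propagate_attribution(events: List[DiamondEvent]) -> Dict[str, Optional[str]]:
    """Carry an adversary label across a cluster only when it is unambiguous.

    A cluster with exactly one adversary label assigns it to every member;
    a cluster with none, or with conflicting labels, leaves members as None
    so that conflicting evidence is surfaced rather than silently merged.
    """
    by_id = {e.event_id: e for e in events}
    result: Dict[str, Optional[str]] = {}
    for cluster in link_events(events):
        labels = {by_id[i].adversary for i in cluster if by_id[i].adversary}
        label = next(iter(labels)) if len(labels) == 1 else None
        for i in cluster:
            result[i] = label
    return result


def victims_of(events: List[DiamondEvent], cluster: Set[str]) -> Set[str]:
    """Victim facet of a cluster: the targeting footprint of one campaign."""
    return {e.victim for e in events if e.event_id in cluster}


# Constructed sample events: e1-e2 share a C2 domain, e2-e3 share a sample
# label, e4 overlaps with nothing. Only e3 carries an adversary label.
SAMPLE_EVENTS = [
    DiamondEvent("e1", "sample-ministry-A", frozenset({"c2-a.invalid"}),
                 frozenset({"sample-malware-X"})),
    DiamondEvent("e2", "sample-ministry-B", frozenset({"c2-a.invalid", "c2-b.invalid"}),
                 frozenset({"sample-malware-Y"})),
    DiamondEvent("e3", "sample-ngo-C", frozenset({"c2-c.invalid"}),
                 frozenset({"sample-malware-Y"}), adversary="adversary-placeholder-1"),
    DiamondEvent("e4", "sample-company-D", frozenset({"c2-d.invalid"}),
                 frozenset({"sample-malware-Z"})),
]

if __name__ == "__main__":
    for cluster in link_events(SAMPLE_EVENTS):
        print(sorted(cluster), "->", sorted(victims_of(SAMPLE_EVENTS, cluster)))
    print(propagate_attribution(SAMPLE_EVENTS))
```

Pivoting on infrastructure and capability is what the model calls building out the diamond from the facets an analyst can observe; the attribution step deliberately refuses to label a cluster that carries conflicting adversary evidence, which is the point at which a real analysis would go back to the non-technical sources rather than let the data structure decide.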