Saturday, August 27, 2016

Chinese military hacker accidentally outs himself in blog posts



10 Jun 2014

A US cyber security firm has fingered yet another Chinese military branch as being the culprit behind a wide ranging hacking program targeting US industry.
According to Crowdstrike's report, Shanghai-based Unit 61486 of the People's Liberation Army 12th bureau has been spying on US government agencies and defence contractors for the past seven years, including those from the technology, space, aerospace and communications sectors. The assault team -- nicknamed Putter Panda -- used applications like Adobe Reader and Microsoft Office to deploy malware hidden in email links.

Some of the work was linked to a Chen Ping, who identified himself as a soldier on his personal blog, and images he posted online titled "office" depict the Shanghai military HQ, reports Reuters.

It seems rather bizarre though, that a government agent given the responsibility to hack for his country would be frankly stupid enough to post that kind of identifiable information online. It's perhaps even more bizarre that his colleagues would not have already spotted it, taken it down and reprimanded the "soldier" at some point in the past seven years.

"This actually happens all the time," Crowdstrike CTO and cofounder Dmitri Alperovitch told Wired.co.uk. "The number of times soldiers in Afghanistan publicise missions on night raids and things like that on Facebook... we're living in a generation where young kids in the military, either in China or Britain, grew up with these technologies and want to share with friends and families."
Ping, AKA cpyy, didn't publicise that he worked for the 12th bureau, said Alperovitch, but there was enough of a trail online to help join the dots. Ping spoke about his life experiences in the military and even posted a picture of where he worked, which the Crowdstrike team identified. "It confirmed our hypothesis that this is the 12th bureau because of that unit's satellite and communications technology mission."
Adam Meyers, VP of Intelligence, explains: "We have a pretty comprehensive overview of how the PLA's structured in the backend -- and the 12th bureau has a functional mission focussed on satellite communication technologies. Together with the technical information, intelligence and linguistic analysis, we started drawing the lines."
In one of Ping's photos posted online, he actually had a hat tucked away in a corner of his dormitory that Crowdstrike's image analysis revealed was a standard issue PLA officer's hat.
The kicker had to be the historical registration of one of the domains used for the malware call out -- Ping had actually used the physical location of his work address. "Literally as soon as you put it in Google Maps, it takes you to the 12th bureau HQ," says Meyers. "People think nobody is surely this stupid so it must be deliberate -- but I always go with the passive stupidity on these things. This guy isn't the most elite cyber hacker in all of China. He's a 27-year-old who's got some skills, is working for the Chinese military and ended up in this unit. He's going to make mistakes and unfortunately for him the internet is a pretty unfair place -- leave something for five minutes on a domain registration and we'll be able to exploit that data and track it back."
When Wired.co.uk asks if there's any possibility someone could have crafted the trail to look as though it came from within the military, Meyers says the level of complexity would have to mean "an evil genius" was behind it all.
Earlier this year US security company Mandiant released a report detailing how Unit 61398 of the People's Liberation Army was responsible for attacking at least 141 organisations across the world to steal insiders' secrets. Some of those organisations were national networks like the United States Steel Corporation, and last month the country's Justice Department finally reacted by indicting five members of the Chinese military. The Chinese government was naturally horrified by the move, particularly in light of the Snowden revelations that showed how the NSA spied on corporations around the globe (allegedly for "national security" purposes -- though many countries feel trade secrets were the target here). "The so-called evidence reminds me of the Iraqi war early this century," Geng Yansheng, spokesman for the Ministry of National Defense, said in a combative statement at the time. "The United States claimed that it had sufficient proof of Iraq's weapons of mass destruction. However, more than a decade on, there is still no evidence of them before the international community, just an enormous war and tragedy for the Iraqi people."
The spokesman continued, aiming squarely at programmes like NSA's Prism, designed to extract huge amounts of surveillance data from companies and civilians: "The US side is not qualified to finger point at others while its own notorious misbehaviour stands uncorrected." "Whenever the US armed forces want to enlarge their cyberspace force, it hypes the cyber threat from other countries as a pretext for its development of offensive force. The indictment is long premeditated and ill-intentioned."
Alperovitch could not disagree more. When Wired.co.uk asked how the company felt about China's suggestions that US complaints over cyber espionage are hugely hypocritical, he responded: "You have to look at motivation -- in the US it's for the purposes of national security. What is different about this case, is that the reason China is doing this is not just for purposes of collecting intelligence -- in addition they are focusing on an economic sphere by enabling private industry to receive these stolen goods from western countries. If the US is looking at a company they may be doing operations for the purpose of informing policy makers, but they don't benefit private industry." "You can see this with the Justice Department laying out its case -- the brief included major minerals and nuclear energy companies in China. It's a clear case where they are hacking to steal intellectual property to give companies the upper hand -- something the US does not do. The US may have hacked companies, but there's no evidence they went to Exxon or Chevron and gave that information to them. It's not something the US government ever does."
Wired.co.uk may have grown a little cynical in the last 12 months, post-Snowden, but the definitive nature of that statement sounds a little too hopeful. After all, if a member of the military of one of the most stringently controlled countries on this Earth can stray into "passive stupidity", couldn't a US agent also? And given the close ties between policy makers and lobbying groups that fight for industry on a daily basis in Washington, it doesn't seem all that far-fetched that information would be passed on by a member of the intelligence services with clearance.
According to Alperovitch, the idea behind releasing the Crowdstrike report now was to show that far from the Justice Department indictment being based on inaccurate information, it in fact didn't show the scope and depth of the cyber assault. "We wanted to highlight that this is not just five individuals -- it's a much more sophisticated system coming from China."
Crowdstrike does not just target Chinese hackers -- the company published another report in January blaming the Russian government for a spy assault on European, American and Asian businesses, and Alperovitch says it's keeping its eyes on players in Iran and Korea as well.
The company says it does not, however, discriminate. According to Meyers, they simply have not come across any US-born malware infecting their customers' systems, which are global.
Considering the state of China-US relations in the aftermath of the Justice Department indictment, it's unclear how good of a move the US State Department will think this Crowdstrike release is. On the other hand, if Geng Yansheng is right, this may be just the scaremongering it was hoping for all along. Meyers says the government was given a heads up prior to the report release, so there was no chance of jeopardising any ongoing operations or investigation, but they had no concerns of this nature.
