Unravelling China’s state sponsored cyber war with Project CameraShy

A new intelligence report claims to have uncovered Chinese state-sponsored cyber attacks against military, diplomatic and economic targets across South-East Asia. Julian Turner talks to Rich Barger of ThreatConnect about Project CameraShy and the fight for supremacy in the South China Sea.

Located where the Pacific and Indian Oceans meet, the South China Sea is one of the most hotly contested geopolitical regions on Earth. A critical thoroughfare for the global economy, it carries five trillion dollars in bilateral trade and nearly a third of all global oil shipments every year.

Concerns that the South China Sea could become a military flashpoint have now escalated as China's increasingly aggressive policy strains relationships with the US and its South-East Asian neighbours.

Beijing has drawn a so-called "nine-dash line" over the South China Sea, a huge territorial claim stretching hundreds of miles south and east from the province of Hainan and backed by island-building and naval patrols. In October, the US challenged Chinese hegemony by sailing a destroyer within 12 nautical miles of the artificial islands, the first in a series of actions planned to assert freedom of navigation.

The battle for political and tactical primacy in the South China Sea is also being fought in cyberspace; and the publication of Project CameraShy has brought the scale of that espionage into sharp relief.

The report into Chinese hacking groups attributes surveillance activity associated with the Naikon advanced persistent threat (APT) group to a specific unit in the Chinese People's Liberation Army (PLA). For nearly five years, the report claims, Unit 78020 targeted the South-East Asian military, diplomatic and economic sectors with malicious email attachments and spear phishing campaigns.

Not only that, the team behind Project CameraShy says it was able to piece together information linking a specific PLA officer to the infrastructure and unit responsible for cyber espionage attacks.

"Project CameraShy is unique − it's not often that you can attribute specific cyber activity to a warm body behind a keyboard," states Rich Barger, chief intelligence officer at ThreatConnect, the private sector US intelligence company that produced the report in collaboration with Defense Group Inc.

"Our earlier research highlighted Beijing's resolve to surreptitiously monitor the 2013 Permanent Court of Arbitration Case between China and the Philippines, so we watched and researched spear phishing attacks carried out by the Naikon group for several years looking for patterns and mistakes.

"What we uncovered was significant targeting against multiple claimants in the South China Sea across public, military, diplomatic and commercial sector entities. The mandate of Unit 78020 is clear as is the current geopolitical context. China does not want multilateral dialogue in the South China Sea; instead, it wants to leverage the region for its own economic and security interests."

Inside Project CameraShy: the Naikon APT and Unit 78020

Project CameraShy employed the Diamond Model for Intrusion Analysis, a framework developed within the US defence community in which information about four interconnected facets of an intrusion (adversary, infrastructure, capability and victim) is pieced together to understand the threat in its full context.

"The Diamond Model for Intrusion Activity uses an investigative approach, in which the researcher overlays technical findings with geopolitical pattern-of-life activity," explains Barger. "You can't just work with ones and zeroes; you have to look at how that granular data impacts the real world."

By fusing technical analysis with Chinese language expertise, the ThreatConnect team compiled a meticulously documented case against the organisation behind the Naikon APT, the PLA's Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).

The report claims that Unit 78020 embedded customised malware in malicious email attachments, distributed via spear phishing campaigns that appeared to originate from trusted sources, in order to infiltrate multiple targets and monitor their communications.

"The spear phishing attacks predominantly used a crafted implant unique to the Naikon group; for example, a Thai-language news story that leveraged a specific Microsoft Office vulnerability," says Barger. "The message entices the user to interact with the content and then they were hooked."

Targets included government entities in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand, and Vietnam as well as international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).

"After monitoring thousands of command and control (C2) moves and IP addresses mapped over time by Naikon domains, we noticed that some of the infrastructure use was regionalised, meaning the hackers leveraged a 'campaign identifier' that might refer to the UNDP or ASEAN. Then, we saw that the IT infrastructure appeared to be personified and contained the hacker's name or 'handle'."

Now it's personal: the search for GreenSky27

It was this discovery that allowed ThreatConnect to narrow its investigation to a single officer in the PLA, Ge Xing, aka GreenSky27. By monitoring activity linking the operative to Unit 78020, ThreatConnect was able to gather evidence suggesting that the Naikon cyber espionage group is state sponsored.

"We dug down and found significant profiles posted on various social media sites by GreenSky27, the primary focus of the project," explains Barger. "He claimed to be part of the PLA, attended PLA universities and had written various papers on political and regional issues under the banner of the military unit. What we saw was a person that fit the criteria of what we were seeing in cyberspace."

The C2 domain 'greensky27.vicp.net' consistently appeared within unique Naikon malware, where the moniker GreenSky27 is the personification of the entity who owns and operates the malicious domain. Further research shows that several social media accounts with the GreenSky27 username are maintained by Ge Xing, who is located in Kunming, Unit 78020's base in South-Western China.

In addition, in eight individual cases Ge Xing's pattern-of-life activity overlapped with changes in greensky27.vicp.net infrastructure observed over five years, as Barger explains.

"For example, with the help of the US China Economic Review Commission, we were able to pinpoint a date and time when GreenSky27 was in Beijing," he says. "There are only two IP addresses that resolve in Beijing and they just happen to do so when the target posted social media messages from that location. These activity and corresponding inactivity patterns over years, combined with open source pictures of the target in military compounds, meant we were certain that we had our man."
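The correlation Barger describes, the resolution history of a dynamic DNS C2 domain set against geolocated pattern-of-life observations of a suspected operator, can be expressed as a small analytic. The Python below is an added example and is not code or data from ThreatConnect or the report: the domain name, the IP addresses (RFC 5737 documentation ranges), the IP-to-city table, the dates and the events are all constructed, and the lookup table stands in for whatever geolocation feed an analyst actually has. It scores each overlap by how unusual the matched city is for the domain, which is what makes the "only two IP addresses that resolve in Beijing" observation significant, and it also flags events that fall inside periods when the domain stopped resolving altogether, the "corresponding inactivity" in the quote.

```python
"""Pattern-of-life overlap between a C2 domain's passive-DNS history and
geolocated open-source observations of a suspected operator.

Every record here is CONSTRUCTED for illustration: the domain, the IPs
(RFC 5737 documentation ranges), the geolocation table and the events are
not the report's data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Resolution:
    """One passive-DNS record: domain resolved to ip between first and last seen."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


@dataclass(frozen=True)
class LifeEvent:
    """One geolocated open-source observation of the suspected operator."""
    when: date
    city: str
    source: str


# Assumed IP-to-city geolocation feed (constructed; documentation IPs only).
GEO: Dict[str, str] = {
    "203.0.113.10": "Kunming",
    "203.0.113.11": "Kunming",
    "198.51.100.7": "Beijing",
    "198.51.100.8": "Beijing",
}

# Constructed passive-DNS history for a hypothetical dynamic DNS C2 domain.
HISTORY: List[Resolution] = [
    Resolution("c2.example.net", "203.0.113.10", date(2013, 1, 1), date(2013, 6, 30)),
    Resolution("c2.example.net", "203.0.113.11", date(2013, 7, 1), date(2014, 4, 14)),
    Resolution("c2.example.net", "198.51.100.7", date(2013, 9, 10), date(2013, 9, 12)),
    Resolution("c2.example.net", "198.51.100.8", date(2014, 3, 3), date(2014, 3, 5)),
    Resolution("c2.example.net", "203.0.113.10", date(2014, 5, 10), date(2014, 12, 31)),
]

# Constructed pattern-of-life observations of the hypothetical operator.
EVENTS: List[LifeEvent] = [
    LifeEvent(date(2013, 9, 11), "Beijing", "social media post (constructed)"),
    LifeEvent(date(2013, 11, 20), "Kunming", "social media post (constructed)"),
    LifeEvent(date(2014, 3, 4), "Beijing", "conference attendance (constructed)"),
    LifeEvent(date(2014, 4, 25), "Hainan", "travel photo (constructed)"),
]


def days_by_city(history: List[Resolution]) -> Dict[str, int]:
    """Baseline: resolution-days the domain spent in each city. A match in a
    rarely seen city is much stronger evidence than one in the home city."""
    out: Dict[str, int] = {}
    for r in history:
        city = GEO.get(r.ip, "unknown")
        out[city] = out.get(city, 0) + (r.last_seen - r.first_seen).days + 1
    return out


def find_overlaps(history: List[Resolution], events: List[LifeEvent],
                  window: timedelta = timedelta(days=1)) -> List[Tuple[LifeEvent, Resolution, float]]:
    """(event, resolution, rarity) for every resolution geolocated in the
    event's city and active within +/- window of it. rarity = 1 - the city's
    share of all resolution-days, so values near 1 mark an unusual city."""
    baseline = days_by_city(history)
    total = sum(baseline.values())
    hits = []
    for ev in events:
        lo, hi = ev.when - window, ev.when + window
        for r in history:
            if r.last_seen < lo or r.first_seen > hi:
                continue  # not active anywhere near the event
            if GEO.get(r.ip) != ev.city:
                continue  # active, but geolocated somewhere else
            hits.append((ev, r, 1 - baseline[ev.city] / total))
    return hits


def resolution_gaps(history: List[Resolution],
                    min_gap: timedelta = timedelta(days=7)) -> List[Tuple[date, date]]:
    """Periods longer than min_gap in which the domain was not seen resolving
    at all: merge the observed intervals and report the holes between them."""
    spans = sorted((r.first_seen, r.last_seen) for r in history)
    gaps, cur_end = [], spans[0][1]
    for start, end in spans[1:]:
        if start - cur_end > min_gap:
            gaps.append((cur_end, start))
        cur_end = max(cur_end, end)
    return gaps


def events_during_gaps(history: List[Resolution], events: List[LifeEvent],
                       min_gap: timedelta = timedelta(days=7)) -> List[LifeEvent]:
    """Events that fall inside a resolution gap: the operator was observed
    somewhere while the infrastructure went quiet."""
    gaps = resolution_gaps(history, min_gap)
    return [ev for ev in events if any(g0 < ev.when < g1 for g0, g1 in gaps)]


if __name__ == "__main__":
    for ev, r, rarity in find_overlaps(HISTORY, EVENTS):
        print(f"{ev.when} {ev.city:8} {ev.source:36} <-> {r.ip:14} rarity={rarity:.3f}")
    for ev in events_during_gaps(HISTORY, EVENTS):
        print(f"{ev.when} {ev.city}: domain dark while operator observed ({ev.source})")
```

Two practitioner caveats the block makes visible: passive DNS first/last-seen intervals overlap when a dynamic DNS name flips between addresses, so the home-city interval still covers the Beijing days and only the geolocation mismatch separates them; and the rarity score depends entirely on the geolocation feed, so an analyst would confirm the city attribution for the handful of unusual IPs by other means before treating an overlap as evidence.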

Disputed waters: geopolitical and corporate espionage

Project CameraShy claims that the Naikon APT supports Unit 78020's mandate to perform regional computer network operations, signals intelligence and political analysis against South-East Asian border nations, particularly those claiming disputed areas of the resource-rich South China Sea.

"You can go back and read all sorts of 'Order of Battle' analysis confirming that the unit is there, has 18m array dishes oriented to specific geo-sequenced satellites that cover the South China Sea and is mandated to leverage signals intelligence to target that region and the neighbours," states Barger.

In addition to disputes over territory and sovereignty - China, the Philippines, Vietnam, Malaysia and Taiwan all claim the disputed Spratly Islands - the South China Sea is of huge economic importance.

The nine-dash line would give China control over a zone estimated to handle about two-thirds of global liquefied natural gas shipments and more than a tenth of the world's fish catch. The South China Sea is also home to an estimated 11 billion barrels of oil and 190 trillion cubic feet of natural gas.

What has been the reaction of the Chinese authorities to Project CameraShy, and is it indicative of a trend toward private sector players in cyber espionage research, in light of the US Government's Executive Order 13691, which encourages private companies to share information to mitigate common risks?

"The Wall Street Journal reached out for an official statement; usually Beijing says something but this time they didn't even respond," Barger tells me from the floor of Infosecurity Europe in London. "The report runs to 65 pages and is very compelling. It's much harder for China to distance itself.

"Project CameraShy used unclassified commercial sources and methods, with no support from the US Government. I hope that the project encourages businesses to look at cyber attacks in a broader context and ask: how does a spear phishing attack impact business decisions and my bottom line?

"We have a responsibility to get this type of information out there to allow people to make decisions about specific vulnerabilities − and to help companies mitigate potential risks and potential losses."