ThreatConnect, in partnership with Defense Group Inc., has attributed targeted cyber espionage infrastructure activity associated with the “Naikon” Advanced Persistent Threat (APT) group to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). This assessment is based on technical analysis of Naikon threat activity and native language research on a PLA officer within Unit 78020 named Ge Xing.
For nearly five years, Unit 78020 has used an array of global midpoint infrastructure to proxy the command and control of customized malware variants embedded within malicious attachments or document exploits. These malicious attachments are operationalized within spear phishing campaigns that establish beachheads into target organizations, facilitating follow-on exploitation activities.
Unit 78020 conducts cyber espionage against Southeast Asian military, diplomatic, and economic targets. The targets include government entities in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand, and Vietnam, as well as international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).
We assess Unit 78020’s focus is the disputed, resource-rich South China Sea, where China’s increasingly aggressive assertion of its territorial claims has been accompanied by high-tempo intelligence gathering. The strategic implications for the United States include not only military alliances and security partnerships in the region, but also risks to a major artery of international commerce through which trillions of dollars in global trade traverse annually.
This report applies the Department of Defense-derived Diamond Model for Intrusion Analysis to a body of technical and non-technical evidence to understand relationships across complex data points spanning nearly five years of exploitation activity. The Diamond Model is an approach to analyzing network intrusion events. The model gets its name and shape from the four core interconnected elements that comprise any event – adversary, infrastructure, capability, and victim. Thus, analyzing security incidents – from a single intrusion up to a full campaign – essentially involves piecing together the diamond using elements of information collected about these four facets to understand the threat in its full and proper context over time.
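As an added illustration (not code from the report or from ThreatConnect), the following Python sketches the two analytic moves the Diamond Model supports: pivoting from one vertex of an event to the other three, and grouping events into activity threads when they share infrastructure or capability. Every indicator, victim and capability name below is a constructed placeholder, not a real IoC from the Naikon activity.

```python
from dataclasses import dataclass
from itertools import combinations

VERTICES = ("adversary", "infrastructure", "capability", "victim")

@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described by its four Diamond Model vertices."""
    adversary: str        # attributed actor, or "unattributed" before analysis
    infrastructure: str   # e.g. the midpoint C2 host the event proxied through
    capability: str       # e.g. the document exploit or malware variant used
    victim: str           # e.g. the targeted organization or sector

# Constructed sample events; the .example hosts are placeholders, not real C2.
SAMPLE_EVENTS = [
    DiamondEvent("unattributed", "c2-alpha.example", "doc-exploit-A", "Philippines gov"),
    DiamondEvent("unattributed", "c2-alpha.example", "doc-exploit-A", "Vietnam gov"),
    DiamondEvent("unattributed", "c2-beta.example",  "doc-exploit-A", "ASEAN body"),
    DiamondEvent("unattributed", "c2-gamma.example", "rat-variant-B", "Indonesia gov"),
    DiamondEvent("unattributed", "c2-delta.example", "rat-variant-C", "UNDP office"),
]

def pivot(events, vertex, value):
    """Collect the other three vertices of every event whose `vertex` equals `value`."""
    if vertex not in VERTICES:
        raise ValueError(f"unknown Diamond vertex {vertex!r}")
    related = {v: set() for v in VERTICES if v != vertex}
    for ev in events:
        if getattr(ev, vertex) == value:
            for v in related:
                related[v].add(getattr(ev, v))
    return related

def activity_threads(events):
    """Union-find over events: two events join a thread when they share
    infrastructure or capability. Returns threads, largest first."""
    parent = list(range(len(events)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i
    for a, b in combinations(range(len(events)), 2):
        ea, eb = events[a], events[b]
        if ea.infrastructure == eb.infrastructure or ea.capability == eb.capability:
            parent[find(a)] = find(b)
    groups = {}
    for i, ev in enumerate(events):
        groups.setdefault(find(i), []).append(ev)
    return sorted(groups.values(), key=len, reverse=True)
```

Pivoting on `c2-alpha.example` surfaces the capability and the two victims that host touched, and the shared exploit then pulls the `c2-beta.example` event into the same thread, which is how a single campaign is reassembled from otherwise disconnected intrusions.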