As Chinese President Xi Jinping promised U.S. technology leaders in Seattle that China would not support hacking for economic gain, two security research firms released a joint report linking a Chinese intelligence unit with attacks on national and international government groups in the Asia-Pacific region.
The espionage group, known as “Naikon,” has been active for at least five years, compromising targets in Southeast Asia, including Cambodia, Indonesia, Malaysia, Nepal, Philippines, Singapore, Thailand and Vietnam. On Sept. 24, ThreatConnect, along with strategic analyst firm Defense Group Inc., linked the malware group to the activities of an intelligence bureau within the People’s Liberation Army (PLA).
The Chinese group has built an espionage platform consisting of custom-made and publicly available tools, using them to compromise a wide variety of strategic and economic targets, Toni Gidwani, director of analysis and production at ThreatConnect, told eWEEK.
“While the technical sophistication is not what we see with other espionage attacks, the operation’s reach is very long-range and their activity very longstanding,” Gidwani said. “Basically, it’s as sophisticated as it need to be to get the job done.”
The research report comes as Chinese President Xi Jinping visits the United States and spoke to technology CEOs, claiming that the country has taken a hard line against hacking. “The Chinese government will not in whatever form engage in commercial thefts or encourage or support such attempts by anyone," Xi said, according to a Reuters report Tuesday.
Despite the claims, however, the overwhelming body of evidence compiled by security researchers and government agencies, support assertions that China has made it a national policy to gain advantage by using cyber-operations to conduct espionage against its rivals.
A number of successful espionage campaigns against U.S. companies and government agencies, for example, appear to lead back to China. A two-year operation against the U.S. Office of Personnel Management (OPM) resulted in attackers stealing information on the results and investigations of 26 million federal employees’ and contractors’ background checks.
In February, healthcare firm Anthem reported a breach of its systems, with ThreatConnect linking the theft of almost 80 million health records to China.
ThreatConnect and DGI used public sources and intelligence to investigate the infrastructure of the Naikon espionage network. The researchers found that much of the infrastructure led back to the city of Kunming, the capital of Yunan province in China, which is also home to a People’s Liberation Army’s Technical Reconnaissance Bureau (TRB)—an intelligence unit designated as Unit 78020.
The Naikon attackers focused on countries surrounding the South China Sea, where China, Vietnam and the Philippines have asserted ownership of various groups of disputed islands. The Naikon attackers also focused on international political agencies, such as the United Nations Development Program (UNDP) and the Association of Southeast Asian Nations (ASEAN).
Showing how wide the operation reached, other parts of the infrastructure, including command-and-control servers, led back to Denver, Colorado; Seoul, South Korea; and various Internet addresses in Thailand.
In addition, the operation did not just go after strategic data, ThreatConnect's Gidwani said. "What you are seeing here is the integration between China’s intent to pull together economic espionage and its political interests," she said.