
Project CameraShy

CLOSING THE APERTURE ON CHINA’S UNIT 78020

ThreatConnect®, in partnership with Defense Group Inc., has uncovered intelligence linking malware and spear-phishing attacks launched by the “Naikon” Advanced Persistent Threat group to a specific unit of the Chinese People’s Liberation Army. Download Project CameraShy to study the pivot-by-pivot account of how we used the Diamond Model for Intrusion Analysis to identify the threat actors, infrastructure, and tactics. Then explore the interactive resources below, which demonstrate the intelligence and our methodology in greater detail.

The Naikon APT Diamond

The Diamond Model, an analytic framework for assessing network intrusion events, is the foundation of our assessment of the Naikon APT. To guide the reader, we highlight which facet of the Diamond we are pivoting to throughout this assessment.

Key Findings

The Advanced Persistent Threat (APT) Group commonly known within the information security industry as “Naikon” is associated with the People’s Liberation Army Chengdu Military Region (MR) Second Technical Reconnaissance Bureau (TRB), Military Unit Cover Designator (MUCD) 78020.

Naikon Regionalized Infrastructure

Specific to our current research, a member of Unit 78020 has maintained the personified hostname greensky27.vicp.net since 2010 or earlier, during which time it has been referenced within at least eight custom malware samples. This subsection does not analyze the technical intricacies of those samples. Our goal is merely to highlight the subset of Naikon malware families configured to communicate with the dynamic domain greensky27.vicp.net and then pivot to an in-depth analysis of that infrastructure.

Timeline of Infrastructure Activity and Adversary-Relevant Events

Our analysis concludes that the evidence tying Ge Xing to Unit 78020 and its Naikon APT activity is quite strong. This section documents how Ge Xing’s background is ideal for supporting Naikon activities, and how his personal schedule correlates with activity by greensky27.vicp.net. To confirm the greensky27.vicp.net domain was not the work of a freelancer, we examined the time of day at which the domain’s DNS records were changed. We also found striking correlations when we overlaid Ge Xing’s social media postings with periods of greensky27.vicp.net domain inactivity.
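The two temporal checks described above, a time-of-day profile of DNS record changes and an overlay of social-media posts onto periods of domain inactivity, can be reproduced on any passive-DNS and posting timeline. The script below is an added illustration written for this page, not ThreatConnect’s or DGI’s analysis code; every timestamp in it is constructed, the UTC+8 timezone and the 08:00–18:00 working-hours window are assumed analyst hypotheses, and the three-day inactivity threshold is an arbitrary parameter chosen for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def utc(y, m, d, h, mi=0):
    """Build a timezone-aware UTC timestamp (helper for the constructed data)."""
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)


# Constructed sample data (not from the report): UTC times at which a dynamic-DNS
# hostname's A record changed, as a passive-DNS feed might record them.
DNS_CHANGES_UTC = [
    utc(2014, 3, 3, 1, 15), utc(2014, 3, 4, 3, 40), utc(2014, 3, 5, 7, 5),
    utc(2014, 3, 6, 2, 30), utc(2014, 3, 7, 9, 10), utc(2014, 3, 7, 14, 0),
    utc(2014, 3, 14, 1, 50), utc(2014, 3, 16, 6, 20), utc(2014, 3, 18, 0, 45),
    utc(2014, 3, 25, 2, 0),
]

# Constructed sample data: UTC times of public posts by a hypothetical persona.
POSTS_UTC = [
    utc(2014, 3, 5, 12, 0), utc(2014, 3, 9, 4, 0), utc(2014, 3, 11, 8, 30),
    utc(2014, 3, 17, 2, 0), utc(2014, 3, 20, 3, 0), utc(2014, 3, 22, 10, 0),
]

# Assumed hypothesis: the operator works from a UTC+8 locale.
LOCAL_TZ = timezone(timedelta(hours=8))


def hour_of_day_histogram(timestamps, tz):
    """Count events per local hour of day; returns a Counter {hour: count}."""
    return Counter(ts.astimezone(tz).hour for ts in timestamps)


def working_hours_share(timestamps, tz, start=8, end=18):
    """Fraction of events whose local hour falls in [start, end).

    A share close to 1.0 supports a 'day job' pattern; a flat distribution
    across all 24 hours would argue against the assumed timezone or operator.
    """
    if not timestamps:
        return 0.0
    hits = sum(1 for ts in timestamps if start <= ts.astimezone(tz).hour < end)
    return hits / len(timestamps)


def inactivity_gaps(timestamps, min_gap=timedelta(days=3)):
    """Return (start, end) intervals between consecutive events that are at least min_gap long."""
    ordered = sorted(timestamps)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a >= min_gap]


def posts_in_gaps(posts, gaps):
    """Count posts that fall strictly inside any inactivity gap."""
    return sum(1 for p in posts if any(a < p < b for a, b in gaps))


def overlap_summary(dns_changes, posts, tz, min_gap=timedelta(days=3)):
    """Combine both checks into one dict an analyst can compare across candidate personas."""
    gaps = inactivity_gaps(dns_changes, min_gap)
    inside = posts_in_gaps(posts, gaps)
    return {
        "working_hours_share": working_hours_share(dns_changes, tz),
        "gaps": len(gaps),
        "posts_total": len(posts),
        "posts_in_gaps": inside,
        "posts_in_gaps_share": inside / len(posts) if posts else 0.0,
    }


if __name__ == "__main__":
    print("local-hour histogram:", sorted(hour_of_day_histogram(DNS_CHANGES_UTC, LOCAL_TZ).items()))
    for a, b in inactivity_gaps(DNS_CHANGES_UTC):
        print("inactive from", a.isoformat(), "to", b.isoformat())
    print(overlap_summary(DNS_CHANGES_UTC, POSTS_UTC, LOCAL_TZ))
```

On the constructed data nine of ten record changes land in the assumed local working hours, and four of the six posts fall inside the two multi-day gaps in domain activity. On real data the interesting step is the one the script leaves to the analyst: trying several candidate timezones and inactivity thresholds and checking whether the pattern holds only under the hypothesis being tested, since a strong result under every timezone would mean the check is not discriminating anything.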


From the ThreatConnect Blog

The ThreatConnect Intelligence Research Team delivers detailed review and analysis of the Project CameraShy report in the ThreatConnect Blog. Explore key findings from the report, and walk step-by-step with the team as they put the pieces together. Go beyond the report to see how ThreatConnect and DGI collaborated, linking HUMINT, language analysis and infrastructure activity to connect Unit 78020 with Naikon activities.

Fight Cyber Threats Together

Join the ThreatConnect Community

ThreatConnect® is an enterprise solution that bridges incident response, defense, and threat analysis. Our premier cyber Threat Intelligence Platform allows global organizations to effectively aggregate, analyze, and act on the massive volume of threat intelligence data that comes in daily. Currently, more than 5,000 users and organizations worldwide turn to ThreatConnect to make intelligent cybersecurity decisions. Now, you can join the ThreatConnect community for free. You too can leverage the industry’s leading cyber intelligence community to protect your organization against cyber threats. Request your free account today, and discover the benefits of the industry’s most comprehensive Threat Intelligence Platform.