Virustracker 2015/10/16 15:57
0x00 Executive summary
ThreatConnect Inc. worked with Defense Group Inc. (DGI) and found that the "Naikon" APT group belongs to the XXX Bureau (Unit 7XXX). This assessment is well-founded: we reached it through technical analysis of the Naikon group's threat activity and by studying statements made by Ge XX, an officer of Unit 7XXX.
For nearly five years, Unit 7XXX has been leveraging a global midpoint infrastructure to command and control custom Trojans through proxies. These Trojans are typically delivered through phishing campaigns as malicious attachments or documents that exploit vulnerabilities, infecting targeted organizations for further exploitation.
Unit 7XXX is used to launch cyber-espionage operations against military, diplomatic and economic organizations in Southeast Asia. The targets included government agencies in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand and Vietnam, as well as international organizations such as the United Nations Development Program (UNDP) and the Association of Southeast Asian Nations (ASEAN).
We believe that Unit 7XXX's focus is the South China Sea dispute and the fast-paced intelligence gathering that comes with it. The strategic implications for the United States lie not only in military alliances and security partnerships in the region, but also in an artery of international trade worth tens of billions of dollars a year.
We used the Diamond Model to study both technical and non-technical evidence of exploitation activity and to discover relationships among complex data points. The Diamond Model is a method for analyzing network intrusion events. It describes any event in terms of the four interconnected core elements that make it up: adversary, infrastructure, capability, and victim. To analyze a security event, from a single intrusion to an entire campaign, one gathers information about all four elements and then assembles it into the diamond, so that the threat can be understood over time and in its complete context.
Past work
In April 2012, ShadowServer first introduced the Naikon threat, but at that time they had no name for it and simply recorded it as an "unknown" threat. They obtained phishing lures from the HardCore Charlie data dumps and shared the results of their analysis. The Naikon APT did not come to the public's attention until June 2013, when Trend Micro released a detailed report on the Naikon Rarstone Trojan.
In May 2014, ThreatConnect published an article, "Piercing the Cow's Tongue," citing China's territorial claims in the South China Sea and confirming that the Naikon group had launched numerous attacks against Southeast Asian countries. A year later, Kaspersky Lab published a detailed white paper on Naikon's historical activities and key technical findings. Kaspersky also believes Naikon has a clear purpose and sufficient resources to target countries in Southeast Asia, and noted that "the Naikon team has been responsible for a large number of attacks around the South China Sea since at least 2010."
NAIKON APT diamond model
The Diamond model is an analytical framework for assessing cyber intrusion events and is the basis for our assessment of the Naikon APT team. To help readers understand, we will highlight some important aspects.
Key findings
The “Naikon” APT group is associated with unit 7XXX of XXX Bureau.
0x01 Tensions in the South China Sea and one country's cyber response
In a word, the South China Sea matters, both for energy and economically.
Figure 1- Disputed areas and exclusive economic zones in the South China Sea
There are a number of islands and atolls in the South China Sea that have long been the subject of territorial disputes. China, the Philippines, Vietnam, Malaysia and Taiwan all claim the Spratly Islands, which are rich in energy and fishing resources. China has claimed most of the disputed areas as its own. Conflicts between countries have gradually escalated from simple harassment by fishing boats to naval confrontations.
China has taken a very hard line on the South China Sea because of its growing military strength and will use force if necessary to defend its territorial sovereignty.
In addition to its military deployment, China is also relying on its cyber capabilities to gather regional military, diplomatic and economic intelligence related to the South China Sea. Under the radar, China has launched a massive computer network espionage campaign against the countries involved, with Unit 7XXX as a major force in it.
Fiery Cross Reef case study: how one country mobilizes its national forces for cyber warfare
Photo 2: Fiery Cross Reef
In order to consolidate their claims in the South China Sea, some regional countries have begun to reclaim islands by dumping seafloor material onto coral reefs, causing irreversible damage in the process. In the past 18 months, "China has reclaimed 2,000 hectares, more than all other countries combined and the most in the history of the region." The most obvious case is Fiery Cross Reef, which is submerged at natural high tide. Between August and November 2014, China expanded the existing reef 11 times over.
The Philippines has taken a different approach. They are pursuing their interests through international law.
Although Beijing has been reluctant to resort to international arbitration, it has been monitoring the situation.
Naikon APT: Region-driven activity since 2010
Kaspersky Lab has the most detailed analysis of Naikon APT, which it believes was responsible for a large number of regionally motivated attacks over a five-year period. Kaspersky says Naikon’s team has had a high success rate in infiltrating government organizations in a number of ASEAN countries, with early victims mostly in Myanmar, Vietnam, Singapore, Laos, Malaysia and the Philippines. The targets included high-level government and military organizations involved in the South China Sea, as well as state media and state-owned and private energy organizations.
Based on the structure of Naikon's operations, their primary targets are individual states, with specific tools deployed against a large number of organizations in each target country. To gain access to targeted networks, Naikon relies on email as the attack vector, combined with social engineering to identify targets precisely. Before launching an attack, they first collect the target's name, email address, date of birth, events of interest, nationality, gender, previous emails and social network communications. Kaspersky noted that the team used decoy content such as "UN discussion and vote on nuclear proliferation and disarmament," "Malaysia Airlines Flight MH370 lost," "Raytheon building a national coastal monitoring center in the Philippines," and other decoy documents. Naikon often uses regional topics as lures, so it is not hard to guess whom they are targeting, and they refresh their lure themes more often than other regular attackers.
Naikon’s activity structure, target characteristics, and precise social engineering also support our hypothesis that Naikon APT group is unit 7XXX, which is explained in Chapter 2.
0x02 "Naikon" and Kunming
After examining the geopolitics and network operations in the South China Sea, we will analyze the operational infrastructure of Unit 7XXX in depth, working from the data. By analyzing the domain name gxxx.vicp.net, we hope to better understand the adversary's scope, structure and activities.
As with other APTs, Unit 7XXX uses dynamic DNS infrastructure to improve the survivability and mobility of its Trojans. This allows the attacker to move C2 quickly to a new host, and because the domain name rather than an IP address is hardcoded into the Trojan, redeployment costs little.
Unit 7XXX characteristically names its infrastructure after the South China Sea and Southeast Asian institutions in its area of responsibility. Next, we will classify the infrastructure used by Unit 7XXX.
In addition to this naming convention, unit 7XXX has on rare occasions named its infrastructure after a human. For example, Uglxxx is Wang XXX of Unit 6XXX.
Naikon Trojans
Our research confirms that a member of Unit 7XXX has been operating gxxx.vicp.net since at least 2010, and that at least eight custom Trojans referencing this hostname have appeared during that time. In this section, rather than analyzing the technology used by these samples, we simply emphasize that these Trojans communicate with gxxx.vicp.net, and we dig into that infrastructure.
Table 1- The Naikon Trojans that have been discovered. The C2 address for these variants is gxxx.vicp.net
We found that one of the binaries (a2378fd84cebe4b58c372d1c9b923542) launches a decoy document; the "document" is actually a self-extracting executable. The decoy, in Microsoft Word format, contains a Thai article and quotes images from a Thai Navy press conference on June 28, 2012 showing Vietnamese fishermen being arrested for fishing in Thailand's exclusive economic zone. Naikon is fond of topical regional political events as lures. More important, however, is the direct link between Naikon and the domain name gxxx.vicp.net. Having established this relationship, the focus of our investigation turned to the infrastructure behind gxxx.vicp.net.
Figure 4- The contents of the Naikon Decoy document are taken from a Royal Thai Navy press conference in June 2012
Domain name infrastructure analysis
With active and passive DNS data, we obtained the resolution timeline of gxxx.vicp.net. The earliest activity dates back to September 2010 and continued until this report was drafted in August 2015. Our records show that over that time frame there were 2,350 resolutions to 1,235 different IP addresses, spanning 26 cities and eight countries. The distribution of Autonomous System Numbers (ASNs) for gxxx.vicp.net is circled on the world map in Figure 5.
Figure 5- ASN for the IP address associated with gXXX.vicp.net
The geographic distribution of ASNs is very interesting and reveals a lot. We immediately saw a great deal of activity in China and Southeast Asia. This supports our earlier judgment that Unit 7XXX is very concerned with the situation in the South China Sea. In addition, several hosts are hosted in the United States; these seem far from the battlefield, but as the investigation progressed we found them very useful. Interestingly, we do not see the usual economically motivated fraud and cybercrime in this infrastructure.
The regional distribution of the GXXX.VICp.net infrastructure is shown in Figure 5 and the roles and relationships of these infrastructures are shown in Figure 6.
Important definitions in this section
- DNS resolution: We use “resolution” to refer to the mapping between domain names and IP addresses. Every time the DNS record shows that the domain name has been resolved to a different IP address, we record it as a resolution for analysis. By resolution, we don’t mean a single DNS request or query issued by a client.
- DNS duration: We use "duration" to indicate how long (in hours) a domain name stays mapped to one IP address in DNS records before it is resolved to another IP address.
Figure 6- IP address network diagram related to the dynamic domain name gxxx.vicp.net
The network diagram in Figure 6 weights each location by its distance from the center, gxxx.vicp.net. The size of a dot represents the number of DNS resolutions to IP addresses in that city. The arcs represent the movement of the DNS record from source to destination between IP addresses in different cities, and arc density represents the frequency of those transitions. Here are some of our takeaways.
- Almost all roads lead to Kunming. Of the 27 cities identified, 22 had resolutions moving to Kunming and 23 had resolutions arriving from Kunming. No other city had even half that number (Bangkok came closest, with 11 in and nine out). We therefore assume that Kunming is the operational centre or "home base" of gxxx.vicp.net.
- Bangkok, Seoul, Hong Kong and Denver are also important. These cities are constantly interacting with other nodes in the network, but not as frequently as Kunming. Subsequent analysis will prove that each of these nodes serves a different purpose.
- There are also many nodes with very few connections, with much traffic passing only through the single central node. Although the network graph algorithm does not treat these as "important nodes", they too have specific task functions. We will discuss these types of nodes later.
Analytic metrics
We used two base metrics to examine gxxx.vicp.net and how the attackers use this infrastructure to perform their tasks: the number of DNS resolutions, and the duration of each resolution. Our analysis also considers contextual information (e.g., geographic location, ASN) and derived metrics (e.g., total duration, or DNS resolutions per city), but these are built on those two base metrics. Figure 7 (resolutions) and Figure 8 (duration) show the distribution of the measurements.
Both figures show that the gxxx.vicp.net domain name is dynamic. In Figure 7, about half of the IP addresses were resolved to only once during the five years, and less than 1% were resolved to three times. Very few have more than a dozen DNS records. In Figure 8, 80% of the resolutions lasted less than a day, although some lasted several months, and about a quarter lasted less than an hour. These results call for a closer look at the hosts that stand out. From a cyber defense perspective, they are also a reminder not to play whack-a-mole with IP addresses, but to find more effective ways to identify, expose and block malicious infrastructure on the Internet.
Figure 9- Average resolution duration VS number of resolutions per IP address
The next objective of the investigation is to find the outliers. In Figure 9 all IP addresses associated with gxxx.vicp.net are plotted: the X-axis is the average resolution duration for each IP address, and the Y-axis is the total number of resolutions for each IP address. Most IP addresses look alike, clustered in the lower left corner. Interestingly, the most distant outliers represent three cities in three different countries, and the resolution durations of all three IP addresses vary significantly. Instead of guessing, we take those values and do a simple, city-centered statistical analysis.
Figure 10- Total number of resolutions VS average resolution duration per city
Figure 10 redraws Figure 9, comparing the total number of resolutions and the average resolution duration for each city. After considering the context and the role of gxxx.vicp.net, the major cities of Kunming, Seoul, Bangkok and Denver are highlighted in Figure 10. Accordingly, a more detailed comparison of the analytic metrics is given in Figure 11, covering these major cities and some other major cities.
Figure 11- Analytic metrics for each city
In Figure 11, the changes in cities are obvious. Kunming, the headquarters of unit 7XXX, dominates in all respects, proving once again to be the centre of activity for GXXX.vicp.net.
Resolution activity in Kunming is more frequent and the total time spent on its IP addresses is longer; Kunming seems to "own" the infrastructure more than any other city. The average resolution duration of a single IP address in Denver, however, is six times that in Kunming and twice that in Seoul.
The situation is similar in Seoul and Bangkok, but we analyzed Seoul more closely. It is hard to tell the other cities apart on this chart, but the next one makes it clear.
Figure 12 shows each city's percentage share of all resolution metrics, including every city associated with gxxx.vicp.net. The data in Figure 12 is city-centric, rather than metric-centric as in Figure 11. This way, Kunming's dominance is factored out and the differences among cities can be compared on a more equal footing. All else being equal, the ratios of IP resolutions and durations should be roughly the same from city to city. In fact, the resolution ratios vary so much that the findings are interesting. We also tested the statistical significance of the domain name resolution data and confirmed that these differences are meaningful, not random variation. But what exactly do these findings mean?
Figure 12- Analytical indicator ratios by city
Infrastructure and location files
We assume that the different resolution metric ratios reflect the purpose of a location, as well as the function of the infrastructure or activity there. A high resolution rate for a location reflects the level of access, control, and comfort the attacker has there. A careful attacker would not keep resolving the domain into a high-risk area for long; rather, resolutions tend to go to safe and familiar areas.
The skew of particular IPs corresponds to regional input and control. A large number of single-use hosts in an area indicates that resolutions often pass through that infrastructure without depending heavily on any single host. Conversely, if only one or two IP addresses in an area have been resolved to frequently over the years, that location is strategically significant and valuable, both at the host level and at the location level.
When a location's share of total resolution duration is higher than its share of resolutions or of distinct IP addresses, it indicates that the attacker left the domain name pointed there for a long time. Chapter 4 explains why attackers do this.
By analyzing the infrastructure behind GXXX.vicp.net, we infer three common infrastructure patterns:
Local IP switching
Kunming falls into this category: during these five years, a large number of short resolutions pointed to IPs that were used only once. This shows the close relationship between the attacker and Kunming, and also indicates the attacker's lack of operational security awareness and negligence. We suspect that the person controlling gxxx.vicp.net probably lives in or near Kunming and has the Oray Peanut Shell client installed, which automatically registers whatever IP address the local ISP's pool has assigned whenever the attacker is not on a VPN connection. Just like a laptop, it gets a new IP address at each different location, such as home, office, or a shop.
Remote CC
Another pattern to note is a small number of periodic resolutions to repeated IPs in a given location. This is the pattern for most non-Chinese locations. The reason may be periodic collection of target intelligence in the South China Sea: the attackers connect to these hosts for traditional remote C2 communication and leave them once the task is done. We believe the departures are hasty because the attacker simply wants to confirm through a quick connection that the victim is still hooked. In addition, the attacker's operating environment may not be ideal: network saturation, latency, or interception of the C2 IP may force the attacker to use another C2 to regain access to the Trojan on the victim's device.
Domain parking
The patterns observed in Denver, Seoul and the non-routable address (0.0.0.0) indicate that these locations are used when gxxx.vicp.net is offline or not interacting with routable infrastructure. Only these locations had a share of total resolution duration significantly higher than their shares of distinct IP addresses and of resolutions. Seoul is a hodgepodge: the attackers use several Seoul IP addresses for domain parking and others as traditional C2 hosts. Figure 13 shows this more clearly once Seoul is broken down by ASN: ASN 10036 looks like C2 communication, while ASN 3786 looks like domain parking.
Figure 13- Ratio of resolution metrics associated with the selected ASNs
To test our hypothesis, we ran the statistical test again, comparing the analytic metrics of Denver and Seoul. There was no significant difference between the two cities, which is what we would expect if they serve the same role. We went one step further and added the "non-routable" resolutions (which we know are domain parking) to another test, and again found no difference. This shows that Denver and Seoul follow the same pattern. Then, to satisfy those who think "data lies," we made a simple (and carefully precautioned) visit to the Denver IP address and gxxx.vicp.net to prove it, at manageable risk. Figure 14 shows what we found. It confirmed our suspicion that when the user of the Oray Peanut Shell client logs out, the gxxx.vicp.net domain name points to an IP address at the Denver ISP. For "why Denver", refer to the more detailed Oray infrastructure information.
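The three patterns above can be tested mechanically against a passive-DNS timeline. The following is an added example, not code from the report: it computes the report's two base metrics (resolutions per IP and duration per resolution) over a constructed timeline, derives the per-city shares of Figure 12, and applies threshold rules for the three patterns. The timeline data, IP addresses and thresholds are all constructed for illustration.

```python
"""Passive-DNS pattern analysis for a dynamic DNS C2 domain (added example).

A resolution is one change of the domain's IP mapping; its duration is the
time until the mapping changed again, as defined in the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Resolution:
    start: datetime
    ip: str
    city: str
    hours: float  # time until the record moved to another IP


def build_timeline(records, report_time):
    """records: (timestamp, ip, city) tuples sorted by time. A record that
    repeats the previous IP is not a new resolution (mapping unchanged).
    The last resolution lasts until report_time."""
    merged = []
    for ts, ip, city in records:
        if merged and merged[-1][1] == ip:
            continue
        merged.append((ts, ip, city))
    timeline = []
    for i, (ts, ip, city) in enumerate(merged):
        end = merged[i + 1][0] if i + 1 < len(merged) else report_time
        timeline.append(Resolution(ts, ip, city, (end - ts).total_seconds() / 3600))
    return timeline


def per_ip_metrics(timeline):
    """Figure-9 style view: {ip: (resolution count, average hours)}."""
    count = defaultdict(int)
    hours = defaultdict(float)
    for r in timeline:
        count[r.ip] += 1
        hours[r.ip] += r.hours
    return {ip: (count[ip], hours[ip] / count[ip]) for ip in count}


def per_city_shares(timeline):
    """Figure-12 style view: each city's share of resolutions, distinct IPs
    and total duration, plus single-use IP fraction and mean duration."""
    ips, res, hours = defaultdict(set), defaultdict(int), defaultdict(float)
    for r in timeline:
        ips[r.city].add(r.ip)
        res[r.city] += 1
        hours[r.city] += r.hours
    tot_res = len(timeline)
    tot_ips = len({r.ip for r in timeline})
    tot_hours = sum(r.hours for r in timeline)
    ipm = per_ip_metrics(timeline)
    shares = {}
    for city in res:
        single = sum(1 for ip in ips[city] if ipm[ip][0] == 1)
        shares[city] = {
            "resolution_share": res[city] / tot_res,
            "ip_share": len(ips[city]) / tot_ips,
            "duration_share": hours[city] / tot_hours,
            "single_use_fraction": single / len(ips[city]),
            "mean_hours": hours[city] / res[city],
        }
    return shares


def classify(m):
    """Map a city's metric ratios to one of the report's three patterns.
    The thresholds are assumptions chosen for illustration."""
    if m["duration_share"] > 2 * max(m["resolution_share"], m["ip_share"]):
        return "domain parking"      # long-lived, few IPs: parked/offline
    if m["single_use_fraction"] >= 0.5 and m["mean_hours"] < 24:
        return "local IP switching"  # many short-lived one-off IPs
    return "remote C2"               # few IPs, periodic repeated use


def constructed_records():
    """Constructed sample data (not real): ten rounds of two short-lived
    Kunming IPs, one Bangkok check-in on a repeated IP, then two weeks
    parked on a single Denver IP. Returns (records, report_time)."""
    t = datetime(2014, 1, 1)
    recs = []
    for i in range(10):
        recs.append((t, f"10.1.{i}.1", "Kunming"))
        t += timedelta(hours=2)
        recs.append((t, f"10.1.{i}.2", "Kunming"))
        t += timedelta(hours=5)
        recs.append((t, f"10.2.0.{1 + i % 2}", "Bangkok"))
        t += timedelta(hours=36)
        recs.append((t, "10.3.0.9", "Denver"))
        t += timedelta(days=14)
    return recs, t


def analyze(records=None, report_time=None):
    """Return {city: pattern} for a timeline (defaults to constructed data)."""
    if records is None:
        records, report_time = constructed_records()
    timeline = build_timeline(records, report_time)
    return {city: classify(m) for city, m in per_city_shares(timeline).items()}


if __name__ == "__main__":
    for city, pattern in analyze().items():
        print(f"{city:8s} -> {pattern}")
```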
Figure 14- This is what we see when we try to parse gXXX.vicp.net and Denver IP 174.xxx.xxx.xxx
A larger picture with more pixels
A typical picture might take 1,000 words to explain, but Figure 15 needs at least 2,000, and so far we have used over 2,000 words in this section to analyze the infrastructure of gxxx.vicp.net. The figure shows every IP address that the gxxx.vicp.net domain name has resolved to in the past five years, presenting everything we know at once.
Figure 15- Diagram of all IP networks associated with GXXX.vicp.net
A few relationship nodes highlighted in bright colors are associated with more hosts. The three patterns described above are already apparent. The largest points are Denver, Seoul and the 0.0.0.0 parked/offline IP. The area of dense dots in the middle is Kunming's fast-changing local switching infrastructure. Other dots of the same color but slightly larger are also Kunming local switching infrastructure, used for longer and more often than the disposable IPs. The other small and medium-sized mid-level nodes make up the collection infrastructure, most of which are C2 hosts located in target countries in the South China Sea region. In Figure 15, Thailand's C2 infrastructure is particularly prominent, indicating that Thailand may be a prime collection target for the attacker.
Figure 16- Relative analytical temporal flow chart for each city at different times
Figure 15 is good enough, but before we conclude, there is one more topic worth discussing. The flow diagram in Figure 16 shows the ratio of the resolution time of IP bound to gXXX.vicp.net in different cities at different times. From the figure, it can be concluded that:
In the first two years, exchanges with Kunming and surrounding areas dominated, at a time when the attackers were probably just beginning their missions and activities. In the two years from 2012, overseas collection activities began to increase, mainly in Thailand and South Korea. As the collection activity declined (possibly because tasks were completed or cut back), attackers began to park more domain names in Seoul and then, when offline, to contact service providers in Denver more often, up to the time of this writing. Whether this explanation is correct or not, further investigation is clearly needed. To that end, let’s look at the real identity of Gxxx.
0x03 Chapter 3: Ge XX of Unit 7XXX, "Gxxx"
As in the previous chapter, in this chapter we try to determine the identity of the attacker. Through open-source research in Chinese, we found a relationship between Ge XX, a PLA officer in Unit 7XXX, and Naikon's infrastructure. Ge XX registered accounts under "Gxxx" on many social media sites; the earliest registration dates back to 2004. According to his public information, he is located in Kunming. In addition, we identified his relationship with Unit 7XXX through his published articles and photographs.
Of all the C2 domain names used by the Naikon APT, gxxx.vicp.net stands out because it is often resolved to hosts in Kunming, Yunnan, and is closely associated with the Naikon Trojans that directly attack targets in Southeast Asia. In further investigation, through analysis of Chinese-language sources, we found a connection between "Gxxx" and the Tencent Weibo username Gxxx used by Ge XX, a PLA officer, in 2010.
Figure 17-Gxxx relationship status and identity
Confirming that Gxxx is Ge XXX
Through open-source research on "Gxxx", we found a large number of Chinese online forum and social platform accounts, all belonging to a user in Kunming. In one Tencent Weibo account named Gxxx, we found more than 700 posts and more than 500 photos. The account appears to be active, with more than 300 followers, and was last updated in November 2014. By linking this information to photos posted on Tencent Weibo, we get a rough picture of Ge XXX, an officer in Unit 7XXX of the People's Liberation Army known online as Gxxx.
Figure 18A-GXXX’s Tencent Weibo account has more than 700 blog posts and more than 500 photos
Photo 18B-gXXX – These two photos appeared on his Tencent Micro blog in 2013
Figure 19-GXXX, mountain bike, uploaded in 2014
We obtained his real name from his Tencent Weibo account, third-party websites, and the information he posted about model aircraft and mountain bikes for sale. First, from the photos he posted on November 23, 2013 of a visit to the Ge family ancestral memorial hall, we learned indirectly that his family name is Ge. Second, Gxxx's Tencent Weibo nickname is XX. Typically, users do not register their accounts under their real names, but instead use nicknames close to them.
Figure 20- Google search results
Through a third-party website that specializes in QQ identification, we learned that the owner of Gxxx is Ge XXX. Searching for another Gxxx QQ number, XXXXX, together with "ge" returned the link qun.594sgk.com/qq/xxxxxx1.htm, according to which Mr. XXX is the owner of this account.
The online activity of Ge XXX/Gxxx confirms this registration information. In 2004, a user named Gxxx, living in Yunnan province, posted advertisements for model airplane parts on the model forum 5IRC.com. One post included QQ number 4XXXXXX and telephone number 1360XXXXXXXX (tel: 136XXXXXXXX).
Searching for the QQ number and telephone number, we found 2014 posts on the Lincang second-hand bicycle website, all advertisements selling mountain bikes, with "Mr. Ge" as the contact person. The posts are no longer accessible, but the images are still available through the Google Images cache. The mountain bike in Ge's ad was photographed in the same room as the bike in Gxxx's Tencent Weibo photos. Thus, the surname of Gxxx is Ge.
Picture 21- Left: "Mr. Ge" selling mountain bikes on the Lincang second-hand bicycle forum. Right: Gxxx's Tencent Weibo photo shows another mountain bike in the same room
Finally, in 2012, Gxxx posted a message on Baidu Tieba asking netizens to recommend a three-character name for his child, surnamed Ge.
Location confirmed: Ge XXX is in Kunming
In the above advertisement, Ge XXX is located in Kunming. Although his Tencent Weibo account says he is in Ireland, numerous photos uploaded to the account, including his license plate, GPS records of his bike rides and photos of Kunming landmarks, prove that Ge is in Kunming.
The Yunnan license plate
Ge XXX's car, a Volkswagen Golf, has a Yunnan license plate; the prefix Yun A (云A) denotes Kunming city, Yunnan Province.
Figure 22- License plate of Gxxx
Kunming
Ge shared photos of his rides in Kunming on his Tencent Weibo account. The routes may have been recorded with a smartwatch or smartphone app. In the image below, he shared his bike route from Wuhua district to central Kunming.
Figure 23- Ge XXX’s cycling route
In addition to these routes, Gxxx once shared his location using a SOSO map, also in Kunming. The location in the picture is Kunming Health School, No. 6 Jiaochang West Road, Kunming city, Yunnan Province. This position is close to where the ride ended in the image above.
Figure 24A- Ge XXX sharing his position
Photo taken in Kunming
Gxxx's Tencent Weibo contains many photos of restaurants, gardens, transit stations and museums in Kunming and its surroundings. The image below is one sample; the photos range from 2012 to 2014, indicating that Gxxx still lives in Kunming.
On January 2, 2013, Ge XXX also posted some photos titled "Dear Party School". The Party School of the Kunming Municipal Committee of the Communist Party of China comprises several schools. It is possible that Ge XXX attended short-term Party school training because of the PLA's political requirements.
Figure 24B- “Dear Party School” photo published by Ge XXX
Figure 25-Gxxx photo of Kunming
Residential address of Gxxx
Gxxx's residential address does not appear on his Tencent Weibo, but there is an account on the Kunming Moms website with the username Gxxx and user number 7xxxxx, and the street address of that account is XXX Road, XXX District, Kunming City, Yunnan Province.
It is very likely that the Gxxx on Kmingmom.com is the same person as the Gxxx on Tencent Weibo. Both profiles show the user residing in Kunming. The Kunming Moms account was registered in the "newborn" section of the site in 2012, and pictures posted on his Tencent Weibo account show that his baby was born the same year. Gxxx also posted the birth announcement on Baidu Tieba in November 2012.
In addition, the Lianhua Street community address shown on the Kunming Moms website matches the address information on Gxxx's Tencent Weibo account. In the picture above, Gxxx is near XXX School in Kunming; on the right side of the picture is the XXX Street community, and to the east is Jiaochang Middle Road. The location shown in the picture below is in XXX District of Kunming.
Figure 26- Location of XXX Subdistrict community, XXX District, Kunming, approximately 0.42 miles from Unit 7XXX
Ge XXX's background and relationship with Unit 7XXX
On his Gxxx Tencent Weibo and several websites, there is plenty of evidence that Ge XXX has a long-term relationship with the People's Liberation Army (Jiefangjun). Ge entered China's XXX College in 1998 and became an officer in the PLA. According to the academic paper he wrote upon graduation, he joined the XXX Bureau in Kunming in 2008. On his Tencent Weibo, a large number of photos taken from 2011 to 2014 show the headquarters of the XXX Bureau in Kunming, confirming his relationship with the PLA.
Institute of XXX
According to Gxxx's Tencent Weibo profile, he enrolled in the XXX College in 1998. The XXX College in Nanjing, founded in 1961, has produced a large number of PLA officers proficient in international strategy, military and diplomatic relations and foreign languages. The school is affiliated with the General Staff Headquarters, and its graduates perform intelligence translation and reporting, military liaison, or foreign-language teaching at military academies. The school also has a branch in Kunming, but we do not know whether Gxxx has maintained contact with it.
Recent attendance at a PLA event
On Gxxx's Tencent Weibo there are photos proving his ties to the PLA. A series of photos taken in 2014 shows him attending a celebration of the 87th anniversary of the founding of the People's Liberation Army in Kunming. The event was internal to the PLA and closed to the public. Activities included outdoor firefighting demonstrations and indoor talks.
Photo 27- Ge attends a PLA event in 2014
Visit to XXX College in 2014
A series of photos Gxxx took during a visit to XXX College in 2014 also demonstrates his relationship with the PLA.
Picture 28- Ge XXX went to XXX College in 2014
Academic papers confirm that Ge XXX belonged to Unit 7XXX
We searched the CNKI database and found two research papers related to Gxxx. Both papers were written in 2008 by Ge XXX, Unit 7XXX, Kunming.
Figure 29- Paper written by Ge XXX, showing that he was attached to Unit 7XXX, Kunming, Yunnan, 6XXXXX
The topic of both papers is the political situation in Thailand. One of the papers is entitled “Analysis of the causes of XXX”. The author’s introduction shows that Ge XXX was born in 1980 and received his master’s degree in XXX Political Science from XXX University in 2008.
Ge XXX, who lives in Kunming, is an officer of the People’s Liberation Army. This information also matches Gxxx’s Tencent Weibo profile. From the model aircraft forum, we know that Gxxx has been living in Kunming since at least 2004, so he was probably living in Kunming in 2008 as well. His date of birth, 1980, also matches his Weibo profile. It is also plausible for a man born in 1980 to enter college in 1998 and become a father in 2012.
Ge XXX took photos at the headquarters of XXX Bureau
Several photos of Gxxx on QQ were taken when he went to the headquarters of XXX Bureau in Kunming in 2011. By using QQ map and Google Earth, we found that Ge XXX may have taken the photos in a hotel and the main building of the base.
Figure 30- Main building of Troop 7XXX and XXX Hotel
Photo of the parking lot taken at XXX Hotel in the base
On December 16, 2013, Ge XXX posted some photos taken at XXX Hotel, the guest house of Unit 7XXX of the People’s Liberation Army. We know from some Chinese websites that the address of the hotel is XXX, XXX Road, XXX District, Kunming City, Yunnan Province, next to the Kunming XXX Hospital. Western analysts have also identified this as the location of Unit 7XXX.
Figure 31- Picture on Gxxx account, parking lot in front of XXX hotel
Based on this address, we checked the street view around the gate on QQ Map. From the picture, we can see that there is a red five-star symbol on the gate, and the features behind the gate are hard to distinguish.
Picture 32- QQ Street View of the Troop 7XXX gate
Based on this information, we determined that the hotel where Ge XXX was staying was in the base. Ge XXX’s perspective is from the parking lot facing the gate. In the photo, you can see a wall, a red gate and the sign of XXX Hospital in Kunming.
Figure 33- Ge XXX’s likely vantage point when taking photos in front of XXX Hotel. In the car photo, note the features of XXX Hotel, the red security gate and the Kunming XXX Hospital sign in the background.
Taken from the main building of XXX Bureau
According to the photos on Ge XXX’s QQ account, he took photos in at least three locations near the main building of the XXX Bureau; see the locations circled in the picture below. The first group is about four photos of a tall building with a very distinctive roof, taken near the basketball court. The second group shows a parking garage with a very distinctive tower in the background. Finally, there is a picture of the courtyard.
What stands out in these photos is that they include the central structure of the base, with a large number of satellite dishes visible on the roof, which is consistent with our assessment: the headquarters building of XXX Bureau in Kunming.
Figure 34- Overview of Troop 7XXX, with the areas marked as possible photo sites
Photos of buildings with special decorations on the roof
All four images of the building appear to have been taken from the same location between November 2011 and March 2013. All four photos were taken and uploaded at 8:30 am on different dates. Because of the different shooting angles, one of the photos (the first one) captured the basketball hoop and backboard and part of the basketball court, which no longer exists at the XXX Bureau headquarters in Kunming.
Figure 35- Taken from the tower of Unit 7XXX, the building has special decorations on the roof
Parking lot and what looks like a water tower
Other photos show a parking lot and several buildings around the base of the Kunming Technical Reconnaissance Bureau. These photos were taken between March and December 2013. Using Google Maps and QQ Street View, we found a structure resembling a water tower.
Figure 36- The parking lot of unit 7XXX is taken. A water tower appears in the background (below three photos). The photo on the right in the middle is a landmark building in QQ Street View
Yard in XXX bureau
On March 3, 2013, Ge XXX took a photo in the courtyard. The style of the courtyard in the photo was consistent with the two courtyards in the middle of the main building of XXX Bureau in Kunming.
Figure 37- Yard in Troop 7XXX
In short, there is enough evidence to establish that Gxxx is Ge XXX and that he belongs to Unit 7XXX. Online social media, his geographic movements and photos, and the address cited above confirm once again that Ge XXX was in Kunming. Ge XXX’s military and academic publications also indicate his PLA (Jiefangjun) status, and the photos he took at the XXX Bureau are strong evidence.
Our assessment is that Ge XXX was in Unit 7XXX to support a technical team and provide them with specialized regional knowledge. According to his academic papers and the XXX degree he earned, Ge is capable of exactly that. Based on his academic qualifications, 10-15 years of military service, and his occasional business trips to Beijing, Chengdu and Nanjing, Ge XXX should be at least a mid-level cadre. Apart from the Naikon C2 infrastructure, there is no indication that he received technical training.
0x04 It can’t be a coincidence – evidence of Ge XXX’s and Unit 7XXX’s involvement in Naikon activities
Our analysis shows a strong link between Ge XXX, Unit 7XXX and Naikon APT activity. In this section we explain why Ge XXX’s background is well suited to supporting the Naikon group’s activities and how Ge XXX’s personal schedule relates to the activity of GXXX.vicp.net. To show that the gxxx.vicp.net domain was not simply hired out, we examined the times at which the domain’s DNS records changed. We also found that Ge XXX’s social media became active whenever there was no activity at GXXX.vicp.net.
The strongest evidence that Ge belonged to Unit 7XXX and participated in Naikon’s activities is the connection between his personal life and Naikon’s activities. We treat Ge XXX’s activity on social media as events in his personal life. Our analysis found that whenever Ge XXX left Kunming, GXXX.vicp.net was offline or parked. We then analyzed five years of passive and active DNS resolution data for the gxxx.vicp.net domain and found that the domain’s resolutions are closely tied to the events, dates and times posted by Ge XXX on social media.
For a clearer comparison, see Figure 38 for the relationship between the activity of GXXX.vicp.net and Ge XXX’s personal life over the past five years.
Figure 38- Infrastructure activities and Ge XXX’s personal life
The red line shows the number of times per day that gXXX.vicp.net changed IP address. The higher the value, the more active the domain, constantly changing IP addresses to avoid detection. As the graph shows, there are four distinct periods: from October 2010 to July 2011 domain activity was high, followed by a decline in activity from October 2011. In June 2014 activity became very frequent again, after which it decreased, with occasional short bursts of very frequent activity.
The blue line shows the cumulative number of unique IP addresses the domain resolved to over the past five years. There is a clear correlation between the red line and the blue line: when the domain is inactive (red line activity decreases), the blue line is flat (no new IP addresses are used), whereas when the domain is active, the blue line rises steadily.
The vertical lines mark several of Ge XXX’s personal events, which clearly line up with the activity of GXXX.vicp.net. We look at each of these events in more detail below.
Year of the Rabbit, Year of the Dragon and year of the snake
The most important part of the Chinese New Year is visiting friends and family. There is not much activity at this time of year for the domain GXXX.vicp.net. The graphs below show the events of 2011 (Year of the Rabbit), 2012 (Year of the Dragon) and 2013 (Year of the Snake). As expected, there was little domain activity during the New Year week. By 2014 the domain had become inactive in general, so there was nothing out of the ordinary about the Chinese New Year periods of 2014 and 2015.
Figure 39- Infrastructure activity during Chinese New Year 2011 (Thursday, 3 February)
Figure 40- Infrastructure activity during Chinese New Year 2012 (Monday, January 23)
Figure 41- Infrastructure activities during Chinese New Year 2013 (Sunday, 10 February)
Of the three examples, 2012 is the most interesting. Chinese New Year fell on January 23. Domain activity decreased for a single day, but it wasn’t long before gxxx.vicp.net came back to life at 10:55 am (Beijing time) on January 27, 2012. The resolution records continued to change until Thursday, February 2, then went quiet for a week, then resumed on Monday, February 6, 2012.
The likely reason is that the U.S. and the Philippines were negotiating military cooperation at the time. On February 26 and 27, 2012, western media such as The New York Times, Reuters and Time magazine reported on the visit of a senior Philippine representative to Washington, D.C. We assess that this event may have caused the Spring Festival holiday to be interrupted and the domain to resume activity.
We acknowledge that the domain’s inactivity during the Chinese New Year period alone does not prove that Ge XXX operated GXXX.vicp.net, since the whole of China is on holiday during this period. To find more conclusive evidence, we selected specific events related to domain activity based on Ge XXX’s online social activity.
In February 2012, the domain name was resolved to an IP address in Beijing
Figure 42- In the area marked by the red bar in the figure, Ge XXX went to Beijing in February 2012; the infrastructure rarely resolved to Beijing IP addresses.
Figure 43- Ge XXX went to Beijing in February 2012
After the Spring Festival, Ge XXX was in Beijing from February 12 to 16, 2012, the area marked by the red bar in the picture. We assumed it was a business trip, and during that time we found that GXXX.vicp.net resolved to a Beijing IP address. Of the nearly 2,500 DNS records, less than 0.5% resolved to Beijing, and a third of those occurred in that period. Combined with Ge XXX’s trip to Beijing, we do not think this is a coincidence.
Ge XXX’s child was born in November 2012
On November 21, 2012, “GXXX” posted a post on Baidu Tieba, asking netizens to help him name his child. When we looked at the resolution activity, we found that there was no activity for the domain name during the eight days from November 21 to 29.
Picture 44- A photo of Ge XXX’s child
Figure 45- Infrastructure activity during the week of the birth of Ge XXX’s child
Taken together with the other evidence, we have to conclude that Ge XXX was involved in the activity of GXXX.vicp.net.
The domain ceased to be active during ancestor worship in 2013
On November 23, 2013, Ge XXX went to worship his ancestors.
Photo 46- Picture posted on QQ
By analyzing GXXX.vicp.net, we found that Ge XXX was still actively using infrastructure in Kunming and Thailand in the week before the ancestor worship on November 23, 2013. On November 23, however, gXXX.vicp.net ceased its activity and was parked in Seoul and Denver. Note that this interval was only 28 hours; after 28 hours the domain was active again. Because the figure below is built from daily resolution counts, the parking of the domain during this period is not fully visible, but the flat line before the event is clearly marked.
Picture 47- Infrastructure activities during Ge XXX’s ancestor worship
While Ge XXX was traveling in the summer of 2014, the domain name was parked
From his QQ updates, we know that he left Kunming for a road trip from June 28 to July 1, 2014. On July 21-22, he took another trip to Nanjing. During these periods, we noticed that the domain was parked in Seoul for four days around June 30 and resumed activity on July 24, after the trip to Nanjing.
Photo 48- Photo taken outside Kunming
Photo 49- During the trip to Nanjing, XXX College on the left and center, XXX Building on the right.
Figure 50- Infrastructure activities during ge XXX’s two trips in summer 2014
Changes at the end of May 2014
So far we have discussed the relationship between short-term changes in GXXX.vicp.net and Ge XXX’s personal life. Overall, however, the domain was active from October 2010 to May 2014, and the cumulative number of associated unique IP addresses grew. The blue line in Figure 15, which shows the trend in the number of IPs, suddenly flattened towards the end of 2014. This significant decrease in the number of new IPs is not unrelated to the overall decrease in activity.
Figure 51- Infrastructure activities around May 19, 2014
One possible explanation is that on May 19, 2014, the U.S. Department of Justice indicted five PLA officers from Unit 6XXX. That same day, ThreatConnect released a detailed report on Naikon’s activities.
Ge XXX’s working hours
Another interesting observation comes from looking at the times at which GXXX.vicp.net changed its DNS records. One possible hypothesis, contrary to our conclusion, is that the person operating gXXX.vicp.net is a freelancer. However, the distribution of DNS record changes in Figure 52 shows that this person’s working hours are very regular. The times in the figure are China Standard Time and closely match Ge XXX’s working hours. For example, domain activity peaks around 9 a.m., slows down at lunchtime, and ends between 6 p.m. and 8 p.m. DNS record changes are spread evenly through the middle of the day, and most of the data falls between 9:00 a.m. and 5:00 p.m.
Figure 52- Resolution activity by time of day, 2010 to 2015
The time-of-day data for other cities such as Bangkok, Denver and Seoul also supports our conclusion and the role of these cities. As mentioned before, Ge XXX’s academic background focuses on Thai politics, and a large number of short-lived resolutions point to Bangkok, second only to Kunming. These resolutions fall mainly on Ge XXX’s working days, generally during a few hours in the morning. It is possible that Ge XXX went to work at 9 am, took control of Naikon’s remote C2 infrastructure via VPN, and manually updated the Oray PeanutHull dynamic DNS clients or set them to resolve automatically to C2 IP addresses in Bangkok, because that is where most of his targets are.
Figure 53- Resolutions by hour of day for Bangkok, Denver and Seoul (China Standard Time), 2010-2015
Bangkok shows the collection activity, while Denver and Seoul show daily time patterns consistent with the normal pattern of domain parking. Most of the resolutions to Denver happen before lunch or just before the end of the working day. Seoul has a larger number of resolutions, spread over a smaller share of the working hours. The situation in Seoul is much the same as in Denver, but some of the resolutions happen earlier. Again, there are many resolutions around noon and before the end of the day, and the maximum deviation is smaller than for Denver.
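The passive-DNS measurements behind Figure 38 (IP changes per day, cumulative unique IPs), Figure 42 (share of resolutions to one city in a date window) and Figures 52/53 (resolutions per hour of day in China Standard Time) can be reproduced from a list of timestamped resolution records. The following is an added example, not code from the report or from ThreatConnect; the hostname, IP addresses and their geolocations are constructed placeholders.

```python
from collections import Counter, OrderedDict
from datetime import datetime, timedelta, timezone

CST = timezone(timedelta(hours=8))  # China Standard Time, the zone used in the report's figures

# Constructed passive-DNS observations for a hypothetical dynamic-DNS C2 hostname
# (placeholder IPs and cities, not values from the report): UTC time, resolved IP, IP geolocation
SAMPLE_PDNS = [
    ("2012-02-10T01:05:00Z", "203.0.113.10", "Bangkok"),
    ("2012-02-10T04:40:00Z", "203.0.113.11", "Bangkok"),
    ("2012-02-11T01:30:00Z", "198.51.100.5", "Kunming"),
    ("2012-02-13T02:15:00Z", "192.0.2.77", "Beijing"),
    ("2012-02-13T09:50:00Z", "192.0.2.78", "Beijing"),
    ("2012-02-14T03:00:00Z", "192.0.2.77", "Beijing"),
    ("2012-02-20T00:10:00Z", "198.51.100.5", "Kunming"),
    ("2012-02-21T12:00:00Z", "203.0.113.10", "Bangkok"),
]

def parse(records):
    """Sort observations and convert their UTC timestamps to CST datetimes."""
    out = []
    for ts, ip, city in records:
        utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append((utc.astimezone(CST), ip, city))
    return sorted(out)

def ip_changes_per_day(records):
    """Figure 38 red line: how often the resolved IP differs from the previous observation, per day."""
    changes, prev = Counter(), None
    for dt, ip, _ in parse(records):
        if prev is not None and ip != prev:
            changes[dt.date().isoformat()] += 1
        prev = ip
    return dict(changes)

def cumulative_unique_ips(records):
    """Figure 38 blue line: running count of distinct IPs by day; a flat stretch means no new IPs."""
    seen, series = set(), OrderedDict()
    for dt, ip, _ in parse(records):
        seen.add(ip)
        series[dt.date().isoformat()] = len(seen)
    return series

def hour_histogram(records, city=None):
    """Figures 52/53: resolutions per CST hour of day, for all records or one geolocated city."""
    hist = Counter(dt.hour for dt, _, c in parse(records) if city is None or c == city)
    return dict(hist)

def city_share(records, city, start, end):
    """Fraction of observations in an inclusive date window that resolved to the given city."""
    window = [r for r in parse(records) if start <= r[0].date().isoformat() <= end]
    return sum(r[2] == city for r in window) / len(window) if window else 0.0
```

On the sample, the Beijing records cluster entirely inside the 12-16 February window while making up only 3 of 8 observations overall, which is the kind of contrast the report draws for Ge XXX's Beijing trip.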
0x05 Conclusion
Given the share of military-grade intelligence in its collection, Unit 7XXX does more than simply extract intelligence from corporate networks, and these cyber intrusions are only one of its collection methods. The gXXX.vicp.net infrastructure we analyzed is just the tip of the iceberg.
Translation source: http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf?t=1443030820943&submissionGuid=81f1c199-859f-41e9-955b-2eec13777720