Project CAMERASHY Details Cyberespionage By China’s Military

King & Spalding

In a story reminiscent of a Tom Clancy plot, the Wall Street Journal reported last Thursday on “meticulously documented” cyberespionage conducted by China’s People’s Liberation Army (“PLA”) Unit 78020 to further strategic Chinese foreign policy objectives in the South China Sea.  The article discusses a joint report by U.S. cybersecurity company ThreatConnect and security consulting firm Defense Group Inc. (“DGI”) entitled Project CAMERASHY: Closing the Aperture on China’s Unit 78020, which is available here.

PLA Unit 78020 also is known as “Naikon” within the information security industry.  According to the Project CAMERASHY report, Naikon uses emails infected with malware to penetrate the networks of diplomatic, economic (including public and private energy organizations), and military targets throughout Southeast Asia.  The report therefore contrasts with recent statements made by Chinese President Xi Jinping before his official State Visit to the White House that China does not engage in cybercrime.  The report is also noteworthy in light of cybersecurity agreements between the United States and China, announced during the State Visit, “that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”  The Project CAMERASHY report’s authors acknowledge “the controversial nature” of their findings, but counter that their conclusions are supported by “detailed infrastructure analysis” and “‘pattern of life’ activities,” including social media activity by a known member of PLA Unit 78020. 

In particular, the report states that Naikon malware included instructions to send stolen data to the Internet domain “greensky27.vicp.net.”  Researchers determined that the majority of “greensky27”-related domain activity over a five-year period could be traced to Kunming, which is the primary operating location of PLA Unit 78020.  The researchers also canvassed social media and found multiple “greensky27” accounts in operation over the past decade that were operated by a known member of PLA Unit 78020.  For example, social media activity on “greensky27” accounts includes photographs from within the military compound where PLA Unit 78020 is located, among other corroborating information.

In sum, the Project CAMERASHY report has been released at a time of heightened tensions between the United States and China regarding cybercrime, including new developments in a significant fingerprint data breach at the U.S. Office of Personnel Management that U.S. investigators privately believe to have been conducted by the Chinese government.  While the Project CAMERASHY report does not suggest that Naikon directly targeted the U.S. government or U.S. businesses, this does not ameliorate the ongoing nature of this threat.

Reporter, Patrick J. Togni, Washington, DC and Charlotte, NC, +1 202 626 2958, ptogni@kslaw.com.
