The word 'password' is pictured on a computer screen in this picture illustration taken in Berlin
Photograph by Pawel Kopczynski — Reuters

Old fashioned detective work unmasks Chinese military hacker

Sep 26, 2015

Attribution is difficult in cyberspace. But it’s not impossible.

A report this week from the threat intelligence company ThreatConnect and research firm Defense Group, Inc., shows just how effective good old-fashioned detective work can be. The two paired up, issuing a convincing report that allegedly identifies a Chinese military hacker by face and name: one Mr. Ge Xing, a Thai politics expert and member of Unit 78020 of the People’s Liberation Army of China, a reconnaissance division.

Fortune spoke to Wade Baker, VP of strategy and analytics at ThreatConnect who worked on the report, a couple of days ago. Initially, his team was tipped off to Ge’s alleged illicit activities when they discovered a connection between his social media user names and a malicious domain linked to a hacking campaign targeting China’s neighbors in the South China Sea. Each operated under the same alias: “greensky27.”

Following that lead, Baker’s team continued to dig, looking for more clues, more evidence that might implicate the possible, albeit unassuming, hacker. Eventually, they struck upon a damning correlation: Whenever Ge absconded on vacation, the hacking campaign’s infrastructure went dark. “That’s what sealed the deal,” Baker says. (You can read about that bit in chapter four of the report.)

Ge is, of course, a person. He is, as the Wall Street Journal describes him, “a new father and avid bicyclist who drives a white Volkswagen Golf sedan and occasionally criticizes the government.” There are pictures of him online. He has a family, a job, hobbies. He is not just another faceless cyberthief.

“What I find extremely interesting is that you have this man and machine blend that shows you both sides of the adversary,” Baker said of the report. “A lot of people forget that there’s a person writing that malware, a person controlling that command and control infrastructure.”

We should not forget this point. The so-called cyber world does not exist in a vacuum. It has very real, human operatives. Someone pulls the strings.

To that end, I urge you to check out Fortune’s latest 40 Under 40 list, which we unveiled this week. Three security pros made the cut this year, all tied at no. 21. There’s Alex Stamos, security chief at Facebook; Orion Hindawi, co-founder of Tanium, the world’s hottest cybersecurity startup; and Will Ackerly, a former NSA database architect who decided to devote himself todeveloping a technology to protect the email messages of people around the world. These are just some of the many faces of security. Get to know them.

This essay first appeared in Data Sheet, Fortune’s daily newsletter about the business of technology. Sign up for it here.

All products and services featured are based solely on editorial selection. FORTUNE may receive compensation for some links to products and services on this website.

Quotes delayed at least 15 minutes. Market data provided by Interactive Data. ETF and Mutual Fund data provided by Morningstar, Inc. Dow Jones Terms & Conditions: S&P Index data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Terms & Conditions. Powered and implemented by Interactive Data Managed Solutions