Skip to Content

Old fashioned detective work unmasks Chinese military hacker

The word 'password' is pictured on a computer screen in this picture illustration taken in BerlinThe word 'password' is pictured on a computer screen in this picture illustration taken in Berlin

Attribution is difficult in cyberspace. But it’s not impossible.

A report this week from the threat intelligence company ThreatConnect and research firm Defense Group, Inc., shows just how effective good old-fashioned detective work can be. The two paired up, issuing a convincing report that allegedly identifies a Chinese military hacker by face and name: one Mr. Ge Xing, a Thai politics expert and member of Unit 78020 of the People’s Liberation Army of China, a reconnaissance division.

Fortune spoke to Wade Baker, VP of strategy and analytics at ThreatConnect who worked on the report, a couple of days ago. Initially, his team was tipped off to Ge’s alleged illicit activities when they discovered a connection between his social media user names and a malicious domain linked to a hacking campaign targeting China’s neighbors in the South China Sea. Each operated under the same alias: “greensky27.”

Following that lead, Baker’s team continued to dig, looking for more clues, more evidence that might implicate the possible, albeit unassuming, hacker. Eventually, they struck upon a damning correlation: Whenever Ge absconded on vacation, the hacking campaign’s infrastructure went dark. “That’s what sealed the deal,” Baker says. (You can read about that bit in chapter four of the report.)

Ge is, of course, a person. He is, as the Wall Street Journal describes him, “a new father and avid bicyclist who drives a white Volkswagen Golf sedan and occasionally criticizes the government.” There are pictures of him online. He has a family, a job, hobbies. He is not just another faceless cyberthief.

“What I find extremely interesting is that you have this man and machine blend that shows you both sides of the adversary,” Baker said of the report. “A lot of people forget that there’s a person writing that malware, a person controlling that command and control infrastructure.”

We should not forget this point. The so-called cyber world does not exist in a vacuum. It has very real, human operatives. Someone pulls the strings.

To that end, I urge you to check out Fortune’s latest 40 Under 40 list, which we unveiled this week. Three security pros made the cut this year, all tied at no. 21. There’s Alex Stamos, security chief at Facebook; Orion Hindawi, co-founder of Tanium, the world’s hottest cybersecurity startup; and Will Ackerly, a former NSA database architect who decided to devote himself todeveloping a technology to protect the email messages of people around the world. These are just some of the many faces of security. Get to know them.

This essay first appeared in Data Sheet, Fortune’s daily newsletter about the business of technology. Sign up for it here.