Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward

Old fashioned detective work unmasks Chinese military hacker

September 26, 2015, 9:33 PM UTC
The word 'password' is pictured on a computer screen in this picture illustration taken in Berlin
The word 'password' is pictured on a computer screen in this picture illustration taken in Berlin May 21, 2013. The Financial Times' website and Twitter feeds were hacked May 17, 2013, renewing questions about whether the popular social media service has done enough to tighten security as cyber-attacks on the news media intensify. The attack is the latest in which hackers commandeered the Twitter account of a prominent news organization to push their agenda. Twitter's 200 million users worldwide send out more than 400 million tweets a day, making it a potent distributor of news. REUTERS/Pawel Kopczynski (GERMANY - Tags: CRIME LAW SCIENCE TECHNOLOGY) - RTXZUYO
Photograph by Pawel Kopczynski — Reuters

Attribution is difficult in cyberspace. But it’s not impossible.

A report this week from the threat intelligence company ThreatConnect and research firm Defense Group, Inc., shows just how effective good old-fashioned detective work can be. The two paired up, issuing a convincing report that allegedly identifies a Chinese military hacker by face and name: one Mr. Ge Xing, a Thai politics expert and member of Unit 78020 of the People’s Liberation Army of China, a reconnaissance division.

Fortune spoke to Wade Baker, VP of strategy and analytics at ThreatConnect who worked on the report, a couple of days ago. Initially, his team was tipped off to Ge’s alleged illicit activities when they discovered a connection between his social media user names and a malicious domain linked to a hacking campaign targeting China’s neighbors in the South China Sea. Each operated under the same alias: “greensky27.”

Following that lead, Baker’s team continued to dig, looking for more clues, more evidence that might implicate the possible, albeit unassuming, hacker. Eventually, they struck upon a damning correlation: Whenever Ge absconded on vacation, the hacking campaign’s infrastructure went dark. “That’s what sealed the deal,” Baker says. (You can read about that bit in chapter four of the report.)

Ge is, of course, a person. He is, as the Wall Street Journal describes him, “a new father and avid bicyclist who drives a white Volkswagen Golf sedan and occasionally criticizes the government.” There are pictures of him online. He has a family, a job, hobbies. He is not just another faceless cyberthief.

“What I find extremely interesting is that you have this man and machine blend that shows you both sides of the adversary,” Baker said of the report. “A lot of people forget that there’s a person writing that malware, a person controlling that command and control infrastructure.”

We should not forget this point. The so-called cyber world does not exist in a vacuum. It has very real, human operatives. Someone pulls the strings.

To that end, I urge you to check out Fortune’s latest 40 Under 40 list, which we unveiled this week. Three security pros made the cut this year, all tied at no. 21. There’s Alex Stamos, security chief at Facebook; Orion Hindawi, co-founder of Tanium, the world’s hottest cybersecurity startup; and Will Ackerly, a former NSA database architect who decided to devote himself todeveloping a technology to protect the email messages of people around the world. These are just some of the many faces of security. Get to know them.

This essay first appeared in Data Sheet, Fortune’s daily newsletter about the business of technology. Sign up for it here.