Attribution is difficult in cyberspace. But it’s not impossible.
A report this week from the threat intelligence company ThreatConnect and research firm Defense Group, Inc., shows just how effective good old-fashioned detective work can be. The two paired up, issuing a convincing report that allegedly identifies a Chinese military hacker by face and name: one Mr. Ge Xing, a Thai politics expert and member of Unit 78020 of the People’s Liberation Army of China, a reconnaissance division.
Fortune spoke to Wade Baker, VP of strategy and analytics at ThreatConnect who worked on the report, a couple of days ago. Initially, his team was tipped off to Ge’s alleged illicit activities when they discovered a connection between his social media user names and a malicious domain linked to a hacking campaign targeting China’s neighbors in the South China Sea. Each operated under the same alias: “greensky27.”
Following that lead, Baker’s team continued to dig, looking for more clues, more evidence that might implicate the possible, albeit unassuming, hacker. Eventually, they struck upon a damning correlation: Whenever Ge absconded on vacation, the hacking campaign’s infrastructure went dark. “That’s what sealed the deal,” Baker says. (You can read about that bit in chapter four of the report.)
Ge is, of course, a person. He is, as the Wall Street Journal describes him, “a new father and avid bicyclist who drives a white Volkswagen Golf sedan and occasionally criticizes the government.” There are pictures of him online. He has a family, a job, hobbies. He is not just another faceless cyberthief.
“What I find extremely interesting is that you have this man and machine blend that shows you both sides of the adversary,” Baker said of the report. “A lot of people forget that there’s a person writing that malware, a person controlling that command and control infrastructure.”
We should not forget this point. The so-called cyber world does not exist in a vacuum. It has very real, human operatives. Someone pulls the strings.
To that end, I urge you to check out Fortune’s latest 40 Under 40 list, which we unveiled this week. Three security pros made the cut this year, all tied at no. 21. There’s Alex Stamos, security chief at Facebook; Orion Hindawi, co-founder of Tanium, the world’s hottest cybersecurity startup; and Will Ackerly, a former NSA database architect who decided to devote himself to developing a technology to protect the email messages of people around the world. These are just some of the many faces of security. Get to know them.
Robert Hackett
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber, PGP encrypted email, or however you (securely) prefer. Feedback welcome.
THREATS
China and U.S. pledge against cyber theft. During Chinese president Xi Jinping’s first state visit, he and president Obama vowed not to engage in economic espionage in cyberspace. “The question now is are words followed by actions?” Obama afterward said. (Washington Post)
Chinese military hacker outed. A report published this week allegedly revealed the identity of a man—Ge Xing—behind a major state-sponsored hacking campaign in the South China Sea. Uncomfortably, the news arrived amid Chinese president Xi Jinping’s tour the U.S. (Wall Street Journal, Fortune)
Cyber investments surge despite market flux. Venture capital has been flowing into security startups at a wild pace, even at times when the stock market has been unstable. The number of firms raising funding rounds in the $100 million dollar range continues to grow. (Reuters)
French startup offers iPhone hacking prize. Security exploit brokerage firm Zerodium has announced that it will pay anyone who can crack Apple’s latest iOS 9 operating system a $1 million reward. The firm says it sells these secret tools to spy agencies and corporations. (Fortune)
CloudFlare raises $110 million. The networking and cybersecurity startup counts Fidelity Investments, Google Capital, Microsoft, Baidu, and Qualcomm Ventures among the investors in its latest round of funding. The firm has set its sight on a potential IPO. (Fortune)
British spying program details revealed. About seven years ago, a British intelligence agency began a surveillance program called "karma police." Newly disclosed leaked documents from the NSA whistleblower Edward Snowden shed light on the electronic eavesdropping initiative. (Intercept)
Cisco router attack affects hundreds. At first reported to have infected only 14 routers, the data-stealing “SYNful Knock” malware campaign appears to have compromised nearly 200 routers, according to a new report. Businesses in the U.S are the primary target, followed by ones in India. (Fortune)
Share today's Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/
Looking for previous Data Sheets? Click here.
ACCESS GRANTED
Fortune insider and VP of security initiatives at IBM Shelley Westman explains why women are missing out on tech's fastest-growing field.
"The shortage of women in cybersecurity struck home when I recently attended a conference at New York University’s Polytechnic School of Engineering, held to promote cybersecurity careers among female high school and college students. The young women I met had a passion for computer science, but were discouraged to go into cybersecurity by their friends at school. Their peers didn’t see the mysterious, male-dominated culture of cybersecurity as a place where girls belonged." Read the rest on Fortune.com.
TREATS
Hey, AI. Please don't kill us. (Hopes & Fears)
Daft Punk documentary. Harder, better, faster, stronger humans. (BBC Worldwide)
5 hack facts. Health care is target no. 1. (Fortune)
Interactive neurons. Fire away! (Nicky Case blog)
World games. A replacement for war? (Nautilus)
FORTUNE RECON
No, e-book sales are not falling, despite what publishers say by Mathew Ingram
What the Volkswagen scandal says about the rise of Tesla by Levi Tillemann
How John Boehner's pro-business agenda got derailed by Tory Newmyer
ONE MORE THING
Keep your eyes peeled for the super blood moon! This rare type of lunar eclipse won't appear again till 2033. (NASA)
EXFIL
"Inevitably someone in a high risk situation like me is going to get owned."
NSA secret-leaker Edward Snowden, responding to a question about why he doesn't seem to blog or use social media. He is concerned about revealing personal information—although he doesn't believe his operational security measures are foolproof, he said. The whistleblower also teased that he may participate "in a more open and active manner in the near future." (Fusion)
