recommended reading

Man Who May Be a Top Chinese Hacker Likes Grain Alcohol, Heineken

Sang Tan/AP

It turns out Chinese military hackers are way sneakier than anyone had realized. This is evident in a new report (registration required) by a security company called CrowdStrike. Throughout the last seven years, the People’s Liberation Army hackers have baited their targets—including foreign companies and governments involved in the space and satellite industry—with email attachments advertising French yoga retreats, project manager job openings and industry conferences.

While all that is alarming, it’s not exactly surprising. The details of the report that are perhaps more intriguing emerge in the rare glimpse of the day-to-day life of one of its alleged top hackers—from what he did on his birthday to what he likes to get drunk on.

Clearly, it’s not a life of James-Bond-like glamour. The star of the report is “cpyy,” a hacker that CrowdStrike concludes was employed by the PLA whose real name is probably Chen Ping.

(How did CrowdStrike determine this? The report says researchers first traced the domain names associated with the malware to several of cpyy’s email addresses. They then found that’s domain name lists one “Chen Ping” as the registrant, and then found still more domains registered to a Chen Ping being used to control malware. These domains were also registered to the physical address of the Shanghai headquarters of Unit 61486, a hacking division. CrowdStrike found blog and photo sites registered to the name Chen Ping with identical birthdate and occupational info; some featured the same photographs. However, CrowdStrike can’t be certain Chen Ping is the real name of these website owners, nor that the owner is a PLA hacker. Quartz has sent requests for comment to email accounts mentioned in the report, but neither Chen nor cpyy could be reached.)

So who is Chen Ping?

A Shanghai resident who just celebrated his 35th birthday and listed the military as his profession, Chen clearly spends a lot of time online; the researchers found two blogs, a now-defunct Picasa site, and a large body of commentary on the bulletin boards of a car forum. Here he is (photos included in the CrowdStrike report are no longer available online):

hacking china crowdstrike
A portrait of the man believed to be cpyy, found on a Picasa site from 2005.CrowdStrike

He also included images that appear to be shots of his dorm room:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
An image from cpyy’s Picasa folder labeled “dorm.”CrowdStrike

The report focuses on the hats in the background, which appear to be Type 07 PLA Army officer hats. But equally eye-catching are the open Heineken can and 12 bottles of a Chinese rice wine (a.k.a. baijiu) called Erguotou.

Shaken not stirred it ain’t. The Chinese equivalent of Everclear, Erguotou is not only cheap—it costs about 8 yuan ($1.28) for one of those bottles—but it’s more than 60% alcohol. Erguotou may or may not be involved in what Chen tagged as his 2002 birthday:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
Cpyy’s 23rd birthday.CrowdStrike

Based on his Picasa photos, CrowdStrike concludes that Chen may have gotten his start in the PLA pretty young. Here’s a photo from his blog that was tagged “high school,” which seems to involve more rigor than the usual mandatory ROTC-style military trainings:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
An image labelled “high school.”CrowdStrike

A previous profile of an ex-PLA hacker made the lifestyle seems pretty dreary—which Chen Ping’s pics seem to confirm. But that’s evidently not hurting recruitment much.

Just few weeks ago, the US government indicted five PLA members, charging them with hacking US companies and stealing trade secrets. Those guys worked for Unit 61398, whereas CrowdStrike’s report focuses on the work of a totally different unit, Unit 61486. Though they sometimes shared computing resources and communicated with each other, these are just two of the more than 10 elite PLA hacking units (paywall) with distinct missions.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.