recommended reading

Man Who May Be a Top Chinese Hacker Likes Grain Alcohol, Heineken

Sang Tan/AP

It turns out Chinese military hackers are way sneakier than anyone had realized. This is evident in a new report (registration required) by a security company called CrowdStrike. Throughout the last seven years, the People’s Liberation Army hackers have baited their targets—including foreign companies and governments involved in the space and satellite industry—with email attachments advertising French yoga retreats, project manager job openings and industry conferences.

While all that is alarming, it’s not exactly surprising. The details of the report that are perhaps more intriguing emerge in the rare glimpse of the day-to-day life of one of its alleged top hackers—from what he did on his birthday to what he likes to get drunk on.

Clearly, it’s not a life of James-Bond-like glamour. The star of the report is “cpyy,” a hacker that CrowdStrike concludes was employed by the PLA whose real name is probably Chen Ping.

(How did CrowdStrike determine this? The report says researchers first traced the domain names associated with the malware to several of cpyy’s email addresses. They then found that’s domain name lists one “Chen Ping” as the registrant, and then found still more domains registered to a Chen Ping being used to control malware. These domains were also registered to the physical address of the Shanghai headquarters of Unit 61486, a hacking division. CrowdStrike found blog and photo sites registered to the name Chen Ping with identical birthdate and occupational info; some featured the same photographs. However, CrowdStrike can’t be certain Chen Ping is the real name of these website owners, nor that the owner is a PLA hacker. Quartz has sent requests for comment to email accounts mentioned in the report, but neither Chen nor cpyy could be reached.)

So who is Chen Ping?

A Shanghai resident who just celebrated his 35th birthday and listed the military as his profession, Chen clearly spends a lot of time online; the researchers found two blogs, a now-defunct Picasa site, and a large body of commentary on the bulletin boards of a car forum. Here he is (photos included in the CrowdStrike report are no longer available online):

hacking china crowdstrike
A portrait of the man believed to be cpyy, found on a Picasa site from 2005.CrowdStrike

He also included images that appear to be shots of his dorm room:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
An image from cpyy’s Picasa folder labeled “dorm.”CrowdStrike

The report focuses on the hats in the background, which appear to be Type 07 PLA Army officer hats. But equally eye-catching are the open Heineken can and 12 bottles of a Chinese rice wine (a.k.a. baijiu) called Erguotou.

Shaken not stirred it ain’t. The Chinese equivalent of Everclear, Erguotou is not only cheap—it costs about 8 yuan ($1.28) for one of those bottles—but it’s more than 60% alcohol. Erguotou may or may not be involved in what Chen tagged as his 2002 birthday:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
Cpyy’s 23rd birthday.CrowdStrike

Based on his Picasa photos, CrowdStrike concludes that Chen may have gotten his start in the PLA pretty young. Here’s a photo from his blog that was tagged “high school,” which seems to involve more rigor than the usual mandatory ROTC-style military trainings:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
An image labelled “high school.”CrowdStrike

A previous profile of an ex-PLA hacker made the lifestyle seems pretty dreary—which Chen Ping’s pics seem to confirm. But that’s evidently not hurting recruitment much.

Just few weeks ago, the US government indicted five PLA members, charging them with hacking US companies and stealing trade secrets. Those guys worked for Unit 61398, whereas CrowdStrike’s report focuses on the work of a totally different unit, Unit 61486. Though they sometimes shared computing resources and communicated with each other, these are just two of the more than 10 elite PLA hacking units (paywall) with distinct missions.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.