Cybersecurity

Man Who May Be a Top Chinese Hacker Likes Grain Alcohol, Heineken

Sang Tan/AP

It turns out Chinese military hackers are way sneakier than anyone had realized. This is evident in a new report (registration required) by a security company called CrowdStrike. Throughout the last seven years, the People’s Liberation Army hackers have baited their targets—including foreign companies and governments involved in the space and satellite industry—with email attachments advertising French yoga retreats, project manager job openings and industry conferences.

While all that is alarming, it’s not exactly surprising. The details of the report that are perhaps more intriguing emerge in the rare glimpse of the day-to-day life of one of its alleged top hackers—from what he did on his birthday to what he likes to get drunk on.

Clearly, it’s not a life of James-Bond-like glamour. The star of the report is “cpyy,” a hacker that CrowdStrike concludes was employed by the PLA whose real name is probably Chen Ping.

(How did CrowdStrike determine this? The report says researchers first traced the domain names associated with the malware to several of cpyy’s email addresses. They then found that cpyy.net’s domain name lists one “Chen Ping” as the registrant, and then found still more domains registered to a Chen Ping being used to control malware. These domains were also registered to the physical address of the Shanghai headquarters of Unit 61486, a hacking division. CrowdStrike found blog and photo sites registered to the name Chen Ping with identical birthdate and occupational info; some featured the same photographs. However, CrowdStrike can’t be certain Chen Ping is the real name of these website owners, nor that the owner is a PLA hacker. Quartz has sent requests for comment to email accounts mentioned in the report, but neither Chen nor cpyy could be reached.)

So who is Chen Ping?

A Shanghai resident who just celebrated his 35th birthday and listed the military as his profession, Chen clearly spends a lot of time online; the researchers found two blogs, a now-defunct Picasa site, and a large body of commentary on the bulletin boards of a car forum. Here he is (photos included in the CrowdStrike report are no longer available online):

hacking china crowdstrike
A portrait of the man believed to be cpyy, found on a Picasa site from 2005.CrowdStrike

He also included images that appear to be shots of his dorm room:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
An image from cpyy’s Picasa folder labeled “dorm.”CrowdStrike

The report focuses on the hats in the background, which appear to be Type 07 PLA Army officer hats. But equally eye-catching are the open Heineken can and 12 bottles of a Chinese rice wine (a.k.a. baijiu) called Erguotou.

Shaken not stirred it ain’t. The Chinese equivalent of Everclear, Erguotou is not only cheap—it costs about 8 yuan ($1.28) for one of those bottles—but it’s more than 60% alcohol. Erguotou may or may not be involved in what Chen tagged as his 2002 birthday:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
Cpyy’s 23rd birthday.CrowdStrike

Based on his Picasa photos, CrowdStrike concludes that Chen may have gotten his start in the PLA pretty young. Here’s a photo from his blog that was tagged “high school,” which seems to involve more rigor than the usual mandatory ROTC-style military trainings:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
An image labelled “high school.”CrowdStrike

A previous profile of an ex-PLA hacker made the lifestyle seems pretty dreary—which Chen Ping’s pics seem to confirm. But that’s evidently not hurting recruitment much.

Just few weeks ago, the US government indicted five PLA members, charging them with hacking US companies and stealing trade secrets. Those guys worked for Unit 61398, whereas CrowdStrike’s report focuses on the work of a totally different unit, Unit 61486. Though they sometimes shared computing resources and communicated with each other, these are just two of the more than 10 elite PLA hacking units (paywall) with distinct missions.

Threatwatch Alert

Data dump / Unauthorized use of user privileges / User accounts compromised

Nude photos of Jennifer Lawrence, Kate Upton, Other Female Hotties Emerge Online

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
// 3:38 PM ET
X CLOSE Don't show again

Like us on Facebook