recommended reading

Man Who May Be a Top Chinese Hacker Likes Grain Alcohol, Heineken

Sang Tan/AP

It turns out Chinese military hackers are way sneakier than anyone had realized. This is evident in a new report (registration required) by a security company called CrowdStrike. Throughout the last seven years, the People’s Liberation Army hackers have baited their targets—including foreign companies and governments involved in the space and satellite industry—with email attachments advertising French yoga retreats, project manager job openings and industry conferences.

While all that is alarming, it’s not exactly surprising. The details of the report that are perhaps more intriguing emerge in the rare glimpse of the day-to-day life of one of its alleged top hackers—from what he did on his birthday to what he likes to get drunk on.

Clearly, it’s not a life of James-Bond-like glamour. The star of the report is “cpyy,” a hacker that CrowdStrike concludes was employed by the PLA whose real name is probably Chen Ping.

(How did CrowdStrike determine this? The report says researchers first traced the domain names associated with the malware to several of cpyy’s email addresses. They then found that’s domain name lists one “Chen Ping” as the registrant, and then found still more domains registered to a Chen Ping being used to control malware. These domains were also registered to the physical address of the Shanghai headquarters of Unit 61486, a hacking division. CrowdStrike found blog and photo sites registered to the name Chen Ping with identical birthdate and occupational info; some featured the same photographs. However, CrowdStrike can’t be certain Chen Ping is the real name of these website owners, nor that the owner is a PLA hacker. Quartz has sent requests for comment to email accounts mentioned in the report, but neither Chen nor cpyy could be reached.)

So who is Chen Ping?

A Shanghai resident who just celebrated his 35th birthday and listed the military as his profession, Chen clearly spends a lot of time online; the researchers found two blogs, a now-defunct Picasa site, and a large body of commentary on the bulletin boards of a car forum. Here he is (photos included in the CrowdStrike report are no longer available online):

hacking china crowdstrike
A portrait of the man believed to be cpyy, found on a Picasa site from 2005.CrowdStrike

He also included images that appear to be shots of his dorm room:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
An image from cpyy’s Picasa folder labeled “dorm.”CrowdStrike

The report focuses on the hats in the background, which appear to be Type 07 PLA Army officer hats. But equally eye-catching are the open Heineken can and 12 bottles of a Chinese rice wine (a.k.a. baijiu) called Erguotou.

Shaken not stirred it ain’t. The Chinese equivalent of Everclear, Erguotou is not only cheap—it costs about 8 yuan ($1.28) for one of those bottles—but it’s more than 60% alcohol. Erguotou may or may not be involved in what Chen tagged as his 2002 birthday:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
Cpyy’s 23rd birthday.CrowdStrike

Based on his Picasa photos, CrowdStrike concludes that Chen may have gotten his start in the PLA pretty young. Here’s a photo from his blog that was tagged “high school,” which seems to involve more rigor than the usual mandatory ROTC-style military trainings:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
An image labelled “high school.”CrowdStrike

A previous profile of an ex-PLA hacker made the lifestyle seems pretty dreary—which Chen Ping’s pics seem to confirm. But that’s evidently not hurting recruitment much.

Just few weeks ago, the US government indicted five PLA members, charging them with hacking US companies and stealing trade secrets. Those guys worked for Unit 61398, whereas CrowdStrike’s report focuses on the work of a totally different unit, Unit 61486. Though they sometimes shared computing resources and communicated with each other, these are just two of the more than 10 elite PLA hacking units (paywall) with distinct missions.

Threatwatch Alert

Network intrusion / Stolen credentials

85M User Accounts Compromised from Video-sharing Site Dailymotion

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.