
Japanese police link hacking group Tick to Chinese military

Japanese law enforcement officials believe that the Tick hacking group, linked to the Chinese military, is behind a massive cyber-espionage campaign in which more than 200 Japanese companies and organizations have been hacked since 2016.

Various news agencies in the country, including Yomiuri Shimbun, Nikkei, NHK and The Mainichi, said the suspects used fake IDs to register web servers between 2016 and 2017.

“Tokyo police contacted a 30-year-old Chinese citizen, a student who helped hackers in these attacks. It is also reported that the two suspects have already left Japan after interrogations, but officials plan to refer the case to the prosecutor’s office and seek their official arrest,” the Japanese media write, citing their own sources.

The aforementioned servers were subsequently used by a Chinese hacker group known as Tick to attack Japanese companies and research institutions in the aviation and national defense fields.

At the same time, the only known victim that the Japanese investigators were able to identify is the Japan Aerospace Research Agency (JAXA).

Interestingly, this is the first time that someone has linked the Tick group to the Chinese military. The Japanese media write that the hackers acted on the orders of Unit 61419 of the People’s Liberation Army of China, operating from the Chinese city of Qingdao in Shandong province.

Recorded Future analysts point out that the information about the connection with a specific PLA unit is most likely based on old data about Chinese military intelligence collected in the mid-2010s, before the recent military reforms and restructuring that took place in the country.

But while attribution to a specific PLA unit may be incorrect, researchers say that overall the Tick group has been suspected of “working” for the Chinese military for some time.

“The group has maintained a very tight regional focus on defense and military targets within the Korean peninsula and Japan, which aligns with the suspected operational tasking of Unit 61419 prior to the restructuring of the PLA,” the Insikt Group says, confirming the reports in the Japanese media.

As a reminder, we previously wrote that Chinese hackers took part in attacks on SolarWinds clients and that the FireEye CEO blamed Chinese hackers for indiscriminate cyberattacks on Microsoft Exchange.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
