Japanese police say Tick APT is linked to Chinese military

Japanese law enforcement believes a group of hackers linked to the Chinese military are behind a broad cyber-espionage campaign that has breached more than 200 Japanese companies and organizations since at least 2016.

Citing unidentified sources in a police investigation, multiple local media outlets reported today that Tokyo police had identified a 30-year-old Chinese national and a Chinese student who have helped the hackers in their attacks.

News agencies such as the Yomiuri Shimbun, Nikkei, NHK, and The Mainichi said the suspects used fake IDs to register web servers between 2016 and 2017.

The servers were later used by a Chinese hacker group known as Tick to launch attacks against Japanese companies and research institutes active in the aviation and national defense sectors.

The only victim identified by Japanese investigators was the Japan Aerospace Exploration Agency (JAXA), which is Japan's NASA equivalent.

The two suspects have left Japan after being questioned by Tokyo police, but officials plan to refer the case to Tokyo prosecutors and seek their formal arrest.

Tick APT formally linked to Chinese military

The reports in Japanese media today are also the first time that anyone has linked the Tick advanced persistent threat (ATP) group to China's military.

Local media reported that the Tick APT was taking orders from Chinese People's Liberation Army (PLA) Unit 61419, operating from the eastern Chinese city of Qingdao, in the Shandong Province—an uncharacteristically precise attribution.

However, threat analysts for Recorded Future's Insikt Group told The Record that the attribution to a specific PLA unit was most likely based on older Chinese military intelligence collected before the recent military reforms and restructurings that have taken place across China in the mid-2010s.

Nonetheless, Insikt Group researchers said that while an exact attribution to a specific PLA unit might be tricky in the context of these reforms, the Tick group has been suspected of operating on behalf of the Chinese military for a while now.

"The group has maintained a very tight regional focus on defense and military targets within the Korean peninsula and Japan, which aligns with the suspected operational tasking of Unit 61419 prior to the restructuring of the PLA," the Insikt Group told The Record, confirming reports in Japanese media.

Tick now becomes the second Chinese APT group that has been linked to the Chinese Shandong province. A previous report linked the APT17 group to the Jinan bureau of the Chinese Ministry of State Security (MSS).