Crowdstrike's PLA 61486 Report - Using Photoshopped Pictures? No. (Updated 6/16/14 6:45pm)

This post has been updated from the original thanks to some criticism that I received on Twitter for suggesting that Chen's photos were either photoshopped by Chen or taken from somewhere other than the PLA base. That criticism helped me resolve problems that I and others had with Chen's pictures. Here's my update. The original post is below.

UPDATE (6/16/14): Here are Google Earth images which show just how close the Pearl Tower and the Jin Mao tower are (the two illuminated buildings in the background; the World Financial Center is slightly left and behind the Jin Mao tower).

The red line in the above picture originated from the PLA base as seen below.

And here's the full sight path from Google Earth.

Based upon this sight line, the Jin Mao tower and the World Financial Center should appear slightly to the right of the Pearl tower, which is in line with Chen's photo. Therefore my suspicion, and that of others who also felt that Chen had taken the photos from a different location or had doctored them, was wrong.

However, that doesn't change any of the problems that Crowdstrike has in proving its allegation that the person they identified as Chen Ping is responsible for any hacking attacks. As I wrote in my post of June 10th, they failed to prove that Chen Ping, or whatever his real name is, has breached the network of a foreign company while under orders of the PLA. Those failings, and Crowdstrike's failure to even acknowledge them, don't inspire confidence. And while no one likes to have their findings criticized, there aren't nearly enough critical reviewers when it comes to cyber intelligence reports generated by for-profit companies.


(Original post with some edits) There's something wrong with those dramatic pictures of military satellite dishes contained in the Crowdstrike report on Chen Ping and PLA 61486. This is especially troubling since they play such a big role in Crowdstrike's attribution theory.

First, here's the picture from the Crowdstrike report on page 19:
Now here's the original photo from CPYY's online photo album with some labeling provided by one of Taia Global's Hong Kong-based consultants:

Notice that in the original photo you can see the Pearl Tower and the World Financial Center (labeling added). That part of the photo was cropped out of the Crowdstrike version. The distance from the PLA base to the Oriental Pearl Tower is 6.4 km but in the photo they seem to be half that distance.

Furthermore, to have taken this picture from the base, CPYY-Chen would have to be looking West. From that angle, the World Financial Center should be to the right of the Pearl Tower rather than to its left as it is in this photo.

On page 20 of the report, Crowdstrike features another satellite dish photo which shows the Pearl Tower in the background.
As before, the World Financial Center is on the wrong side of the Pearl Tower, which clearly cannot be the case unless this photo was doctored. And if you look at this image at its full size, it really doesn't take a trained eye to see that something isn't quite right. It's almost as if the satellite dish was layered on top of a different picture.


"Crowdstrike, PLA 61486, and the Secret Hacker Language that wasn't"


  1. FWIW, is cpyy a male or female? The profile says male, but these blog entries seem to indicate the writer is female (note pics taken on campus of East China University of Political Science and Law, which is linked to police):

    Here's an entry with pics of cpyy's home, presumably in Kunming/Yuxi:

  2. Come on Jeff, not always a fan of Clownstrike, but there is nothing wrong with the photos, the clock tower is part of an international school (上海市大宁国际小学) and clearly marked in the report. The angles are correct and the Blue Clock tower is there. Driven by it many times, there is a good place for 热干面 and 白酒 right down the street.

