Chinese APTs: Interlinked networks and side hustles


As FireEye pointed out on their APT41 overview, there is a high degree of malware and certificate overlaps across Chinese APTs but two in particular stand out as almost identical in their use of malware code – 41 and 17. 

Remember Mr. Zeng Xiaoyong (aka envymask)? As readers will know, we named Zeng as a member of APT17 back in July of 2019. We evidenced his connections to the Chinese hacker group ph4nt0m, his birth place of Sichuan and his university of Nanjing Science and Engineering, where he met and later worked with MSS Officer of the Jinan SSD – Guo Lin. And it appears Zeng Xiaoyong has connections that go even further…

BlackCoffee

Mr. Zeng is credited with creating a specific exploit for the public vulnerability MS08-067. This is associated with ZoxPRC, which evolved into the BLACKCOFFEE malware, a hallmark of APT17 and of Zeng specifically. APT41 are using this same malware in their operations. This specific sharing of malware and exploits speaks to the increasing overlap and coordination of APT groups within China.

EnvyMask and Blackfox

Further digging has also revealed a history between Blackfox and Envymask on a number of hacker forums including CSDN and Github, where Blackfox promotes his ‘codz’ and expresses his gratitude to Envymask and another hacker known only as LuoLuo for their help. 

Blackfox and envymask’s relationship appears to be quite a deep one: they maintain direct contact and Blackfox credits envymask for his guidance and expertise in creating malware exploits. It additionally highlights the overlap between envymask (of APT17 fame) and Blackfox (of APT41 fame), which could go some way to explaining the overlap in malware tools attributed to APT groups emanating from China, and the trouble industry has in grouping APTs by their use of TTPs alone.

ShadowPad

This backdoor RAT, reported by Kaspersky in 2017, was used to facilitate a supply chain attack and is commonly attributed to China. It is considered to be an evolution of PlugX, both of which originated from China and are used by Chinese APTs (APT41 in particular).

PlugX and WHG

AlienVault Labs theorized that “WHG” was the developer of PlugX. And in 2012, Dunham and Melnick wrote about a connection between WHG and Tan Dailin. Tan (as Wicked Rose) credits WHG (aka “fig”) as one of the developers of the GinWui rootkit, which links back to the Network Crack Program Hacker group (which Tan founded).

WHG is known to be the user of QQ 312016, which displays the username Zhao Jibin (赵纪斌). QQ 312016 belongs to another small QQ group (39771264) with just 14 members. A tight-knit circle of like-minded individuals? Of note are 3 other members: Jiang Lizhi, Zhang Haoran and Tan Dailin.

Remember when we mentioned Lu Jian’s membership in a group titled Chinese Communist Party Ministry of Finance (QQ 3391434)? We stated that the owner of this group was QQ 312016 – with the display handle ‘whg’. 

It further highlights the deep interconnectivity and social web these Chinese hackers maintain. But to what degree are the Chinese hackers’ interactions social, and to what degree are their skills and experience directed, coordinated and developed by higher echelons within the CCP?

Cyber Arrests

We did some digging into Zhao Jibin. Once again, he has links back to Sichuan, having attended Xihua University.

We also discovered that there were a number of arrests during Xi’s crackdown on hackers within China in 2015. Notably, an office in Jinan associated with APT17 activity was raided by the local Public Security Bureau. A number of Chinese hackers were arrested. Amongst them were Withered Rose (aka Tan Dailin), Zhao Jibin (aka whg) and Liu Jian (aka Cowardly Sheep 懦羊).

The hackers were getting too big for their boots. Were the arrests a smokescreen? Or were they used to co-opt them into working for the MSS? Either way, it didn’t stop them continuing to support APT17 and 41 operations.

Conclusion

Sichuan province is fast becoming a known hot spot for hacking. 

We believe that rather than APT41 being defined as a group or intrusion set, APT41 is perhaps better described as an interlinked network of Chinese cyber actors sharing malware, expertise and connections. The actors appear to have a high degree of autonomy, which explains the degree of malware and certificate overlap between APT groups emanating from China, and supports the concept of the contractor model. Autonomous cyber criminals ‘bid’ for state resources in exchange for top-level cover, and a blind eye is turned to their criminal activities outside of the 9-9-6 structure, provided their targets are outside the Chinese mainland. Hustling on the side by using state-sponsored tools for their own profit makes us wonder whether the MSS truly has control over the contractors it works with.

According to Chengdu 404 in an interview, ‘They wanted to make a contribution to their home town’. Well, they have certainly done that. They have put Chengdu on the map, not least for China cyber watchers.

We started this article series with reference to a Times article focusing on Tan Dailin and his fellow hackers (formally known as the NCPH). The article ended with a quote from one of the hackers (known only as Fisherman): “Real hackers are not doing it for a name or money. The real hackers keep their heads down, find network loopholes, write killer programmes and live off social security”. An interesting moral high ground to take. We wonder where it all went wrong. 

The people behind Chengdu 404 


In the previous articles, we touched upon Chengdu 404 as a front company. This article serves to focus on the individuals behind the company who have been named by the US as cyber criminals. The indicted trio are: Qian Chuan (钱川), Jiang Lizhi (蒋立志), and Fu Qiang (付强).

Qian Chuan (钱川)

Qian Chuan, alumnus of Sichuan University, is the boss of Chengdu 404. His mugshot shows how much fun he has working at the CCP’s behest…

According to records, he held a 30% share in the company. He likes to come across as a fun boss; after all, providing cake for an employee’s birthday is going above and beyond, isn’t it.

Qian Chuan’s involvement with the Chinese government started before his managerial role in Chengdu 404. Since at least 2010 (according to the indictment) he has been creating software to wipe confidential information from digital media, and supporting efforts by the CCP to monitor and restrict information across Chinese social media platforms. 

Jiang Lizhi (蒋立志)

Jiang Lizhi has a lot of connections and an ineptness that comes with broadcasting sensitive projects. Boasting of his close relationship to the GA ‘Guoanbu’ (MSS), he is recorded on the indictment stating that this ‘provides him with protection’, even from the Ministry of Public Security (MPS). Is it us, or does this sound like a green light to hack for profit, with no repercussions? Hindsight will reveal that the MSS cannot and does not protect its criminal hackers.

Jiang Lizhi was active within the company, attending many of the engagements at local universities in his role as deputy general manager. According to holdings on the company, Jiang held a 20% share in 404.

Blackfox

As mentioned in previous articles in this series, the ‘black’ prefix appears to be a common thread for APT41 hackers. Jiang Lizhi’s handle of Blackfox confirms our assumptions. 

Delving into the internet archives, we found his historic Blackfox blog at fox.he100.com.

The website registrant record evidences Jiang Lizhi as the person behind the website and based in Chengdu. Helpfully, he also provides his handle Blackfox as an additional point of contact.
The blog itself reads like an online diary of a depressed teenager; it is an ‘interesting’ read into the psyche and personality of a Chinese cyber hacker. An online diary of despair some might say. Blackfox talks of his anxiety and how irritable he can become, how lonely he is and how unhappy his actions make him.

An example is this translated post from 2006 where Blackfox talks of moving back to Chengdu and being unemployed.

QQ 6858849

In 2004, a post on CSDN titled ‘ISS_Manager’ detailed points of contact for Blackfox, including a QQ number (6858849) and domain fox.he100.com. As we know, this links back to Blackfox’s blog. The QQ account had the display name 蒋立志 (Jiang Lizhi) as well as Blackfox, and has been active in creating a number of other QQ groups. Most were used for staying in contact with classmates, whilst others refer to businesses Jiang was involved with, including the Chengdu-based online gaming company Blaze Loong Science and Technology (成都炎龙科技有限公司). A number of these QQ accounts are shared groups with other APT41 individuals including Tan Dailin, Qian Chuan and Fu Qiang.

Fu Qiang (付强)

The baby-faced Fu Qiang is the last of our trio. He is head of big data development at Chengdu 404. Just 2 months after the indictment, in November 2020, we noted that standny (his alias) was active online, pushing Chengdu 404 recruitment. Despite less being known about Fu online, he maintains a heavy internet presence on Western social media sites. One such profile is Twitter, which promoted a number of apps for the Apple app store (see our previous article on this and his relation to c0hb1rd).

Blaze Loong Technology Company Ltd. (成都炎龙科技有限公司)

Remember when we mentioned the Blaze Loong QQ account Jiang LiZhi was involved with? It is a gaming company based in Chengdu, and is a wholly owned subsidiary of Zhejiang Huge Leaf Company (浙江翰叶股份有限公司). 

Blaze Loong uses its international marketing platform to import and export gaming products (useful for APT41’s money-making hacking campaign against gaming companies). Yet archived pages show a very different company: a Blaze Loong which used to be a penetration testing and network security management company, providing tailor-made solutions to ‘major government agencies’.

According to the Qichacha company overview, the founder and CEO of Blaze Loong is a Lu Jian (鲁剑). Lu Jian was also the director and vice chairman of Zhejiang Huge Leaf Company.

Chengdu YanLong Technology Company Ltd (成都炎龙科技有限公司)

YanLong is a subsidiary of Blaze Loong Technology Company, bought out in 2009. 

Chengdu YanLong Technology Company was established in 2007, purporting to be a game development and publishing service based in Shanghai, despite being geo-tagged as Chengdu. 

WHOIS information for this domain (bltech.cn) is registered to blackfox@qq.com, which we know is Jiang Lizhi – explaining the QQ groups he set up. 

Records show a Lu Jian (鲁剑) as the legal representative of the company, as well as the executive director, general manager and shareholder.

Lu Jian (鲁剑) and QQ 5238342

We know Lu Jian is heavily involved in a number of companies based in Chengdu which are linked to APT41 actors. He shares membership with Jiang Lizhi and Tan Dailin in a QQ group created by Lizhi. What is more, Lu Jian’s QQ account (QQ 5238342) is the group’s admin.

According to Baidu, Lu Jian was born in 1979 and has been involved in a number of technology companies as a shareholder, legal representative, CEO and founder.

QQ 5238342 (Lu Jian) is also a member of QQ group 3391434, titled the ‘Chinese Communist Party Ministry of Finance’. The owner of this group is QQ 312016, using the alias ‘whg’. You might recognise this alias. We will return to it later. Another alias commonly used with QQ 5238342 adds further support for Lu Jian’s role in APT41’s activity: the use of a black-prefix alias, ‘BlackJack’. The QQ account even used the logo of the Blaze Loong company as its display profile.

There were a number of other usernames associated with this QQ account, including “Blaze Loong Science and Technology – Director Long” (炎龙科技-龙总) and “Long Shaoyang” (龙少杨). Could this be another name for Lu Jian?

A Sina Weibo account for Long Shaoyang identifies him as a male located in Chengdu, Sichuan. Social media further highlights similarities between Long Shaoyang and Lu Jian. They share the same handle (BlackJack), are associated with the same QQ account (5238342), and show the same Blaze Loong display on their social media.

On the 27th July 2013, a Long Shaoyang (龙少杨) attended a gaming and technology conference alongside the Chairman of the Molin Gaming group (mokylin.com). Details from this event reveal that Long is the CEO of Blaze Loong Technology, whilst other press releases refer to Long Shaoyang as the founder of Blaze Loong.

So, we have two names for what appears to be the same person. One is used in business records and another used for public-facing roles. Interesting. Get in touch if you know more.

Liu Jian (刘建)

As mentioned previously, Jiang Lizhi created a number of QQ groups linked to other APT actors. One in particular is named ‘unknow’ (QQ 10930057). Given the small membership of this QQ group and the number of its members we have already found with APT41 links, it stands to reason that the remaining members also have links into APT41.

We followed this through with QQ member 14149038. The username translates to ‘Cowardly Sheep’ but the information shows he is a male engineer living in Chengdu. Note the display picture. This is the logo of Chengdu Anvei – the antivirus software that Tan Dailin created and which served to provide him with media attention in 2012. Referring back to Anvei, registration details highlight that Liu Jian owned more than 10% of the company’s stock. 

Liu is also involved in another company based in Chengdu – the Chengdu Daigen Science and Technology Company (成都戴亘科技公司) where Tan is listed as CEO and Liu as Director. Both of these companies have now ceased operating.

Conclusion

All individuals and companies with links to APT41 have roots back to Chengdu, Sichuan province.

The APT41 actors, along with others we have named in this article series, evidence how wide the reach of the Chinese hacker community goes: they use their connections within the hacker community to progress and share techniques, conducting activity both for the state and for their own personal gain. But what degree of overlap has this created between Chinese APTs? Is the model of grouping malware and personas into categories and APT groups still sustainable for InfoSec researchers, law enforcement officials and those trying to make sense of the APT threat?

Chengdu 404


In our last article, we highlighted the social links between APT41 actors, focusing on two of the five APT41 members: Tan Dailin and Zhang Haoran. Tan and Zhang, along with their other 3 conspirators (more on them tomorrow) worked for a company based in Chengdu’s high-tech zone called Chengdu Si Lingsi (404) Network Technology Company Ltd. (成都市肆零肆网络科技有限公司). Established in 2014, it is better known colloquially as Chengdu 404. 

404 is, as we all know, an error code when a browser cannot connect to a server. The founders claim they wanted to remain hidden and let their work speak. Doesn’t appear to have worked out very well for them…

Umisen.net

Residing at the domain umisen.net (now, ironically, no longer available), Chengdu 404 is one of the first front companies we have come across to have a working, multi-functional website. 404 ran a corporate VPN, presumably to facilitate their international hacking and provide access across the firewall. We also found that Chengdu 404 hosted a login portal sitting behind the public webpage, with a somewhat cryptic adage.

Their website was quite slick. The ‘About Us’ page stated the company was an emerging start-up comprising white-hat hackers offering penetration testing to clients. A useful cover to give the company legitimacy and, simultaneously, access to others’ IP.

As of 2016, 404’s pages are full of positive boasts. One news article talks of a new facial recognition software that Chengdu 404 created and subsequently demonstrated at the Aerospace Institute in Beijing. Curiously, there is no further mention of this technology or its success after this date. 

Facial recognition technology seems at odds with a company known for their work as ‘white hat’ hackers and experience in penetration and network security. 

What is coincidental is that a Japanese company (NEC) had received wide recognition for their technology being a world leader in facial recognition, with similar descriptions to what Chengdu 404 describe theirs to be – a year earlier.

In January 2020, NEC admitted that they had had their data breached. The timing of this intrusion? 2016.

Ironic that the ethos of white hat hackers (who ‘set out to right the wrongs of black hat hackers’ and chase APTs) is the polar opposite of their real activities: APT41 conducting ransomware attacks and stealing IP using front company infrastructure.

C0hb1rd

When you search Chengdu 404 on Google, an interesting hit reveals an individual known as c0hb1rd.

This leads to a profile held on GitHub. The GitHub page does not appear to be active but does contain interesting posts from 2016, specifically referencing umisen networks.

These include a collection of shell scripts automating command line tasks. These scripts allow c0hb1rd to access an internet-facing Linux server using a root account at ‘root@tz.umisen.net’ and remotely download or copy files to his local device.

Furthermore, another repository is uploaded on c0hb1rd’s profile referring to an APKMITM (man in the middle) tool. This targets the interception of Android phones with ARP spoofing, injecting an Android application (hence the APK annotation). The application does DNS redirecting to the umisen domain at port 8080. 

This could be legitimate activity (evidence of online hacking challenges) but our sense is that this is more nefarious, the skull and crossbones being just one indicator… The direct association with Chengdu 404, and c0hb1rd’s tools redirecting traffic and developing remote login access, also add to our suspicions.

Hints to c0hb1rd’s identity suggest he is one of China’s prolific hackers (number 27 to be precise), appearing on China’s 50 best hackers list on WeChall.net.

A profile with the c0hb1rd handle also appears on the gaming platform ‘Steam’. They say you can tell a lot about someone from the company they keep. Well, c0hb1rd keeps some interesting, albeit sparse, company. Amongst his grand total of 7 friends is ‘standny’, the hacker handle for Fu Qiang, an employee and founding member of Chengdu 404 and one of the five indicted by the US last year.

When you click on Standny’s profile, it shows that he is based in China and his only friend is c0hb1rd. A highly personal, social connection, with a joint interest in gaming. Is c0hb1rd another APT41 member? Or could he be a junior associate, caught up in Chengdu 404 activity? This would at least explain the ease with which c0hb1rd uploaded scripts openly to GitHub, his preference for automating shell scripts and his use of annotations on the open web.

A question to ponder: Could c0hb1rd’s MITM tool have been used in standny’s prolific creation of apps given their friendship? Many of standny’s apps have been removed from online download sites. However, a quick scroll of standny’s Twitter highlights just some of these apps being promoted. We would put good money on these apps being unreliable and facilitating third party access.

Local university links

Chengdu 404 has close links to both Sichuan University and Chengdu University of Information Technology, providing internships and teaching the next generation at these schools. A number of the indicted APT41 actors attended Sichuan University (a university known to be linked to Chinese hacking campaigns, as previously noted in 2012 through its links to the Lucky Cat campaign) and appear to have remained involved ever since, forming part of the alumni and donating under a Si Lingsi (404) scholarship.

Chengdu 404 promotes these engagements on their website. Qian Chuan (left) and Jiang Lizhi (right) are pictured in numerous talks and award ceremonies at the universities yet most photos seek to blur their names from the pictures. Too important to document? Or are they wanting to hide due to guilty knowledge?

Having a foothold in local universities is a clever way to secure the youngest, brightest and best talent for government clients. A university recruitment pipeline into the MSS. It begs the question whether these universities knew about Chengdu 404’s remit and the individuals they were engaging with, or whether this was a larger, more coordinated effort by seniors within the security and military sectors to lure in aspiring, unaware and naïve graduates to support APT activity. As we documented on APT40, this is not a unique setup, with APT40 using Hainan University to support their activity.

Summary

Chengdu 404 is directly linked to APT41. Its website boasts of (read: APT41) achievements and work for military and government clientele. 

Chengdu 404’s foothold within local universities points to a larger drive by the MSS to recruit graduate students into its ranks using APT front companies, whether knowingly or unknowingly on the part of the universities themselves.

Tomorrow, we focus on the remaining 3 indicted APT41 members. What will we uncover?

The old school hackers behind APT41


In an FBI indictment released in 2020, it reported five hackers with substantiated links to APT41: all criminal hackers based in Chengdu, Sichuan province. Seems Chengdu is getting somewhat of a hacker reputation. 

Let’s start with arguably the most notorious and well known of these five hackers: Tan Dailin. 

Tan Dailin (谭戴林)

Quite a lot of information is already out there on Tan. We know he was talent-spotted at Sichuan University for his hacking techniques and was subsequently trained by the People’s Liberation Army (PLA – 中国人民解放军).

Tan was a founding member of the Network Crack Program Hacker Group (NCPH), going by the hacker name Wicked Rose. NCPH was a hacker group based out of Zigong, Sichuan with fellow members being current or former students of Sichuan University of Science and Engineering. The NCPH group gained notoriety by carrying out a number of attacks against the Department of Defence in 2006 using the GinWui rootkit, authored by Wicked Rose and another hacker – WHG. Wicked Rose announced in a blog post that the group were paid for their work, but the group’s sponsor was not. We can take an educated guess as to Wicked Rose’s sponsor … It begins with P and ends with A.

Given the plethora of information Tan has disclosed online, he is a hacker who seems to enjoy the limelight. In 2012, he was the subject of an article by KrebsOnSecurity which sought to understand why a Chinese hacker (Tan) was the founder of a Chinese antivirus software (Anvisoft) purporting to be based in Fremont, USA. A domain look-up revealed that Anvisoft was in fact registered to the high-tech zone of Chengdu using the email linked to Tan’s hacker handle wthrose(at)gmail.com and registered using the name tandailin. Five years later, a reporter for Times magazine conducted an interview with Tan noting he was ‘lauded in China for his triumphs in military-sponsored hacking competitions and was unlikely to have problems with local law enforcement’. A man with many connections it seems. Invincible and untouchable, or noisy and dispensable? A fine line to walk.

QQ 903063678

Delving into the many Chinese leaked databases, we came across another QQ: 903063678, which from 2011 held the display name 戴林 (Dailin) as well as the handle ‘BlackWolf’. 

However, the name Dailin linked to a QQ account isn’t much to go off, so we sought to validate our thinking. The identifier linked to this account was used to register a domain: ‘bat.mg’. 

Registration information from this links to someone called ‘Daniel Tan’ in Chengdu, with the number 8613228166666. This number was also used to register ‘huianquan.net’, with details of the registration showing as ‘tandailin’ alongside an associated contact email: tandailin@163.com.

We are confident QQ 903063678 is Tan Dailin. It uses his alias (BlackWolf), and we have an associated number and email. We will see where this goes later on in the series.

Zhang Haoran (张浩然)

Zhang (37 years old, using alias Evilc0de) was named alongside Tan Dailin in the indictment for APT41. He appears to keep a much lower profile than his APT41 colleague. Nevertheless, he is deeply involved in intrusion activity having jointly participated in the conspiracy to target the video gaming industry.

Chengdu Huidong Science and Technology Company (成都慧东科技有限公司)

A technology company based in Chengdu with little internet presence and links to an indicted Chinese hacker. Seems like a classic front company to us. In 2006, Chengdu Huidong Science and Technology Company (成都慧东科技有限公司) stated it had two stakeholders, each with a 50% stake. These were the CEO (Zhang Haoran) and a Supervisor (Zhang Chengwei). 

So who is Zhang Chengwei? Clearly he knows Zhang Haoran well enough to go into business with him, and close enough to work with Zhang to develop cover companies for APT work. 

Zhang Chengwei (张城玮)

There are a number of Zhang Chengweis using QQ. However, one in particular caught our eye: QQ account 878792. This account is a member of several groups which overlap with other indicted APT41 actors, including Tan Dailin. Furthermore, the username associated with the account is ‘b1ackn1ve’.

Another ‘black’ prefix, aligning with Tan Dailin’s use of BlackWolf. Eager readers will note we commented on matching pseudonyms in our previous article series on APT40. Could ‘black’ be indicative of a systemic pattern for APT41 hackers?

B1ackn1ve has also appeared on our radar before, in a TLP:White advisory released in September 2020. This noted the b1ackn1ve@gmail.com email as an indicator of compromise, having been used for an APT41 spearphishing campaign.

So Zhang Chengwei is not only involved with APT41 activity by creating cover companies with Zhang Haoran but his hacker handle associated with his QQ account has been used in an APT41 spearphishing campaign against international victims. 

Summary

The typical model of a front company to hide APT activity is a tried and tested one which APT41 are continuing to prove. The prefix ‘Black’ as a hacker handle might link APT41 actors. Furthermore, shared QQ groups support the social interconnectivity of these criminal actors and they are not shy to ‘boast’ about their connections to the state to support their activity. All have links back to Sichuan. Our next article starts there – in a city we now know very well. Home to Lonely Lantern and APT41: Chengdu.

APT41: A Case Study


As you know, we have been dedicated for some time now to revealing the truth behind state-sponsored, managed or directed intrusion sets. We have learnt more about the way in which the Chinese state conduct their criminal cyber activity and how it has evolved over the years.

Chinese APT groups are aggressive, persistent, and garner a large network of criminal hackers. The Chinese state uses this model to promote their agenda and provide protection to the common cybercriminal. This model is fallible which allows us to promote the truth behind these intrusion sets. 

Nevertheless, the CCP continue to outwardly lie to protect their international and domestic reputation. They do this whilst simultaneously supporting cybercrime and allowing huge networks to profit from its illegal activities. The Chinese state is asserting ‘do what I say, not what I do’.

APT41: What we know

APT41 is a difficult group to pin down/classify/group. It is a group with many names: WICKED PANDA/DOUBLE DRAGON/WICKED SPIDER/WINNTI GROUP, the list appears to go on. 

Early intrusions by APT41 traditionally focussed on the international gaming sector, reusing stolen code-signing certificates for malware distribution. Indicted APT41 actors registered gaming domains which later went on to serve as a means to fraudulently obtain gaming currency (through the Malaysian company SEA Gamer) and establish backdoors into international gaming companies to facilitate the spread of Chinese intrusions.

Their focus on the gaming industry became a tangible lead against the group, with a heavy focus in countries such as Malaysia, Indonesia and Thailand. Timing as always is crucial. This early APT41 activity focused on the gaming industry at a time when the Chinese state was mandating growth in the gaming sector.

Over the past few years, APT41 has evolved. No longer is the focus purely on the gaming industry. Rather we have seen evidence of APT41 creating front companies in the computer and technology sector, claiming to employ pen testers and software developers which all supports the MSS model we have come to know well. It serves their aim of continuing to use highly aggressive techniques to support China’s ambitious development targets alongside State Security Departments. 

As FireEye neatly evidence, APT41 juggle their commitments to the Chinese state in the day (using the 9-9-6 model [9am-9pm, 6 days a week]) whilst hacking for financial gain in the evening. In some cases, using state-level malware across both activity streams. 

APT41 stands out due to its prolific use of non-public malware outside of working hours. They also share this malware with other cyber hackers in China, who work to various regional State Security Departments.

China’s state priorities and subsequent APT41 victims 

The culmination of APT41’s targets point to clear tasking from the Chinese state rather than a criminal entity. It serves to highlight the state’s backing of groups such as APT41 and the degree of coordination behind the scenes. 

For example, APT41’s exfiltration of intelligence from vaccine development and healthcare institutes in order to advance the CCP’s knowledge and gain an illegal, competitive edge. APT41 have taken advantage of the Coronavirus pandemic by hacking COVID-19 research and stealing IP in order to fast-track the Chinese-state’s somewhat questionable vaccine supply. 

Some readers will have noted APT41’s vast victims in the indictment. One of interest to us was NGO16: A non-profit organisation dedicated to alleviating worldwide poverty. APT41 compromised this organisation and put the livelihood of fellow humans at risk. It is increasingly clear the morals of the criminals behind this group are non-existent.

Chinese APTs don’t simply target international companies. They also target their own citizens using malware from big data capture to allow direct oversight of text message logs of high-profile Chinese targets. APT41 have systematically targeted hotels prior to senior officials staying in order to retrieve personal and identifiable information. This sort of direct, timely and specific targeting adds to the body of evidence that the Chinese state outsource at least part of their intrusive surveillance program to criminals within its borders. 

It appears US indictments are not having the same effect as they used to. Back in February, Mandiant reported on APT41 re-compromising US government victims, and using niche animal healthcare apps such as USAHERDS to gain access to intelligence to serve the CCP data machine.

Despite five of the actors being doxed by the US in 2020, APT41 TTPs have continued to pop up on our radar. Their interest recently? Universities.

Recent Targeting

And not just any universities. Universities in locations the CCP are concerned about: Taiwan and Hong Kong.

As already noted in the OSINT community, RouterGod is a known, custom malware tool used by Wicked Panda (APT41). We have observed sustained connections to RouterGod command-and-control servers from multiple IP addresses associated with Hong Kong universities, including the Hong Kong University of Science and Technology and Education Universities

As recently as March 2022, APT41 were using a VPS at Romania-registered IP address 91.238.50.114 to host “watson.misecure.com”. We have seen evidence that they used this domain to compromise National Taiwan University databases using the “xp_cmdshell” extended stored procedure (T1059.003) to execute netstat, process list and network configuration commands, and successfully exfiltrated personally identifiable data on staff, students, and alumni of the university.
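Detection logic for the xp_cmdshell activity described above, as an added example that is not part of the original post. It scans constructed, simplified SQL Server audit-style lines (the line format, the logins, the 10.0.0.x client addresses and the table names are all assumptions) and flags xp_cmdshell being switched on and then used to run netstat, process-list and network-configuration commands, the sequence reported against the university databases.

```python
"""Flag xp_cmdshell enablement and shell-driven host reconnaissance in
SQL Server audit-style log lines (hypothetical helper, not from the post)."""
import re
from dataclasses import dataclass
from typing import Iterable

# Assumed, simplified audit-line format: "<ts> login=<x> client=<ip> stmt=<T-SQL>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+login=(?P<login>\S+)\s+client=(?P<client>\S+)\s+stmt=(?P<stmt>.*)$"
)
# sp_configure 'xp_cmdshell', 1 switches the extended procedure on (it is off by default).
ENABLE_RE = re.compile(r"sp_configure\s+N?'xp_cmdshell'\s*,\s*1", re.IGNORECASE)
# EXEC [master..|master.dbo.]xp_cmdshell '<cmd>'; T-SQL escapes a quote inside as ''.
CALL_RE = re.compile(r"xp_cmdshell\s+N?'((?:[^']|'')*)'", re.IGNORECASE)

# The post reports netstat, a process list and network configuration being run this way.
RECON_TOOLS = {"netstat", "tasklist", "ipconfig", "whoami", "systeminfo", "net", "arp", "route"}
# Tools that move data off the host; bcp in particular dumps query results to a file.
EXFIL_TOOLS = {"bcp", "certutil", "bitsadmin", "curl", "powershell"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    login: str
    client: str
    kind: str  # "enable", "recon", "exfil" or "shell" (any other xp_cmdshell use)
    command: str


def split_shell_chain(command: str) -> list[str]:
    """Split a cmd.exe command line on its chaining operators: &&, ||, & and |."""
    return [part.strip() for part in re.split(r"&&|\|\||[&|]", command) if part.strip()]


def tool_name(segment: str) -> str:
    """Executable name of one chained segment, without directory or .exe suffix."""
    first = segment.split()[0].strip('"')
    first = re.split(r"[\\/]", first)[-1].lower()
    return first[:-4] if first.endswith(".exe") else first


def classify(command: str) -> str:
    """Classify one xp_cmdshell command line by the most serious tool it invokes."""
    tools = {tool_name(seg) for seg in split_shell_chain(command)}
    if tools & EXFIL_TOOLS:
        return "exfil"
    if tools & RECON_TOOLS:
        return "recon"
    return "shell"


def scan(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per xp_cmdshell enablement or invocation, in log order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # unparseable line; a production pipeline would count these
        login, client, stmt = match["login"], match["client"], match["stmt"]
        if ENABLE_RE.search(stmt):
            findings.append(Finding(line_no, login, client, "enable", stmt))
        for raw in CALL_RE.findall(stmt):
            command = raw.replace("''", "'")
            findings.append(Finding(line_no, login, client, classify(command), command))
    return findings


def logins_with_enable_then_recon(findings: list[Finding]) -> list[str]:
    """Logins that enabled xp_cmdshell and later ran recon or exfil commands."""
    first_enable: dict[str, int] = {}
    suspects: set[str] = set()
    for f in findings:
        if f.kind == "enable":
            first_enable.setdefault(f.login, f.line_no)
        elif f.kind in ("recon", "exfil") and first_enable.get(f.login, f.line_no) < f.line_no:
            suspects.add(f.login)
    return sorted(suspects)


# Constructed sample lines in the assumed format; logins, addresses and tables are made up.
SAMPLE_LOG = [
    "2022-03-14T02:11:05Z login=sa client=10.0.0.5 stmt=EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
    "2022-03-14T02:11:06Z login=sa client=10.0.0.5 stmt=EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "2022-03-14T02:11:09Z login=sa client=10.0.0.5 stmt=EXEC master..xp_cmdshell 'netstat -ano'",
    "2022-03-14T02:11:12Z login=sa client=10.0.0.5 stmt=EXEC master.dbo.xp_cmdshell 'tasklist /v & ipconfig /all'",
    "2022-03-14T02:12:30Z login=webapp client=10.0.0.7 stmt=SELECT name, email FROM dbo.Alumni WHERE id = 42",
    "2022-03-14T02:30:00Z login=backupjob client=10.0.0.9 stmt=EXEC xp_cmdshell 'dir C:\\backups'",
    "2022-03-14T02:41:17Z login=sa client=10.0.0.5 stmt=EXEC xp_cmdshell 'bcp \"SELECT * FROM dbo.Staff\" queryout C:\\temp\\s.csv -c -T'",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.kind:<6} login={f.login} client={f.client} cmd={f.command}")
    print("enable-then-recon chain from:", logins_with_enable_then_recon(results))
```

The benign backup job is reported as plain "shell" use, so the rule can be tuned to alert on the enable-then-recon chain rather than on every xp_cmdshell call.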

It appears nothing is off limits to this group. Any and all data is up for grabs.

Summary

We know the CCP uses criminal hackers to do their dirty work. Due to their lack of skill at evading detection, we also have the names of five individuals linked to Chinese intrusion set APT41. 

The contractor model is no longer a neatly packaged, self-contained concept. The continuation of APTs engaging in dual hatting despite this now being public knowledge speaks to the Chinese state turning a blind eye. Repeated for-profit hacking makes it highly unlikely that APT41 is operating without the state’s awareness. And despite being named and shamed in public indictments, this still does not deter the group’s continued hacking of the CCP’s targets – most recently we have reported on this occurring in the education sector, with students, staff and alumni falling victim and their sensitive data stolen to feed the CCP data machine.

APT groups appeal because they are aggressive, dispensable and ‘distanced’ from the state-run organisations that sit behind them. We will continue to shed light on these cracks within the system; it is only a matter of time before this model becomes untenable. There is a lot of good work going on in this field (e.g. the Hearing on China’s Cyber Capabilities in the US) but we need to do more and keep applying the pressure. This is not just a US problem.

The rest of this series will look into who the APT41 indicted actors are. How are they connected and how does this fit into the complex web that is APT41? Stay tuned…

XI JINPING’S DATA HOOVERING

Athletes beware: the 2022 Winter Olympics provide Xi Jinping with a golden opportunity to test his new data hoovering tools. 

Let’s take a look at China’s digital currency, the e-CNY, and how athletes could be tricked into helping the Chinese state fine-tune its latest surveillance weapon.

With Beijing on the world stage, China sees the Winter Olympics as the perfect opportunity to showcase its new digital currency. Issued by the People’s Bank of China (PBoC), the e-CNY is the CCP’s fight-back against Chinese tech giants – and the burgeoning crypto scene – for control of digital payments in China and beyond.

It’s no surprise the PBoC wants a slice of the pie. Since 2019, both WeChat Pay and AliPay – China’s two biggest mobile payment platforms – have had over 1bn active users, accounting for the vast majority of transactions within China. With increasing signs of China’s tech behemoths locking horns with the CCP, it’s clear to see how a mass roll-out of the e-CNY will ramp up the stakes. 

Athletes and their teams from all over the globe will have the opportunity, assuming they are allowed out of their rooms, to splash their virtual cash at a number of shops and restaurants, including athlete favourites such as Nike and…McDonald’s. Athletes simply need to register for and open a digital e-CNY wallet on their mobile phone, and top up their wallet using their international bank account.

But what does Xi Jinping stand to gain from the e-CNY? Aside from his desire to take over the digital currency world, the roll-out of the e-CNY marks the birth of perhaps China’s most potent tool for spying, coercion and social control.

What will happen to my e-CNY data?

As the central regulator, the PBoC will be the entity collecting all your transaction data. This includes details of your mobile device, your account details, location, what you are purchasing and when you are purchasing it. The bank will use the data to improve its “services” to consumers, fine-tuning the digital wallet and hoping to expand the number of vendors which accept the payment system. But the data processing doesn’t stop there…

Once collected, data controlled by the PBoC can then be passed onto Chinese intelligence agencies without warning and without credible justification. While Chinese tech giants have also had to comply with the regulations, handing your data to the PBoC brings it even closer to Chinese state control. It is no secret in China just how closely the PBoC, Ministry of State Security (MSS) and Ministry of Public Security (MPS) work together to maintain the surveillance state. And we’re talking cooperation which stretches a lot further than some anti-money laundering checks…

An e-wallet display at the e-CNY pilot exhibition for the Beijing Winter Olympics (Costfoto/ Barcroft Media via Getty Images)

We know China’s intelligence services love data. They just cannot help themselves. It’s why Chinese state-backed hackers have been caught, named and shamed over and over again. Whether it’s hacking your travel data, your employment data, your academic data, your phone company’s data, or even your private health data, the Chinese state wants it all.

But it is what China’s intelligence services could do with the e-CNY data haul which is truly terrifying. This includes training algorithms to spot “unfavourable” activity, the definition of which appears broad and vague. For illustration, some past examples of unfavourable activity include voting for a Chinese TV contestant too many times, talking about Korean pop music on Weibo, or playing computer games past your bed-time. The Australian think-tank, ASPI, released a piece last year detailing the potential for China to combine the e-CNY with its social credit system. Users of the e-CNY could then be punished for any purchases or financial activity which does not uphold Xi’s “socialist values”. If you fall foul of the e-CNY transaction police, you may one day find yourself on the same naughty step as the millions of Chinese deemed too socially disruptive to use public transport.

And you can be sure Mr Xi has global ambitions for the e-CNY, broadening its utility from a domestic surveillance capability to an international spy tool.

Key to fine-tuning Mr Xi’s latest tech surveillance tool is the collection and processing of masses of financial data. The more data there is to analyse, the quicker the algorithms will be trained to spot the activity the state does not like. So if you are an athlete in Beijing, do yourselves – and Chinese shoppers – a favour: don’t feed Xi’s data beast and ditch the e-CNY wallet on your phone!

An (in)Competent Cyber Program – A brief cyber history of the ‘CCP’

Every so often, we like to take the opportunity to step back from our regular OSINT sleuthing and take stock about why we spend our time doing what we do.

So, we thought we would honour the 100-year anniversary of the Chinese Communist Party (CCP) by pulling together a brief history of how the Chinese cyber programme developed into what it is today and our musings on this trajectory.

Our take on the history of the Chinese Cyber Programme

The First World Hacker War

Cyber is entwined with the real world. Not a particularly ground-breaking statement, but an important one to make. Real-world tensions can spill into the cyber realm, and vice versa. Remember the 2001 China-US tension? To refresh your memory, a US EP-3 aircraft collided with a Chinese F-8 fighter jet and the Chinese pilot was killed. What followed was a sustained DDoS attack against US servers, including defacements of White House and military websites by Chinese hacktivists. US hacktivists retaliated and it became a cyber graffiti war of sorts. What we found interesting is that it wasn’t until the Chinese called out this behaviour as ‘web terrorism’ that the attacks stopped.

China: No longer hiding its strength

Former leader Deng Xiaoping touted the mantra of ‘hide your strength and bide your time’ (韬光隐晦). Well, it seems that time has passed, and with Xi Jinping now at the helm, China is certainly showing its strength on the world stage. China is no longer hiding from the world. 

China has aggressively and consistently built its national cyber program, prioritising education in computer science and technology and creating a recruitment pipeline of graduates from within its universities. Its focus seems to be on offensive capabilities rather than security or intelligence analysis.

As evidenced in our bottom-heavy timeline (seen above), the CCP have increased their scope for hacking and stealing. What is obvious to any observer is that they hack indiscriminately – friends and enemies are fair game. China’s BRI initiative is even considered a driver of cyber activity, which this graphic from Security Affairs neatly highlights.

Tsinghua university IP traffic aligning with BRI initiatives

And their activity is at an industrial scale. This uptick reflects the CCP’s priorities for targeting intellectual property (IP), which have coincided with China’s Five-Year Plans. It is now so common that barely a day goes by without another article reporting Chinese cyber theft. It provides us with lots of rich content though!

Disgruntled Hackers and ties to Academia

Back in 2013, a disgruntled hacker from the PLA (given the name Wang) wrote about his time in the PLA hacking for his country. “My only mistake was that I sold myself out to the country for some minor benefits and put myself in this embarrassing situation,” he wrote on his blog. Few incentives and minimal benefits can lead some to defect and leave. Who knew. We wonder if conditions have changed in China since.

What hasn’t changed however are the links between Chinese hackers and academia. Wang himself co-authored two academic papers whilst at the PLA university. And interestingly, it was this same year that Cyb3rSleuth outed Zhang Changhe. His 9-5 job was as an assistant professor at the PLA Engineering University. Cyb3rSleuth was one of the first public uses of OSINT to attribute Chinese cyber-attacks to named individuals within the Chinese system (having named 10 Chinese hackers in total). Kudos – an inspiration to our platform.

Cyb3rSleuth identifying Zhang Changhe from Chinese social media as a PLA hacker

Further, it was a Tsinghua university (清华大学) IP (self-proclaimed state-owned technological institution) that engaged in network reconnaissance targeting a number of countries actively working with China on their Belt and Road Initiative (BRI) – see image above.

The PLA led the way with cyber hacking back in the 1990s and early 2000s. However, in 2015 there appeared to be a shift within the Chinese government, with the PLA transferring the bulk of cyber operations over to the MSS. After all, when the PLA hack – it’s very clear the direction of activity is coming from within the Party itself. This transfer (at least in the mind of the CCP) enabled plausible deniability following the public indictments of PLA unit 61398 a year earlier. After all, signing cyber agreements with a number of Western countries meant the Chinese military needed to ‘hide their strength’ and fade into the shadows.

Enter the MSS

As dedicated readers will know by now, it is the MSS that we at Intrusion Truth have focussed on for some time. And we do so given their continued support and engagement with criminal hackers. The MSS get something out of this relationship: deniability on the world stage (supposedly). But what do the criminal hackers get out of this? I’m sure some would say ‘security’. After all, the relationship between citizen and the state is deliberately murky. In recent years, there is evidence that China will not prosecute hackers within its borders unless they attack China. However, as indictments have shown, the Chinese state cannot, and do not, protect their own.

China is a vast surveillance state. They monitor everything and everyone. Thus, one could say that their continued denial of Chinese APTs, or cries of rogue actors… is laughable. Chinese APTs leave traces of their activity on the internet. Whether this is due to their naivety, thinking the state will cover their activities, or their inability to understand that the Great Firewall does not actually prevent others connecting to Chinese infrastructure and seeing their mistakes – only they know. Perhaps they have started believing their own propaganda: ‘We are world-leading, stealthy, and advanced threat actors’. Or perhaps they simply do not care? What is evident though is their sloppiness, which is something we are more than willing to highlight, evidence and make public.

State-sponsored theft

Chinese IP theft represents one of the largest transfers of wealth in human history. And their targeting is indiscriminate – from innovation and R&D (rice and corn seeds, software for wind turbines, naval engineering and medical research), to personally identifiable information (PII) and sensitive government documents. Ultimately, anything that provides China an edge is fair game. The methods China uses rely less on physically stealing data, and more on MSS contract hackers being tasked to steal it from within China’s borders.

There is a distinction made between a hacker and a criminal. Some might say one man’s hacker is another’s freedom fighter. Yet there are ethical and moral boundaries which the Chinese continue to violate. Utilising criminals to hack for the state’s bidding, and to do so to steal IP from hard-working companies provides an unfair advantage to prop up Chinese businesses. They can’t be pioneering or forerunners in their own right and seem to have concluded that they need to steal to gain a competitive advantage.  And this is theft condoned and actively encouraged by the Chinese state. A state which is rapidly emerging into a global superpower. It is a powerful message to be sending the world.

Home-grown hēikè

The Wooyun.org shutdown appears to be one of the first events which highlights the CCP’s direction of travel to essentially hoard offensive cyber capabilities by restricting the publication of 0-day vulnerabilities. In a statement on Sina, founder of Qihoo 360 Zhou Hongyi (周鸿祎) stated that it was only ‘imaginary success’ when competing in overseas competitions. Rather, Chinese hackers and their knowledge should ‘stay within China’ so they could recognize the true importance and “strategic value” of the software vulnerabilities. Following this, China restricted travel for Chinese hackers, instead inviting them to compete in the home-grown Tianfu competition. The very same event where the winning vulnerability (Chaos) has been aggressively used to target Uyghurs.

The APT side hustle

An increasing number of reports highlight activity from Chinese APTs deploying ransomware on their victims and hacking for-profit, using the same tactics, tools and occasionally time as their MSS campaigns to conduct this side business. This has included the repurposing of state-sponsored malware in the gaming industry, stealing virtual currencies and selling malicious apps.

A really interesting article on China’s Sina Games portal details an interview with a Chinese hacker. He comments that online games are the most valuable part of the Chinese hacking industry. His reasoning? That security consciousness on China’s internet is weak. Granted, this article is old. But what is interesting is the openness with which a Chinese hacker talks of hacking Chinese netizens for profit. Yet it seems this focus might have changed over the years, with China’s hackers now focusing outside of the Firewall.

The Chinese government is permitting cyber criminals to conduct this activity within its borders. We have evidenced direct involvement of criminal hackers with the MSS, whilst others in the InfoSec community have proven clear Chinese state links to APT intrusion activity.

So, is it tactical toleration on behalf of the MSS to allow these hackers to conduct cybercrime outside of its borders for self-profit? Do the MSS pay their hackers so poorly that they have to let them make money on the side to keep them sweet? Or have the MSS lost control of the criminals it employs to do its dirty work?

We are also seeing greater sharing of tools, techniques and knowledge across Chinese APT groups. This is most evident with Hafnium, where a large number of Chinese APT groups were concurrently and recklessly using the Microsoft Exchange Server (MES) vulnerability. Increased crossover in malware and TTPs points to greater knowledge sharing and a higher level of organisation than what China would have us believe.

Chain of command

As we know, Chinese APTs take direction from the Chinese state. This is a pattern starting with front companies, leading back to MSS contract hackers and ultimately to local and regional MSS bureaus. It is becoming increasingly obvious that there is something more at play here. A cyber campaign of sorts; coordinated, run and tasked by seniors within the MSS?

We have evidenced multiple Chinese APTs which have relationships with MSS officers and are behind global campaigns of cyber hacking. Yet China keeps denying responsibility, crying that claims of their APT activity are ‘baseless with no evidence’… we would recommend our blog as some light reading in this regard.

So, who is leading the Chinese Cyber Programme?

Let’s look upwards. Someone is leading the coordination of China’s cyber campaign. The multiple APTs, appearing across various provinces within China, are all linked by the MSS bureaus sitting behind these groups. And there is one person in charge of the MSS.

One person giving the direction.

One person overseeing the Chinese cyber programme.

That person?

Chen Wenqing (陈文清).

Cyber karma

Beijing come across as powerful within the offensive cyber space. After all, their state is actively, aggressively and successfully sponsoring malign cyber activity against fellow states, private companies, industry and individual people. Yet Beijing also see themselves as vulnerable.

The Cyberspace Administration of China (CAC) is the country’s internet regulator and official body for enacting censorship. Recently, it stepped into the controversy around Didi (the ride-hailing app), ordering it to undergo a cybersecurity review ahead of its IPO in New York. The CAC later released a security-review revision in which it said companies holding personal data on at least one million users must apply for a cybersecurity review before any foreign listings.

Are China’s actions causing reactions? It’s almost as if the Chinese government know that their bulk collection of data on Chinese citizens is contentious. They lead the way in stealing PII from foreign governments and organisations – and the CAC know how powerful this data can be. Did they read our article outing APT10 using Uber receipts and are understandably worried about the vast personal data holdings Didi might reveal on some of their senior officials?

Cyber karma – It is the guilty party that assumes everyone else is doing the same thing as them.

Conclusion

There have been 100 years of the CCP but only 38 years of the MSS. Yet there are a number of questions which remain unanswered (i.e. we’d like more evidence to help answer them, might we say):

  1. Does Xi know what the MSS are doing in cyber space?
  2. Do the CCP understand how their actions undermine the positive narrative China would like the world to believe?
  3. Does the benefit of the Chinese cyber programme outweigh the costs to the Chinese leadership?

Happy Birthday CCP

生日快乐. As our present to you for reaching this auspicious milestone, we promise to stick with you and keep a close eye on what the MSS cyber programme is up to. We will continue to pen more attribution pieces as long as you support your APTs and deny they are working for you.

Psst. Chinese cyber hackers: If you are reading this, please do enjoy our fun quiz we put together. We feel the flowchart neatly leads to the right outcome.

Hello Lionel Richie

An interesting turn of events occurred whilst releasing our article series on Lonely Lantern (the Chinese APT previously with no name, working to the Guangdong SSD).

As most of our readers will be aware, a brand new Twitter account was created to reply to our tweet in advance of the second article, where we exposed Guangdong MSS officer 1 as Zhao Jianfei, working with Li and Dong to support and direct their intrusion activity from Chengdu.

At the time, we noted this post and found it interesting (not least for the gif choice) but put it on the back burner given other investigations and leads we were following up on. However, what piqued our interest further was the fact this account and its comment was later deleted. 

Why would Mr. Ren reach out to us on this public forum and tweet that he is the MSS officer we were looking for? Does he have something he wants to get off his chest? The Twitter bio translates to ‘roaming the streets of Guangzhou’. Seems to fit with the brief of the GSSD. 

We decided to investigate (initially as a bit of fun on a rainy day) but as you will see, it is clear that Ren Yuntao is entwined with Lonely Lantern. 

Here’s what we know.

Ren Yuntao (任云韬)

The Twitter profile is in the name of Ren Yuntao. However, the profile itself is quite sparse, having been created the same month as posting. And it appears he only engaged with us. A keen watcher of our work? A super fan perhaps.

So, apart from being a Lionel Richie fan, what else could we find on Mr Ren? His Twitter profile didn’t give us much so we decided to start at the beginning and where we know hackers from Lonely Lantern reside: Chengdu.

Mr. Ren, it seems, went to the same school as Li Xiaoyu and Dong Jiazhi (the indicted hackers we mentioned in Article 1). Ren studied a Masters program at the University of Electronic Science and Technology of China (UESTC), in Chengdu.

His studies led to him gaining experience in the development of software, defense and forensic analysis of information systems.



Department of Computer Science and Engineering Master’s students at UESTC (124 in total). Ren Yuntao’s name appears eighth along in the third paragraph.

Ren’s Master’s thesis, submitted in December of 2006 is titled “Malicious Code Anti-Detection Technology Research Based on Dynamic Binary Modification” (基于二进制多态变形的恶意代码反检测技术研究). His supervisor whilst completing his studies was Li Yichao (李毅超).

We set about delving into Ren’s thesis to see what we could find (it is quite dry in places and we wouldn’t recommend it as bedtime reading). Yet, there are some interesting nuggets. An example is on page 71. Here, Ren provides his acknowledgement to ‘Pinkeyes’, a ‘famous network security figure within China’, referring to him as his ‘comrade in arms’. An interesting phrase to use.

Later, on page 74, Ren details his research projects and achievements throughout his graduate studies. Of specific note to us was his involvement in the ‘design and realisation of a Sichuan State Security Department (SSSD) programme’.

Highlighted section: Mention of Sichuan SSD in Ren’s thesis

The last accomplishment Ren lists (point 6) is his participation as a ‘core technician in a “major” university project with designator XXX’. Suspicious – a project so sensitive it needs to be redacted but high profile enough to include in a thesis detailing your work achievements…

Following on from his success with sensitive projects and MSS programmes in Sichuan, Ren appears to have been quite busy, staying on at UESTC as a post-grad and publishing two papers. One of which was on the topic of detecting malware on registry Hive files.

Li Yichao (李毅超)

Cited in Ren’s papers and listed as Ren’s supervisor at the UESTC is Li Yichao (李毅超).  It was Mr Ren himself who wrote that Li Yichao gave him the National Network Security programme opportunity. So, who is Li Yichao?

Well, here is his CV.

Given he is an academic, his openness is our advantage. He notes his many plaudits, including ‘winning second prize from a certain ministry of the country’ and states some of his many students have gone on to work for ‘public and national security departments’. Could Ren be one of these individuals? 

Let’s recap: Ren has worked closely with a supervisor who openly talks of his links to government bodies and ministries within China. Ren himself has commented on his time working for the Sichuan State Security Department and other mysterious organisations that require redacted material whilst at UESTC. So what else can we find on Ren following his departure from academia?

Chengdu Jiuyan Technology Company Ltd. (成都九眼科技有限公司)

Also known as Chengdu Nine Eyes Technology Co Ltd., this company was established in July 2018 specialising in technology development, computer software and network engineering.

Two individuals are associated with the company. The first is the supervisor Xu Jiayou (徐嘉幼), holding just 1% of the company. The second is the executive director and general manager Ren Yuntao, with a registered stake of 99% in Chengdu Jiuyan.

The address is listed as Room 1, Floor 1, Building 1, 56 Changjiang East Second Street, Huayang Avenue, Tianfu New District, Chengdu.

Interestingly, there are a number of other companies who also claim to reside in Room 1, Floor 1, Building 1 of 56 Changjiang East Second Street in Chengdu including:

  • Chengdu Hashmai Block Technology Co. Ltd
  • Sichuan Shuanglin Jiayue Property Management Co. Ltd
  • Shuju Chengdu Technology Co. Ltd
  • Douxing Culture Communications Chengdu Co. Ltd
  • Chengdu Yinchi Culture Media Co. Ltd
  • Chengdu Vines Interactive Entertainment Technology Co. Ltd
  • Chengdu Tianfu Hualong Petroleum Co. Ltd
  • Chengdu Renhe Daoyuan Enterprise Management Consulting Co. Ltd
  • Chengdu Jingwei Zhidao Enterprise Management Consulting Co. Ltd
  • Chengdu Feihang Zhiyun Technology Co. Ltd
  • Chengdu Als Technology Co. Ltd
  • Chengdu Aiweili Trading Co. Ltd

That’s a lot of companies to be sharing 1 room.

Given its location, lack of internet presence and the individuals associated with it – a front company springs to mind.

Lingma Information Technology Company Limited (凌码信息技术上海有限公司)

Upon leaving academia, Ren appears to have obtained a job in the private sector as the Head of Information Security at Lingma Information Technology Co. Ltd. Once again, all roads lead back to Chengdu.

This is an extract of a book written by UESTC masters alumnus Xu Sheng from the Network Attack and Defense Lab, to which Ren Yuntao offers his review.


Ren Yuntao book review of 游戏外挂攻防艺术 (The Art of Game Plugin: Attack and Defense) by 徐胜 (Xu Sheng)

Head of Information Security sounds like a grand title. The company Ren worked for (Lingma) is a wholly-owned subsidiary of Singapore’s Nyber company. Nyber was established in 2010 under CEO Zhang Taiyong (张台涌). It is described as a company committed to research and development of high-end technology, with its business scope covering China and overseas regions and its products often being used in government fields.

Lingma has a base in Chengdu. The address is given as Area C, Floor 10, Sector F of the 9th Building of High-Tech Incubation Park, Tianfu Avenue, Gaoxin District, Chengdu. 

Does this address seem familiar? It did to us. It is in the same high tech zone as Chengdu Hanke, the front company created by Dong Jiazhi and exposed in article 1 of our series on Lonely Lantern.


Company profile of Lingma

Just like déjà vu, our searching led us back to UESTC in Chengdu. In 2014, Lingma were advertising positions within its company on the UESTC webpage (www1.cduestc.cn), aiming to recruit system software engineers, interface software engineers, and information security evaluation managers. Could this be where Ren first came across Lingma and led to his career in ‘Information Security’?

Lingma scholarship at SWPU

Further searches around Lingma show the company’s ties to other universities in Chengdu. For example, it provides a scholarship program with Southwest Petroleum University (https://www.swpu.edu.cn/info/1248/1113.html) at an investment of 3000 RMB per year.

Browsing the website for SWPU, there are a number of articles outlining Lingma’s involvement with the university under its scholarship scheme. 

One particular article caught our eye. It was posted on the 9th June 2016, and describes how the scholarship awarding ceremony for the Lingma Scholarship took place a day earlier at SWPU.

It states that the director of the institute, ZHAO Gang (学院院长赵刚), was present at the ceremony and gave a speech to the students. The Deputy Secretary of the institute’s party committee, YU Hui (学院党委副书记余辉) was also present alongside Secretary LIU Xiang from the institute’s group committee, who hosted the event (学院团委书记刘翔). The person representing the Chengdu R&D Centre of the Lingma Company is named as a Mr. Ren Weitao (凌码信息技术有限公司成都研发中心负责人任伟韬先生).

Is it a coincidence that another Mr. Ren also works for the same company as our Mr. Ren? We don’t believe in coincidences. Given that Lingma only has up to 50 staff, and our searches revealed nothing further on any other Rens working for Lingma during this time, it is safe to assume that Ren Weitao is Ren Yuntao. Was the change in name a deliberate attempt to fly under the radar? What was Ren trying to hide?

The last picture in the article is interesting and appears to depict Mr. Ren. The students are proudly displaying their awards. The caption of this group photo describes those in the picture, including the “scholarship-receiving representatives [students], the scholarship-awarding guests [Ren Weitao (任伟韬)] and the leader”.

Disclaimer: We have obfuscated the students in this image due to their lack of involvement in APT activity

Conclusion

So what do we know?

  1. An individual called Ren Yuntao tweeted his implication that he was the MSS officer associated with the APT group (Lonely Lantern) working out of Chengdu and for the Guangdong SSD.
  2. Ren Yuntao attended the same university as the indicted criminal hackers for Lonely Lantern and has worked with the Sichuan SSD whilst at university. His university professor also likes to talk of his close links to the MSS.
  3. Ren Yuntao sets up a front company in Chengdu High-Tech Incubation Park in Tianfu High Tech zone, suspiciously similar to Chengdu Hanke (linked to Dong Jiazhi from Article 1 in this series).
  4. Ren Yuntao works for Lingma and is directly involved with local universities in Chengdu, handing out scholarships to students and providing apprenticeships to support their ‘cyber security’ effort.

If it walks like a duck, and quacks like a duck…

Ren – I know you were keen to talk:

Epilogue

Recap

In our last article, we identified Mr Zhao Jianfei as the MSS officer supporting Chinese hackers Li Xiaoyu and Dong Jiazhi. Mr Zhao works for the Guangdong State Security Department, highlighting the direct support the Chinese government are providing criminal hackers in their illegal activities. We reached out to Mr Zhao for comment, to hear his side of the story, but we did not receive a response.

The bigger picture

It’s been a busy few months for the Chinese hacking community. Hafnium became a global threat almost overnight thanks to the zero-day exploit of the Microsoft Exchange Server compromise. Microsoft attributed Hafnium to the Chinese state. Their indiscriminate scattergun approach to deploying ransomware and infecting thousands of victims was wholly immoral and it is something we continue to monitor – get in touch if you can help.

MSS regional departments recruit Chinese criminals to conduct offensive cyber for the state. We now know this model is evolving, with regional bureaus outsourcing requirements to hackers not simply based in their region, but across the Chinese mainland – sharing expertise between provinces and seemingly working to one, broad model of a criminal, contracted service. Hafnium is a good example of this, with reports showing APTs 40 and 41 are just some of the many Chinese APTs taking advantage of the Exchange Server compromise.

The Chinese Communist Party are using APTs and hackers for hire to do their bidding, something we at Intrusion Truth have been asserting for some time. This was perhaps most noticeable during the COVID crisis, where state-backed Chinese hackers have been seen time and time again – across various regions and provinces, hacking into international companies known for researching and advancing the COVID vaccine – and doing so for malicious gains. Li Xiaoyu and Dong Jiazhi are a prime example of this. Stealing intellectual property and profiteering from the pandemic at a time of global crisis is a new low even for the MSS. 

Victims

The MSS’s choice of victims is interesting to note. It follows a now familiar pattern of Chinese contract hackers stealing IP for the CCP’s interests (COVID research, antiviral drugs, personal information on Chinese dissidents) whilst moonlighting for personal gain.

Mr Li in particular attempted a ransom operation in 2017 according to the indictment, demanding $15,000 in cryptocurrency in exchange for not leaking data. Is the Chinese state turning a blind eye to criminal activities within their borders? Are they supporting and actively tasking this criminal activity? Or is it evidence of the MSS not having as much control as they would like over the criminals they employ?

Denial

As we and many others have documented, China seems to give with one hand, and take with the other. Double standards spring to mind: 笑里藏刀, ‘a knife hidden behind a smile’.

Public criticism of their actions does not seem to have an effect. The Chinese response is simply to deny and bite back harder. Yet we have shown the direct links between these criminal hacking groups and the MSS departments running and supporting them.

In China’s own words, cyberattacks should be ‘unequivocally condemned by all’. Perhaps a lesson out of their own book wouldn’t go amiss…

An APT with no name

These actors and their links to the MSS challenged us. The indictment landed talking of a Chinese group working out of Chengdu. Yet we hadn’t come across them before, nor had we previously noted their connections to the GSSD. Are they part of a bigger, more widely known APT (APT41 perhaps)? Are they simply ‘hackers’ for hire? Either way, it shows how difficult it is to simply partition and package Chinese hackers into APT groups – more so than previously thought.

We wanted to take this moment and suggest a name for these actors. It seems a shame to write about a group such as this without them having an appropriate APT name… Some ideas we at Intrusion Truth came up with:

  1. HYPOCRITICAL DRAGON
  2. LAUGHING DAGGER 
  3. LONELY LANTERN 

Other creative ideas welcome – you know how to get in touch.

Who is Mr. Zhao?

In our last article, we identified a number of front companies used by two Chengdu-based indicted hackers Li Xiaoyu and Dong Jiazhi. 

What struck us when reading the US indictment was the reference to the Guangdong State Security Department (GSSD). As eager readers of Intrusion Truth will note, we discussed the Guangdong SSD in our very first article series and their use of Boysec as a front company. However, we didn’t manage to identify the MSS officers behind APT3. We feel there is unfinished business here and so we set to work to uncover MSS Officer 1.

We started with an address.

GSSD HQ

Why is the Guangdong Province International Affairs Research Centre (GPIARC) interesting? Well, its claim to fame most recently comes from the 2020 indictment, revealing it as a GSSD cover company. The address: Number 5, 6th Crossroad, Upper Nonglin Road, Yuexiu District, Guangzhou, Guangdong Province (越秀区农林上路六横道5号). 

We decided to reach out to our network of contributors, asking about the GPIARC and any previous reference to this company or their known address. We received an interesting response from a trusted source who wishes to remain anonymous. This source, with connections to the Bank of China, was able to provide a number of historic credit card statements sent to the cover address at Upper Nonglin Road. One bank statement in particular stood out.

Zhao Jianfei (赵剑飞)

In the top left corner of the image below, the corresponding address is Unit 5, 6th Crossroad, Upper Nonglin Road, Yuexiu District, Guangzhou. Furthermore, all the transactions appear in Guangzhou, Guangdong.

We know this address is a cover for the GSSD. So whoever is using this address works directly for the GSSD. Who, then, is this MSS officer?

Underneath the address is a single name to which the statement is addressed: Zhao Jianfei (赵剑飞).

Interesting. So, we know Zhao was receiving correspondence about a credit card bill, using the GSSD cover company as the address. It stands to reason that Zhao Jianfei is an MSS officer, working for the Guangdong SSD. Could he be MSS Officer 1?

Asls1027

An FBI flash memo released on the 21st July reveals further information pertaining to the email used by MSS Officer 1 to send Li and Dong zero-day exploits for use in their APT campaign. The memo has redacted the mail provider, but the handle is the bit we need: asls1027.

Remember when we said one statement in particular from the Bank of China was interesting to us?

Well, turns out that Bank of China sent the credit card statement to the personal email of Zhao Jianfei. 

The email address was asls1027@hotmail.com.

Zhao Jianfei is an MSS officer, working for the GSSD and receiving credit card statements to the address of a GSSD cover company. Furthermore, this correspondence was sent to his personal email; the same email account that sent cyber actors a zero-day exploit for use in their illegal activities.

Zhao Jianfei has been directing Li Xiaoyu and Dong Jiazhi by providing them with malware and supporting their APT campaign.

Asls1027’s social media

As we know, humans are biased and often rely on availability heuristics: we tend to choose the least cognitively demanding option. As such, we tend to reuse email handles, passwords and so on. And it appears our Mr. Zhao falls into this category, reusing his handle across multiple social media sites.

Asls1027 has an interest in cars, posting on the car forum autohome.com.cn.

He also maintains a relatively empty yet bizarre Twitter profile. 

However, none of this provided us with any more information on Zhao Jianfei himself. We know he uses the asls handle and his name is Zhao Jianfei, so we decided to get even more creative, and found an interesting profile on Facebook with the stub Asls Zh.

Given the uniqueness of the handle ‘asls’, we strongly believe this profile belongs to our Mr. Zhao. The profile picture was updated in 2014, a similar timeframe to other asls social media posts, as well as Zhao’s credit card activity in Guangdong. Zh = Zhao.

It seems Zhao was born in Xi’an, Shaanxi Province. Also note Asls Zh’s current residence – Guangzhou, in Guangdong Province. The same location as Zhao Jianfei’s credit card statement.

Asls Zh went to the PLA Information Engineering University to study Computer Science. It fits with what we know about MSS Officer 1, and his ability to deploy zero-day exploits to support criminal hackers.

Conclusion

Zhao Jianfei is MSS Officer 1. 

He grew up in Shaanxi, and attended a PLA university studying computer science. He now resides in Guangdong and has been working for the GSSD from at least 2013. An email account linked to his GSSD activity was also used to send Li and Dong malware to advance their APT campaign.

Contract hackers – check. 

Front companies – check.

MSS officer working to the Guangdong State Security Department – check.