Who is Mr An, and was he working for APT10?

On August 15th 2018 this blog revealed a connection between APT10 and the Tianjin bureau of the Chinese Ministry of State Security (MSS). But the story doesn’t stop with that revelation; analysts working with this blog have continued to investigate every lead provided to us. One such lead has helped us to identify another individual in China connected to APT10. The trail starts with a domain name first published in FireEye’s Poison Ivy Report as a MenuPass (APT10) affiliated domain.

APT10 was managed by the Tianjin bureau of the Chinese Ministry of State Security

In previous posts, Intrusion Truth showed that the Cloud Hopper / APT10 hackers that attacked thousands of global clients of Managed Service Providers (MSPs) in 2016 were based in Tianjin, China.

We identified Zheng Yanbin, Gao Qiang and Zhang Shilong as three actors responsible. We associated them with the Huaying Haitai Science and Technology Development Co Ltd (天津华盈海泰科技发展有限公司) and Laoying Baichen Instruments Equipment Co Ltd in Tianjin China. But we haven’t yet explained who was masterminding or controlling the attacks.

More on Huaying Haitai and Laoying Baichaun, the companies associated with APT10. Is there a state connection?

In the absence of more concrete proof, the 2017 Cloud Hopper report on APT10 relied on timing analysis to make the connection to China. Compile times of executable files and registration times of domains all pointed to work undertaken between 9am and 5pm Beijing time.

If Zheng Yanbin, Gao Qiang and Zhang Shilong were working between 9am and 5pm and managed to orchestrate one of the largest Cyber attacks on western infrastructure of all time, it follows that any company for whom they were working would probably have been involved in the operation.

Who is Mr Gao?

The menuPass Sample

Hidden on Page 24 of the FireEye report referenced in our previous article is the start of a thread that, if pulled, leads to more APT10 individuals. It is a Poison Ivy sample (b08694e14a9b966d8033b42b58ab727d). The sample connects to a C2 server at js001.3322[.]org. Incidentally, the connection password used by the sample is “xiaoxiaohuli”, Chinese for “littlelittlefox” (小小狐狸), a useful data point that helps to confirm the connection to China.

Who is Mr Zheng?

Our story starts with a FireEye report: Poison Ivy – Assessing Damage and Extracting Intelligence. Although the report focuses on the Poison Ivy tool, which has been used by a number of groups, it specifically highlights a number of campaigns known to use it. One of those campaigns is the menuPass group, another name for APT10.

Zheng Yanbin

The report contains a number of e-mail addresses associated with domain names used by the APT10 actors. One of those e-mail addresses, zhengyanbin8@gmail.com, contains a name – Zheng Yanbin.

Who was behind this unprecedented Cyber attack on Western infrastructure?

In late 2016, Cyber threat analysts in PwC and BAE Systems began assisting victims of a new global cyber espionage campaign. They named the campaign Operation Cloud Hopper.

Cloud Hopper turned out to be an attack of unprecedented scale that targeted companies known as “managed IT service providers”, or MSPs. Because MSPs manage the IT systems of hundreds of clients, the technique used by the Cloud Hopper attackers was highly effective – they gained access not only to the sensitive data of the MSPs themselves, but also to their clients globally.
