Encore! APT17 hacked Chinese targets and offered the data for sale

Encore! APT17 hacked Chinese targets and offered the data for sale

We started this story with Guo Lin (郭林), identified to us as an MSS Officer. We showed that he had personal links to a number of companies and individuals involved in Cyber security, at least one of whom helped develop a key tool used by APT17. We have also shown direct links between Guo Lin’s company Antorsoft and the Chinese Ministry of State Security.

But what were APT17 really doing? We know from media coverage in our part of the world that APT17 hacked a number of targets in the West and did untold damage. What isn’t well known is that they were also hackers for hire, acquiring data and selling it for profit.

Continue reading “Encore! APT17 hacked Chinese targets and offered the data for sale”

APT17 is run by the Jinan bureau of the Chinese Ministry of State Security

APT17 is run by the Jinan bureau of the Chinese Ministry of State Security

In previous articles we identified Jinan Quanxin Fangyuan Technology Co. Ltd. ( 济南全欣方沅科技有限公司), Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司), Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司) and RealSOI Computer Network Technology Co. Ltd. (瑞索计算机网络科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan.

We also identified two hackers from Jinan – Wang Qingwei (王庆卫), the representative of the Jinan Fanglang company and Zeng Xiaoyong (曾小勇) the individual behind the online profile ‘envymask’.

Continue reading “APT17 is run by the Jinan bureau of the Chinese Ministry of State Security”

Who is Mr Zeng?

Who is Mr Zeng?

In previous articles we identified Jinan Quanxin Fangyuan Technology Co. Ltd. (济南全欣方沅科技有限公司), Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司) and Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan. We also identified an IT Security expert from Jinan, Wang Qingwei (王庆卫), as the representative of the Jinan Fanglang company. Another, potentially separate, individual goes by the name ‘iamjx’.

The identification of further individual in Jinan requires us to follow the trail from what we believe to be a fourth front company.

Continue reading “Who is Mr Zeng?”

Who is Mr Wang?

Who is Mr Wang?

In our last article we identified Jinan Quanxin Technology Co. Ltd. (济南全欣方沅科技有限公司) and the Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan.

Jinan Fanglang Information Technology Company

As disclosed previously by this blog, the antorsoft[.]com domain name listed the main address for Jinan Quanxin Fangyuan as 238, Jing Shi Dong Lu, Jinan, China.

Continue reading “Who is Mr Wang?”

Who is Mr Guo?

Who is Mr Guo?

In our last post, we stated that a source whose identity we had verified had named an MSS Officer in Jinan who was believed to be involved in Cyber operations. We are now in a position to reveal that the name provided to us is 郭林 (Guo Lin). Open source research conducted by analysts working for Intrusion Truth quickly revealed a potential candidate for Guo Lin.

Guo Lin, Masters Student

An IT security paper from 2007 called ‘基于多维角度的攻击分类方法‘ (Method of Classifying Attacks Based on Multi-dimension) was authored by a Guo Lin in which he described himself as a Masters student conducting research into network and information security and malicious code detection. Guo was a Computer Science student at Nanjing University (not Jinan), making it uncertain whether he is indeed the same individual in Jinan named in our tip.

Continue reading “Who is Mr Guo?”

Is there a pattern?

Is there a pattern?

Readers of this blog will know that our investigations into APT3 and APT10 started with well-known intrusions and ended with the identities of the perpetrators and the identification of a front company connected to the Chinese Ministry of State Security (MSS).

As we pointed out on Twitter in December, there seems to be a pattern developing – a regional office of the MSS creates a company, hires a team of hackers and attacks Western targets. Why the MSS insists on using sloppy contracted hackers is beyond us here at Intrusion Truth, but the pattern is undeniable.

Continue reading “Is there a pattern?”

Who is Mr An, and was he working for APT10?

Who is Mr An, and was he working for APT10?

On August 15th 2018 this blog revealed a connection between APT10 and the Tianjin bureau of the Chinese Ministry of State Security (MSS). But the story doesn’t stop with that revelation; analysts working with this blog have continued to investigate every lead provided to us. One such lead has helped us to identify another individual in China connected to APT10. The trail starts with a domain name first published in FireEye’s Poison Ivy Report as a MenuPass (APT10) affiliated domain.

Continue reading “Who is Mr An, and was he working for APT10?”