MiSSing links 

We haven’t quite finished with Mr. Cheng yet. We have one final document to share from Cheng’s cloud: a photo of a handwritten note listing a series of names alongside differing currency values.

Now, we can’t make out the name in the top left, but we are pretty sure that this is a cast list of Cheng’s colleagues. Some of these names are old hat by now: Huang Zhen, Li Yilong, and Huang Zhen #2, for example, take up the bottom three rows. We also have some others we named earlier: Hou Qiang, Wan Guangcan, Chang Zhen, and Zhang Chaofeng. 

Not entirely surprising; we have already established the fact that Cheng and these other individuals work for the same front company. But one name caught our eye, occupying the top line of the table: 崔总 or Chief Cui.

This seems like an apt time (if you’ll pardon the pun) to return to our disgruntled whistle-blower at Wuhan Xiaoruizhi. Among the individuals they outed as being part of a Wuhan-based hacking team operating out of Xiaoruizhi were two MSS officers: Chief Wen and Chief Cui.

The eagle-eyed amongst you might also recognize Chief Wen from an image in the previous article, on the price list of routers, firewalls, and network cables that Cheng had. 

Now we had a really good dig into Chang Jiang AKA Chief Cui and Li Yue AKA Chief Wen. Unfortunately, we could not find anything conclusive, which is possibly indicative of the level of personal operational security one might expect of the mighty MSS. In the absence of anything more concrete, Chief Cui’s name appearing alongside a number of Xiaoruizhi employees in a document in Cheng Feng’s possession, and Chief Wen’s name on another document in Cheng Feng’s possession, at least add weight to our friend on Breachforums’ claim that Cui and Wen maintain links to the company.

This got us thinking: we wonder who else works in and around Wuhan Xiaoruizhi who has MSS links? 

Zhou Yuan

Thankfully, our investigation into Cheng Feng gave up one more lead. Some of the databases we queried looking for Cheng’s credentials contained access logs for the services. We knew Cheng didn’t work in a vacuum; in fact, we already knew he was one of many employees at Xiaoruizhi. So, we wondered if we could find any more of his colleagues based on his IP history. Analysis of three Wuhan Chinanet IP addresses indicated that through much of 2015, Cheng Feng’s accounts were co-located with an account owned by one Zhou Yuan (周源).

Now we have been giving everyone the deep dive treatment, and our friend Zhou is no different. We couldn’t find much trace of him on social media, but thankfully the gods of breached data continued to smile on us. We again worked with a trusted contact who was able to gain access to one of Zhou’s cloud hosting accounts. Here we have, from that cloud account, two 2016 photos of our friend Zhou in glorious selfie style.

The uniform he is wearing is one used by both the Chinese Ministry of Public Security and the MSS. The two are near identical, but for a couple of distinguishing factors. The first is the characters on the arm badge, above the orange and beneath the word ‘POLICE’.

MPS “公安” (Public Security) badge on left; MSS “国安” (State Security) badge on right.

In his left-hand selfie, these characters are not visible on Zhou’s uniform – we can’t be sure if he has pixelated them. If he has, what is he trying to hide?

The second distinguishing factor can be found on the pin on Zhou’s chest, which conveniently is visible. 

A closer look at Zhou’s pin: 

Zhou’s badge reads “国安” or State Security; distinct from MPS badges, which display the province name as below:

MPS badge for “广东” or Guangdong 

So, we are pretty confident that Zhou is wearing an MSS uniform. 

Zhou’s selfies also provided us with another gift. Metadata. In this case, geolocating Zhou to the headquarters of the Hubei State Security Department. 

Zhou looks so young and innocent that we almost feel guilty. But then, if you are going to take selfies in an MSS uniform…in an MSS building… As they say in China 凡动刀的,必死在刀下. Those who live by the sword, die by the sword. 

Demonstrating the longevity of Zhou’s affiliation with the MSS, we also found a 2018 photo again geolocated to what appears to be the secure car park of the same imposing building. 

Now, we can’t be sure of Zhou Yuan’s true employer. But we can say for sure that he is an employee of the Chinese government, and at the very least was affiliated with the MSS over a period of several years.

So, we have a possible MSS officer regularly connecting to personal accounts from the same IP addresses as Cheng Feng, an employee of a supposedly private Wuhan-based technological enterprise. Strange, certainly, but not a smoking gun which proves Wuhan Xiaoruizhi’s links to the MSS beyond reasonable doubt. After all, spies have friends just like normal people, and Cheng and Zhou could be just that. 

Now, we found one more photo in Zhou’s possession which we think brings our story nicely full circle, and which will be where we leave you, for now at least.

This, dear reader, is part of the official business registration certificate for Wuhan Xiaoruizhi Science and Technology. Why, you might ask, does a possible MSS officer hold the registration certificate for a private technological enterprise? Surely, someone holding such an important document has to have some kind of senior oversight or administrative role in the company itself? At the very least, he is linked to the company.

At team Intrusion Truth we are satisfied that Zhou having a photo of this certificate, and being regularly co-located with a Xiaoruizhi employee, bears out our theory that Wuhan Xiaoruizhi is not a private enterprise; instead, it is a front for an MSS-sponsored APT. Zhou Yuan probably has a role in running the APT, along with his probable MSS colleagues Chief Cui and Chief Wen.

This has been a wild ride. How about we summarize how we got here. 

We have found a suspicious hacking school whose owner has links to the MPS and MSS, and whose graduates go on to mysterious destinations and private companies supporting the government. One such destination is what looks to be a fishy APT front company. Said front company has a disgruntled employee leaking sensitive documents online and alleging that the company is affiliated with an elite hacking team in Wuhan. An employee of the front company bears out its links to Kerui Cracking Academy, and has material in his possession which supports his affiliation with APT31. Said employee has more material in his possession indicating links to two MSS officers who have already been doxed on the dark web as part of Xiaoruizhi. This employee is also regularly co-located with a possible third MSS officer, who in turn has, in his possession, Xiaoruizhi documents.

One thing is for sure. All is not as it seems at Xiaoruizhi. 

And now a plea to you: what else can you find on these individuals? Can you help us tighten Xiaoruizhi’s attribution to APT31?

Goodbye for now, but we will be back. We still have more to share on Xiaoruizhi and friends – 等着瞧. 

Introducing Cheng Feng 

You might be wondering why we have picked on Cheng Feng. Just a hard-working cyber security professional, right? Well, wrong, as it turns out. Cheng Feng helped us deduce which APT Wuhan Xiaoruizhi is a cover for.

As regular readers will know, Intrusion Truth is nothing without its global network of supporters. We had to reach out for support investigating Cheng Feng using the start points from his insurance certificate, and one of our collaborators came through with the goods. A cache of emails, documents, and photos from a cloud storage account belonging to Cheng. 

Let’s start here:

On 14th June 2019, Mr. Cheng sent an email to an address he believed to belong to the Kerui Cracking Academy. He described himself as being from a security company in Wuhan that had heard that Kerui’s graduates were excellent, and asked when the next graduation date was. Well, well, well. It looks like our suspicions of Kerui were correct: not only have several Kerui graduates gone on to Wuhan Xiaoruizhi, we also now have Xiaoruizhi employees attempting to snap up their graduates. Looks like Kerui might be a pipeline into Xiaoruizhi after all.

Let’s continue. 

A deeper dive into Cheng’s documents revealed the beginnings of overlap between his apparent research interests and those of APT31.

CISCO router exploitation:

Here we have Cheng, presumably in the course of his work duties, accessing the configuration manual for Cisco broadband routers.

Cheng Feng’s document cache contains a number of indications that he was in possession of, purchasing, or testing configurations of possible router exploitation on, a variety of router models, including small office/home office (SOHO) routers such as the Huawei Echolife, Huawei AR151-S, Cisco 2911/K9, and Cisco 1721.

Bottom image reads: sold by Chief Wen 2015.8.4

  • 1 Service Router: CISCO 2911/K9
  • 2 VPN Routers Huawei: AR151-5
  • 1 Firewall: Huawei USG2130
  • 1 Layer 3 Switch: Huawei 5700-28C-SI
  • 3 Layer 2 Switches: Huawei 1728GWR-4P
  • 4 Gigabit Network Switches: 8 Huasan (H3C) S1208
  • 1 Network Cable: AMP Cat 6 GB (305M)
  • 1 RJ Connector: Box (100 piece/box)
  • 5 Wireless NICs: TPLINK 300M Wireless
  • 1 Network Cable: Tester Wire Tracer
  • 1 Network Plier: Sanbao Brand
  • 15 IBM jumpers

APT31 is famous for router exploitation. APT31 hit the press in France over summer 2021, accused by the French cyber security agency of launching a major hack targeting French entities which utilized a network of more than 1,000 compromised routers, including Pakedge, Sophos and Cisco devices. These routers were compromised and leveraged as anonymization relays before APT31 carried out reconnaissance and attack activities. The listed devices in particular are SOHO routers, which APT31 have been exploiting since at least November 2019.

So – here we have Cheng in possession of a manual for Cisco routers and in possession of a number of different SOHO router devices. Could this have been the start of his process of learning to exploit them?

APT IoT

Next. In August 2017, Cheng created a task intriguingly labelled “做了什么 apt31 物联网”, or ‘what did APT31 IoT do’ / ‘what did APT31 do with regards to IoT’.

We know from our previous discussion that APT31 is known to exploit IoT devices, in particular SOHO routers, to form part of their operational infrastructure. And APT31 is clearly on Cheng’s mind. In addition, the timing of the task in August 2017 was prior to public exposure of APT31’s involvement in IoT/router exploitation, indicating that Cheng had insider knowledge of APT31’s TTPs. Perhaps because he is APT31?

Clibcom 

We’ll leave you with one more clue which we think rounds things out nicely. Mr. Cheng also had in his possession a 2015 photo of a computer screen showing usernames and passwords for 58.55.127.233. 

On investigating this IP address, we discovered that it’s hosted in Wuhan. From March 2015, it hosted webmail.dnsapple.com, and later hosted Clibcom.com from 2017. An industry source told us that clibcom.com was previously attributed to APT31. Can anyone help us verify this?

We are pretty confident that Cheng is affiliated with APT31. He has material indicating his interest in Cisco and SOHO router exploitation, known TTPs of APT31. Notes on his phone indicate he is thinking about APT31 and, presumably, their exploitation of IoT devices, and he has the login credentials for an IP which a source has attributed to APT31.

Overall, things are heating up. We’ve linked the hacking school to the MSS via its owner. We’ve linked the hacking school to Xiaoruizhi via its employees and its poaching of graduates. And we have enough information to tentatively link Xiaoruizhi in turn to APT31. But there’s one missing link: the MSS.

Trouble in Paradise 

Our last article left you on a cliff edge. What did we find on the dark web which proved so illuminating? 

Well, it would seem things at Wuhan Xiaoruizhi are not all well.

In a post, later redacted and then lost with the downfall of Breachforums, someone claiming to be a representative of a disaffected hacker offered for sale the identities of 100 of their colleagues from an ‘elite hacking team’ in Wuhan.

The poster goes on to claim that Wuhan Xiaoruizhi was a cover company for MSS hacking activity in Wuhan. The company had a few teams working for the MSS, but in 2020, teams started working under new companies.

These are some astonishing claims, but at team Intrusion Truth we are nothing if not diligent and wanted to get to the bottom of this ourselves. Could we also link Wuhan Xiaoruizhi to the MSS? Could we link it to an APT? 

One thing was for sure, Wuhan Xiaoruizhi deserved more of our attention. We searched far and wide for months to gather more information on who works or has worked there. Inspired by our success with Xiong Wang’s insurance record, we decided to widen the net. After months of effort, we found the gem we had been waiting for: the social insurance records for Wuhan Xiaoruizhi. 

To spare the reader endless documents, we have collated as many names as we can find of people who have worked at Wuhan Xiaoruizhi:

Chinese    Pinyin
曹锦芳    Cao Jinfang
常振      Chang Zhen
程鼎      Cheng Ding
程锋      Cheng Feng
顾成武    Gu Chengwu
侯强      Hou Qiang
胡嘉祥    Hu Jiaxiang
黄增辉    Huang Zenghui
黄震      Huang Zhen
黄振      Huang Zhen
李海青    Li Haiqing
李家诚    Li Jiacheng
李圣胜    Li Shengsheng
李义龙    Li Yilong
廖绪良    Liao Xuliang
刘晨成    Liu Chencheng
刘宏伟    Liu Hongwei
马欢      Ma Huan
唐星昭    Tang Xingzhao
涂梦      Tu Meng
万光灿    Wan Guangcan
王意军    Wang Yijun
魏耀斌    Wei Yaobin
熊旺      Xiong Wang
鄢文龙    Yan Wenlong
杨鑫      Yang Xin
苑红曦    Yuan Hongxi
张超锋    Zhang Chaofeng
张立业    Zhang Liye
赵光宗    Zhao Guangzong
周鑫      Zhou Xin
左鹤群    Zuo Hequn

And here are some examples of the documents which form the basis of this list: 

Cheng Ding insurance record

Zhao Guangzong insurance record

Zhang Chaofeng insurance record

Xiong Wang insurance record 

You might recognize some of the names on the larger list: 黄振 AKA Huang Zhen, 黄震 AKA Huang Zhen, and 李义龙 AKA Li Yilong were also satisfied customers of Kerui Cracking Academy from Article 2. Don’t you just love it when things come full circle? Could it be that the ‘undisclosed private company supporting the government’ Li Yilong claimed to work at is none other than Wuhan Xiaoruizhi itself? Could Kerui be a pipeline into Xiaoruizhi?

Beyond getting reacquainted with our old friends above, this list of employees provided a number of interesting leads. But one of the names cracked our case wide open. Meet Cheng Feng. 

All roads lead back to Wuhan… Xiaoruizhi Science and Technology Company

As our readers know from our investigation into Hainan Xiandun Technology Development Company, the Intrusion Truth team have become quite adept at spotting a fishy front company when we see one. 

Typically, these are ‘companies’ with a generic-sounding ‘technology’ name and a minimal online presence. They often post adverts on university websites looking for graduates with offensive cyber skills and, very importantly, foreign language expertise. The language of the adverts is vague, and often recycled from other, similar adverts posted online. The front companies provide contact details which just don’t seem to add up – such as numbers shared by other businesses. So, when we began investigating Wuhan Xiaoruizhi Science and Technology Company, it soon became clear that we were onto a winner. 

We started with a 2017 job advert posted by the School of Computer and Information Engineering, Hubei University. 

Looking for a number of software and system development engineers, Wuhan Xiaoruizhi describes itself as working in the ‘network security field’, and being vaguely located ‘near Wuhan Optics Valley’. Prospective applicants should be proficient in C and C++, scripting languages such as Python, JavaScript and PHP, as well as IDA and OD. They should be familiar with automated testing processes and web frameworks. Oh, and they must be au fait with vulnerability mining. In fact, vulnerability mining is so important to Wuhan Xiaoruizhi that, in this small university flyer, it is mentioned no fewer than three times.

A further search of Wuhan Xiaoruizhi reveals another advert posted on a university jobs site – the College of Foreign Languages at Huazhong Agricultural University. This time, Xiaoruizhi is looking for English majors to become analysts who will be responsible for ‘information collection, processing and text editing’ in Chinese and English. 

Xiaoruizhi gives us an introduction to the company, which is committed to providing ‘information processing, industry research and big data analysis’ for customers, which include ‘relevant government departments’. We also get to know more about the company’s ‘ethical research and consulting team’, ‘win-win approach’ and its ‘concept of integrity-based innovation’. Only the company isn’t that innovative – nor does it have much integrity: such wording appears to be a word-for-word copy of a description from another company’s job advert in Shenzhen: Shenzhen Prothinker Consulting.

Shenzhen Prothinker

So what is it about Shenzhen Prothinker Consulting that got Wuhan Xiaoruizhi so inspired? Well, funnily enough, Shenzhen Prothinker was also on the lookout for English speakers with interests in politics, and graduates with computer-related majors. Hmm. Unfortunately, the website for Prothinker is now defunct. However, there is still some information out there on Baidu about the company. The legal representative of Shenzhen Prothinker was a Huang Ruohang, and the address for the company is listed as Room 2511, 25th Floor, Oriental Science and Technology Building, Science and Technology Park, Yuehai Street, Nanshan District, Shenzhen.

A search for “Huang Ruohang” (Chinese characters given below) showed that Huang Ruohang was also listed as the executive director for Shenzhen Zhongan Domain Technology Company. And as ‘coincidences’ would have it, Shenzhen Zhongan Domain Technology Company was also once located on the 25th Floor of the Oriental Science and Technology Building in Nanshan District, Shenzhen.

Shenzhen Zhongan Domain Technology Company also appears to be known, according to its branding, as ZIONSEC. ZIONSEC describes itself as providing ‘advanced solutions for national security issues such as national defense and intelligence’ to ‘help the dream of a powerful country’.

Sounds…suspicious. 

Let’s park the shenanigans in Shenzhen for now and return to Wuhan. Who actually works at the Xiaoruizhi Science and Technology Company and what do they do? Unfortunately, this technology company doesn’t have its own website, but we do have the name of the manager, Deng Zhiyong. 

Deng is an interesting character. Aside from holding official titles at no fewer than three (!) government-affiliated organizations (Director of the Foreign Exchange Center, Ministry of Science and Technology China; Director of the Hubei Wuhan China/Russian Technologic Cooperation Center; Chief of Department of Steelworks Management Administration, Dongxi, Wuhan), our friend Deng also seems to have a thing for Russian lasers.

We will return to this in a later article. It’s a wild ride. 

A phone number which seems to be linked to Mr. Deng also seems to be used by both a construction company and a ‘business information consulting company’. Quite the diverse business empire. 

So, to summarize, we have a sketchy-looking company in Wuhan looking for vulnerability-miners and foreign language experts and linked to a phone number shared between many businesses. Lacking some imagination, the company decides to borrow language used by another sketchy-looking company in Shenzhen, which in turn appears to have some quite considerable overlap with an info-sec company dedicated to national defense and intelligence work. We also have government clients, a CEO with official PRC government titles, and a bonus link to a shifty hacking school. 

You know the drill by now. If it walks like a duck and quacks like a duck…. (should we get that printed on merch?).

Beyond this, Wuhan Xiaoruizhi hasn’t given us much to go on. So, it was time to take our search to the dark web. 

Bingo. 

The Illustrious Graduates of Wuhan Kerui   

Our last article introduced the mysterious graduates of Kerui Cracking Academy. As luck would have it, said mysterious graduates have left feedback, complete with graduate destinations and contact details on Kerui’s website. 

We won’t bore you by going through each individual piece of feedback – feel free to peruse at your leisure. Suffice it to say that Kerui graduates were pretty pleased with their student experience. But there were a few which we found interesting, and a couple which serve to flesh out Kerui’s links to the government. 

Let’s start here. 

Ouyang Jilei 欧阳继雷 

Ouyang attended the 24th iteration at Kerui and in their feedback provided advice for later generations of Kerui students. How generous. But it was their claim to now be employed by a state-owned enterprise in Wuhan that really caught our eye. Could this be it? Could we finally be on an APT’s trail in Wuhan? 

Moving on: Li Yilong 李义龙

Li attended the 13th class iteration at Kerui. Li was effusive about his time at Kerui, highlighting the sense of humor of his teachers, the laughter in his classes, and how he has harnessed the ‘Kerui spirit’ to overcome challenges since moving to the world of work. Li claims to be working for an ‘undisclosed private company supporting the government’. We did a fair bit of digging here to try and identify said company and managed to link him to one ‘Wuhan Shenzhou Human Resources Services Department.’ Doesn’t sound cyber-y, does it? But we will come back to Wuhan Shenzhou later.

Huang Zhen #1 黃震

Huang Zhen #1 attended the 11th Kerui program. Huang’s feedback includes his personal experiences, praise for the faculty members and some study tips for future students, but does not disclose his onward employment.

Huang Zhen #2 黄振

Huang Zhen #2 attended the same iteration as Li and happily found employment at an ‘undisclosed cyber security company’. Huang 2 thanks his friends for helping him through bumps in the road and credits his teachers with the ability to ‘write code at the speed of flowing water’. He also left his QQ number: 361920879. 

We know what you are thinking. Not much to go on here. But we will return to our friends Li, Huang and Huang in due course.

Xiong Wang 熊旺  

At first glance, Xiong’s feedback is rather nondescript.

He describes how the class helped him and provides some recommendations on study methods for future students. He leaves no contact details or information on graduate destination. But some in-depth digging into Xiong provided our first real lead: his social insurance record.

Social insurance contributions in China are effectively a social security program. They include mandatory insurance schemes, such as pension, medical insurance, and a housing fund. 

Luckily for us, they also list their employer.

As of 2016, Xiong Wang was employed by one Wuhan Xiaoruizhi Science and Technology Company.

What’s Cracking at the Kerui Cracking Academy?

A brand-new investigation – we know you love it. 

We’re back once more to tell a familiar tale: how an MSS-sponsored APT group – known for its hacking operations around the world – has been caught red-handed. This time, in Wuhan.

It should come as no surprise that Wuhan was already a place of interest to us before the city reached global fame in 2020. Wuhan is home to some of China’s most impressive cyber talent. We knew there was bound to be some shady things going on in the city – all we needed was a lead. 

We got to thinking. We know that not all of China’s best hackers are self-trained – what if they learn together? This thought led us to the tip of our metaphorical iceberg: the Wuhan Kerui Cracking Academy. 

Wuhan Kerui Cracking Academy

When we think of a typical hacker up to no good, a certain image comes to mind. A dingy, dimly-lit bedroom home to a young twenty-something who probably has more computers than friends. But the Kerui Cracking Academy turns that all on its head, with seemingly big classrooms stuffed with bright cyber talent.

Established in 2007, the Kerui Cracking Academy prides itself on providing its students the best information security training in the industry, including the ‘most professional reverse security course’ as part of its curriculum. So confident is the school of its teaching abilities that it tells prospective students not to worry about finding a job – in fact ‘almost 100% of students get a job within one month.’ Impressive! 

The ‘Professor X’ of the Kerui Cracking Academy is none other than the international cyber superstar Qian Linsong. Aside from his role as founder of Wuhan Kerui Cracking Academy, Professor Qian Linsong acts as part-time teacher at the National Cyber Security College of Wuhan University, a tutor at the Huazhong University of Science and Technology and the Vice Chairman of Quanzhou Artificial Intelligence Society. 

He is perhaps best known however for his book on C++ disassembly and reverse analysis. Here’s a picture of him in his superstar coat and glasses signing a book for one of his fans:

And for those looking to understand what led Qian to set up Wuhan’s own School for the Gifted, you are in luck. The ever so modest Qian has documented his life in a blog, complete with pictures at Disney World. 

Following an increase in China-US hacking, a youthful Qian started downloading hacking software from websites to tinker with at home. In 2002, at the age of 23, Qian landed a job in the US analyzing products developed by an American company. It wasn’t long though – only 2 years – before Qian found himself resigning and moving back to China, taking up a lecturer position at Tsinghua University.

Reading through his blog you get a sense of Qian the man. An intelligent, dedicated teacher who likes wine and archery as much as he enjoys working in cyber. But it’s not long before you begin to see Qian’s – and Kerui’s – links to the Chinese state…

Alongside the Kerui Cracking Academy, Qian runs a side-hustle as the owner of the Kerui Reverse Technology Company, also founded in 2007. The homepage makes clear that the company has provided ‘technical services for many projects of the Ministry of Public Security and the Ministry of State Security’. So, it is safe to assume that Qian is no stranger to working with Chinese intelligence services. 

We couldn’t help but wonder whether Qian’s cooperation with the MSS runs a little deeper. Is Qian supplying the MSS with freshly trained hackers? Or even up-skilling hackers the MSS have found? Just to add to our suspicions, the Kerui Cracking Academy seems to have kept a close eye on the work destinations of its graduates – with some of them labelled as ‘Mystery Unit’ and ‘Keep Confidential’. 

This got team I-T thinking: this site must be a goldmine for names of people hacking for Chinese intelligence services. We began investigating and struck gold: Kerui Cracking’s ‘Testimonials’ page.

Chinese APTs: Interlinked networks and side hustles

As FireEye pointed out in their APT41 overview, there is a high degree of malware and certificate overlap across Chinese APTs, but two in particular stand out as almost identical in their use of malware code: APT41 and APT17.

Remember Mr. Zeng Xiaoyong (aka envymask)? As readers will know, we named Zeng as a member of APT17 back in July of 2019. We evidenced his connections to the Chinese hacker group ph4nt0m, his birthplace of Sichuan and his university, Nanjing Science and Engineering, where he met and later worked with an MSS Officer of the Jinan SSD – Guo Lin. And it appears Zeng Xiaoyong has connections that go even further…

BlackCoffee

Mr. Zeng is credited with creating a specific exploit for the public vulnerability MS08-067. This is associated with ZoxPRC, which evolved into the BLACKCOFFEE malware, a hallmark of APT17 and of Zeng specifically. APT41 are using this same malware in their operations. This specific sharing of malware and exploits speaks to the increasing overlap and coordination of APT groups within China.

EnvyMask and Blackfox

Further digging has also revealed a history between Blackfox and Envymask on a number of hacker forums and sites including CSDN and GitHub, where Blackfox promotes his ‘codz’ and expresses his gratitude to Envymask and another hacker known only as LuoLuo for their help.

Blackfox and envymask’s relationship appears to be quite a deep one – they maintain direct contact, and Blackfox credits envymask for his guidance and expertise in creating malware exploits. It additionally highlights the overlap between envymask (of APT17 fame) and Blackfox (of APT41 fame), which could go some way to explaining the overlap in malware tools attributed to APT groups emanating from China, and the trouble industry has in grouping APTs by their TTPs alone.

ShadowPad

This backdoor RAT, reported by Kaspersky in 2017, was used to facilitate a supply chain attack and is commonly attributed to China. It is considered to be an evolution of PlugX, both of which originated from China and are used by Chinese APTs (APT41 in particular).

PlugX and WHG

AlienVault Labs theorized that “WHG” was the developer of PlugX. And in 2012, Dunham and Melnick wrote about a connection between WHG and Tan Dailin. Tan (under the handle Wicked Rose) credits WHG (aka “fig”) as one of the developers of the GinWui rootkit, which links back to the Network Crack Program Hacker group (which Tan founded).

WHG is known to be the user of QQ 312016, which displays the username Zhao Jibin (赵纪斌). QQ 312016 belongs to another small QQ group (39771264) with just 14 members. A tight-knit circle of like-minded individuals? Of note are 3 other members: Jiang Lizhi, Zhang Haoran and Tan Dailin.

Remember when we mentioned Lu Jian’s membership in a group titled Chinese Communist Party Ministry of Finance (QQ 3391434)? We stated that the owner of this group was QQ 312016 – with the display handle ‘whg’. 

It further highlights the deep interconnectivity and social web these Chinese hackers maintain. But to what degree are the Chinese hackers’ interactions social, and to what degree are their skills and experience directed, coordinated and developed by higher echelons within the CCP?

Cyber Arrests

We did some digging into Zhao Jibin. Once again, he has links back to Sichuan, having attended Xihua University.

We also discovered that there were a number of arrests during Xi’s crackdown on hackers within China in 2015. Notably, an office in Jinan associated with APT17 activity was raided by the local Public Security Bureau. A number of Chinese hackers were arrested. Amongst them were Withered Rose (aka Tan Dailin), Zhao Jibin (aka whg) and Liu Jian (aka Cowardly Sheep 懦羊).

The hackers were getting too big for their boots. Were the arrests a smokescreen? Or were they used to co-opt them into working for the MSS? Either way, it didn’t stop them continuing to support APT17 and 41 operations.

Conclusion

Sichuan province is fast becoming a known hot spot for hacking. 

We believe that rather than APT41 being defined as a group or intrusion set, APT41 is perhaps better described as an interlinked network of Chinese cyber actors sharing malware, expertise and connections. The actors appear to have a high degree of autonomy, which explains the degree of malware and certificate overlap between APT groups emanating from China, and supports the concept of the contractor model. Autonomous cyber criminals ‘bid’ for state resource in exchange for top-level cover, and a blind eye is turned to their criminal activities outside of the 9-6-6 structure, provided their targets are outside the Chinese mainland. Hustling on the side by using state-sponsored tools for their own profit makes us wonder whether the MSS truly have control over the contractors they work with.

According to Chengdu 404 in an interview, ‘They wanted to make a contribution to their home town’. Well, they have certainly done that. They have put Chengdu on the map, not least for China cyber watchers.

We started this article series with reference to a Times article focusing on Tan Dailin and his fellow hackers (formally known as the NCPH). The article ended with a quote from one of the hackers (known only as Fisherman): “Real hackers are not doing it for a name or money. The real hackers keep their heads down, find network loopholes, write killer programmes and live off social security”. An interesting moral high ground to take. We wonder where it all went wrong. 

The people behind Chengdu 404 

In the previous articles, we touched upon Chengdu 404 as a front company. This article serves to focus on the individuals behind the company who have been named by the US as cyber criminals. The indicted trio are: Qian Chuan (钱川), Jiang Lizhi (蒋立志), and Fu Qiang (付强).

Qian Chuan (钱川)

Qian Chuan, an alumnus of Sichuan University, is the boss of Chengdu 404. His mugshot shows how much fun he has working at the CCP’s behest…

According to records, he held a 30% share in the company. He likes to come across as a fun boss – after all, providing cake for an employee’s birthday is going above and beyond, isn’t it?

Qian Chuan’s involvement with the Chinese government started before his managerial role in Chengdu 404. Since at least 2010 (according to the indictment) he has been creating software to wipe confidential information from digital media, and supporting efforts by the CCP to monitor and restrict information across Chinese social media platforms. 

Jiang Lizhi (蒋立志)

Jiang Lizhi has a lot of connections and an ineptness that comes with broadcasting sensitive projects. Boasting of his close relationship to the GA ‘Guoanbu’ (MSS), he is recorded on the indictment stating that this ‘provides him with protection’, even from the Ministry of Public Security (MPS). Is it us, or does this sound like a green light to hack for profit, with no repercussions? Hindsight will reveal that the MSS cannot and does not protect its criminal hackers.

Jiang Lizhi was active within the company, attending many of the engagements at local universities in his role as deputy general manager. According to holdings on the company, Jiang held a 20% share in 404.

Blackfox

As mentioned in previous articles in this series, the ‘black’ prefix appears to be a common thread for APT41 hackers. Jiang Lizhi’s handle of Blackfox confirms our assumptions. 

Delving into the internet archives, we found his historic Blackfox blog at fox.he100.com.

The website registration records name Jiang Lizhi as the person behind the website, based in Chengdu. Helpfully, he also provides his handle Blackfox as an additional point of contact.


The blog itself reads like an online diary of a depressed teenager; it is an ‘interesting’ read into the psyche and personality of a Chinese cyber hacker. An online diary of despair some might say. Blackfox talks of his anxiety and how irritable he can become, how lonely he is and how unhappy his actions make him.

An example is this translated post from 2006 where Blackfox talks of moving back to Chengdu and being unemployed.

QQ 6858849

In 2004, a post on CSDN titled ‘ISS_Manager’ detailed points of contact for Blackfox, including a QQ number (6858849) and the domain fox.he100.com. As we know, this links back to Blackfox’s blog. The QQ account had the display name 蒋立志 (Jiang Lizhi) as well as Blackfox, and has been active in creating a number of other QQ groups. Most were used for staying in contact with classmates, whilst others refer to businesses Jiang was involved with, including the Chengdu-based online gaming company Blaze Loong Science and Technology (成都炎龙科技有限公司). A number of these QQ groups are shared with other APT41 individuals including Tan Dailin, Qian Chuan and Fu Qiang.

Fu Qiang (付强)

The baby-faced Fu Qiang is the last of our trio. He is head of big data development at Chengdu 404. Just 2 months after the indictment, in November 2020, we noted that standny (his alias) was active online, pushing Chengdu 404 recruitment. Although less is known about Fu online, he maintains a heavy internet presence on Western social media sites. One such profile, on Twitter, promoted a number of apps for the Apple App Store (see our previous article on this and his relation to c0hb1rd).

Blaze Loong Technology Company Ltd. (成都炎龙科技有限公司)

Remember when we mentioned the Blaze Loong QQ group Jiang Lizhi was involved with? Blaze Loong is a gaming company based in Chengdu, and is a wholly owned subsidiary of Zhejiang Huge Leaf Company (浙江翰叶股份有限公司).

Blaze Loong uses its international marketing platform to import and export gaming products (useful for APT41’s money-making hacking campaign against gaming companies). Yet archived pages show a very different company: a Blaze Loong that used to be a penetration testing and network security management company, providing tailor-made solutions to ‘major government agencies’.

According to the Qichacha company overview, the founder and CEO of Blaze Loong is a Lu Jian (鲁剑). Lu Jian was also the director and vice chairman of Zhejiang Huge Leaf Company.

Chengdu YanLong Technology Company Ltd (成都炎龙科技有限公司)

YanLong is a subsidiary of Blaze Loong Technology Company, bought out in 2009. 

Chengdu YanLong Technology Company was established in 2007, purporting to be a game development and publishing service based in Shanghai, despite being geo-tagged as Chengdu. 

WHOIS information for this domain (bltech.cn) is registered to blackfox@qq.com, which we know is Jiang Lizhi – explaining the QQ groups he set up. 

Records show a Lu Jian (鲁剑) as the legal representative of the company, as well as the executive director, general manager and shareholder.

Lu Jian (鲁剑) and QQ 5238342

We know Lu Jian is heavily involved in a number of companies based in Chengdu which are linked to APT41 actors. He shares membership with Jiang Lizhi and Tan Dailin in a QQ group created by Lizhi. What is more, Lu Jian’s QQ account (QQ 5238342) is the group’s admin.

According to Baidu, Lu Jian was born in 1979 and has been involved in a number of technology companies as a shareholder, legal representative, CEO and founder.

QQ 5238342 (Lu Jian) is also a member of QQ group 3391434, titled the ‘Chinese Communist Party Ministry of Finance’. The owner of this group is QQ 312016, using the alias ‘whg’. You might recognise this alias. We will return to this later. Another alias commonly used with QQ 5238342 adds further support for Lu Jian’s role in APT41’s activity: the use of a ‘black’-prefixed alias, ‘BlackJack’. The QQ account even used the logo of the Blaze Loong company as its display profile.

There were a number of other usernames associated with this QQ account, including “Blaze Loong Science and Technology – Director Long” (炎龙科技-龙总) and “Long Shaoyang” (龙少杨). Could this be another name for Lu Jian?

A Sina Weibo account for Long Shaoyang identifies him as a male located in Chengdu, Sichuan. Social media further highlights similarities between Long Shaoyang and Lu Jian. They share the same handle (BlackJack), are associated with the same QQ account (5238342), and show the same Blaze Loong display on their social media.

On the 27th July 2013, a Long Shaoyang (龙少杨) attended a gaming and technology conference alongside the Chairman of the Molin Gaming group (mokylin.com). Details from this event reveal that Long is the CEO of Blaze Loong Technology, whilst other press releases refer to Long Shaoyang as the founder of Blaze Loong.

So, we have two names for what appears to be the same person. One is used in business records and another used for public-facing roles. Interesting. Get in touch if you know more.

Liu Jian (刘建)

As mentioned previously, Jiang Lizhi created a number of QQ groups linked to other APT actors. One in particular is named ‘unknow’ (QQ 10930057). Given the small membership of this QQ group and the number of its members we have already found with APT41 links, it stands to reason that the rest of the members also have links into APT41.

We followed this through with QQ member 14149038. The username translates to ‘Cowardly Sheep’ but the information shows he is a male engineer living in Chengdu. Note the display picture. This is the logo of Chengdu Anvei – the antivirus software that Tan Dailin created and which served to provide him with media attention in 2012. Referring back to Anvei, registration details highlight that Liu Jian owned more than 10% of the company’s stock. 

Liu is also involved in another company based in Chengdu – the Chengdu Daigen Science and Technology Company (成都戴亘科技公司) where Tan is listed as CEO and Liu as Director. Both of these companies have now ceased operating.

Conclusion

All individuals and companies with links to APT41 have roots back to Chengdu, Sichuan province.

The APT41 actors, along with others we have named in this article series, evidence how far the reach of the Chinese hacker community extends – using their connections within the hacker community to progress and share techniques, conducting activity both for the state and for their own personal gain. But what degree of overlap has this created between Chinese APTs? Is the model of grouping malware and personas into categories and APT groups still sustainable for InfoSec researchers, law enforcement officials and those trying to make sense of the APT threat?

Chengdu 404

In our last article, we highlighted the social links between APT41 actors, focusing on two of the five APT41 members: Tan Dailin and Zhang Haoran. Tan and Zhang, along with their other 3 conspirators (more on them tomorrow) worked for a company based in Chengdu’s high-tech zone called Chengdu Si Lingsi (404) Network Technology Company Ltd. (成都市肆零肆网络科技有限公司). Established in 2014, it is better known colloquially as Chengdu 404. 

404 is, as we all know, an error code when a browser cannot connect to a server. The founders claim they wanted to remain hidden and let their work speak. Doesn’t appear to have worked out very well for them…

Umisen.net

Residing at the domain umisen.net (now, ironically, no longer available), Chengdu 404 is one of the first front companies we have come across to have a working, multi-functional website. 404 held a corporate VPN, presumably to facilitate their international hacking and provide access across the firewall. We also found that Chengdu 404 hosted a login portal sitting behind the public webpage, with a somewhat cryptic adage.

Their website was quite slick. The ‘About Us’ page stated the company was an emerging start-up comprising white-hat hackers offering penetration testing to clients. A useful cover to lend the company legitimacy and, simultaneously, access to others’ IP.

As of 2016, 404’s pages are full of positive boasts. One news article talks of a new facial recognition software that Chengdu 404 created and subsequently demonstrated at the Aerospace Institute in Beijing. Curiously, there is no further mention of this technology or its success after this date. 

Facial recognition technology seems at odds with a company known for their work as ‘white hat’ hackers and experience in penetration and network security. 

What is coincidental is that a Japanese company (NEC) had received wide recognition for their technology being a world leader in facial recognition, with similar descriptions to what Chengdu 404 describe theirs to be – a year earlier.

In January 2020, NEC admitted that they had had their data breached. The timing of this intrusion breach? 2016. 

Ironic that the ethos of white hat hackers (‘set out to right the wrongs of black hat hackers and chase APTs’) is the polar opposite of their real activities: APT41 conducting ransomware attacks and stealing IP using front company infrastructure.

C0hb1rd

When you search Chengdu 404 on Google, an interesting hit reveals an individual known as c0hb1rd.

This leads to a profile held on GitHub. The GitHub page does not appear to be active but does contain interesting posts from 2016, specifically referencing umisen networks.

These include a collection of shell scripts automating command line tasks. These scripts allow c0hb1rd to access an internet-facing Linux server as root on the subdomain tz.umisen.net (‘root@tz.umisen.net’) and remotely download/copy files to his local device.

Furthermore, another repository is uploaded on c0hb1rd’s profile referring to an APKMITM (man in the middle) tool. This targets the interception of Android phones with ARP spoofing, injecting an Android application (hence the APK annotation). The application does DNS redirecting to the umisen domain at port 8080. 

This could be legitimate activity (evidence of online hacking challenges) but our sense is this is more nefarious – the skull and crossbones being just one indicator… The direct association with Chengdu 404 and c0hb1rd’s tools redirecting traffic and developing remote log in access also adds to our suspicions. 
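The APKMITM tool described above relies on ARP spoofing, which leaves a recognisable trace on the local network: one IP address suddenly answered for by a second MAC address, and one MAC address claiming to be several hosts at once (typically the gateway and the victim). The script below, an added example and not code from the page or from c0hb1rd’s repositories, shows the detection side of that technique: it takes a constructed list of observed ARP replies (documentation-range addresses and locally administered MACs, all placeholders) and reports the IP/MAC conflicts a network sensor would alert on.

```python
"""Detect ARP cache poisoning symptoms from observed ARP replies.

Added example for this article; not code from the page or from any
APT41 tooling. The ARP observations below are constructed for the demo
and use placeholder addresses (192.0.2.0/24, locally administered MACs).
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed ARP reply observations: (timestamp, sender IP, sender MAC).
# At t=160 the host that was 192.0.2.21 starts answering for the gateway
# (192.0.2.1) and for the victim (192.0.2.20): the classic two-sided spoof.
ARP_REPLIES: List[Tuple[int, str, str]] = [
    (100, "192.0.2.1",  "02:00:00:00:00:01"),  # gateway, legitimate binding
    (101, "192.0.2.20", "02:00:00:00:00:14"),  # victim workstation
    (102, "192.0.2.21", "02:00:00:00:00:15"),  # the host that later spoofs
    (160, "192.0.2.1",  "02:00:00:00:00:15"),  # gateway IP now claimed by .21's MAC
    (161, "192.0.2.1",  "02:00:00:00:00:15"),
    (162, "192.0.2.20", "02:00:00:00:00:15"),  # victim IP claimed by the same MAC
]


def ip_to_macs(replies: List[Tuple[int, str, str]]) -> Dict[str, Set[str]]:
    """Collect every MAC that has claimed each IP address."""
    mapping: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, mac in replies:
        mapping[ip].add(mac)
    return mapping


def find_conflicts(replies: List[Tuple[int, str, str]], gateway_ip: str):
    """Return (conflicts, gateway_spoofed).

    conflicts maps each IP claimed by more than one MAC to the sorted list
    of MACs that claimed it; gateway_spoofed is True when the gateway IP is
    among them, which is the highest-priority alert for a MITM sensor.
    """
    conflicts = {ip: sorted(macs) for ip, macs in ip_to_macs(replies).items()
                 if len(macs) > 1}
    return conflicts, gateway_ip in conflicts


def find_multi_ip_macs(replies: List[Tuple[int, str, str]], threshold: int = 2):
    """Return MACs that answered for at least `threshold` distinct IPs.

    A single NIC legitimately owning several IPs is rare on a client LAN;
    a MAC answering for the gateway and a workstation is the spoofer.
    """
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, mac in replies:
        mac_to_ips[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in mac_to_ips.items()
            if len(ips) >= threshold}


def first_change_time(replies: List[Tuple[int, str, str]], ip: str):
    """Timestamp of the first ARP reply that contradicted the initial binding for ip, or None."""
    baseline = None
    for ts, rip, mac in replies:
        if rip != ip:
            continue
        if baseline is None:
            baseline = mac
        elif mac != baseline:
            return ts
    return None


if __name__ == "__main__":
    conflicts, gw_spoofed = find_conflicts(ARP_REPLIES, "192.0.2.1")
    print("IP/MAC conflicts:", conflicts)
    print("gateway spoofed:", gw_spoofed,
          "at t =", first_change_time(ARP_REPLIES, "192.0.2.1"))
    print("MACs answering for several IPs:", find_multi_ip_macs(ARP_REPLIES))
```

The same three checks are what switch-level Dynamic ARP Inspection and host agents such as arpwatch implement; on a managed network, static ARP entries for the gateway and DHCP snooping remove the attack surface the tool depends on.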

Hints to c0hb1rd’s identity suggest he is one of China’s prolific hackers (number 27, to be precise), appearing on China’s 50 best hackers list on WeChall.net.

A profile with the c0hb1rd handle also appears on the gaming platform ‘Steam’. They say you can tell a lot about someone from the company they keep. Well, c0hb1rd keeps some interesting, albeit sparse, company. Amongst his grand total of 7 friends is ‘standny’ – the hacker handle for Fu Qiang, an employee and founding member of Chengdu 404 and one of the five indicted by the US last year.

When you click on standny’s profile, it shows that he is based in China and his only friend is c0hb1rd. A highly personal, social connection, with a joint interest in gaming. Is c0hb1rd another APT41 member? Or could he be a junior associate, caught up in Chengdu 404 activity? This would at least explain the ease with which c0hb1rd uploaded scripts openly to GitHub, his preference for automating tasks with shell scripts and his use of annotations on the open web.

A question to ponder: Could c0hb1rd’s MITM tool have been used in standny’s prolific creation of apps given their friendship? Many of standny’s apps have been removed from online download sites. However, a quick scroll of standny’s Twitter highlights just some of these apps being promoted. We would put good money on these apps being unreliable and facilitating third party access.

Local university links

Chengdu 404 has close links to both Sichuan University and Chengdu University of Information Technology, providing internships and teaching the next generation at these schools. A number of the indicted APT41 actors attended Sichuan University (a university known to be linked to Chinese hacking campaigns, as previously noted in 2012 through its links to the Lucky Cat campaign) and appear to have remained involved ever since, forming part of the alumni and donating under a Si Lingsi (404) scholarship.

Chengdu 404 promotes these engagements on their website. Qian Chuan (left) and Jiang Lizhi (right) are pictured in numerous talks and award ceremonies at the universities yet most photos seek to blur their names from the pictures. Too important to document? Or are they wanting to hide due to guilty knowledge?

Having a foothold in local universities is a clever way to secure the youngest, brightest and best talent for government clients. A university recruitment pipeline into the MSS. It begs the question whether these universities knew about Chengdu 404’s remit and the individuals they were engaging with, or whether this was a larger, more coordinated effort by seniors within the security and military sectors to lure in aspiring, unaware and naïve graduates to support APT activity. As we documented on APT40, this is not a unique setup, with APT40 using Hainan University to support their activity.

Summary

Chengdu 404 is directly linked to APT41. Its website boasts of (read: APT41) achievements and work for military and government clientele. 

Chengdu 404’s foothold within local universities points to a larger drive by the MSS to recruit graduate students into its ranks using APT front companies – whether knowingly or unknowingly on the part of the universities themselves.

Tomorrow, we focus on the remaining 3 indicted APT41 members. What will we uncover?

The old school hackers behind APT41

An FBI indictment released in 2020 named five hackers with substantiated links to APT41: all criminal hackers based in Chengdu, Sichuan province. Seems Chengdu is getting somewhat of a hacker reputation.

Let’s start with arguably the most notorious and well known of these five hackers: Tan Dailin. 

Tan Dailin (谭戴林)

Quite a lot of information is already out there on Tan. We know he was talent-spotted at Sichuan University for his hacking techniques and was subsequently trained by the People’s Liberation Army (PLA – 中国人民解放军).

Tan was a founding member of the Network Crack Program Hacker Group (NCPH), going by the hacker name Wicked Rose. NCPH was a hacker group based out of Zigong, Sichuan with fellow members being current or former students of Sichuan University of Science and Engineering. The NCPH group gained notoriety by carrying out a number of attacks against the Department of Defence in 2006 using the GinWui rootkit, authored by Wicked Rose and another hacker – WHG. Wicked Rose announced in a blog post that the group were paid for their work, but the group’s sponsor was not. We can take an educated guess as to Wicked Rose’s sponsor … It begins with P and ends with A.

Given the plethora of information Tan has disclosed online, he is a hacker who seems to enjoy the limelight. In 2012, he was the subject of an article by KrebsOnSecurity which sought to understand why a Chinese hacker (Tan) was the founder of a Chinese antivirus software (Anvisoft) purporting to be based in Fremont, USA. A domain look-up revealed that Anvisoft was in fact registered to the high-tech zone of Chengdu using the email linked to Tan’s hacker handle wthrose(at)gmail.com and registered using the name tandailin. Five years later, a reporter for Times magazine conducted an interview with Tan noting he was ‘lauded in China for his triumphs in military-sponsored hacking competitions and was unlikely to have problems with local law enforcement’. A man with many connections it seems. Invincible and untouchable, or noisy and dispensable? A fine line to walk.

QQ 903063678

Delving into the many Chinese leaked databases, we came across another QQ: 903063678, which from 2011 held the display name 戴林 (Dailin) as well as the handle ‘BlackWolf’. 

However, the name Dailin linked to a QQ account isn’t much to go on, so we sought to validate our thinking. The identifier linked to this account was used to register a domain: ‘bat.mg’.

Registration information from this links to someone called ‘Daniel Tan’ in Chengdu, with the number 8613228166666. This number was also used to register ‘huianquan.net’, with details of the registration showing as ‘tandailin’ alongside an associated contact email: tandailin@163.com.

We are confident QQ 903063678 is Tan Dailin. It uses his alias (BlackWolf), and we have an associated number and email. We will see where this goes later on in the series.

Zhang Haoran (张浩然)

Zhang (37 years old, using alias Evilc0de) was named alongside Tan Dailin in the indictment for APT41. He appears to keep a much lower profile than his APT41 colleague. Nevertheless, he is deeply involved in intrusion activity having jointly participated in the conspiracy to target the video gaming industry.

Chengdu Huidong Science and Technology Company (成都慧东科技有限公司)

A technology company based in Chengdu with little internet presence and links to an indicted Chinese hacker. Seems like a classic front company to us. In 2006, Chengdu Huidong Science and Technology Company (成都慧东科技有限公司) stated it had two stakeholders, each with a 50% stake. These were the CEO (Zhang Haoran) and a Supervisor (Zhang Chengwei). 

So who is Zhang Chengwei? Clearly he knows Zhang Haoran well enough to go into business with him, and close enough to work with Zhang to develop cover companies for APT work. 

Zhang Chengwei (张城玮)

There are a number of Zhang Chengweis using QQ. However, one in particular caught our eye: QQ account 878792. This account is a member of several groups which overlap with other indicted APT41 actors, including Tan Dailin. Furthermore, the username associated with the account is ‘b1ackn1ve’.

Another ‘black’ prefix, aligning with Tan Dailin’s use of BlackWolf. Eager readers will note we commented on matching pseudonyms in our previous article series on APT40. Could ‘black’ be indicative of a systemic pattern for APT41 hackers?

Blackn1ve has also appeared on our radar before, in a TLP:White advisory released in September 2020. This noted the b1ackn1ve@gmail.com email as an indicator of compromise, having been used for an APT41 spearphishing campaign.

So Zhang Chengwei is not only involved with APT41 activity by creating cover companies with Zhang Haoran but his hacker handle associated with his QQ account has been used in an APT41 spearphishing campaign against international victims. 

Summary

The typical model of a front company to hide APT activity is a tried and tested one which APT41 are continuing to prove. The prefix ‘Black’ as a hacker handle might link APT41 actors. Furthermore, shared QQ groups support the social interconnectivity of these criminal actors and they are not shy to ‘boast’ about their connections to the state to support their activity. All have links back to Sichuan. Our next article starts there – in a city we now know very well. Home to Lonely Lantern and APT41: Chengdu.

APT41: A Case Study

As you know, we have been dedicated for some time now to revealing the truth behind state-sponsored, managed or directed intrusion sets. We have learnt more about the way in which the Chinese state conducts its criminal cyber activity and how it has evolved over the years.

Chinese APT groups are aggressive, persistent, and garner a large network of criminal hackers. The Chinese state uses this model to promote their agenda and provide protection to the common cybercriminal. This model is fallible which allows us to promote the truth behind these intrusion sets. 

Nevertheless, the CCP continues to outwardly lie to protect its international and domestic reputation. It does this whilst simultaneously supporting cybercrime and allowing huge networks to profit from illegal activities. The Chinese state is asserting ‘do what I say, not what I do’.

APT41: What we know

APT41 is a difficult group to pin down/classify/group. It is a group with many names: WICKED PANDA/DOUBLE DRAGON/WICKED SPIDER/WINNTI GROUP, the list appears to go on. 

Early intrusions by APT41 traditionally focussed on the international gaming sector, reusing stolen code-signing certificates for malware distribution. Indicted APT41 actors registered gaming domains which later went on to serve as a means to fraudulently obtain gaming currency (through the Malaysian company SEA Gamer) and establish backdoors into international gaming companies to facilitate the spread of Chinese intrusions.

Their focus on the gaming industry became a tangible lead against the group, with a heavy focus in countries such as Malaysia, Indonesia and Thailand. Timing as always is crucial. This early APT41 activity focused on the gaming industry at a time when the Chinese state was mandating growth in the gaming sector.

Over the past few years, APT41 has evolved. No longer is the focus purely on the gaming industry. Rather we have seen evidence of APT41 creating front companies in the computer and technology sector, claiming to employ pen testers and software developers which all supports the MSS model we have come to know well. It serves their aim of continuing to use highly aggressive techniques to support China’s ambitious development targets alongside State Security Departments. 

As FireEye neatly evidences, APT41 juggle their commitments to the Chinese state in the day (using the 9-9-6 model [9am-9pm, 6 days a week]) whilst hacking for financial gain in the evening, in some cases using state-level malware across both activity streams.

APT41 stands out due to its prolific use of non-public malware outside of working hours. They also share this malware with other cyber hackers in China, who work to various regional State Security Departments.

China’s state priorities and subsequent APT41 victims 

The culmination of APT41’s targets point to clear tasking from the Chinese state rather than a criminal entity. It serves to highlight the state’s backing of groups such as APT41 and the degree of coordination behind the scenes. 

One example is APT41’s exfiltration of intelligence from vaccine development and healthcare institutes in order to advance the CCP’s knowledge and gain an illegal, competitive edge. APT41 have taken advantage of the Coronavirus pandemic by hacking COVID-19 research and stealing IP in order to fast-track the Chinese state’s somewhat questionable vaccine supply.

Some readers will have noted APT41’s vast victims in the indictment. One of interest to us was NGO16: A non-profit organisation dedicated to alleviating worldwide poverty. APT41 compromised this organisation and put the livelihood of fellow humans at risk. It is increasingly clear the morals of the criminals behind this group are non-existent.

Chinese APTs don’t simply target international companies. They also target their own citizens using malware from big data capture to allow direct oversight of text message logs of high-profile Chinese targets. APT41 have systematically targeted hotels prior to senior officials staying in order to retrieve personal and identifiable information. This sort of direct, timely and specific targeting adds to the body of evidence that the Chinese state outsource at least part of their intrusive surveillance program to criminals within its borders. 

It appears US indictments are not having the same effect as they used to. Back in February, Mandiant reported on APT41 re-compromising US government victims, and using niche animal healthcare apps such as USAHERDS to gain access to intelligence to serve the CCP data machine.

Despite five of the actors being doxed by the US in 2020, APT41 TTPs have continued to pop up on our radar. Their interest recently? Universities.

Recent Targeting

And not just any universities. Universities in locations the CCP are concerned about: Taiwan and Hong Kong.

As already noted in the OSINT community, RouterGod is a known, custom malware tool used by Wicked Panda (APT41). We have observed sustained connections to RouterGod command-and-control servers from multiple IP addresses associated with Hong Kong universities, including the Hong Kong University of Science and Technology and the Education University of Hong Kong.

As recently as March 2022, APT41 were using a VPS at the Romania-registered IP address 91.238.50.114 to host “watson.misecure.com”. We have seen evidence that they used this domain to compromise National Taiwan University databases via the SQL Server “xp_cmdshell” extended stored procedure (Windows Command Shell, T1059.003), executing commands for netstat, process listing and network configuration, and successfully exfiltrated personally identifiable data on staff, students and alumni of the university.
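The two observations above (sustained connections to a C2 host, and xp_cmdshell being driven through a compromised database server) are exactly what a university SOC can hunt for in its own telemetry. The script below is an added example, not code from the article: it takes the C2 indicators quoted on this page (91.238.50.114 and watson.misecure.com) plus a generic rule for xp_cmdshell execution, and runs them over a handful of constructed DNS, firewall and SQL Server audit lines (sample data, not real telemetry; the internal addresses and login names are placeholders).

```python
"""Hunt constructed log lines for the APT41 indicators quoted in the article.

Added example for this page, not code from the article or from any vendor
product. IOC values come from the article text; the log lines are
constructed samples whose internal hosts and logins are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List

# Indicators quoted on the page: the VPS address and the domain it hosted.
IOC_IPS = {"91.238.50.114"}
IOC_DOMAINS = {"watson.misecure.com"}

# Constructed sample logs loosely mimicking a resolver log, a firewall log
# and a SQL Server audit log. Only the lines an analyst should care about
# reference the indicators or the xp_cmdshell procedure.
SAMPLE_LOGS: List[str] = [
    "2022-03-02T10:14:03Z dns client=10.10.4.21 qname=watson.misecure.com qtype=A",
    "2022-03-02T10:14:04Z fw src=10.10.4.21:49812 dst=91.238.50.114:443 action=allow",
    "2022-03-02T10:14:05Z dns client=10.10.4.22 qname=update.example.org qtype=A",
    "2022-03-02T10:15:11Z mssql login=appuser statement=\"EXEC xp_cmdshell 'netstat -ano'\"",
    "2022-03-02T10:15:12Z mssql login=appuser statement=\"SELECT name FROM sys.tables\"",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A dotted hostname token: good enough for qname=, Host: and URL fields.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)
# xp_cmdshell in any statement: a database server has no business spawning shells.
XP_CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)


@dataclass
class Alert:
    rule: str   # e.g. "ioc_ip:91.238.50.114"
    line: str   # the offending log line, kept for triage


def scan_line(line: str) -> List[Alert]:
    """Apply every rule to one log line and return the alerts it raises."""
    alerts: List[Alert] = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            alerts.append(Alert(f"ioc_ip:{ip}", line))
    for host in HOST_RE.findall(line):
        if host.lower() in IOC_DOMAINS:
            alerts.append(Alert(f"ioc_domain:{host.lower()}", line))
    if " mssql " in line and XP_CMDSHELL_RE.search(line):
        alerts.append(Alert("xp_cmdshell_exec", line))
    return alerts


def scan(lines: List[str]) -> List[Alert]:
    """Scan a batch of log lines, preserving input order."""
    return [alert for line in lines for alert in scan_line(line)]


def affected_hosts(alerts: List[Alert]) -> List[str]:
    """Internal clients (client=/src= fields) that touched an indicator, for scoping the incident."""
    hosts = set()
    for alert in alerts:
        if not alert.rule.startswith("ioc_"):
            continue
        m = re.search(r"(?:client|src)=(\d{1,3}(?:\.\d{1,3}){3})", alert.line)
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"[{alert.rule}] {alert.line}")
    print("hosts to scope:", affected_hosts(scan(SAMPLE_LOGS)))
```

On the database side, xp_cmdshell is disabled by default in SQL Server and its state can be checked and reset with sp_configure; if an application login ever needs it, that login is over-privileged and the audit rule above will tell you how often it is actually being used.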

It appears nothing is off limits to this group. Any and all data is up for grabs.

Summary

We know the CCP uses criminal hackers to do their dirty work. Due to their lack of skill at evading detection, we also have the names of five individuals linked to Chinese intrusion set APT41. 

The contractor model is no longer a neatly packaged, self-contained concept. The continuation of APTs engaging in dual hatting despite this now being public knowledge speaks to the Chinese state turning a blind eye. Repeated for-profit hacking makes it highly unlikely that APT41 is operating without the state’s awareness. And despite being named and shamed in public indictments, this still does not deter the group’s continued hacking of CCP’s targets – most recently we have reported on this occurring in the Education sector, with students, staff and alumni falling victim and their sensitive data stolen to feed the CCP data machine.

APT groups appeal because they are aggressive, dispensable and ‘distanced’ from the state-run organisations that sit behind them. We will continue to shed light on these cracks within the system; it is only a matter of time before this model becomes untenable. There is a lot of good work going on in this field (e.g, the Hearing on China’s Cyber Capabilities in the US) but we need to do more and keep applying the pressure. This is not just a US problem.

The rest of this series will look into who the APT41 indicted actors are. How are they connected and how does this fit into the complex web that is APT41? Stay tuned…

XI JINPING’S DATA HOOVERING

Athletes beware: the 2022 Winter Olympics provide Xi Jinping with a golden opportunity to test his new data hoovering tools. 

Let’s take a look at China’s digital currency, the e-CNY, and how athletes could be tricked into helping the Chinese state fine-tune its latest surveillance weapon.

With Beijing on the world stage, China sees the Winter Olympics as the perfect opportunity to showcase its new digital currency. Issued by the People’s Bank of China (PBoC), the e-CNY is the CCP’s fight-back against Chinese tech giants – and the burgeoning crypto scene – for control of digital payments in China and beyond.

It’s no surprise the PBoC wants a slice of the pie. Since 2019, both WeChat Pay and AliPay – China’s two biggest mobile payment platforms – have had over 1bn active users, accounting for the vast majority of transactions within China. With increasing signs of China’s tech behemoths locking horns with the CCP, it’s clear to see how a mass roll-out of the e-CNY will ramp up the stakes. 

Athletes and their teams from all over the globe will have the opportunity, assuming they are allowed out of their rooms, to splash their virtual cash at a number of shops and restaurants, including athlete favourites such as Nike and…McDonalds. Athletes simply need to register for and open a digital e-CNY wallet on their mobile phone, and top up their wallet using their international bank account.

But what does Xi Jinping set to gain from the e-CNY? Aside from his desire to take over the digital currency world, the roll-out of the e-CNY marks the birth of perhaps China’s most potent tool for spying, coercion and social control. 

What will happen to my e-CNY data?

As the central regulator, the PBoC will be the entity collecting all your transaction data. This includes details of your mobile device, your account details, location, what you are purchasing and when you are purchasing it. The bank will use the data to improve its “services” to consumers, fine-tuning the digital wallet and hoping to expand the number of vendors which accept the payment system. But the data processing doesn’t stop there…

Once collected, data controlled by the PBoC can then be passed onto Chinese intelligence agencies without warning and without credible justification. While Chinese tech giants have also had to comply with the regulations, handing your data to the PBoC brings it even closer to Chinese state control. It is no secret in China just how closely the PBoC, Ministry of State Security (MSS) and Ministry of Public Security (MPS) work together to maintain the surveillance state. And we’re talking cooperation which stretches a lot further than some anti-money laundering checks…

An e-wallet display at the e-CNY pilot exhibition for the Beijing Winter Olympics (Costfoto/ Barcroft Media via Getty Images)

We know China’s intelligence services love data. They just cannot help themselves. It’s why Chinese state-backed hackers have been caught, named and shamed over and over again. Whether it’s hacking your travel data, your employment data, your academic data, your phone company’s data, or even your private health data, the Chinese state wants it all.

But it is what China’s intelligence services could do with the e-CNY data haul which is truly terrifying. This includes training algorithms to spot “unfavourable” activity, the definition of which appears broad and vague. For illustration, some past examples of unfavourable activity includes voting for a Chinese TV contestant too many times, talking about Korean pop music on Weibo, or playing computer games past your bed-time. The Australian think-tank, ASPI, released a piece last year detailing the potential for China to combine the e-CNY with its social credit system. Users of the e-CNY could then be punished for any purchases or financial activity which does not uphold Xi’s “socialist values”. If you fall foul of the e-CNY transaction police, you may one day find yourself on the same naughty step as the millions of Chinese deemed too socially disruptive to use public transport.

And you can be sure Mr Xi has global ambitions for the e-CNY, broadening its utility from a domestic surveillance capability to an international spy tool.

Key to fine-tuning Mr Xi’s latest tech surveillance tool is the collection and processing of masses of financial data. The more data there is to analyse, the quicker the algorithms will be trained to spot the activity it does not like. So if you are an athlete in Beijing, do yourselves – and Chinese shoppers – a favour: don’t feed Xi’s data beast and ditch the e-CNY wallet on your phone!    

An (in)Competent Cyber Program – A brief cyber history of the ‘CCP’


Every so often, we like to take the opportunity to step back from our regular OSINT sleuthing and take stock about why we spend our time doing what we do.

So, we thought we would honour the 100-year anniversary of the Chinese Communist Party (CCP) by pulling together a brief history of how the Chinese cyber programme developed into what it is today and our musings on this trajectory.

Our take on the history of the Chinese Cyber Programme

The First World Hacker War

Cyber is entwined with the real world. Not a particularly ground-breaking statement, but an important one to make. Real-world tensions can spill into the cyber realm, and vice versa. Remember the 2001 China-US tension? To refresh your memory, a US EP-3 aircraft collided with a Chinese F-8 fighter jet and the Chinese pilot was killed. What followed was a sustained DDoS campaign by Chinese hacktivists against US servers, including defacements of White House and military websites. US hacktivists retaliated and it became a cyber graffiti war of sorts. What we found interesting is that it wasn’t until the Chinese called out this behaviour as ‘web terrorism’ that the attacks stopped.

China: No longer hiding its strength

Former leader Deng Xiaoping touted the mantra of ‘hide your strength and bide your time’ (韬光隐晦). Well, it seems that time has passed, and with Xi Jinping now at the helm, China is certainly showing its strength on the world stage. China is no longer hiding from the world. 

China has aggressively and consistently built its national cyber program, prioritising education in computer science and technology and creating a recruitment pipeline of graduates from within its universities. Its focus seems to be on offensive capabilities rather than on security or intelligence analysis.

As evidenced in our bottom-heavy timeline (seen above), the CCP have increased their scope for hacking and stealing. What is obvious to any observer is that they hack indiscriminately – friends and enemies are fair game. China’s BRI initiative is even considered a driver of cyber activity, which this graphic from Security Affairs neatly highlights.

Tsinghua university IP traffic aligning with BRI initiatives

And their activity is at an industrial scale. This uptick reflects the CCP’s priorities for targeting intellectual property (IP), which have coincided with China’s Five-Year Plans. It is now so common that barely a day goes by without another article reporting Chinese cyber theft. It does provide us with lots of rich content though!

Disgruntled Hackers and ties to Academia

Back in 2013, a disgruntled hacker from the PLA (given the name Wang) wrote about his time in the PLA hacking for his country. “My only mistake was that I sold myself out to the country for some minor benefits and put myself in this embarrassing situation,” he wrote on his blog. Few incentives and minimal benefits can lead some to defect and leave. Who knew. We wonder if conditions have changed in China since.

What hasn’t changed however are the links between Chinese hackers and academia. Wang himself co-authored two academic papers whilst at the PLA university. And interestingly, it was this same year that Cyb3rSleuth outed Zhang Changhe. His 9-5 job was as an assistant professor at the PLA Engineering University. Cyb3rSleuth’s work was one of the first public uses of OSINT to attribute Chinese cyber-attacks to named individuals within the Chinese system (having named 10 Chinese hackers in total). Kudos – an inspiration to our platform.

Cyb3rSleuth identifying Zhang Changhe from Chinese social media as a PLA hacker

Further, it was a Tsinghua university (清华大学) IP (self-proclaimed state-owned technological institution) that engaged in network reconnaissance targeting a number of countries actively working with China on their Belt and Road Initiative (BRI) – see image above.

The PLA led the way with cyber hacking back in the 90’s and early 00’s. However, in 2015 there appeared to be a shift within the Chinese government, with the PLA transferring the bulk of cyber operations over to the MSS. After all, when the PLA hack, it’s very clear that the direction of activity is coming from within the Party itself. This transfer (at least in the mind of the CCP) enabled plausible deniability following the public indictments of PLA unit 61398 a year earlier. After all, signing cyber agreements with a number of Western countries meant the Chinese military needed to ‘hide their strength’ and fade into the shadows.

Enter the MSS

As dedicated readers will know by now, it is the MSS that we at Intrusion Truth have focussed on for some time. And we do so given their continued support and engagement with criminal hackers. The MSS get something out of this relationship: deniability on the world stage (supposedly). But what do the criminal hackers get out of this? I’m sure some would say ‘security’. After all, the relationship between citizen and the state is deliberately murky. In recent years, there is evidence that China will not prosecute hackers within its borders unless they attack China. However, as indictments have shown, the Chinese state cannot, and do not, protect their own.

China is a vast surveillance state. They monitor everything and everyone. Thus, one could say that their continued denial of Chinese APTs, or cries of rogue actors… is laughable. Chinese APTs leave traces of their activity on the internet. Whether this is due to their naivety, thinking the state will cover their activities, or their inability to understand that the Great Firewall does not actually prevent others connecting to Chinese infrastructure and seeing their mistakes – only they know. Perhaps they have started believing their own propaganda: ‘We are world-leading, stealthy, and advanced threat actors’. Or perhaps they simply do not care? What is evident though is their sloppiness, which is something we are more than willing to highlight, evidence and make public.

State-sponsored theft

Chinese IP theft represents one of the largest transfers of wealth in human history. And their targeting is indiscriminate – from innovation and R&D (rice and corn seeds, software for wind turbines, naval engineering and medical research), to personally identifiable information (PII) and sensitive government documents. Ultimately, anything that provides China an edge is fair game. The methods China uses rely less on physically stealing data, and more on MSS contract hackers being tasked to steal it from within China’s borders.

There is a distinction made between a hacker and a criminal. Some might say one man’s hacker is another’s freedom fighter. Yet there are ethical and moral boundaries which the Chinese continue to violate. Utilising criminals to hack for the state’s bidding, and to do so to steal IP from hard-working companies provides an unfair advantage to prop up Chinese businesses. They can’t be pioneering or forerunners in their own right and seem to have concluded that they need to steal to gain a competitive advantage.  And this is theft condoned and actively encouraged by the Chinese state. A state which is rapidly emerging into a global superpower. It is a powerful message to be sending the world.

Home-grown hēikè

The Wooyun.org shutdown appears to be one of the first events which highlights the CCP’s direction of travel to essentially hoard offensive cyber capabilities by restricting the publication of 0-day vulnerabilities. In a statement on Sina, founder of Qihoo 360 Zhou Hongyi (周鸿祎) stated that it was only ‘imaginary success’ when competing in overseas competitions. Rather, Chinese hackers and their knowledge should ‘stay within China’ so they could recognize the true importance and “strategic value” of the software vulnerabilities. Following this, China restricted travel for Chinese hackers, instead inviting them to compete in the home-grown Tianfu competition. The very same event where the winning vulnerability (Chaos) has been aggressively used to target Uyghurs.

The APT side hustle

An increasing number of reports highlight activity from Chinese APTs deploying ransomware on their victims and hacking for-profit, using the same tactics, tools and occasionally time as their MSS campaigns to conduct this side business. This has included the repurposing of state-sponsored malware in the gaming industry, stealing virtual currencies and selling malicious apps.

A really interesting article on China’s Sina Games portal details an interview with a Chinese hacker. He comments that online games are the most valuable part of the Chinese hacking industry. His reasoning? That China’s internet’s security consciousness is weak. Granted this article is old. But what is interesting is the openness to which a Chinese hacker talks of hacking Chinese netizens for profit. Yet it seems this focus might have changed over the years, with China’s hackers now focusing outside of the Firewall.

The Chinese government is permitting cyber criminals to conduct this activity within its borders. We have evidenced direct involvement of criminal hackers with the MSS, whilst others in the InfoSec community have proven clear Chinese state links to APT intrusion activity.

So, is it tactical toleration on behalf of the MSS to allow these hackers to conduct cybercrime outside of its borders for self-profit? Do the MSS pay their hackers so poorly that they have to let them make money on the side to keep them sweet? Or have the MSS lost control of the criminals it employs to do its dirty work?

We are also seeing greater sharing of tools, techniques and knowledge across Chinese APT groups. This is most evident with Hafnium, where a large number of Chinese APT groups were concurrently and recklessly using the Microsoft Exchange Server (MES) vulnerability. Increased crossover in malware and TTPs points to greater knowledge sharing and a higher level of organisation than China would have us believe.

Chain of command

As we know, Chinese APTs take direction from the Chinese state. This is a pattern starting with front companies, leading back to MSS contract hackers and ultimately to local and regional MSS bureaus. It is becoming increasingly obvious that there is something more at play here. A cyber campaign of sorts; coordinated, run and tasked by seniors within the MSS?

We have evidenced multiple Chinese APTs which have relationships with MSS officers and are behind global campaigns of cyber hacking. Yet China keeps denying responsibility, crying that claims of their APT activity are ‘baseless with no evidence’… we would recommend our blog as some light reading in this regard.

So, who is leading the Chinese Cyber Programme?

Let’s look upwards. Someone is leading the coordination of China’s cyber campaign. The multiple APTs, appearing across various provinces within China, are all linked by the MSS bureaus sitting behind these groups. And there is one person in charge of the MSS.

One person giving the direction.

One person overseeing the Chinese cyber programme.

That person?

Chen Wenqing (陈文清).

Cyber karma

Beijing come across as powerful within the offensive cyber space. After all, their state is actively, aggressively and successfully sponsoring malign cyber activity against fellow states, private companies, industry and individual people. Yet Beijing also see themselves as vulnerable.

The Cyberspace Administration of China (CAC) is the country’s internet regulator and official body for enacting censorship. Recently, it stepped into the controversy around Didi (the ride-hailing app), ordering it to undergo a cybersecurity review ahead of its IPO in New York. The CAC later released a security-review revision in which it said companies holding personal data on at least one million users must apply for a cybersecurity review before any foreign listings.

Are China’s actions causing reactions? It’s almost as if the Chinese government know that their bulk collection of data on Chinese citizens is contentious. They lead the way in stealing PII from foreign governments and organisations – and the CAC know how powerful this data can be. Did they read our article outing APT10 using Uber receipts, and are they understandably worried about the vast personal data holdings Didi might reveal on some of their senior officials?

Cyber karma – It is the guilty party that assumes everyone else is doing the same thing as them.

Conclusion

There have been 100 years of the CCP but only 38 years of the MSS. Yet there are a number of questions which remain unanswered (i.e., we’d like more evidence to help answer them, might we say):

  1. Does Xi know what the MSS are doing in cyber space?
  2. Do the CCP understand how their actions undermine the positive narrative China would like the world to believe?
  3. Does the benefit of the Chinese cyber programme outweigh the costs to the Chinese leadership?

Happy Birthday CCP

生日快乐. As our present to you for reaching this auspicious milestone, we promise to stick with you and keep a close eye on what the MSS cyber programme is up to. We will continue to pen more attribution pieces as long as you support your APTs and deny they are working for you.

Psst. Chinese cyber hackers: If you are reading this, please do enjoy our fun quiz we put together. We feel the flowchart neatly leads to the right outcome.

One man and his lasers


Article 1 left some tantalizing breadcrumbs about the manager of our main character organization from this article series, Wuhan Xiaoruizhi. ‘What is he up to?’ We hear you cry. ‘And what is up with all the lasers?’

So, without further ado. Introducing: Deng Zhiyong.

Deng at surface glance is the manager and CEO of Wuhan Xiaoruizhi Science and Technology. As a reminder, this is a supposed information/network security company which recruits linguists and hackers for tasks including big data analysis, based in Wuhan Optics Valley.

A deeper dive reveals that Deng also serves or has served on the Board of Directors of a number of companies including Wuhan Laser Power Supply Technology LLC, and Wuhan Technology Innovation Facilitation Center. Furthermore, he holds official titles in three Chinese-government affiliated organizations: Director of the Foreign Exchange Center, Ministry of Science and Technology China; Director of the Hubei Wuhan China/Russian Technologic Cooperation Center, and Chief of the Department of Steelworks Management Administration, Dongxi, Wuhan. We have one busy man on our hands. 

As our research continued, a clearer picture of Deng began to emerge. In particular, his side hustle as one of Wuhan’s foremost laser-related experts. Most of the companies where he sits on the board and the government departments he serves have some kind of laser-flavor. Deng is also one of the official representatives of Optics Valley, a geographical area of Wuhan which specializes in ‘opto-electronics’.  Below is Deng at the 9th International Laser Summit of Optics Valley of China. 

Within his laser-related activities, Deng seems to be most at ease in his role as the director of the Hubei Wuhan China/Russian Technological Cooperation Center. Numerous articles and images show him hosting delegations from the Russian Laser association, visiting Russian laser companies, and patenting joint inventions of laser technology alongside Russian scientists.  

But this is not all. Fascinating open source trade data demonstrates that Wuhan Xiaoruizhi exported a number of shipments of laser technology to Russian laser production firms during 2016 and 2017.

At team I-T this information has generated quite a few questions. Props to Deng for his scientific achievements, but how on earth does he have time for all this extra-curricular activity? What do lasers have to do with ‘network security’ and hacking? With registered capital of only RMB250,000 (USD 36,000) Xiaoruizhi can hardly claim to be big enough to be doing both. If Xiaoruizhi is a front company, why is it buying and selling real lasers with real money? 

We let our imaginations run riot pondering these questions. Could it be that Deng, as the boss of a front company, doesn’t have a real job, and so is free to pursue his laser-related dreams using Xiaoruizhi funds? Could Deng have been co-opted by the MSS while running an initially legitimate laser company and forced to turn it into an APT shell? Or could it be that Wuhan Xiaoruizhi and Deng himself serve as the front for a separate strand of Chinese government activity…cozying up to Russian laser experts for the purposes of Chinese S&T advantage.

The latter point reminds us of something we read recently…

Now, of course, we have no proof here. But given Xiaoruizhi’s links to a number of MSS officers and the government links of its employees and Deng himself this is not beyond the realms of possibility.

Regardless of whether or not Deng is really spying on Russia, surely his position as effectively Wuhan’s laser envoy to Russia is somewhat undermined by the reported activity of APT31, which sat under his command (on paper at least) at Xiaoruizhi: 

Perhaps it is a case of Deng and APT31 keeping their friends close but their enemies closer. Or perhaps Deng’s influence was the only thing stopping APT31 spying on Russia previously and since breaking free to new front companies the group has had free rein. And perhaps we will never know. One thing is for sure though, there are sure to be more secrets hiding under the metaphorical rock of Wuhan Xiaoruizhi Science and Technology than we have been able to tackle in this series. If you have anything to add to this or any part of our investigation, or to kick off a new one, please do get in touch. Our doors (inboxes) are always open to tips. 

For now, though, friends of I-T, this is where we will leave you, until our next big investigation at least. It’s been a blast. Until next time.

Wuhan Xiaoruizhi Class of ‘19


Welcome back Intrusion Truth readers, it’s been a little while. We hope you’ve spent the time reflecting on our findings from our previous set of articles on suspicious happenings in and around Wuhan. We don’t know about you, but even after six articles we felt we had some unfinished business with Wuhan Xiaoruizhi and friends. So, we put together the remaining information we had to give you a few more interesting snippets on APT31’s operational infrastructure. 

For our first annex, we will tackle a lead that was buried in the information leaked by our disaffected Xiaoruizhi insider, of articles 4 and 5. That employees of Xiaoruizhi (AKA APT31 actors) had moved to new companies in 2020. 

We set out to investigate these claims and see if we could identify some, or all, of the follow-on destinations of Xiaoruizhi’s class of 2019. And, we are pleased to report, we had a pretty good run. 

Let’s begin with the link that was most straightforward to piece together. A company we named, briefly, in an earlier article. 

A touch of in-depth Googling on some of the known Xiaoruizhi actors brought up the below spreadsheet, which proved to be a goldmine. A spreadsheet of Wuhan City-based individuals in receipt of employment/training subsidies, which, luckily for us, includes the companies they are employed by. Poring through this enormous document, we hit the jackpot. Wuhan Shenzhou Human Resources Development Services.

As of October 2020, no less than 12 Xiaoruizhi actors who we named previously were now on the books of Wuhan Shenzhou Human Resources Development Service. 

We again see some familiar characters – graduates of Wuhan Kerui Cracking Academy who left feedback: Xiong Wang, Li Yilong, Hu Jiaxiang (who we did not name but can be found on Kerui’s website) and Huang Zhen. Moving on to a human resources department can’t have been part of their plan following their elite hacker training, right?

Wuhan Shenzhou Human Resources appears to be legitimate, at least in the sense that it’s probably a real company. It’s got its own website, which is a start, on which it claims to have 500 square meters of office space and a labor force of 4,000 people. Impressive. 

WSHRS claims to specialize in labor dispatch, labor outsourcing, subcontracting, and headhunting, among a number of other noble pursuits. But this provides a clue. The practice of labor dispatch in China is a process by which employees are hired through an employment services agency and contracted out to an end user, as opposed to the traditional practice of direct employment. The workers sign contracts with the employment services agency, rather than the end user of their services. It’s our best guess here at team I-T that Wuhan Shenzhou Human Resources now acts as labor dispatch for these 12 APT31 employees, and dispatches them out to – well – APT31 or as others may know it; the MSS’ Hubei State Security Department’s cyberespionage program.

Hubei Chuangxin 

Our next front company came to us via the gift that has given generously throughout this investigation: social insurance. Specifically, the social insurance records for Liao Xuliang and Zhou Xin.

For our purposes, the most interesting rows of these documents are at the very bottom right. For both Liao and Zhou the entry marked 201912, i.e. the insurance contribution for December 2019, was registered to Wuhan Xiaoruizhi. But from 202001, January 2020, onwards, insurance contributions are registered to Hubei Chuangxin Human Resources Department. 

Readers, if you’re anything like us, the span of your interest in Chinese Human Resources Service providers will be limited, so we will spare you too much detail here. But it certainly looks, per the screenshots below, like Hubei Chuangxin provides labor dispatch services in exactly the same way as Wuhan Shenzhou, that is, most probably contracting Liao and Zhou back to the MSS (APT, oops – sorry; typo…..) 

Wuhan Juge/Hubei Win Future 

Moving on. A contributor speaking on condition of anonymity provided us with information that a further 12 former employees of Wuhan Xiaoruizhi Science and Technology were now in receipt of subsidies under a separate company, Wuhan Juge Enterprise Management:

  • Chang Zhen 常振
  • Zhang Chaofeng 张超锋
  • Wan Guangcan 万光灿
  • Tu Meng 涂梦
  • Yan Wenlong 鄢文龙
  • Gu Chengwu 顾成武
  • Liu Chencheng 刘晨成
  • Huang Jin 黄金
  • Zuo Hequn 左鹤群
  • Li Haiqing 李海青
  • Yuan Hongxi 苑红曦
  • Hou Qiang 侯强

Wuhan Juge appears to have a number of branches across Wuhan City, and has a wildly diverse business portfolio, which includes (deep breath): Enterprise management, marketing planning, human resource services, loading and unloading, general cargo warehousing services, storage (excluding dangerous goods!), communication engineering construction and maintenance, and, most randomly, sales of automobiles. Seriously impressive range for a company staffed in large part by APT31.

Digging into the shareholders and management of Wuhan Juge we found something interesting. The main shareholders are as follows: 

  • 武汉云栖传媒有限公司 Wuhan Yunqi Media Co. Ltd. – main shareholder. 
  • 腾飞 Teng Fei
  • 王道强 Wang Daoqiang  

All three are also shareholders of another company called Hubei Win Future Enterprise Management AKA Hubei Win Future Technology.  Similarly, the legal representative, GAN Chunyan, is the same for both companies, as is the registered phone number, 18995647475: 

So, there is considerable overlap in personnel/management between Juge and Win Future. Hubei Win Future, according to a congratulatory article about a semi-recent recruitment drive, is a human outsourcing company of China Telecom. It focusses on the recruitment of technical personnel and providing technical talent services for China Telecom’s business. 

According to the article, prospective employees can expect to enjoy all of China’s most significant holidays as leave. Lucky them. 

We had a source do some digging into Hubei Win Future to see if the overlap with Juge held any significance for us. And what do you know? We found another Xiaoruizhi employee. Cheng Feng. Looks like Wuhan Yunqi Media, Teng Fei and Wang Daoqiang own an APT front company empire!

Sensing we were on to something, we continued to look at Hubei Win Future and found a new link. A phone number registered to Hubei Win Future, 18995647475 was also registered to one Hubei Junxinda. 

Furthermore, historic ownership data demonstrated that Hubei Junxinda was once a 25% shareholder of Hubei Win Future; and Hubei Win Future has been, according to internal reports, Hubei Junxinda’s principal supplier (although of what, we don’t know – perhaps personnel?):

Hubei Junxinda looks like a real company; various websites list numerous employees and a number of the projects that Junxinda has won and in-depth reports such as the one above pore over its finances. It also has its own website:

A friend of I-T investigated their premises on our behalf, and found a secure facility at Hubei Junxinda’s address. Here is some imagery of their entrance hall: 

Here, we have to admit, our curiosity was piqued, but we ran out of road. We didn’t find any additional APT31/Xiaoruizhi employees and were not able to uncover any more on the goings on behind closed doors at Wuhan Juge, Hubei Win Future, and Hubei Junxinda. Any tips, give us a shout. 

So, referring back to our original list of Xiaoruizhi employees, we’ve collated as many of their follow-on destinations as we can. 

| Chinese | Pinyin | Destination after Xiaoruizhi |
|---|---|---|
| 曹锦芳 | Cao Jinfang | ? |
| 常振 | Chang Zhen | Wuhan Juge Enterprise Management |
| 程鼎 | Cheng Ding | ? |
| 程锋 | Cheng Feng | Hubei Win Future |
| 顾成武 | Gu Chengwu | Wuhan Juge Enterprise Management |
| 侯强 | Hou Qiang | Wuhan Juge Enterprise Management |
| 胡嘉祥 | Hu Jiaxiang | Wuhan Shenzhou Human Resources |
| 黄增辉 | Huang Zenghui | Wuhan Shenzhou Human Resources |
| 黄震 | Huang Zhen | Wuhan Shenzhou Human Resources |
| 黄振 | Huang Zhen | ? |
| 李海青 | Li Haiqing | Wuhan Juge Enterprise Management |
| 李家诚 | Li Jiacheng | Wuhan Shenzhou Human Resources |
| 李圣胜 | Li Shengsheng | Wuhan Shenzhou Human Resources |
| 李义龙 | Li Yilong | Wuhan Shenzhou Human Resources |
| 廖绪良 | Liao Xuliang | Hubei Chuangxin Human Resources |
| 刘晨成 | Liu Chencheng | Wuhan Juge Enterprise Management |
| 刘宏伟 | Liu Hongwei | Wuhan Shenzhou Human Resources |
| 马欢 | Ma Huan | Wuhan Shenzhou Human Resources |
| 唐星昭 | Tang Xingzhao | Wuhan Shenzhou Human Resources |
| 涂梦 | Tu Meng | Wuhan Juge Enterprise Management |
| 万光灿 | Wan Guangcan | Wuhan Juge Enterprise Management |
| 王意军 | Wang Yijun | Wuhan Shenzhou Human Resources |
| 魏耀斌 | Wei Yaobin | Wuhan Shenzhou Human Resources |
| 熊旺 | Xiong Wang | Wuhan Shenzhou Human Resources |
| 鄢文龙 | Yan Wenlong | Wuhan Juge Enterprise Management |
| 杨鑫 | Yang Xin | Wuhan Shenzhou Human Resources |
| 苑红曦 | Yuan Hongxi | Wuhan Juge Enterprise Management |
| 张超锋 | Zhang Chaofeng | Wuhan Juge Enterprise Management |
| 张立业 | Zhang Liye | Wuhan Shenzhou Human Resources |
| 赵光宗 | Zhao Guangzong | ? |
| 周鑫 | Zhou Xin | Hubei Chuangxin Human Resources |
| 左鹤群 | Zuo Hequn | Wuhan Juge Enterprise Management |

We still have a few gaps, but we are pretty pleased that we have been able to piece together as much as we have.

Now, we may never know what happened at Xiaoruizhi at the end of 2019 that caused APT31 to pursue a mass career change.  Perhaps Xiaoruizhi had simply served its time as an APT front and the powers that be needed to move APT31 into different administrative structures. 

Any light that our readers can shed would, as always, be gratefully received.

No-limits relationship? China’s state hackers scoop up intelligence on Ukraine… and Russia

#2023lifegoals

As we near the end of 2022 we wanted to finish with our opinion related to the Chinese hacker paradise. Not the beaches on Hainan island, but the networks of Ukraine and Russia…

This is something we have taken an interest in since we Tweeted on 15 March 2022 so wanted to pull together some fantastic work that is out there for our community as a little ‘night cap’ before we get back to shining a light on the Chinese cyber machine, exposing their villainous activity and to enable them to ditch their state sponsored computer and escape to Hainan island in 2023.

So pull up a chair, grab a drink and snack of your choice and let’s dive in together.

Russian invasion of Ukraine

For a while we have been researching and reporting on Chinese state cyber activity around the globe. Their contempt for the rules-based order is evident, as is their disregard for intellectual property and all the hard work that goes into it.

24 February 2022 is a date that will forever be etched in the minds of the Ukrainian people and the world as the day the Russians decided to invade Ukraine. The images of the atrocities carried out in Bucha by the Russian army are just one example of the horror show being conducted by the Russian military. The world in unison condemned this activity, but the Chinese Communist Party (CCP) was somewhat absent, coming just weeks after President Vladimir Putin and President Xi Jinping declared their “no-limits” partnership. Which makes us question: Did the CCP know? Actions speak louder than words.

The Chinese state’s reaction was initially one of neutrality before rolling back as the relationship became an embarrassment to China. Most evident of all was President Xi Jinping signing the final declaration at the G20 summit in Bali, condemning the Russian invasion of Ukraine. Was the partnership ever anything more than a ruse by the CCP?

Now, as we have all seen through the year, it’s not going well. So is the public image of the “no-limits” relationship the full story?

“wait, you are going to invade where?”

Chinese state hackers get involved

In March 2022 the Ukrainian computer emergency response team (CERT-UA) issued a warning about cyberattacks on the country’s police agencies. The activity was via phishing emails with HeaderTip malware included inside weaponized documents. The message, when translated, stated “on the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar”, which also included an executable with the same name. All of this could easily point back to Russian state hackers. They are invading Ukraine and as such would want to know what is going on in the country. However, an investigation by SentinelOne identified the link between the HeaderTip malware and “Scarab”, which has links to the Chinese government. This is a fantastic bit of work by SentinelOne exposing a clear link to the Chinese state. This activity was reported within a couple of weeks of the Russian invasion of Ukraine, with Check Point Research (CPR) also flagging that the “frequency of cyberattacks from Chinese IP addresses around the world jumped 72% in the week from March 14 to March 20, compared with the seven-day period before the Russian invasion of Ukraine began”. Why such an interest from Chinese state hackers in Ukraine? Our next stop is what was happening before the Russian invasion.

On Friday April 1st, 2022, The Times UK released an exclusive outlining the Chinese state’s hacking activity. According to this article, this activity had occurred during the Beijing Winter Olympics up to 23 February 2022 (the day before the Russian invasion of Ukraine). What is interesting is that the source stated the hack was widespread, across “600 websites belonging to the Ukrainian defense ministry” but also “Ukrainian government, medical and education networks”.

Chinese state relationship with Russia

So, are we seeing the “no-limits” relationship at work behind the scenes? Having reviewed other avenues, there is a mixed picture. Where we see hacking in Ukraine by Chinese state hackers, we also see reporting of Chinese state hackers targeting Russia itself. Of note, SentinelOne state that the Chinese hacker group Scarab mentioned above has previously targeted Russia, interpreting the “no-limits” relationship tagline in a rather different way to the Xi Jinping of early February 2022…

As outlined in the National Interest, the CCP is vying to become a “cyber superpower”. It has the numbers, not necessarily the talent, but is a highly capable thief (just ask all the companies who have lost intellectual property over the years). Is this just the Chinese state stealing all the data for themselves? As Tim Starks and AJ Vincens wrote in July 2022, “the Ukraine war could provide a cyberwarfare manual for Chinese generals eying Taiwan”, but you could argue it is more than that. China is surpassing its Russian ‘comrade’ and will take advantage of any opportunity to acquire all the information it can get.

Not so much a relationship…

On this note, we move to the Chinese state’s targeting of Russia. We start with a piece by CPR in May 2022. Another phishing attempt, another set of emails, another Chinese state cyber hack, but this time the target was Russian military research and development institutes (with Belarus thrown in for good measure). What is that saying, ‘all is fair in love and war’? Well, we have love between Xi and Putin, but while Putin’s eyes are on Ukraine, Xi is stabbing his comrade in the back. CPR also flagged that this targeting had overlaps with Stone Panda and Mustang Panda. This seems like a home run to us.

In a friendship of equals some are more equal than others… and the Russians seemed to know the Chinese state are hacking them to their heart’s content. Kaspersky identified Chinese state sponsored hacking activity as early as January 2022. As reported in August by Spiceworks, “Kaspersky blamed Chinese state sponsored hacking group TA428 for a number of phishing attacks targeting industrial plants, research institutes, government agencies and ministries across Russia, Belarus, Ukraine and Afghanistan”. A 17-year-old memory corruption vulnerability (CVE-2017-11882) was the way ‘in’, before TTPs distinctive to TA428 were used and sensitive searches were conducted. Now, I don’t know about you, but does the above look like an ally you want in a “no-limits” relationship? What were these Chinese state hackers looking for? If you ask us, the Russians are clearly aware of the Chinese state’s hacking campaign against them. They aren’t exactly covering their tracks. The Russian government is desperate, alone and weaker than ever.

Dragonbridge and fighting back

Yet all hope is not lost. We are aware we are swimming against the tide here; it appears the CCP is relentless and cannot be stopped. But during a Wikipedia edit war, which the hacktivist collective Anonymous states is part of a Chinese influence operation to remove information from Wikipedia, Anonymous hacked the Chinese Ministry of Emergency Management among other websites. It highlights that China’s ‘Great Firewall’ is prone to attacks and exploitation.

The message was on a number of Chinese sites, including on government sites

And on to something we haven’t commented on yet but wanted to wind up with. It would be rude not to mention the botnet menace from Dragonbridge. First flagged by Mandiant in September 2021, not only are the Chinese state hackers stealing intellectual property but they are shifting to the influence game. We see Dragonbridge target events in the US and clearly we are hitting them where it hurts, as they turned their attention to us recently in an attempt to shadowban our content. Now – don’t get us wrong. It is nice to be noticed by the Chinese state hackers. It means we are getting under their skin. But it’s a global redline when they are targeting the Ukrainians with disinformation. Now, Dragonbridge hasn’t really been that effective. In our case, having the community identify and flag these accounts has ensured it didn’t really make much of a splash. Thank you to everyone who contributed to spotting Brandi, Monique and the rest of the botnet bandits!

Both examples demonstrate that although the CCP want to be seen as a “cyber superpower”, they really aren’t. As a community we can continue to expose Chinese state hacking activity, the actors behind the keys and the hypocrisy of the Chinese state. All it takes is that continued vision from the community to flag this hostile activity, keep running down those leads and continue to help us in our quest for the truth.

And finally…

So alas, the Chinese state hackers are not sunning themselves on a beach, enjoying some time away from the keys and considering a more productive and fulfilling life away from their CCP puppet masters. Instead, they continue to look for any opportunity to target people, companies or countries. Even when those countries are simply fighting for their independent survival…

We hope that these Chinese state hackers walk away from their keyboards in 2023. However, our New Year’s prediction is that they will continue, and as such this community needs to stay the course in exposing malign cyber activity: for our loved ones, for our brothers and sisters in Ukraine and for the hard-working people across the globe whom the CCP steal from and hack at will.

As always, you know how to get in touch.

Wherever you may be, we wish all our readers a happy holiday. We will be back in 2023. See you for the fireworks.