In our last post we showed how, through WHOIS data, it is possible to identify Wu Yingzhuo, an APT3 operator who registered domain names for the group and advertised online offering help with Trojan development.
The story finished with httb[.]net, a domain name that we showed was connected to APT3 and that was registered to Yingzhuo Wu. In this post we will show how the trail continues and allows us to identify a second APT3 member, Mr Dong.
From httb to biglit
DNS research on httb[.]net reveals a second IP address: 61.129.67[.]53. Three other interesting domains have previously resolved to it. They are vcersoft[.]com, uyre[.]net and inc-work[.]com.
Looking at the three newly identified domains, we found that the WHOIS information for all three includes a new e-mail address, biglit[at]gmail.com.
The biglit e-mail address appeared in registration information for a number of other domains, including microsoft-ie[.]com. Historic WHOIS information for this domain includes the e-mail address tianyu12[at]msn.com.
And back to biglit
In addition to the microsoft-ie[.]com domain, the tianyu12 e-mail address also appeared in registration data for unixfocus[.]net. But tianyu12 was not the only e-mail address that appeared in historic registration data for that domain. A previous address was biglit[at]163.net, similar to the biglit gmail address mentioned earlier.
Completing the chain, the new biglit address appeared in the WHOIS information for another new domain: shuyan[.]com. And the name that appeared in the shuyan registration record was … Dong Hao.
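The pivot described across the two sections above (passive DNS from a domain to an IP, then WHOIS e-mail overlap from domain to domain) is a graph walk. The following is an added example, not code from the original post: it encodes only the links stated in the text as constructed edges and uses a breadth-first search to recover the hop-by-hop chain from httb[.]net to the shuyan registrant. The node labels and relation names are our own naming, not fields from any WHOIS or DNS data source.

```python
from collections import deque

# Constructed from the relationships described in this post; node labels are
# prefixed with their type (domain, ip, email, registrant) to keep pivots readable.
LINKS = [
    ("domain:httb[.]net", "ip:61.129.67[.]53", "resolved to"),
    ("domain:vcersoft[.]com", "ip:61.129.67[.]53", "resolved to"),
    ("domain:uyre[.]net", "ip:61.129.67[.]53", "resolved to"),
    ("domain:inc-work[.]com", "ip:61.129.67[.]53", "resolved to"),
    ("domain:vcersoft[.]com", "email:biglit[at]gmail.com", "WHOIS e-mail"),
    ("domain:uyre[.]net", "email:biglit[at]gmail.com", "WHOIS e-mail"),
    ("domain:inc-work[.]com", "email:biglit[at]gmail.com", "WHOIS e-mail"),
    ("domain:microsoft-ie[.]com", "email:biglit[at]gmail.com", "WHOIS e-mail"),
    ("domain:microsoft-ie[.]com", "email:tianyu12[at]msn.com", "historic WHOIS e-mail"),
    ("domain:unixfocus[.]net", "email:tianyu12[at]msn.com", "WHOIS e-mail"),
    ("domain:unixfocus[.]net", "email:biglit[at]163.net", "historic WHOIS e-mail"),
    ("domain:shuyan[.]com", "email:biglit[at]163.net", "WHOIS e-mail"),
    ("domain:shuyan[.]com", "registrant:Dong Hao", "WHOIS registrant"),
]

def build_graph(links):
    """Undirected adjacency list: every link is a pivot in either direction."""
    graph = {}
    for a, b, rel in links:
        graph.setdefault(a, []).append((b, rel))
        graph.setdefault(b, []).append((a, rel))
    return graph

def pivot_path(graph, start, goal):
    """Breadth-first search; returns the shortest chain as (node, relation, node) hops, or None."""
    queue = deque([start])
    parent = {start: None}
    while queue:
        node = queue.popleft()
        for nxt, rel in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in parent:
        return None
    hops, cur = [], goal
    while parent[cur] is not None:
        prev, rel = parent[cur]
        hops.append((prev, rel, cur))
        cur = prev
    return list(reversed(hops))

if __name__ == "__main__":
    g = build_graph(LINKS)
    for a, rel, b in pivot_path(g, "domain:httb[.]net", "registrant:Dong Hao"):
        print(f"{a} --[{rel}]--> {b}")
```

Each printed hop is a single WHOIS or DNS overlap, which is the unit of evidence an analyst has to verify independently before treating the chain as attribution.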
But who are Wu Yingzhuo and Dong Hao? We will reveal soon exactly where they work, and from whom they receive their orders. Read our next post for more truth behind this intrusion.