In our last three posts we introduced you to APT3 and identified two individuals responsible for purchasing their domain names – Wu Yingzhuo and Dong Hao. An IP address in Guangdong, China was associated with some of the domains.

Both individuals have a long history of purchasing APT3 infrastructure. Who do they work for and where do their orders come from?

Boyusec

Well, the answers to those questions are reasonably easy to find. Wu Yingzhuo (吴颖卓) and Dong Hao (董浩) are both shareholders in the same company.

This listing is for a Chinese cyber security firm called 博御信息 (or Boyusec – the Guangzhou Boyu Information Technology Company, Ltd) that was licensed in December 2013 and is based in Guangdong. It lists both 吴颖卓 and 董浩 as major shareholders.

Company listing showing 吴颖卓 and 董浩 as shareholders of Boyusec

The Ministry of State Security

On the 29th of November 2016, freebeacon.com reported that Pentagon intelligence officials had identified Boyusec as being a contractor for the Chinese Ministry of State Security (MSS). The MSS is one of China’s intelligence services and is an active player in its cyber programme.


The conclusion?

Either a Chinese InfoSec company called Boyusec, known to be involved with Chinese Intelligence Cyber operations, has two shareholders with the same names as two apparent APT3 actors, or Boyusec is APT3.
