On August 15th 2018 this blog revealed a connection between APT10 and the Tianjin bureau of the Chinese Ministry of State Security (MSS). But the story doesn’t stop with that revelation; analysts working with this blog have continued to investigate every lead provided to us. One such lead has helped us to identify another individual in China connected to APT10. The trail starts with a domain name first published in FireEye’s Poison Ivy Report as a MenuPass (APT10) affiliated domain.
The domain chromeenter[.]com appears in the FireEye report as a domain associated with the MenuPass malware.
The domain and subdomains also appeared in early versions of Annex A (Indicators of Compromise) of the PwC Operation Cloud Hopper report and it is listed on Alien Vault as a sink-holed domain.
Tianjin Tiaoyiye Technology Co Ltd
Domain registration information for chromeenter[.]com shows that it was registered in April 2010 to Hogate Technology Co Limited. Although much of the registration information remained the same when the domain was updated in April 2012, the registrant company was changed to Tianjin Tiaoyiye Technology Co Limited and the registration e-mail address was updated to gbaike[at]gmail.com. The domain became WHOIS protected in late June 2013 just prior to being repossessed by GoDaddy and named in the FireEye report.
The registration e-mail address used from 2012 leads to a number of other domains, many of which are connected to Tianjin, China, the home of APT10. Domains registered by gbaike[at]gmail.com include:
The domain jiaxiaotuangou[.]com was registered to an individual named An Zhiqiang and was also associated with the Tianjin Tiaoyiye Technology Development Co Ltd (天津天骄易业科技发展有限公司) in registration data. Chinese characters for the company were identified at hhlyny.com and give a slightly different name of Tianjin Tianjiaoyiye Technology Development Co Ltd.
The company entry on Zhaopin (a Chinese online recruitment services website) provides additional data related to the company including a link to the company website at tjwangdian[.]com.
The Zhaopin entry also provides a summary of the business activities of the company that translates roughly as:
Tianjiao Network is an e-commerce website construction company with rich experience, professional technology and excellent team. The company focuses on e-commerce website development and network operations, including: e-commerce website construction, B2C website construction, independent online shop construction, mall website construction, industry website construction, portal construction, brand website construction and post-maintenance. From pre-market research, website positioning, website construction and implementation, network promotion, website operation, and even later online customer service and customer relationship management, we have experienced planning team, professional website design team and dedicated customers. The service team consistently adheres to the spirit of “no best, only better!” to create a real profit platform for the company, strengthen the competitiveness of the company, and obtain greater success value!
Finally the entry for Tianjin Tiaoyiye on Liepin (China’s largest recruitment website) provides Chinese characters for An Zhiqiang (安志强).
Armed with a name (安志强), a handle (gbaike), a location (Tianjin) and a company (天津天骄易业科技发展有限公司) a number of new sources of material on the individual can be discovered, including Twitter account @gbaike. The account is in the name 安志强, bears the handle @gbaike and has its location set as Tianjin. The account also refers to marketing in its profile image – this matches the description of the company from Zhaopin.
web1680[.]com and tjmeta[.]com
The final link to a specific individual in Tianjin comes from the domain web1680[.]com which was identified above as registered by gbaike[at]gmail.com. The website’s contact us page contains the phone number 15102292183.
This same phone number is listed on a different website, tjmeta[.]com that lists An Zhiqiang (安志强) as an instructor in internet marketing with a specialism in WeChat marketing.
The bullet points on the right hand side of the screenshot from tjmeta[.]com match those used in @gbaike’s Twitter cover image above.
The photo appears to be that of a well known web marketing expert from Tianjin, China.
In summary, An Zhiqiang (安志强) and company Tianjin Tianjiaoyiye Technology Co Ltd (天津天骄易业科技发展有限公司) are both connected to APT10 activity through domains used for APT10 / MenuPass activity prior to FireEye’s 2013 Poison Ivy report.