In our last post, we stated that a source whose identity we had verified had named an MSS Officer in Jinan who was believed to be involved in Cyber operations. We are now in a position to reveal that the name provided to us is 郭林 (Guo Lin). Open source research conducted by analysts working for Intrusion Truth quickly revealed a potential candidate for Guo Lin.

Guo Lin, Masters Student

An IT security paper from 2007 called ‘基于多维角度的攻击分类方法‘ (Method of Classifying Attacks Based on Multi-dimension) was authored by a Guo Lin in which he described himself as a Masters student conducting research into network and information security and malicious code detection. Guo was a Computer Science student at Nanjing University (not Jinan), making it uncertain whether he is indeed the same individual in Jinan named in our tip.

There is nothing wrong with being a Masters student, of course. So let’s take a look at what else Guo has been up to.

glince[at]163.com

Our high confidence that we have the right person comes from the e-mail address used by Guo in the paper – glince[at]163.com. We will show how the e-mail address links Guo to Jinan.

Page 1
Guo Lin’s academic paper showing his e-mail address

 

antorsoft[.]com

Historical WHOIS data shows that the e-mail address glince[at]163.com was the original registrant of a number of domain names and was the admin contact for antorsoft[.]com.

2-antorsoft WHOIS
Antorsoft historical WHOIS

Jinan Quanxin Fangyuan Technology Co. Ltd.

Domain registration information for antorsoft[.]com names the registrant as Jinan Quanxin Fangyuan Technology Co. Ltd, which translates into Chinese as 济南全欣方沅科技有限公司. The address is listed as 238, Jing Shi Dong Lu, Jinan, 250000, Shandong, China. Importantly, this company is based in Jinan, just where our tip said Guo Lin was based.

Another Chinese website lists a different address for the same company at No. 12, Qilihe Road, Licheng District, Jinan, Shandong:

3-quanxin address
Second address for Jinan Quanxin Fangyuan

Jinan Anchuang Information Technology Co. Ltd.

However, the website for Antorsoft, which was still active at the time of writing, names the company as 济南安创信息科技有限公司, which in English is rendered Jinan Anchuang Information Technology Co. Ltd. It claims to be a ‘state-level high-tech enterprise that integrates development, productions, management and technical services with scientific research as the guide’. It claims to ‘strive to become an excellent supplier of global information security services and communications products’.

4-antorsoft website 1
Antorsoft website showing Jinan Anchuang as the company name

On a second page Antorsoft claims to look at Cyber Security issues from the perspective of those committing Cyber attacks. What an interesting perspective to have chosen…

4-antorsoft website 2
Antorsoft description of services offered

A healthcare company? With MSS links?

So far, so good. We’ve got a likely MSS Officer running and Information Technology company, or two, on the side. Why, then, in this brochure (left) – which we were passed by a friend – does Jinan Anchuang claim to be a healthcare company focusing on child health development? It is definitely the same company – you’ll see that the brochure is signed by 郭林 (Guo Lin) using both his name and his ‘Glince’ nickname.

All becomes clear in a second version of the same document (right). No headed paper, no signature, but the same company name and founding date.

Antorsoft brochure.png

But. The description is different. Now it’s an IT company. And at the bottom is a list of clients, including 四川省国家安全厅, the Sichuan State Security Department. For those not experts in Chinese national security departments, the SSSD is the provincial department of the Ministry of State Security in Sichuan.

Oops.

Sichuan isn’t Shandong, where Jinan is located, but perhaps we will find more links later.

Use of alias names?

This is one of our favourite discoveries. Using (previously hacked and released) data from Chinese messaging service QQ, we were able to find Guo Lin’s QQ account, which is 21213804. At the time that the data was released, 21213804 was a member of a number of QQ groups. In many of these, the name he used was 郭林, which is transliterated ‘Guo Lin’. So far so good.

But the QQ data shows that he was also a member of an ‘Antorsoft’ group (QQ number 7043291) created in 2004. In that group he used the name 林子 (Lin Zi), Lin being his first (or ‘given’) name and Zi, in this instance, being used to extend a single syllable name into a nicer sounding two syllable word (Zi roughly translates to ‘thing’). For the purposes of our analysis we will translate ‘Zi’ as ‘Mr’ – think Reservoir Dogs and you’ll see why.

Looking at the other members of the Antorsoft group in the QQ data, a pattern begins to emerge. Each of them was a single name – some connected to their real name, some apparently random – with ‘Zi’ appended. In many cases, it seems to form a sort of nickname or ‘codeword’ – 林子, for example, means ‘Mr Forest’. Here is the complete list:

  • QQ 21213804 uses ‘Mr Forest’ 林子 (Linzi) in the Antorsoft group but normally uses the name 郭林 (Guo Lin)
  • QQ 10832991 uses ‘Mr Ocean’ 海子 (Haizi) in the Antorsoft group but normally uses the names 龙海 (Long Hai) ‘Dragon Ocean’ and Fei Long (飞龙) ‘Flying Dragon’
  • QQ 23793808 uses ‘Mr Bamboo’ 竹子 (Zhuzi) in the Antorsoft group but also the name ‘Zhuyuzi’
  • QQ 87414156 uses ‘Mr Monkey’ 猴子 (Houzi) in the Antorsoft group
  • QQ 369782831 uses ‘Mr Pine’ 松子 (Songzi) in the Antorsoft group
  • QQ 1137938323 uses 亮子 (Liangzi) in the Antorsoft group
  • QQ 26250040 uses ‘Mr Chen’ 陈子 (Chenzi) in the Antorsoft group but also the name 雨巷 (Yuxiang) or ‘Rain Alley’

Interestingly, Yuxiang  was also in a QQ group called 江苏公务员考试交流 (Jiangsu Civil Service Examination Exchange), created in 2009. The group description is the 南京大学公务员考试群 (Nanjing University Civil Service Examination Group), giving us another link to Nanjing.

In summary, we discovered two IT Security Companies based in Jinan, affiliated with a Chinese individual who studied Information Security to Masters level. Our source claims that individual is an active MSS Officer involved in Cyber operations. One of the companies appears to have some sort of healthcare company front, whilst simultaneously claiming to be an SSSD InfoSec contractor. And employees  use alias names on QQ when dealing with Antorsoft.

What we still don’t know is: who else works in these companies and do they have any connections to APT attacks?

#guoknowswherethisleads