In our last article, we identified Jinan Quanxin Technology Co. Ltd. (济南全欣方沅科技有限公司) and Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan.

Jinan Fanglang Information Technology Company

As disclosed previously by this blog, the antorsoft[.]com domain name listed the main address for Jinan Quanxin Fangyuan as 238, Jing Shi Dong Lu, Jinan, China.

Historical WHOIS data for Antorsoft

But Jinan Quanxin Fangyuan wasn’t the only IT company registered at this address. We know that 238, Jing Shi Dong Lu, Jinan was also the registered address of the Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司). Let’s take a look at how we can prove it… 

iamjx aka phoenix

Firstly, can we identify any staff who might work for Jinan Fanglang and tie them to hacking activity? The trail starts with a job that was advertised for Jinan Fanglang on pediy[.]com by an individual using the handles iamjx and phoenix.

iamjx advertising a job for Jinan Fanglang

Although iamjx is a handle that is difficult to identify elsewhere in open source, our analysts were able to find a second job advert using the same QQ number, 8401900931. This second advert was on binvul[.]com. Unfortunately we can’t connect to binvul, but one of our analysts passed us a printout obtained from a location with better access.

Printout of job advert for Jinan Security company

The precise name of the company isn’t clear – it says 济南安全公司招聘 (Jinan Security Company Recruitment) – and the poster doesn’t give their name. But their link to the hacking world is obvious from another posting in 2012 using the same w4ngqw account on binvul, this time commenting on the impressive nature of CVE-2012-1848.

w4ngqw discussing CVE-2012-1848

Wang Qingwei (王庆卫)

Analysing the handle w4ngqw, it seems clear that the family name is Wang. The given name uses the pinyin characters ‘qw’, restricting the number of candidate names in Chinese. Searching on these candidate names, analysts working with this blog have identified that the owner of w4ngqw is Jinan resident and cyber security expert Wang Qingwei (王庆卫).

Company tax registration information obtained by this blog from the official website of Shandong Province lists the company 济南方朗信息科技有限公司 (Jinan Fanglang Information Technology Co. Ltd.) with a registration address of 238 Jing Shi Dong Lu, Jinan. Who was named as the company representative? 王庆卫

Tax registration information for Jinan Fanglang

Let’s challenge the hypothesis

It could be argued that Wang Qingwei – the representative of a company that merely shared an office with a second company whose domain name was registered by Guo Lin – had nothing to do with Mr Guo or the MSS. How strange then that a source with access to such information informed us that Guo Lin and Wang Qingwei flew together on a multi-stop trip in 2016. But they weren’t just on the same plane, they sat next to each other on every leg of the flight…

We admit to not being data scientists here at Intrusion Truth, but if the population of China is 1.4 billion, the chances of sitting next to the same Chinese person on at least three journeys must be 1/(1,400,000,000)^3, which is to say 1 in 2,744,000,000,000,000,000,000,000,000.

Or 2.7 octillion to 1.

Which is quite low.

In summary, Wang Qingwei, an IT security expert, advertised jobs at Jinan Fanglang using two online profiles and was also listed as the company’s official representative. He is directly linked to likely MSS Officer Guo Lin, travelling with him on multiple occasions.

#theyknowwherethisleads