In previous articles we identified Jinan Quanxin Fangyuan Technology Co. Ltd. (济南全欣方沅科技有限公司), Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司) and Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan. We also identified an IT Security expert from Jinan, Wang Qingwei (王庆卫), as the representative of the Jinan Fanglang company. Another, potentially separate, individual goes by the name ‘iamjx’.

The identification of a further individual in Jinan requires us to follow the trail from what we believe to be a fourth front company.

RealSOI Computer Network Technology Company

A different analyst providing information to this blog identified RealSOI Computer Network Technology Company (瑞索计算机网络科技有限公司) as a company closely related to Jinan Quanxin, Jinan Anchuang and Jinan Fanglang. Our team spent some time researching links between the companies and identifying staff linked to RealSOI who were associated with hacking activity.

Information in open source on RealSOI is limited, but Chinese recruitment websites indicate that RealSOI operates from 66, Shanda South Road, Lixia District, Jinan. Our analysts also identified a website (realsoi[.]com) archived on archive.org, showing the company claiming to offer research in areas such as Computer Criminal Forensics, High-Performance Computing and Social Operating Systems.

[Image: Archived copy of realsoi[.]com]
envymask

Our open source investigation identified a single PGP key associated with the realsoi[.]com domain in the name ‘envymask’.

[Image: PGP key associated with envymask and RealSOI]

envymask is a well-known member of Chinese hacking circles and is a member of the ph4nt0m group. In this post, using e-mail account 13[at]21cn.com, he promotes the 20cn[.]org security group for discussion of hacking topics in China. He appears to have a senior role within the group as joint author of the post with ‘PsKey’.

[Image: envymask and PsKey on CSDN]

envymask had his own website back in 2002, a copy of which was captured by archive.org. He doesn’t give his name on the site, but he does give some of his biographical background, including a date of birth in 1980 in Sichuan province and details of studies at the Nanjing Science and Engineering University in 1999. Nanjing, of course, is where likely MSS Officer Guo Lin studied, and from where he published his IT Security paper, detailed in an earlier article.

[Image: envymask’s biography on his personal website]

Zeng Xiaoyong (曾小勇)

As you’ve no doubt guessed, envymask has a real name. He is Zeng Xiaoyong (曾小勇). According to information provided to us by a source with access to information in China, Zeng Xiaoyong was born on 22 November 1980 and worked at RealSOI in the mid-2000s.

MS08-067

envymask isn’t just any mediocre Chinese hacker. In this online post, in which he also uses the name ‘EMM’, he claims to be the author of the MS08-067 exploit for Chinese operating systems. Presumably this means he ported it to the Chinese version of Windows. The generic version of MS08-067 is a well-known exploit used in multiple attacks including the Conficker worm.

[Image: envymask, EMM, as author of MS08-067]

So, does Zeng Xiaoyong know Wang Qingwei?

The answer to that is yes. The images below are from a training plan associated with Jinan Fanglang. Those with a keen eye will spot that ‘EMM’, listed as responsible for the MS08-067 exploit, is one of the trainers. Who else is listed on the course as a trainer? ‘Phoenix’, which you will remember was a name used by Wang Qingwei when recruiting for Jinan Fanglang.

[Images: Jinan Fanglang training plan showing ‘EMM’ and ‘phoenix’ as trainers]

The Phreaker (耗子)

The second trainer listed at the end of the training document, between EMM and Phoenix, is 耗子 (Haozi). 耗子 translates literally into English as ‘rat’ or ‘mouse’, but you will recognise the format of the name from the ‘reservoir dogs’ QQ names used in the Antorsoft group. 耗 is Chinese for ‘consumption’, and 耗子 is used as a shortened version of ‘电话耗子’ (telephone mouse). The English translation is ‘phreaker’, a type of hacker from the 1980s who found ways to use dial-up connections for free, effectively stealing telephone company resources.

[Image: Explanation of ‘phreaker’ in a Chinese telecommunications textbook]

In summary, Zeng Xiaoyong, a well-known Chinese hacker using the handles ‘envymask’ and ‘EMM’, worked for RealSOI. RealSOI was closely associated with the MSS front companies identified in previous articles, and Zeng knew Wang Qingwei, having worked alongside him as an InfoSec trainer.

#youknowwherethisleads