This blog has previously shown that by starting with an APT it is possible to identify the individuals and companies responsible for conducting their attacks and the State actors behind them. We have also shown that you can start with the State and work backwards to the APT.
APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer. We know that multiple areas of China each have their own APT.
After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.
Our previous research showed that science and technology companies Boyusec, Huaying Haitai, Antorsoft, and others were fronts for Chinese MSS-sponsored APT activity. If you take the blueprint above and search for it elsewhere, an interesting and increasingly bizarre series of links begin to emerge.
Northern China has received much, presumably unwelcome, attention from this blog already. For our next example, let’s look South, as far South as we can while remaining in China. Hainan is a semi-tropical island paradise conveniently located for Chinese tourists, known for its production of rubber and iron ore, its rocket launches, and its views over the South China Sea. What it is not internationally famous for is global technology companies.
Hainan Xiandun Technology Development Company
Search for science and technology companies in Hainan who have also posted job adverts for penetration testers and you will quickly find 海南仙盾科技开发有限公司, the Hainan Xiandun Technology Development Company. A job advert for a penetration tester position at Hainan Xiandun posted on the Sichuan University Faculty of Computer Science website on 5 January 2018 describes Hainan Xiandun as a “fast-growing high-tech information security company”.
Here is a second advert for the same company from the College of Foreign Languages at Hainan University advertising for female English translators, ideally party members:
However, multiple other technology companies based in Hainan use identical company descriptions and job adverts.
Hainan Yili Technology Company
Hainan Yili – 海南毅立科技有限公司 – describes itself as a fast growing, high-tech information security company which is committed to becoming a leading manufacturer of information security products and services in China.
Hainan Tengyuan Technology Company
Hainan Tengyuan – 海南腾远科技有限公司 – also describes itself as a fast growing, high-tech information security company which is committed to becoming a leading manufacturer of information security products and services in China.
Hainan Kehua Information Technology Company
And that’s not all. Hainan Kehua – 海南科华信息科技有限公司 – also describes itself as a fast growing, high-tech information security company which is committed to becoming a leading manufacturer of information security products and services in China.
Hainan Yanwu Technology Development Company
A little more research uncovers Hainan Yanwu – 海南彦武科技开发有限公司 – a company which also describes itself as a fast growing, high-tech information security company which has become a leading provider of information security services in China.
Of course, this could all be a coincidence. Perhaps this company description is the first result on Baidu for “how should I describe my new technology company”. But it isn’t.
More links emerge
More links are evident in these job adverts. A Hainan Xiandun advert for an English translator lists 3414477607[at]qq.com as the contact email.
This is the same email address that was seen on the advert for a Network Security Development Engineer for Hainan Yili above:
There are more links; the contact person Wang Tian (王天) from the job advert above can also be seen on this advert for Hainan Tengyuan:
Eight other linked technology companies in Hainan
Five companies with overlapping contact details, job and company profiles, and named individuals. This is a little suspicious, but there might remain a chance that it is all completely explainable. Thirteen companies, though, starts to move beyond even the broadest realms of credulity and positive thinking. Taking the registration details for Hainan Tengyuan we can then find a further eight linked technology companies in Hainan.
- Company 6: Hainan Dingwei Digital Technology Company shares a telephone number and address with Hainan Tengyuan – 19808984669 and No. 10 Haixiu Road
- Company 7: Haikou Fengshang Digital Technology Company shares a telephone number and address with Hainan Tengyuan and Hainan Dingwei.
- Company 8: Hainan Hualian Anshi Intelligence Engineering Company shares a telephone number and address with Hainan Tengyuan, Hainan Dingwei, Haikou Fengshang.
- Company 9: Hainan Jiaxi Technology Company shares a telephone number and address with Hainan Tengyuan, Hainan Dingwei, Haikou Fengshang, and Hainan Hualian Anshi.
- Company 10: Hainan Xinhuaheng Technology Company shares a telephone number (19808984***) with Hainan Tengyuan, Hainan Dingwei, Haikou Fengshang, Hainan Hualian Anshi, and Hainan Jiaxi and is co-located in the same building.
- Company 11: Haikou Jianhui Li Network Technology Company shares a shareholder with Hainan Xiandun (Fu Chuanli – 符传礼).
- Company 12: Hainan Xin Yousheng Digital Technology Company shares a legal representative and shareholder with Hainan Dingwei (Fu Zhidao – 符致道 and Wu Chunai – 吴春爱), shares a telephone number with Hainan Tengyuan, and is also located at No. 10 Haixiu Road.
- Company 13: Haikou Xindahai Computer Technology Company shares a shareholder with Hainan Hualian Anshi and Hainan Jiaxi (Fu Deqing – 符德清 and Wu Li – 吴丽) and is also located at No. 10 Haixiu Road.
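The pivot described above, from one company's registration details to a cluster of linked companies, is a link-analysis exercise: each company becomes a node, each shared attribute (email, phone, address, named person, boilerplate company description) becomes an edge, and the connected components are the candidate clusters. The script below is an added example, not part of the original post; the records are transcribed from the overlaps the post reports (nothing else is assumed about the companies), the link weights and the minimum score are our own choices, and the masked-digit phone matching mirrors the post printing one number as 19808984***.

```python
from collections import defaultdict

# How much an overlap on each attribute type counts toward a link.
# Weights are an assumption for this example: a shared email, phone or
# named person is strong, a shared address or contact is medium, and an
# identical marketing description on its own is weak.
WEIGHTS = {"email": 3, "phone": 3, "person": 3, "address": 2, "contact": 2, "description": 1}

BOILERPLATE = "fast growing, high-tech information security company"
PHONE = "19808984669"
ADDRESS = "No. 10 Haixiu Road"

# Records transcribed from the post. Only attributes the post reports are
# included; "person" covers shareholders and legal representatives together.
COMPANIES = {
    "Hainan Xiandun": {"email": {"3414477607[at]qq.com"}, "person": {"Fu Chuanli"}, "description": {BOILERPLATE}},
    "Hainan Yili": {"email": {"3414477607[at]qq.com"}, "contact": {"Wang Tian"}, "description": {BOILERPLATE}},
    "Hainan Tengyuan": {"contact": {"Wang Tian"}, "phone": {PHONE}, "address": {ADDRESS}, "description": {BOILERPLATE}},
    "Hainan Kehua": {"description": {BOILERPLATE}},
    "Hainan Yanwu": {"description": {BOILERPLATE}},
    "Hainan Dingwei": {"phone": {PHONE}, "address": {ADDRESS}, "person": {"Fu Zhidao", "Wu Chunai"}},
    "Haikou Fengshang": {"phone": {PHONE}, "address": {ADDRESS}},
    "Hainan Hualian Anshi": {"phone": {PHONE}, "address": {ADDRESS}, "person": {"Fu Deqing", "Wu Li"}},
    "Hainan Jiaxi": {"phone": {PHONE}, "address": {ADDRESS}, "person": {"Fu Deqing", "Wu Li"}},
    # The post prints this company's number with masked digits.
    "Hainan Xinhuaheng": {"phone": {"19808984***"}, "address": {ADDRESS}},
    "Haikou Jianhui Li": {"person": {"Fu Chuanli"}},
    "Hainan Xin Yousheng": {"person": {"Fu Zhidao", "Wu Chunai"}, "phone": {PHONE}, "address": {ADDRESS}},
    "Haikou Xindahai": {"person": {"Fu Deqing", "Wu Li"}, "address": {ADDRESS}},
}


def phones_match(a: str, b: str) -> bool:
    """Two phone numbers match if every unmasked digit agrees ('*' is a wildcard)."""
    if len(a) != len(b):
        return False
    return all(x == y or x == "*" or y == "*" for x, y in zip(a, b))


def shared_attributes(rec_a: dict, rec_b: dict) -> list:
    """List (attribute, value_a, value_b) overlaps between two company records."""
    hits = []
    for attr in sorted(set(rec_a) & set(rec_b)):
        for va in rec_a[attr]:
            for vb in rec_b[attr]:
                same = phones_match(va, vb) if attr == "phone" else va == vb
                if same:
                    hits.append((attr, va, vb))
    return hits


def build_links(companies: dict, min_score: int = 2) -> dict:
    """Score every company pair; keep pairs whose overlap score reaches min_score."""
    links = {}
    names = sorted(companies)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            hits = shared_attributes(companies[a], companies[b])
            score = sum(WEIGHTS[attr] for attr, _, _ in hits)
            if score >= min_score:
                links[(a, b)] = (score, hits)
    return links


def clusters(companies: dict, min_score: int = 2) -> list:
    """Connected components over the links, largest cluster first (union-find)."""
    parent = {name: name for name in companies}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in build_links(companies, min_score):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b
    groups = defaultdict(set)
    for name in companies:
        groups[find(name)].add(name)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    # Strong and medium links only: the description-only companies drop out.
    for group in clusters(COMPANIES, min_score=2):
        print(len(group), group)
    # Let the weak description link count too and everything joins one cluster.
    print(len(clusters(COMPANIES, min_score=1)[0]), "companies when boilerplate counts")
    for pair, (score, hits) in sorted(build_links(COMPANIES).items()):
        print(score, pair, [h[0] for h in hits])
```

With boilerplate descriptions excluded (minimum score 2), eleven of the thirteen companies fall into one cluster and only Hainan Kehua and Hainan Yanwu stand apart; counting the shared description as a weak link pulls those two in as well. Printing the hits per pair is the useful part in practice, because it shows which attribute carried each link and lets an analyst decide whether a single shared address in an office building is evidence or coincidence.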
Hainan cover companies recruiting for offensive cyber skills
Looking beyond the linked contact details, though, some of the skills that these adverts are seeking sit at the aggressive end of the spectrum. While the companies stress that they are committed to information security and cyber-defence, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks.
It could be argued that SQL injection and other penetration skills could be used for defensive purposes, to stress test defences for example. But this job advert posted by Hainan Tengyuan is also looking for someone with a track record of sharing hacking exploits as well as specific experience with Windows Trojan shellcode development and PE encryption. The question we should be asking is: who develops their own encrypted executable files?
In summary, we have multiple companies with identical descriptions and job adverts, overlapping contact details and office locations, but different names, recruiting for offensive hacking skills. Like Boyusec, Huaying Haitai, Antorsoft, and others, these companies have very little presence on the Internet outside of these adverts.
We know that these companies are a front for APT activity.
You all know where this story is going, and in the next articles we will show you some of how we got there…