In our previous articles we identified thirteen companies that this blog knows are a front for APT activity in Hainan. Following further analysis, we noticed a close association between these Hainan front companies and the academic world. Multiple job adverts for the the companies are posted on university websites. Hainan Xiandun even appears to operate from the Hainan University Library!
This company summary for Hainan Xiandun also provides a contact number: 13907545649. Cross-referencing this partial phone number and Hainan, we identified Gu Jian (顾剑) is a Computer Science specialist at Hainan University. We found Gu’s name and phone number in this list of projects on the Hainan University website.
Here is Gu’s CV:
And here is his biography from his web page at Hainan University’s website showing his work history and interests, including as a former member of the People’s Liberation Army.
“[Gu Jian] worked as an educated youth, a PLA soldier, an officer of the Political Department of the Provincial Military Region, a senior engineer of a state-owned enterprise, and a Chinese employee (technical director) of the French representative office of the French company BULL.”
Gu Jian, a Professor in the Information Security Department and former member of the PLA is now the contact person for an APT front company which itself is linked to twelve other front companies.
Hainan Xiandun Information Security Technology Competition
Mr Gu is closely involved with Hainan Xiandun. In September 2013, he posted on the Hainan University online forum about “The 2013 Hainan Network Information Security Technology Competition” saying that teams could enter and that there would be prizes. The posting indicated that more detail was available on xdaqjs[dot]com. This domain is an acronym from the Pinyin for Xiandun Security Competition Final (XianDun AnQuan JueSai – 仙盾安全决赛).
These links between Hainan Xiandun and Hainan University are seen again on the internal Hainan University discussion forum. A user name “xdaqjs” posted to encourage students from any specialism and in any year with an interest in cyber security to attend a session hosted by Hainan Xiandun in the auditorium of the information technology department on 9 September 2013.
The competition ran again in 2016, still using xdaqjs as a title.
Mr Gu was not just advertising this competition for a company that he was involved in, he registered the domain.
A link to the malicious activity of the front companies can be seen when reading discussion forums about xdaqjs. Individuals purporting to represent the site offered large sums of money to people with password cracking skills outside the ordinary range of dictionary attacks and brute force.
The opening post reveals that Mr Gu is seeking new ways of cracking passwords. The poster is aware of the common techniques, for example brute force or dictionary attacks, but is seeking new alternatives.
What makes this interaction increasingly strange though, is that a student posting on this thread said that Mr Gu is inexplicably wealthy and is offering a large amount of money to people able to provide new and inventive ways of cracking passwords. The original text is telling:
“Haha, I only want to know are these things actually crackable… From what I know about our teacher, he doesn’t waste his words. Our teacher says if no-one can crack it this time, then he’ll increase the money on offer, 200,000, 300,000, 500,000 RMB.
P.S. Believe it or not, our teacher has a lot of money…”
The Dean of Mr Gu’s faculty is CCP member Huang Mengxing (黄梦醒). The questions we should ask are: How well does Huang know Gu? Does he know about his department’s support for front companies for APT activity?
Most importantly, if he knew then should he have stopped it?
In summary, Gu Jian, a former member of the PLA is an academic specialising in Information Security at Hainan University. He is also listed as the contact person for Hainan Xiandun, one of a network of front companies for APT activity.