We started by stating that Chinese APTs have a blueprint that is applied in multiple regions across China: contract hackers and specialists, front companies, and an intelligence officer. Applying this blueprint in Hainan, we surfaced inter-linked companies recruiting people with hacking and specialist IT skills.
We have identified that Professor Gu Jian is connected to the front company Hainan Xiandun and supported some of their activities from his position at Hainan University. But his was more of a supporting role. Who was in charge?
Wang Tian, Manager Jiang, and Mr Chen
Job adverts for Hainan Tengyuan, Hainan Yili and Hainan Xiandun list Wang Tian (王天) and Manager Jiang (蒋经理) as contacts for the companies. We have been unable to identify much more about these individuals.
An advert on Sichuan University’s website for a Penetration Test Engineer position at Hainan Xiandun lists ‘Mr Chen’ (陈先生) using 2918588955[at]qq.com and telephone number 13198985613 as the contact person.
Mr Chen is seen on a number of job adverts for these Hainan front companies. While it’s unclear who Mr Chen is, the website registrant for one of the front companies which we identified, Hainan Yanwu, is listed as a Mr Chen Yanwu (陈彦武).
Are any of these contacts real people?
The number of contacts listed and the re-use of telephone numbers raised our suspicions. We started to think that perhaps some, or all, of these contact names were fictitious. We reached out to our trusted network of contributors and posed the question: who was the real owner of these telephone numbers and email addresses?
So, who is Mr Ding?
While researching the phone numbers from these companies, one of our contributors turned up this information linking phone number 15638338966 (you’ll remember that from an earlier job advert for Hainan Xiandun, in the name Mr Chen) with a new e-mail address: firstname.lastname@example.org.
Why is that e-mail address important? Because this information, from a frequent flyer account, shows that email@example.com and the phone number belong not to a Mr Wang, or a Mr Jiang, or a Mr Chen, but to a Mr Ding Xiaoyang (丁晓阳), who is very much a real person.
We are extremely grateful to our contributor for their diligent work in finding this information. Our thanks also go out to Mr Ding for not changing his password after it had been leaked online.
In summary: in some cases the contacts for these front companies in Hainan may be aliases. Other than Hainan University academic Gu Jian, the only individual that we have been able to link to the adverts is the true owner of one of the telephone numbers: Hainan resident Ding Xiaoyang.
Is Ding the person in charge of these front companies? Does Ding have connections to the Chinese State? We know the answer, he knows the answer, do you?