Intrusion Truth

APT40 is run by the Hainan department of the Chinese Ministry of State Security

In our previous articles we identified a network of front companies for APT activity in Hainan and showed their links to Hainan University academic Gu Jian. Although it was difficult to find people who work for these companies we identified a number of individuals and concluded that this network of companies was actually APT40. One of the individuals we identified, Ding Xiaoyang, is the owner of a phone number used on job adverts under the name Mr Chen.

Ding Xiaoyang’s role

When we started we weren’t sure what Ding Xiaoyang’s role was.

So we ran the numbers. How many Dings are there likely to be in Haikou, Hainan, and would it be possible to identify a specific Ding Xiaoyang among them?

5,687 Dings were too many to work through one by one. So we thought of a different way to find out which Ding was our Ding. Why not use a highly effective, international, and motivated network of contributors who could tell us exactly who he is and what he does…

As we saw previously, he is the owner of the telephone number being used on job adverts for the network of front companies for APT40.

Our contributors discovered that Ding Xiaoyang is also a Computer Science specialist who lives and works in Haikou.

We actually know quite a lot more about Ding Xiaoyang.

Our original blueprint for an APT in China requires: contract hackers and specialists, front companies, and an intelligence officer.

Front companies? Check. Specialists? Check. Intelligence officer? Ding Xiaoyang…

How did we do it?

Remember the (previously hacked and released) QQ information that was utilised to show APT17’s use of Reservoir Dogs-style codenames? Well…

QQ account 348504569 uses the name Wan Huo Yan Wan (卍火焰卍). Interesting? Not until you look into other names used by the same account. One is Ding Da Xia (丁大侠). Another is Ding Xiaoyang (丁晓阳). Let’s hypothesise that this might be our Mr Ding and that he might be an intelligence officer in Hainan, China. Is there any evidence?

Let’s look at what QQ user 348504569 was up to. Amongst other things, he was a member of QQ Group 92688210, which was called “内部文化活动交流” or “Exchange of internal cultural activities”. The group was created on 18 September 2009 and had 25 members. Its description, “仅供内部成员文体休闲娱乐交”, stated that it was for internal members only. But internal to what? A University perhaps? Or … a government institution?

One of our contributors examined all the members of this group to try to identify their affiliation. Imagine our surprise when we discovered an account that looked like it might belong to an intelligence officer!

Who is Mr Huang?

QQ account 249550138 was a member of the internal cultural exchange group. It variously used the name Huang Liangli (黄良利), Deng Dai (等待), Ge Li (哥利) and Lao Ban Liang Li (老班良利).

But somebody once said that a picture paints a thousand words. So here is a picture that we found online here and here.

Yes, that’s an MSS uniform. The significance of number 461079 on his chest? 46 = Hainan.

But that’s not it… 

We also found this RenRen profile for Ding Xiaoyang which contained a number of photos of the younger Mr Ding.

Ding Xiaoyang’s profile photos on Renren
Ding Xiaoyang’s Renren profile

Up until 2009 Ding Xiaoyang posted regularly on Renren, but his posts suddenly stopped. Why? Because he obtained a sensitive job working for the Chinese State. How do we know? Well, he said so:

In 2009 in this post, Ding talked about his new job with the Ministry of Public Security (MPS) at the Hainan Provincial Department.

Ding: Work? Studying? Where?

Xu: Work, border inspection, how about you

Ding: Almost, MPS

Xu: Where is it?

Ding: In a distant and remote place, Hainan. . .

Xu: Hehe, okay. I’m close in Guangdong. Is it Haikou Public Security Bureau?

Ding: Hainan Provincial Department, also Haikou

We haven’t talked much about the Ministry of Public Security before. It is the Chinese national police force and it is commonly used as cover for … the MSS.

Hainan State Security Department

Our researchers are not the only team to find a link between APT40 and Chinese intelligence. Closely held commercial intelligence has also shown that APT40 is run by the Hainan department of the Chinese Ministry of State Security.

According to this handy list of public toilets in Haikou, the Hainan State Security Department is based at No. 176 Nanhai Avenue, Xiuying District, Haikou, Hainan (海南省海口市秀英区南海大道176号).


It looks like this; note the hammer and sickle topiary, satellite dishes, and perimeter wall:


Hainan State Security Department on Nanhai Avenue in Haikou

Conclusion

Either a Hainan intelligence officer has a side-hustle running a business empire of at least 13 “fast-growing, high-tech information security companies”, and that business empire has a side-hustle recruiting people with knowledge of the languages spoken in APT40 target countries coincidentally in the months preceding APT40 attacks in those countries, and on the same island that we know APT40 runs its operations.

Or, APT40 is run by Ding Xiaoyang, an intelligence officer at the Hainan State Security Department.

If it walks like a duck and quacks like a duck…

At this point, we are starting to think that we might not need to go to such lengths to investigate which part of the state is directing an APT.

We caught a re-run of the great TV show Blankety Blank the other day. We could have just played that instead of writing this blog.

Easy.