Recap

In our last article, we identified Mr Zhao Jianfei as the MSS officer supporting Chinese hackers Li Xiaoyu and Dong Jiazhi. Mr Zhao works the Guangdong State Security Department, highlighting the direct support the Chinese government are providing criminal hackers in their illegal activities. We reached out to Mr Zhao for comment, and hear his side of the story, but we did not receive a response.

The bigger picture

It’s been a busy few months for the Chinese hacking community. Hafnium became a global threat almost overnight thanks to the zero-day exploit of the Microsoft Exchange Server compromise. Microsoft attributed Hafnium to the Chinese state. Their indiscriminate scattergun approach to deploying ransomware and infecting thousands of victims was wholly immoral and it is something we continue to monitor – get in touch if you can help.

MSS regional departments recruit Chinese criminals to conduct offensive cyber for the state. We now know this model is evolving, with regional bureaus outsourcing requirements to hackers not simply based in their region, but across the Chinese mainland – sharing expertise between provinces and seemingly working to one, broad model of a criminal, contracted service. Hafnium is a good example of this, with reports showing APTs 40 and 41 are just some of the many Chinese APTs taking advantage of the Exchange Server compromise.

The Chinese Communist Party are using APTs and hackers for hire to do their bidding, something we at Intrusion Truth have been asserting for some time. This was perhaps most noticeable during the COVID crisis, where state-backed Chinese hackers have been seen time and time again – across various regions and provinces, hacking into international companies known for researching and advancing the COVID vaccine – and doing so for malicious gains. Li Xiaoyu and Dong Jiazhi are a prime example of this. Stealing intellectual property and profiteering from the pandemic at a time of global crisis is a new low even for the MSS. 

Victims

The MSS’s choice of victims is interesting to note. It follows a now familiar pattern of Chinese contract hackers stealing IP for the CCP’s interests (COVID research, antiviral drugs, personal information on Chinese dissidents) whilst moonlighting for personal gain.

Mr Li in particular attempted a ransom operation in 2017 according to the indictment, demanding $15,000 in cryptocurrency in exchange for not leaking data. Is the Chinese state turning a blind eye to criminal activities within their borders? Are they supporting and actively tasking this criminal activity? Or is it evidence of the MSS not having as much control as they would like over the criminals they employ?

Denial

As we and many others have documented, China seems to give with one hand, and take with the other. Double standards spring to mind: 笑里藏刀 ‘a knife hidden behind a smile’

Public criticism of their actions does not seem to have an effect. The Chinese response is simply to deny and bite back harder. Yet we have shown the direct links between these criminal hacking groups and the MSS departments running and supporting them.

In China’s own words, cyberattacks should be ‘unequivocally condemned by all’. Perhaps a lesson out of their own book wouldn’t go a miss… 

An APT with no name

These actors and their links to the MSS challenged us. The indictment landed talking of a Chinese group working out of Chengdu. Yet we hadn’t come across them before, nor had we previously noted their connections to the GSSD. Are they part of a bigger, wider known APT (APT41 perhaps)? Are they simply ‘hackers’ for hire? Either way, it shows how difficult it is to simply partition and package Chinese hackers into APT groups – more so than previously thought.  

We wanted to take this moment and suggest a name for these actors. It seems a shame to write about a group such as this without them having an appropriate APT name… Some ideas we at Intrusion Truth came up with:

  1. HYPOCRITICAL DRAGON
  2. LAUGHING DAGGER 
  3. LONELY LANTERN 

Other creative ideas welcome – you know how to get in touch.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s