An interesting turn of events occurred whilst releasing our article series on Lonely Lantern (the Chinese APT previously with no name, working to the Guangdong SSD).
As most of our readers will have been aware, a brand new Twitter account was created to reply to our tweet in advance of the second article where we exposed Guangdong MSS officer 1 as Zhao Jianfei, working with Li and Dong to support and direct their intrusion activity from Chengdu.
At the time, we noted this post and found it interesting (not least for the gif choice) but put it on the back burner given other investigations and leads we were following up on. However, what piqued our interest further was the fact this account and its comment was later deleted.
Why would Mr. Ren reach out to us on this public forum and tweet that he is the MSS officer we were looking for? Does he have something he wants to get off his chest? The Twitter bio translates to ‘roaming the streets of Guangzhou’. Seems to fit with the brief of the GSSD.
We decided to investigate (initially as a bit of fun on a rainy day) but as you will see, it is clear that Ren Yuntao is entwined with Lonely Lantern.
Here’s what we know.
Ren Yuntao (任云韬)
The Twitter profile is in the name of Ren Yuntao. However, the profile itself is quite sparse, having being created the same month as posting. And it appears he only engaged with us. A keen watcher of our work? A super fan perhaps.
So, apart from being a Lionel Ritchie fan, what else could we find on Mr Ren? His Twitter profile didn’t give us much so we decided to start at the beginning and where we know hackers from Lonely Lantern reside: Chengdu.
Mr. Ren it seems went to the same school as Li Xiaoyu and Dong Jiazhi (the indicted hackers we mentioned in Article 1). Ren studied a Masters program at the University of Electronic Science and Technology of China (UESTC), in Chengdu.
His studies led to him gaining experience in the development of software, defense and forensic analysis of information systems.
Ren’s Master’s thesis, submitted in December of 2006 is titled “Malicious Code Anti-Detection Technology Research Based on Dynamic Binary Modification” (基于二进制多态变形的恶意代码反检测技术研究). His supervisor whilst completing his studies was Li Yichao (李毅超).
We set about delving into Ren’s thesis to see what we could find (it is quite dry in places and we wouldn’t recommend it as bedtime reading). Yet, there are some nteresting nuggets. An example is on page 71. Here, Ren provides his acknowledgement to ‘Pinkeyes’, a ‘famous network security figure within China’, referring to him as his ‘comrade in arms’. An interesting phrase to use.
Later, on page 74, Ren details his research projects and achievements throughout his graduate studies. Of specific note to us was his involvement in the ‘design and realisation of a Sichuan State Security Department (SSSD) programme’.
The last accomplishment Ren lists (point 6) is his participation as a “core technician in a “major” university project with designator XXX”. Suspicious – a project so sensitive it needs to be redacted but high profile enough to include in a thesis detailing your work achievements…
Following on from his success with sensitive projects and MSS programmes in Sichuan, Ren appears to have been quite busy, staying on at UESTC as a post-grad and publishing two papers. One of which was on the topic of detecting malware on registry Hive files.
Li Yichao (李毅超)
Cited in Ren’s papers and listed as Ren’s supervisor at the UESTC is Li Yichao (李毅超). It was Mr Ren himself who wrote that Li Yichao gave him the National Network Security programme opportunity. So, who is Li Yichao?
Well, here is his CV.
Given he is an academic, his openness is our advantage. He notes his many plaudits, including ‘winning second prize from a certain ministry of the country’ and states some of his many students have gone on to work for ‘public and national security departments’. Could Ren be one of these individuals?
Let’s recap: Ren has worked closely with a supervisor who openly talks of his links to government bodies and ministries within China. Ren himself has commented on his time working for the Sichuan State Security Department and other mysterious organisations that require redacted material whilst at UESTC. So what else can we find on Ren following his departure from academia?
Chengdu Jiuyan Technology Company Ltd. (成都九眼科技有限公司)
Also known as Chengdu Nine Eyes Technology Co Ltd., this company was established in July 2018 specialising in technology development, computer software and network engineering.
Two individuals are associated with the company. The first is the supervisor Xu Jiayou (徐嘉幼), holding just 1% of the company. The second is the executive director and general manager Ren Yuntao, with a registered stake of 99% in Chengdu Jiuyan.
The address is listed as Room 1, Floor 1, Building 1, 56 Changjiang East Second Street, Huayang Avenue, Tianfu New District, Chengdu.
Interestingly, there are a number of other companies who also claim to reside in Room 1, Floor 1, Building 1 of 56 Changjiang East Second Street in Chengdu including:
- Chengdu Hashmai Block Technology Co. Ltd
- Sichuan Shuanglin Jiayue Property Management Co. Ltd
- Shuju Chengdu Technology Co. Ltd
- Douxing Culture Communications Chengdu Co. Ltd
- Chengdu Yinchi Culture Media Co. Ltd
- Chengdu Vines Interactive Entertainment Technology Co. Ltd
- Chengdu Tianfu Hualong Petroleum Co. Ltd
- Chengdu Renhe Daoyuan Enterprise Management Consulting Co. Ltd
- Chengdu Jingwei Zhidao Enterprise Management Consulting Co. Ltd
- Chengdu Feihang Zhiyun Technology Co. Ltd
- Chengdu Als Technology Co. Ltd
- Chengdu Aiweili Trading Co. Ltd
That’s a lot of companies to be sharing 1 room.
Given it location, lack of internet presence and the individuals associated with it – a front company springs to mind.
Lingma Information Technology Company Limited (凌码信息技术上海有限公司)
Upon leaving academia, Ren appears to have obtained a job in the private sector as the Head of Information Security at Lingma Information Technology Co. Ltd. Once again, all roads lead back to Chengdu.
This is an extract of a book written by UESTC masters alumnus Xu Sheng from the Network Attack and Defense Lab, to which Ren Yuntao offers his review.
Head of Information Security sounds like a grand title. The company Ren worked for (Lingma) is a wholly-owned subsidiary of Singapore’s Nyber company. Nyber was established in 2010 under CEO Zhang Taiyong（张台涌). It is described as a company committed to research and development of high-end technology, with its business scope covering China and overseas regions and its products often being used in government fields.
Lingma has a base in Chengdu. The address is given as Area C, Floor 10, Sector F of the 9th Building of High-Tech Incubation Park, Tianfu Avenue, Gaoxin District, Chengdu.
Does this address seem familiar? It did to us. It is in the same high tech zone as Chengdu Hanke, the front company created by Dong Jiazhi and exposed in article 1 of our series on Lonely Lantern.
Just like déjà vu, our searching led us back to UESTC in Chengdu. In 2014, Lingma were advertising positions within its company on the UESTC webpage (www1.cduestc.cn), aiming to recruit system software engineers, interface software engineers, and information security evaluation managers. Could this be where Ren first came across Lingma and led to his career in ‘Information Security’?
Lingma scholarship at SWPU
Further searches around Lingma shows the company’s ties to other universities in Chengdu. For example, it provides a scholarship program with Southwest Petroleum University (https://www.swpu.edu.cn/info/1248/1113.html) at an investment of 3000 RMB per year.
Browsing the website for SWPU, there are a number of articles outlining Lingma’s involvement with the university under its scholarship scheme.
One particular article caught our eye. It was posted on the 9th June 2016, and describes how the scholarship awarding ceremony for the Lingma Scholarship took place a day earlier at SWPU.
It states that the director of the institute, ZHAO Gang (学院院长赵刚), was present at the ceremony and gave a speech to the students. The Deputy Secretary of the institute’s party committee, YU Hui (学院党委副书记余辉) was also present alongside Secretary LIU Xiang from the institute’s group committee, who hosted the event (学院团委书记刘翔). The person representing the Chengdu R&D Centre of the Lingma Company is named as a Mr. Ren Weitao (凌码信息技术有限公司成都研发中心负责人任伟韬先生).
Is it a coincidence that another Mr. Ren also works for the same company as our Mr. Ren? We don’t believe in coincidences. Given that Lingma only has up to 50 staff, and our searches revealed nothing further on any other Ren’s working for Lingma during this time, it is safe to assume that Ren Weitao is Ren Yuntao. Was the change in name a deliberate attempt to fly under the radar? What was Ren trying to hide?
The last picture in the article is interesting and appears to depict Mr. Ren. The students are proudly displaying their awards. The caption of this group photo describes those in the picture, including the”scholarship-receiving representatives [students], the scholarship-awarding guests [Ren Weitao (任伟韬)] and the leader”.
So what do we know?
- An individual called Ren Yuntao tweeted his implication that he was the MSS officer associated with the APT group (Lonely Lantern) working out of Chengdu and for the Guangdong SSD.
- Ren Yuntao attended the same university as the indicted criminal hackers for Lonely Lantern and has worked with the Sichuan SSD whilst at university. His university professor also likes to talk of his close links to the MSS.
- Ren Yuntao sets up a front company in Chengdu High-Tech Incubation Park in Tianfu High Tech zone, suspiciously similar to Chengdu Hanke (linked to Dong Jiazhi from Article 1 in this series).
- Ren Yuntao works for Lingma and is directly involved with local universities in Chengdu, handing out scholarships to students and providing apprenticeships to support their ‘cyber security’ effort.
If it walks like a duck, and quacks like a duck…
Ren – I know you were keen to talk: