In the previous articles, we touched upon Chengdu 404 as a front company. This article focuses on the individuals behind the company who have been named by the US as cyber criminals. The indicted trio are: Qian Chuan (钱川), Jiang Lizhi (蒋⽴志), and Fu Qiang (付强).
Qian Chuan (钱川)
Qian Chuan, an alumnus of Sichuan University, is the boss of Chengdu 404. His mugshot shows how much fun he has working at the CCP's behest…
According to records, he held a 30% share in the company. He likes to come across as a fun boss; after all, providing cake for an employee's birthday is going above and beyond, isn't it?
Qian Chuan's involvement with the Chinese government predates his managerial role at Chengdu 404. Since at least 2010, according to the indictment, he has been creating software to wipe confidential information from digital media and supporting CCP efforts to monitor and restrict information across Chinese social media platforms.
Jiang Lizhi (蒋⽴志)
Jiang Lizhi has a lot of connections, and the ineptness that comes with broadcasting sensitive projects. Boasting of his close relationship to the 'Guoanbu' (the Ministry of State Security, MSS), he is recorded in the indictment stating that this 'provides him with protection', even from the Ministry of Public Security (MPS). Is it us, or does this sound like a green light to hack for profit with no repercussions? Hindsight reveals that the MSS cannot and does not protect its criminal hackers.
Jiang Lizhi was active within the company, attending many of the engagements at local universities in his role as deputy general manager. According to the company's shareholding records, Jiang held a 20% share in 404.
As mentioned in previous articles in this series, the 'black' prefix appears to be a common thread among APT41 hackers. Jiang Lizhi's handle, Blackfox, fits that pattern.
Delving into the internet archives, we found his historic Blackfox blog at fox.he100.com.
The registrant record for the website names Jiang Lizhi as the person behind it, based in Chengdu. Helpfully, it also lists his handle Blackfox as an additional point of contact.
In 2004, a post on CSDN titled 'ISS_Manager' detailed points of contact for Blackfox, including a QQ number (6858849) and the domain fox.he100.com, which, as noted above, is Blackfox's blog. The QQ account used the display names 蒋立志 (Jiang Lizhi) and Blackfox, and has created a number of QQ groups. Most were used for staying in contact with classmates, while others refer to businesses Jiang was involved with, including the Chengdu-based online gaming company Blaze Loong Science and Technology (成都炎龙科技有限公司). Several of these groups are shared with other APT41 individuals, including Tan Dailin, Qian Chuan and Fu Qiang.
Fu Qiang (付强)
The baby-faced Fu Qiang is the last of our trio. He is head of big data development at Chengdu 404. Just two months after the indictment, in November 2020, we noted that standny (his alias) was active online, pushing Chengdu 404 recruitment. Although less is documented about Fu, he maintains a heavy presence on Western social media sites. One such profile, on Twitter, promoted a number of apps on the Apple App Store (see our previous article on this and his relationship to c0hlbrd).
Blaze Loong Technology Company Ltd. (成都炎龙科技有限公司)
Remember the Blaze Loong QQ group that Jiang Lizhi set up? Blaze Loong is a gaming company based in Chengdu and a wholly owned subsidiary of Zhejiang Huge Leaf Company (浙江翰叶股份有限公司).
Blaze Loong uses its international marketing platform to import and export gaming products (a convenient fit for APT41's for-profit hacking campaigns against gaming companies). Yet archived pages show a very different company: a Blaze Loong that used to be a penetration testing and network security management company, providing tailor-made solutions to 'major government agencies'.
According to the Qichacha company overview, the founder and CEO of Blaze Loong is one Lu Jian (鲁剑). Lu Jian was also a director and vice chairman of Zhejiang Huge Leaf Company.
Chengdu YanLong Technology Company Ltd (成都炎龙科技有限公司)
YanLong is a subsidiary of Blaze Loong Technology Company, bought out in 2009.
Chengdu YanLong Technology Company was established in 2007 and purports to be a game development and publishing service based in Shanghai, although its records geo-tag it to Chengdu.
The WHOIS record for the company's domain, bltech.cn, lists the registrant email firstname.lastname@example.org, which we know belongs to Jiang Lizhi, explaining the Blaze Loong-related QQ groups he set up.
Records show a Lu Jian (鲁剑) as the company's legal representative, as well as its executive director, general manager and a shareholder.
Lu Jian (鲁剑) and QQ 5238342
We know Lu Jian is heavily involved in a number of Chengdu-based companies linked to APT41 actors. He shares membership with Jiang Lizhi and Tan Dailin in a QQ group created by Jiang. What is more, Lu Jian's QQ account (QQ 5238342) is an administrator of that group.
According to Baidu, Lu Jian was born in 1979 and has been involved in a number of technology companies as a shareholder, legal representative, CEO and founder.
QQ 5238342 (Lu Jian) is also a member of QQ group 3391434, titled the 'Chinese Communist Party Ministry of Finance'. The owner of this group is QQ 312016, using the alias 'whg'. You might recognise this alias; we will return to it later. Another alias commonly used with QQ 5238342, 'BlackJack', again carries the 'black' prefix and adds further support for Lu Jian's involvement in APT41 activity. The QQ account even used the Blaze Loong company logo as its profile picture.
A number of other usernames were associated with this QQ account, including "Blaze Loong Science and Technology – Director Long" (炎龙科技-龙总) and "Long Shaoyang" (龙少杨). Could this be another name for Lu Jian?
A Sina Weibo account for Long Shaoyang identifies him as male and located in Chengdu, Sichuan. Social media further highlights the overlap between Long Shaoyang and Lu Jian: they share the same handle (BlackJack), are associated with the same QQ account (5238342), and use the same Blaze Loong logo as their display picture.
On 27 July 2013, a Long Shaoyang (龙少杨) attended a gaming and technology conference alongside the Chairman of the Molin Gaming group (mokylin.com). Details from this event describe Long as the CEO of Blaze Loong Technology, while other press releases refer to Long Shaoyang as the founder of Blaze Loong.
So, we have two names for what appears to be the same person. One is used in business records and another used for public-facing roles. Interesting. Get in touch if you know more.
Liu Jian (刘建)
As mentioned previously, Jiang Lizhi created a number of QQ groups linked to other APT actors. One in particular is named 'unknow' (QQ 10930057). Given the group's small membership and the number of its members we have already found with APT41 links, it stands to reason that the remaining members also have links to APT41.
We followed this through with QQ member 14149038. The username translates to 'Cowardly Sheep', but the profile information shows a male engineer living in Chengdu. Note the display picture: it is the logo of Chengdu Anvei, the antivirus software that Tan Dailin created and which earned him media attention in 2012. Returning to Anvei, its registration details show that Liu Jian owned more than 10% of the company's stock.
Liu is also involved in another Chengdu-based company, the Chengdu Daigen Science and Technology Company (成都戴亘科技公司), where Tan is listed as CEO and Liu as a director. Both companies have since ceased operating.
All individuals and companies with links to APT41 have roots back to Chengdu, Sichuan province.
The APT41 actors, along with the others named in this article series, show how far the reach of the Chinese hacker community extends: they use their connections within that community to advance and share techniques, conducting activity both for the state and for their own personal gain. But what degree of overlap has this created between Chinese APTs? Is the model of grouping malware and personas into categories and APT groups still sustainable for InfoSec researchers, law enforcement officials, and those trying to make sense of the APT threat?