Author: intrusiontruth

APT40 is run by the Hainan department of the Chinese Ministry of State Security

APT40 is run by the Hainan department of the Chinese Ministry of State Security

In our previous articles we identified a network of front companies for APT activity in Hainan and showed their links to Hainan University academic Gu Jian. Although it was difficult to find people who work for these companies we identified a number of individuals and concluded that this network of companies was actually APT40. One of the individuals we identified, Ding Xiaoyang, is the owner of a phone number used on job adverts under the name Mr Chen.

Ding Xiaoyang’s role

When we started we weren’t sure what Ding Xiaoyang’s role was.

So we ran the numbers. How many Dings are there likely to be in Haikou, Hainan, and would it be possible to identify a specific Ding Xiaoyang among them?

Continue reading “APT40 is run by the Hainan department of the Chinese Ministry of State Security”

Hainan Xiandun Technology Company is APT40

Hainan Xiandun Technology Company is APT40

You knew where this was heading.

In our previous articles we identified a constellation of front companies for APT activity in Hainan and a computer science specialist at Hainan University who is linked to one of the companies. We named the individuals that we could identify as working for these companies, including one that we know to be Hainan resident Ding Xiaoyang who had used his telephone number on a job advert using the name ‘Mr Chen’.

Having identified a network of interlinked technology and information security companies in Hainan, looking at other job adverts posted by the companies is illuminating…

Continue reading “Hainan Xiandun Technology Company is APT40”

Who is Mr Ding?

Who is Mr Ding?

We started by stating that Chinese APTs have a blueprint that us applied in multiple regions across China: contract hackers and specialists, front companies, and an intelligence officer. Applying this blueprint in Hainan, we surfaced inter-linked companies recruiting for people with hacking and specialist IT skills.

We have identified that Professor Gu Jian is connected to the front company Hainan Xiandun and supported some of their activities from his position at Hainan University. But his was more of a supporting role. Who was in charge?

Continue reading “Who is Mr Ding?”

Who else works for this cover company network?

Who else works for this cover company network?

In our previous articles we identified a network of front companies for APT activity in Hainan, and showed that Gu Jian, an academic at Hainan University, is listed as a contact person for one of these companies – Hainan Xiandun. Additionally, Gu Jian appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so. The registered address for Hainan Xiandun is the Hainan University Library.

Our analysts and contributors were reassured to know that this blog is not alone in being suspicious of these Hainan front companies. Questions abound online about why these companies have such a thin presence on the Internet or, as below, whether the jobs they are promoting even exist.

This Chinese post is titled “Hainan Yili Technology Company: How can you find this company on the Internet, can I trust this job advert?” and asks other users of the site for their views.

Continue reading “Who else works for this cover company network?”

Who is Mr Gu?

Who is Mr Gu?

In our previous articles we identified thirteen companies that this blog knows are a front for APT activity in Hainan. Following further analysis, we noticed a close association between these Hainan front companies and the academic world. Multiple job adverts for the the companies are posted on university websites. Hainan Xiandun even appears to operate from the Hainan University Library!

Continue reading “Who is Mr Gu?”

What is the Hainan Xiandun Technology Development Company?

What is the Hainan Xiandun Technology Development Company?

This blog has previously shown that by starting with an APT it is possible to identify the individuals and companies responsible for conducting their attacks and the State actors behind them. We have also shown that you can start with the State and work backwards to the APT.

APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer. We know that multiple areas of China each have their own APT.

After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.

Continue reading “What is the Hainan Xiandun Technology Development Company?”

Encore! APT17 hacked Chinese targets and offered the data for sale

Encore! APT17 hacked Chinese targets and offered the data for sale

We started this story with Guo Lin (郭林), identified to us as an MSS Officer. We showed that he had personal links to a number of companies and individuals involved in Cyber security, at least one of whom helped develop a key tool used by APT17. We have also shown direct links between Guo Lin’s company Antorsoft and the Chinese Ministry of State Security.

But what were APT17 really doing? We know from media coverage in our part of the world that APT17 hacked a number of targets in the West and did untold damage. What isn’t well known is that they were also hackers for hire, acquiring data and selling it for profit.

Continue reading “Encore! APT17 hacked Chinese targets and offered the data for sale”

APT17 is run by the Jinan bureau of the Chinese Ministry of State Security

APT17 is run by the Jinan bureau of the Chinese Ministry of State Security

In previous articles we identified Jinan Quanxin Fangyuan Technology Co. Ltd. ( 济南全欣方沅科技有限公司), Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司), Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司) and RealSOI Computer Network Technology Co. Ltd. (瑞索计算机网络科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan.

We also identified two hackers from Jinan – Wang Qingwei (王庆卫), the representative of the Jinan Fanglang company and Zeng Xiaoyong (曾小勇) the individual behind the online profile ‘envymask’.

Continue reading “APT17 is run by the Jinan bureau of the Chinese Ministry of State Security”

Who is Mr Zeng?

Who is Mr Zeng?

In previous articles we identified Jinan Quanxin Fangyuan Technology Co. Ltd. (济南全欣方沅科技有限公司), Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司) and Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan. We also identified an IT Security expert from Jinan, Wang Qingwei (王庆卫), as the representative of the Jinan Fanglang company. Another, potentially separate, individual goes by the name ‘iamjx’.

The identification of further individual in Jinan requires us to follow the trail from what we believe to be a fourth front company.

Continue reading “Who is Mr Zeng?”

Who is Mr Wang?

Who is Mr Wang?

In our last article we identified Jinan Quanxin Technology Co. Ltd. (济南全欣方沅科技有限公司) and the Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan.

Jinan Fanglang Information Technology Company

As disclosed previously by this blog, the antorsoft[.]com domain name listed the main address for Jinan Quanxin Fangyuan as 238, Jing Shi Dong Lu, Jinan, China.

Continue reading “Who is Mr Wang?”