On August 15th 2018 this blog revealed a connection between APT10 and the Tianjin bureau of the Chinese Ministry of State Security (MSS). But the story doesn’t stop with that revelation; analysts working with this blog have continued to investigate every lead provided to us. One such lead has helped us to identify another individual in China connected to APT10. The trail starts with a domain name first published in FireEye’s Poison Ivy Report as a MenuPass (APT10) affiliated domain.
In previous posts, Intrusion Truth showed that the Cloud Hopper / APT10 hackers that attacked thousands of global clients of Managed Service Providers (MSPs) in 2016 were based in Tianjin, China.
We identified Zheng Yanbin, Gao Qiang and Zhang Shilong as three actors responsible. We associated them with the Huaying Haitai Science and Technology Development Co Ltd (天津华盈海泰科技发展有限公司) and Laoying Baichen Instruments Equipment Co Ltd in Tianjin China. But we haven’t yet explained who was masterminding or controlling the attacks.
In the absence of more concrete proof, the 2017 Cloud Hopper report on APT10 relied on timing analysis to make the connection to China. Compile times of executable files and registration times of domains all pointed to work undertaken between 9am and 5pm Beijing time.
If Zheng Yanbin, Gao Qiang and Zhang Shilong were working between 9am and 5pm and managed to orchestrate one of the largest Cyber attacks on western infrastructure of all time, it follows that any company for whom they were working would probably have been involved in the operation.
Gao Qiang and Zheng Yanbin weren’t working alone. In this article we identify another member of the group.
fisherxp to baobeilong
The menuPass Sample
Hidden on Page 24 of the FireEye report referenced in our previous article, is the start of a thread that, if pulled, leads to more APT10 individuals. It is a Poison Ivy sample (b08694e14a9b966d8033b42b58ab727d). The sample connects to a C2 server at js001.3322[.]org. Incidentally, the connection password used by the sample is “xiaoxiaohuli”, Chinese for “littlelittlefox” (小小狐狸), a useful data point that helps to confirm the connection to China.
Our story starts with a FireEye report: Poison Ivy – Assessing Damage and Extracting Intelligence. Although the report focuses on the Poison Ivy tool, which has been used by a number of groups, it specifically highlights a number of campaigns known to use it. One of those campaigns is the menuPass group, another name for APT10.
The report contains a number of e-mail addresses associated with domain names used by the APT10 actors. One of those e-mail addresses, firstname.lastname@example.org, contains a name – Zheng Yanbin.
Cloud Hopper turned out to be an attack of unprecedented scale that targeted companies known as “managed IT service providers”, or MSPs. Because MSPs manage the IT systems of hundreds of clients, the technique used by the Cloud Hopper attackers was highly effective – they gained access not only to the sensitive data of the MSPs themselves, but also to their clients globally.