This blog has previously shown that by starting with an APT it is possible to identify the individuals and companies responsible for conducting their attacks and the State actors behind them. We have also shown that you can start with the State and work backwards to the APT.
APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer. We know that multiple areas of China each have their own APT.
After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.
Continue reading “What is the Hainan Xiandun Technology Development Company?”
We started this story with Guo Lin (郭林), identified to us as an MSS Officer. We showed that he had personal links to a number of companies and individuals involved in Cyber security, at least one of whom helped develop a key tool used by APT17. We have also shown direct links between Guo Lin’s company Antorsoft and the Chinese Ministry of State Security.
But what were APT17 really doing? We know from media coverage in our part of the world that APT17 hacked a number of targets in the West and did untold damage. What isn’t well known is that they were also hackers for hire, acquiring data and selling it for profit.
Continue reading “Encore! APT17 hacked Chinese targets and offered the data for sale”
In previous articles we identified Jinan Quanxin Fangyuan Technology Co. Ltd. ( 济南全欣方沅科技有限公司), Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司), Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司) and RealSOI Computer Network Technology Co. Ltd. (瑞索计算机网络科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan.
We also identified two hackers from Jinan – Wang Qingwei (王庆卫), the representative of the Jinan Fanglang company and Zeng Xiaoyong (曾小勇) the individual behind the online profile ‘envymask’.
Continue reading “APT17 is run by the Jinan bureau of the Chinese Ministry of State Security”
In previous articles we identified Jinan Quanxin Fangyuan Technology Co. Ltd. (济南全欣方沅科技有限公司), Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司) and Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan. We also identified an IT Security expert from Jinan, Wang Qingwei (王庆卫), as the representative of the Jinan Fanglang company. Another, potentially separate, individual goes by the name ‘iamjx’.
The identification of further individual in Jinan requires us to follow the trail from what we believe to be a fourth front company.
Continue reading “Who is Mr Zeng?”
In our last article we identified Jinan Quanxin Technology Co. Ltd. (济南全欣方沅科技有限公司) and the Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan.
Jinan Fanglang Information Technology Company
As disclosed previously by this blog, the antorsoft[.]com domain name listed the main address for Jinan Quanxin Fangyuan as 238, Jing Shi Dong Lu, Jinan, China.
Continue reading “Who is Mr Wang?”
In our last post, we stated that a source whose identity we had verified had named an MSS Officer in Jinan who was believed to be involved in Cyber operations. We are now in a position to reveal that the name provided to us is 郭林 (Guo Lin). Open source research conducted by analysts working for Intrusion Truth quickly revealed a potential candidate for Guo Lin.
Guo Lin, Masters Student
An IT security paper from 2007 called ‘基于多维角度的攻击分类方法‘ (Method of Classifying Attacks Based on Multi-dimension) was authored by a Guo Lin in which he described himself as a Masters student conducting research into network and information security and malicious code detection. Guo was a Computer Science student at Nanjing University (not Jinan), making it uncertain whether he is indeed the same individual in Jinan named in our tip.
Continue reading “Who is Mr Guo?”
Readers of this blog will know that our investigations into APT3 and APT10 started with well-known intrusions and ended with the identities of the perpetrators and the identification of a front company connected to the Chinese Ministry of State Security (MSS).
As we pointed out on Twitter in December, there seems to be a pattern developing – a regional office of the MSS creates a company, hires a team of hackers and attacks Western targets. Why the MSS insists on using sloppy contracted hackers is beyond us here at Intrusion Truth, but the pattern is undeniable.
Continue reading “Is there a pattern?”
On August 15th 2018 this blog revealed a connection between APT10 and the Tianjin bureau of the Chinese Ministry of State Security (MSS). But the story doesn’t stop with that revelation; analysts working with this blog have continued to investigate every lead provided to us. One such lead has helped us to identify another individual in China connected to APT10. The trail starts with a domain name first published in FireEye’s Poison Ivy Report as a MenuPass (APT10) affiliated domain.
Continue reading “Who is Mr An, and was he working for APT10?”
In previous posts, Intrusion Truth showed that the Cloud Hopper / APT10 hackers that attacked thousands of global clients of Managed Service Providers (MSPs) in 2016 were based in Tianjin, China.
We identified Zheng Yanbin, Gao Qiang and Zhang Shilong as three actors responsible. We associated them with the Huaying Haitai Science and Technology Development Co Ltd (天津华盈海泰科技发展有限公司) and Laoying Baichen Instruments Equipment Co Ltd in Tianjin China. But we haven’t yet explained who was masterminding or controlling the attacks.
Continue reading “APT10 was managed by the Tianjin bureau of the Chinese Ministry of State Security”
In the absence of more concrete proof, the 2017 Cloud Hopper report on APT10 relied on timing analysis to make the connection to China. Compile times of executable files and registration times of domains all pointed to work undertaken between 9am and 5pm Beijing time.
If Zheng Yanbin, Gao Qiang and Zhang Shilong were working between 9am and 5pm and managed to orchestrate one of the largest Cyber attacks on western infrastructure of all time, it follows that any company for whom they were working would probably have been involved in the operation.
Continue reading “More on Huaying Haitai and Laoying Baichaun, the companies associated with APT10. Is there a state connection?”