In the absence of more concrete proof, the 2017 Cloud Hopper report on APT10 relied on timing analysis to make the connection to China. Compile times of executable files and registration times of domains all pointed to work undertaken between 9am and 5pm Beijing time.
If Zheng Yanbin, Gao Qiang and Zhang Shilong were working between 9am and 5pm and managed to orchestrate one of the largest cyber attacks on western infrastructure of all time, it follows that any company for whom they were working would probably have been involved in the operation.
Continue reading “More on Huaying Haitai and Laoying Baichaun, the companies associated with APT10. Is there a state connection?”
Gao Qiang and Zheng Yanbin weren’t working alone. In this article we identify another member of the group.
fisherxp to baobeilong
Inspection of @fisherxp’s Twitter account shows that he follows 259 people and has 16 followers. One particularly interesting account, @baobeilong, both follows @fisherxp and is followed by it.
Continue reading “Who is Mr Zhang?”
The menuPass Sample
Hidden on page 24 of the FireEye report referenced in our previous article is the start of a thread that, if pulled, leads to more APT10 individuals. It is a Poison Ivy sample (b08694e14a9b966d8033b42b58ab727d). The sample connects to a C2 server at js001.3322[.]org. Incidentally, the connection password used by the sample is “xiaoxiaohuli”, Chinese for “littlelittlefox” (小小狐狸), a useful data point that helps to confirm the connection to China.
Continue reading “Who is Mr Gao?”
Our story starts with a FireEye report: Poison Ivy – Assessing Damage and Extracting Intelligence. Although the report focuses on the Poison Ivy tool, which has been used by a number of groups, it specifically highlights a number of campaigns known to use it. One of those campaigns is the menuPass group, another name for APT10.
The report contains a number of e-mail addresses associated with domain names used by the APT10 actors. One of those e-mail addresses, firstname.lastname@example.org, contains a name – Zheng Yanbin.
Continue reading “Who is Mr Zheng?”
Twelve months have passed since this blog exposed Wu Yingzhuo, Dong Hao, their company ‘Boyusec’ and the Chinese Ministry of State Security (MSS) as being behind APT3. APT3 was, at the time, one of the most damaging APT attacks to hit Western companies. One year on, we take a look back at what happened after our publication.
Continue reading “The destruction of APT3”
In our last three posts we introduced you to APT3 and identified two individuals responsible for purchasing their domain names – Wu Yingzhuo and Dong Hao. An IP address in Guangdong, China was associated with some of the domains.
Both individuals have a long history of purchasing APT3 infrastructure. Who do they work for and where do their orders come from?
Continue reading “APT3 is Boyusec, a Chinese Intelligence Contractor”