Chinese APTs: Interlinked networks and side hustles


As FireEye pointed out in their APT41 overview, there is a high degree of malware and code-signing certificate overlap across Chinese APTs, but two groups in particular stand out as almost identical in their use of malware code: APT41 and APT17. 

Remember Mr. Zeng Xiaoyong (aka envymask)? As readers will know, we named Zeng as a member of APT17 back in July 2019. We evidenced his connections to the Chinese hacker group ph4nt0m, his birthplace in Sichuan and his university, Nanjing Science and Engineering, where he met and later worked with Guo Lin, an MSS officer of the Jinan SSD. And it appears Zeng Xiaoyong has connections that go even further…

BlackCoffee

Mr. Zeng is credited with writing a widely circulated exploit for the public vulnerability MS08-067 (the Windows Server service RPC flaw). That exploit code was incorporated into ZoxRPC, which evolved into the BLACKCOFFEE malware, a hallmark of APT17 and of Zeng specifically. APT41 uses this same malware in its operations. This sharing of exploit and malware code speaks to the increasing overlap and coordination between APT groups within China.

EnvyMask and Blackfox

Further digging has also revealed a history between Blackfox and envymask on a number of sites, including CSDN and GitHub, where Blackfox promotes his ‘codz’ and expresses his gratitude to envymask and to another hacker known only as LuoLuo for their help. 

Blackfox and envymask’s relationship appears to be quite a deep one: they maintain direct contact, and Blackfox credits envymask for his guidance and expertise in writing exploits. This also highlights the overlap between envymask (of APT17 fame) and Blackfox (of APT41 fame), which could go some way towards explaining the overlap in malware tools attributed to APT groups emanating from China, and the difficulty the industry has in grouping APTs by their use of TTPs alone.

ShadowPad

This backdoor, reported by Kaspersky in 2017 after it was found in trojanised builds of NetSarang’s server management software, was used to facilitate a supply chain attack and is commonly attributed to China. It is considered to be an evolution of PlugX; both originated in China and are used by Chinese APTs (APT41 in particular).

PlugX and WHG

AlienVault Labs theorised that “WHG” was the developer of PlugX, and in 2012 Dunham and Melnick wrote about a connection between WHG and Tan Dailin. Tan (as Wicked Rose) credits WHG (aka “fig”) as one of the developers of the GinWui rootkit, which links back to the Network Crack Program Hacker group (NCPH), which Tan founded.  

WHG is known to be the user of QQ 312016, which displays the username Zhao Jibin (赵纪斌). QQ 312016 belongs to another small QQ group (39771264) with just 14 members. A tight-knit circle of like-minded individuals? Of note are three other members: Jiang Lizhi, Zhang Haoran and Tan Dailin.  

Remember when we mentioned Lu Jian’s membership in a group titled Chinese Communist Party Ministry of Finance (QQ 3391434)? We stated that the owner of this group was QQ 312016 – with the display handle ‘whg’. 

This further highlights the deep interconnectivity and social web these Chinese hackers maintain. But to what degree are these hackers’ interactions merely social, and to what degree are their skills and experience directed, coordinated and developed by higher echelons within the CCP?

Cyber Arrests

We did some digging into Zhao Jibin. Once again, he has links back to Sichuan, having attended Xihua University.  

We also discovered that there were a number of arrests during Xi’s crackdown on hackers within China in 2015. Notably, an office in Jinan associated with APT17 activity was raided by the local Public Security Bureau, and a number of Chinese hackers were arrested. Amongst them were Withered Rose (aka Tan Dailin), Zhao Jibin (aka whg) and Liu Jian (aka Cowardly Sheep, 懦羊).

The hackers were getting too big for their boots. Were the arrests a smokescreen? Or were they used to co-opt the hackers into working for the MSS? Either way, it didn’t stop them from continuing to support APT17 and APT41 operations.

Conclusion

Sichuan province is fast becoming a known hot spot for hacking. 

We believe that rather than APT41 being defined as a group or intrusion set, APT41 is perhaps better described as an interlinked network of Chinese cyber actors sharing malware, expertise and connections. The actors appear to have a high degree of autonomy, which explains the degree of malware and certificate overlap between APT groups emanating from China and supports the concept of the contractor model: autonomous cyber criminals ‘bid’ for state resources in exchange for top-level cover, and a blind eye is turned to their criminal activities outside the ‘996’ working schedule, provided their targets are outside the Chinese mainland. Hustling on the side with state-sponsored tools for their own profit makes us wonder whether the MSS truly has control over the contractors it works with.

According to Chengdu 404 in an interview, ‘They wanted to make a contribution to their home town’. Well, they have certainly done that. They have put Chengdu on the map, not least for China cyber watchers.

We started this article series with reference to a Times article focusing on Tan Dailin and his fellow hackers (collectively known as the NCPH). The article ended with a quote from one of the hackers (known only as Fisherman): “Real hackers are not doing it for a name or money. The real hackers keep their heads down, find network loopholes, write killer programmes and live off social security”. An interesting moral high ground to take. We wonder where it all went wrong. 

The people behind Chengdu 404 


In the previous articles, we touched upon Chengdu 404 as a front company. This article focuses on the individuals behind the company who have been named by the US as cyber criminals. The indicted trio are: Qian Chuan (钱川), Jiang Lizhi (蒋立志) and Fu Qiang (付强). 

Qian Chuan (钱川)

Qian Chuan, alumnus of Sichuan university, is the boss of Chengdu 404. His mugshot shows how much fun he has working at the CCP’s behest…

According to records, he held a 30% share in the company. He likes to come across as a fun boss; after all, providing cake for an employee’s birthday is going above and beyond, isn’t it?

Qian Chuan’s involvement with the Chinese government started before his managerial role in Chengdu 404. Since at least 2010 (according to the indictment) he has been creating software to wipe confidential information from digital media, and supporting efforts by the CCP to monitor and restrict information across Chinese social media platforms. 

Jiang Lizhi (蒋立志)

Jiang Lizhi has a lot of connections, and the ineptness that comes with broadcasting sensitive projects. Boasting of his close relationship with the ‘Guoanbu’ (the Ministry of State Security, MSS), he is recorded in the indictment as stating that this ‘provides him with protection’, even from the Ministry of Public Security (MPS). Is it us, or does this sound like a green light to hack for profit with no repercussions? Hindsight will reveal that the MSS cannot and does not protect its criminal hackers.

Jiang Lizhi was active within the company, attending many of its engagements at local universities in his role as deputy general manager. According to the company’s shareholding records, Jiang held a 20% share in 404.

Blackfox

As mentioned in previous articles in this series, the ‘black’ prefix appears to be a common thread among APT41 hackers’ handles. Jiang Lizhi’s handle, Blackfox, supports that assumption. 

Delving into the internet archives, we found his historic Blackfox blog at fox.he100.com.

The domain registration record names Jiang Lizhi as the registrant, based in Chengdu. Helpfully, he also lists his handle Blackfox as an additional point of contact. 

The blog itself reads like an online diary of a depressed teenager; it is an ‘interesting’ read into the psyche and personality of a Chinese cyber hacker. An online diary of despair some might say. Blackfox talks of his anxiety and how irritable he can become, how lonely he is and how unhappy his actions make him.

An example is this translated post from 2006 where Blackfox talks of moving back to Chengdu and being unemployed.

QQ 6858849

In 2004, a post on CSDN titled ‘ISS_Manager’ detailed points of contact for Blackfox, including a QQ number (6858849) and the domain fox.he100.com. As we know, this domain links back to Blackfox’s blog. The QQ account carried the display name 蒋立志 (Jiang Lizhi) as well as Blackfox, and has been active in creating a number of QQ groups. Most were used for staying in contact with classmates, whilst others refer to businesses Jiang was involved with, including the Chengdu-based online gaming company Blaze Loong Science and Technology (成都炎龙科技有限公司). A number of these QQ groups are shared with other APT41 individuals, including Tan Dailin, Qian Chuan and Fu Qiang.

Fu Qiang (付强)

The baby-faced Fu Qiang is the last of our trio. He is head of big data development at Chengdu 404. In November 2020, just two months after the indictment, we noted that his alias standny was active online, pushing Chengdu 404 recruitment. Although less is known about Fu, he maintains a heavy presence on Western social media sites. One such profile is a Twitter account that promoted a number of apps on the Apple App Store (see our previous article on this and his relation to c0hlbrd). 

Blaze Loong Technology Company Ltd. (成都炎龙科技有限公司)

Remember when we mentioned the Blaze Loong QQ group Jiang Lizhi created? Blaze Loong is a gaming company based in Chengdu and a wholly owned subsidiary of Zhejiang Huge Leaf Company (浙江翰叶股份有限公司). 

Blaze Loong uses its international marketing platform to import and export gaming products (useful for APT41’s money-making intrusions against gaming companies). Yet archived pages show a very different company: a Blaze Loong that used to be a penetration testing and network security management company, providing tailor-made solutions to ‘major government agencies’. 

According to the Qichacha company overview, the founder and CEO of Blaze Loong is a Lu Jian (鲁剑). Lu Jian was also the director and vice chairman of Zhejiang Huge Leaf Company.

Chengdu YanLong Technology Company Ltd (成都炎龙科技有限公司)

YanLong is a subsidiary of Blaze Loong Technology Company, bought out in 2009. 

Chengdu YanLong Technology Company was established in 2007, purporting to be a game development and publishing service based in Shanghai, despite being geo-tagged as Chengdu. 

WHOIS information for the company’s domain (bltech.cn) lists the registrant email blackfox@qq.com, which we know belongs to Jiang Lizhi, explaining the company QQ groups he set up. 

Records show a Lu Jian (鲁剑) as the legal representative of the company, as well as the executive director, general manager and shareholder.

Lu Jian (鲁剑) and QQ 5238342

We know Lu Jian is heavily involved in a number of companies based in Chengdu which are linked to APT41 actors. He shares membership with Jiang Lizhi and Tan Dailin in a QQ group created by Jiang. What is more, Lu Jian’s QQ account (QQ 5238342) is the group’s admin. 

According to Baidu, Lu Jian was born in 1979 and has been involved in a number of technology companies as a shareholder, legal representative, CEO and founder.

QQ 5238342 (Lu Jian) is also a member of QQ group 3391434, titled the ‘Chinese Communist Party Ministry of Finance’. The owner of this group is QQ 312016, using the alias ‘whg’. You might recognise this alias; we will return to it later. Another alias commonly used with QQ 5238342 adds further support for Lu Jian’s role in APT41’s activity: a ‘black’-prefixed alias, ‘BlackJack’. The QQ account even used the Blaze Loong company logo as its display profile.

There were a number of other usernames associated with this QQ account, including “Blaze Loong Science and Technology – Director Long” (炎龙科技-龙总) and “Long Shaoyang” (龙少杨). Could this be another name for Lu Jian?

A Sina Weibo account for Long Shaoyang identifies him as a male located in Chengdu, Sichuan. Social media further highlights similarities between Long Shaoyang and Lu Jian: they share the same handle (BlackJack), are associated with the same QQ account (5238342), and show the same Blaze Loong display image on their social media.

On the 27th July 2013, a Long Shaoyang (龙少杨) attended a gaming and technology conference alongside the Chairman of the Molin Gaming group (mokylin.com). Details from this event reveal that Long is the CEO of Blaze Loong Technology, whilst other press releases refer to Long Shaoyang as the founder of Blaze Loong.

So, we have two names for what appears to be the same person. One is used in business records and another used for public-facing roles. Interesting. Get in touch if you know more.

Liu Jian (刘建)

As mentioned previously, Jiang Lizhi created a number of QQ groups linked to other APT actors. One in particular is named ‘unknow’ (QQ 10930057). Given the small membership of this QQ group and the number of its members we have already found with APT41 links, it stands to reason that the remaining members also have links into APT41. 

We followed this through with group member QQ 14149038. The username translates to ‘Cowardly Sheep’, and the profile shows a male engineer living in Chengdu. Note the display picture: it is the logo of Chengdu Anvei, the antivirus company that Tan Dailin created and which brought him media attention in 2012. Referring back to Anvei, registration details show that Liu Jian owned more than 10% of the company’s stock. 

Liu is also involved in another company based in Chengdu – the Chengdu Daigen Science and Technology Company (成都戴亘科技公司) where Tan is listed as CEO and Liu as Director. Both of these companies have now ceased operating.

Conclusion

All individuals and companies with links to APT41 have roots back to Chengdu, Sichuan province.

The APT41 actors, along with others we have named in this article series, show how far the reach of the Chinese hacker community extends: they use their connections within that community to progress and share techniques, conducting activity both for the state and for their own personal gain. But what degree of overlap has this created between Chinese APTs? Is the model of grouping malware and personas into categories and APT groups still sustainable for InfoSec researchers, law enforcement officials and those trying to make sense of the APT threat? 

The old school hackers behind APT41


The US indictment released in 2020 named five hackers with substantiated links to APT41, all of them criminal hackers based in Chengdu, Sichuan province. It seems Chengdu is getting somewhat of a hacker reputation. 

Let’s start with arguably the most notorious and well known of these five hackers: Tan Dailin. 

Tan Dailin (谭戴林)

Quite a lot of information is already out there on Tan. We know he was talent-spotted at Sichuan University for his hacking techniques and was subsequently trained by the People’s Liberation Army (PLA, 中国人民解放军). 

Tan was a founding member of the Network Crack Program Hacker Group (NCPH), going by the hacker name Wicked Rose. NCPH was a hacker group based out of Zigong, Sichuan, whose members were current or former students of Sichuan University of Science and Engineering. The group gained notoriety by carrying out a number of attacks against the US Department of Defense in 2006 using the GinWui rootkit, authored by Wicked Rose and another hacker, WHG. Wicked Rose announced in a blog post that the group was paid for its work, but did not name the sponsor. We can take an educated guess as to who Wicked Rose’s sponsor was … It begins with P and ends with A.

Given the plethora of information Tan has disclosed online, he is a hacker who seems to enjoy the limelight. In 2012, he was the subject of an article by KrebsOnSecurity which sought to understand why a Chinese hacker (Tan) was the founder of a Chinese antivirus software (Anvisoft) purporting to be based in Fremont, USA. A domain look-up revealed that Anvisoft was in fact registered to the high-tech zone of Chengdu using the email linked to Tan’s hacker handle wthrose(at)gmail.com and registered using the name tandailin. Five years later, a reporter for Times magazine conducted an interview with Tan noting he was ‘lauded in China for his triumphs in military-sponsored hacking competitions and was unlikely to have problems with local law enforcement’. A man with many connections it seems. Invincible and untouchable, or noisy and dispensable? A fine line to walk.

QQ 903063678

Delving into the many Chinese leaked databases, we came across another QQ: 903063678, which from 2011 held the display name 戴林 (Dailin) as well as the handle ‘BlackWolf’. 

However, the name Dailin linked to a QQ account isn’t much to go on, so we sought to validate our thinking. The identifier linked to this account was used to register a domain: ‘bat.mg’. 

Registration information from this links to someone called ‘Daniel Tan’ in Chengdu, with the number 8613228166666. This number was also used to register ‘huianquan.net’, with details of the registration showing as ‘tandailin’ alongside an associated contact email: tandailin@163.com.

We are confident QQ 903063678 is Tan Dailin. It uses his alias (BlackWolf), and we have an associated number and email. We will see where this goes later on in the series.

Zhang Haoran (张浩然)

Zhang (37 years old, using alias Evilc0de) was named alongside Tan Dailin in the indictment for APT41. He appears to keep a much lower profile than his APT41 colleague. Nevertheless, he is deeply involved in intrusion activity having jointly participated in the conspiracy to target the video gaming industry.

Chengdu Huidong Science and Technology Company (成都慧东科技有限公司)

A technology company based in Chengdu with little internet presence and links to an indicted Chinese hacker: it seems like a classic front company to us. In 2006, Chengdu Huidong Science and Technology Company (成都慧东科技有限公司) declared two shareholders, each with a 50% stake: the CEO (Zhang Haoran) and a supervisor (Zhang Chengwei). 

So who is Zhang Chengwei? Clearly he knows Zhang Haoran well enough to go into business with him, and close enough to work with Zhang to develop cover companies for APT work. 

Zhang Chengwei (张城玮)

There are a number of Zhang Chengweis using QQ. However, one in particular caught our eye: QQ account 878792. This account is a member of several groups which overlap with other indicted APT41 actors, including Tan Dailin. Furthermore, the username associated with the account is ‘b1ackn1ve’. 

Another ‘black’ prefix, aligning with Tan Dailin’s use of BlackWolf. Eager readers will note we commented on matching pseudonyms in our previous article series on APT40. Could ‘black’ be indicative of a systemic pattern for APT41 hackers?

Blackn1ve has also appeared on our radar before, in a TLP:WHITE advisory released in September 2020. The advisory listed the email address b1ackn1ve@gmail.com as an indicator of compromise, having been used in an APT41 spearphishing campaign. 

So Zhang Chengwei is not only involved with APT41 activity by creating cover companies with Zhang Haoran but his hacker handle associated with his QQ account has been used in an APT41 spearphishing campaign against international victims. 
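The correlation steps used throughout this series, from a QQ account to a domain through a shared registrant identifier, from one domain to another through a shared phone number (the bat.mg and huianquan.net chain above), and from one account to another through shared QQ group membership (the QQ 878792 overlap above), all reduce to one operation: walking a graph of entities joined by shared attributes. The Python below is an added example, not code from this blog; every record, identifier and group number in it is invented, and the structure of the data merely mirrors the chains described in the text. It also encodes the caveat a practitioner would want: a weak attribute such as a city, or a free-text name, is deliberately not a pivot key, because thousands of unrelated people share it.

```python
"""Attribute-pivot graph for OSINT correlation.

Added example, not code from the article. Entities (QQ accounts, domains) are
linked through attribute nodes (email, phone, QQ group). A pivot chain is just
a shortest path in that bipartite graph. All identifiers here are constructed.
"""
from collections import defaultdict, deque
from itertools import combinations

# Attributes strong enough to pivot on. "city" and free-text names are deliberately
# excluded: too many unrelated people share them, so they would create false links.
# Handles are kept as labels for the analyst, not as pivot keys: they are copied
# and imitated, so a matching handle corroborates a link but does not create one.
PIVOT_KEYS = {"email", "phone", "group"}

# Constructed records, one per entity (a QQ account or a domain registration).
RECORDS = [
    {"entity": "qq:900000001", "handle": "BlackWolf", "email": "blackwolf@example.net", "city": "Chengdu"},
    {"entity": "domain:one.example", "email": "blackwolf@example.net", "phone": "+86-130-0000-0001", "city": "Chengdu"},
    {"entity": "domain:two.example", "phone": "+86-130-0000-0001", "email": "tan.example@example.net", "city": "Chengdu"},
    {"entity": "qq:900000002", "handle": "b1ackexample", "email": "b1ackexample@example.net", "city": "Chengdu"},
    {"entity": "qq:900000003", "handle": "bystander", "email": "bystander@example.net", "city": "Chengdu"},
]

# Constructed QQ group memberships: group id -> member accounts.
GROUPS = {
    "qqgroup:10000001": ["qq:900000001", "qq:900000002", "qq:900000004"],
    "qqgroup:10000002": ["qq:900000001", "qq:900000002"],
    "qqgroup:10000003": ["qq:900000003", "qq:900000005"],
}


def build_graph(records, groups):
    """Bipartite adjacency: entity (str) <-> attribute node (key, value) tuple."""
    adj = defaultdict(set)
    for rec in records:
        ent = rec["entity"]
        adj[ent]  # make sure an entity with no strong attributes still appears
        for key, value in rec.items():
            if key in PIVOT_KEYS:
                attr = (key, value)
                adj[ent].add(attr)
                adj[attr].add(ent)
    for gid, members in groups.items():
        attr = ("group", gid)
        for member in members:
            adj[member].add(attr)
            adj[attr].add(member)
    return adj


def pivot_path(adj, src, dst):
    """Shortest chain of shared attributes from src to dst (BFS); [] if none."""
    if src not in adj or dst not in adj:
        return []
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return []


def shared_groups(groups):
    """Number of QQ groups each pair of accounts has in common, keyed by sorted pair."""
    counts = defaultdict(int)
    for members in groups.values():
        for a, b in combinations(sorted(set(members)), 2):
            counts[(a, b)] += 1
    return dict(counts)


def clusters(adj):
    """Connected components of the graph, reported as sorted lists of entity nodes."""
    seen, out = set(), []
    for start in list(adj):
        if start in seen or isinstance(start, tuple):
            continue
        comp, stack = [], [start]
        seen.add(start)
        while stack:
            node = stack.pop()
            if not isinstance(node, tuple):
                comp.append(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        out.append(sorted(comp))
    return sorted(out)


if __name__ == "__main__":
    g = build_graph(RECORDS, GROUPS)
    print(pivot_path(g, "qq:900000001", "domain:two.example"))  # account -> email -> domain -> phone -> domain
    print(shared_groups(GROUPS))
    print(clusters(g))
```

Running it prints the five-node chain from qq:900000001 to domain:two.example (through the shared email and then the shared phone number), the per-pair group co-membership counts, and two disconnected clusters; qq:900000003 never joins the first cluster because, once city is excluded as a pivot key, it shares nothing with it. The same structure works on real WHOIS and group data, with the important discipline being which keys you allow into PIVOT_KEYS.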

Summary

The typical model of a front company to hide APT activity is a tried and tested one which APT41 are continuing to prove. The prefix ‘Black’ as a hacker handle might link APT41 actors. Furthermore, shared QQ groups support the social interconnectivity of these criminal actors and they are not shy to ‘boast’ about their connections to the state to support their activity. All have links back to Sichuan. Our next article starts there – in a city we now know very well. Home to Lonely Lantern and APT41: Chengdu.