Who is Mr. Zhao?

In our last article, we identified a number of front companies used by two Chengdu-based indicted hackers Li Xiaoyu and Dong Jiazhi. 

What struck us when reading the US indictment was reference to the Guangdong State Security Department (GSSD). As eager readers of Intrusion Truth will note, we discussed the Guangdong SSD in our very first article series and their use of Boysec as a front company. However we didn’t manage to identify the MSS officers behind APT3. We feel there is unfinished business here and so we set to work to uncover MSS Officer 1.

We started with an address.

GSSD HQ

Why is the Guangdong Province International Affairs Research Centre (GPIARC) interesting? Well, its claim to fame most recently comes from the 2020 indictment, revealing it as a GSSD cover company. The address: Number 5, 6^th Crossroad, Upper Nonglin Road, Yuexiu District, Guangzhou, Guangdong Province (越秀区农林上路六横道5号). 

We decided to reach out to our network of contributors, asking about the GPIARC and any previous reference to this company or their known address. We received an interesting response from a trusted source who wishes to remain anonymous. This source, with connections to the Bank of China, was able to provide a number of historic credit card statement sent to the cover address at Upper Nonglin Road. One bank statement in particular stood out.

Zhao Jianfei (赵剑飞)

On the top left corner on the image below, the corresponding address is Unit 5, 6^th Crossroad, Upper Nonglin Road, Yuexiu District, Guangzhou. Furthermore, all the transactions appear in Guangzhou, Guangdong. 

We know this address is a cover for the GSSD. So, whoever is using this address works directly for the GSSD. So, who is this MSS officer?  

Underneath the address is a single name to which the statement is addressed to: Zhao Jianfei (赵剑飞). 

Interesting. So, we know Zhao was receiving correspondence about a credit card bill, using the GSSD cover company as the address. It stands to reason that Zhao Jianfei is an MSS officer, working for the Guangdong SSD. Could he be MSS Officer 1?

Asls1027

An FBI flash memo released on the 21^st July reveals further information pertaining to the email used by MSS Officer 1 to send Li and Dong zero-day exploits for use in their APT campaign. The memo has redacted the mail provider, but the handle is the bit we need: asls1027.

Remember when we said one statement in particular from the Bank of China was interesting to us?

Well, turns out that Bank of China sent the credit card statement to the personal email of Zhao Jianfei. 

The email address was asls1027@hotmail.com.

Zhao Jianfei is an MSS officer, working for the GSSD and receiving credit card statements to the address of a GSSD cover company. Furthermore, this correspondence was sent to his personal email; the same email account that sent cyber actors a zero-day exploit for use in their illegal activities.

Zhao Jianfei has been directing Li Xiaoyu and Dong Jiazhi by providing them with malware and supporting their APT campaign.

Asls1027’s social media

As we know, humans are biased and often rely on availability heuristics: we tend to choose the least cognitively demanding option. As such, we tend to reuse email handles, passwords and so on. And it appears our Mr. Zhao falls into this category, reusing his handle across multiple social media sites.

Asls1027 has an interest in cars, posting on the car forum autohome.com.cn.

He also maintains a relatively empty yet bizarre Twitter profile. 

However none of this provided us with any more information on Zhao Jianfei himself. We know he uses the asls handle and his name is Zhao Jianfei so we decided to get even more creative, and found an interesting profile on Facebook with the stub Asls Zh.

Given the unique of the handle ‘asls’, we strongly believe this profile belongs to our Mr. Zhao. The profile picture was updated in 2014, a similar timeframe to other asls social media posts, as well as Zhao’s credit card activity in Guangdong. Zh = Zhao.

It seems Zhao was born in Xi’an, Shaanxi Province. Also note Asls Zh’s current residence – Guangzhou, in Guangdong Province. The same location as the Zhao Jianfei’s credit statement. 

Asls Zh went to the PLA Information Engineering University to study Computer Science. It fits with what we know about MSS Officer 1, and his ability to deploy zero-day exploits to support criminal hackers.

Conclusion

Zhao Jianfei is MSS Officer 1. 

He grew up in Shanxi, and attended a PLA university studying computer science. He now resides in Guangdong and has been working for the GSSD from at least 2013. An email account linked to his GSSD activity was also used to send Li and Dong malware to advance their APT campaign. 

Contract hackers – check. 

Front companies – check.

MSS officer working to the Guangdong State Security Department – check.

An APT with no name

When the 7^th July indictment was released naming two Chinese hackers affiliated with the Guangdong State Security Department, it grabbed our interest. Hackers… in China…working with the MSS. Sounds right up our street. But who are Li Xiaoyu (李啸宇) and Dong Jiazhi (董家志)? How do they conduct their activity? The indictment also mentions an unnamed MSS Officer 1. Who could this be? Let’s start with the named hackers…  

FBI wanted poster naming indicted hackers Li Xiaoyu (李啸宇) and Dong Jiazhi 董家志)

Former classmates, Li Xiaoyu and Dong Jiazhi studied Computer Application Technologies at the University of Electronic Science and Technology of China (UESTC) in Chengdu. Mr Dong and Mr Li are not individuals we have come across before in our investigations into Chinese APTs. However, we do love a challenge. So, we set about getting to work and decided to start in the city Li and Dong are based: Chengdu.

Our findings reveal a number of spurious science and technology companies linked to the indicted actors. A familiar pattern is once again emerging… 

Chengdu Shirun Technology Company Ltd (成都诗润科技有限公司)

Let’s start with Dong Jiazhi. There is very little to go on from the indictment. However, we know Chinese APTs follow a common blueprint: One of contract hackers and specialists, front companies and an intelligence officer. 

We know Mr Li and Mr Dong are the contract hackers. So we set about digging into their connections to front companies based in Chengdu. 

It turns out Dong has been investing in a company called Chengdu Shirun Technology Company Ltd. Specifically, 30,000RMB came from Dong, who invested in the company when it was registered. This roughly equates to $4,5000 or £3,500.

Registrant of Chengdu Shirun Technology Company Ltd: Dong Jiazhi

A deeper look into this company reveals its location is 16 Tongsheng Rd, Qingyang District, Chengdu. It also provides a contact number: 18828070461.

Interestingly, this is not the only company that is linked to this contact number. It seems a number of other companies in Chengdu also share this point of contact.

Chengdu Hanke Technology Company Ltd. (成都撼科科技有限公司)

This company shares the same contact number as Chengdu Shirun but lists this as an email contact (18828070461@139.com). Additional contact numbers (18980738906 and 18190696626) are also provided. 

Contact details for Chengdu Hanke Technology Company Ltd.

Even more interesting is the change record for the company. Prior to 2019, Dong Jiazhi was listed as the company contact.

Change record for Chengdu Hanke listing Dong Jiazhi on line 3

Chengdu Hanke doesn’t have much of a presence. The website domain 51409903.1024sj.com does not exist. However, we did come across a LinkedIn profile for someone who claims to be the project manager and lead programmer – a Kevin Lynx. Further digging did not reveal anything more on this person or the company. Kevin, if you are out there – feel free to get in touch…

Chengdu Xinglan Technology Company Ltd. (成都兴蓝科技有限公司)

It seems 18828070461 is a theme. The number from Shirun and the 139 email from Hanke was also used to register another Chengdu-based technology company: Chengdu Xinglan. 

So who is behind this company? Well, as we mentioned, it shares contact details with companies linked to Dong. And Mr Dong is mentioned as the company’s primary point of contact.

Company registration details listing Dong Jiazhi as a contact person for Chengdu Xinglan on line 2.

Furthermore, records show Li Xiaoyu as Chengdu Xinglan’s legal representative, CEO and Executive Director, having a 99% stake in the company. It seems the pair intertwined at University, and expanded together into their business ventures and criminal activity concealed by front companies based in Chengdu.  

Chengdu Xinglan, detailing the 18828070461 contact email and Li Xiaoyu as the company’s legal representative.  

Chengdulzy

Li and Dong haven’t learnt to mix things up – reusing the same email number for their multiple front companies. 

And once again, this number (18828070461) was used as the registrant contact number for a domain: ‘chengdulzy.com’.

The registrant of this domain? Dong Jiazhi. Unfortunately, we haven’t found out what this domain was used for, and it now appears to have been deleted. 

Chengdu’s many Science and Technology companies

We are finding a similar pattern to previous investigations. An overlap of numbers and emails linking to contract hackers (Dong and Li), and subsequently to a number of technology companies based in Chengdu. All with little to no online presence suggests – you guessed it – front companies. 

However, what about the individuals themselves? They clearly have been busy investing in, and creating multiple technology businesses within Chengdu to act as fronts for their hacking activity. But what else have they left on the internet for us to find? 

Oro0lxy

The handle used by Li, and named in the indictment provides a helpful starting point. A quick scan of the internet shows various accounts with this handle, most now defunct or empty but the majority pertaining to hacking forums, such as the Chinese Software Developers Network (CSDN).

It seems oro0lxy has had a long standing interest in ColdFusion, using this knowledge (according to the indictment) to develop vulnerabilities in support of his APT activity.

oro0lxy posts question on CSDN ColdFusion sub forum

In keeping with his interest in this vulnerability, Li was appointed moderator of a website for ColdFusion developers, CFwindow.com, in 2012. 

However, oro0lxy was later flagged for posting scams on CSDN.

QQ account links

Looking into Li and Dong’s QQ accounts, we attempted to identify their actions and any overlaps that were interesting or of note. According to leaked databases, QQ 3120988 was associated with the display name Li Xiaoyu, whilst QQ 191956463 had historically used the username Dong Jiazhi.

We also pulled out a number of QQ groups that crossed the two hackers profiles. Specifically their QQ accounts linking to university groups such as ‘Class of 2005, Class 5’ (2005 级5 班),‘Information Security Lab’ (信息安全实验室) and ‘Computer Applications Technology Class 2’ (计算机应用技术 2 班). 

These are historic but provide useful context for what we know about the pair. Get in touch with us if you have any further information or leads pertaining to these accounts.

So… we know that Li and Dong have been indicted as hackers working to the MSS. Contract hackers – check. 

We know that they set up a number of front companies based in Chengdu to shield their APT activity. Front companies – check.

And we know they have been working together for a number of years, having met at university and remained active on Chinese hacker forums. But who specifically is behind their activity with the Guangdong State Security Department? Who is MSS Officer 1?

Tune in next week to find out… 

#youknowwherethisleads

Who is Mr Ding?

We started by stating that Chinese APTs have a blueprint that us applied in multiple regions across China: contract hackers and specialists, front companies, and an intelligence officer. Applying this blueprint in Hainan, we surfaced inter-linked companies recruiting for people with hacking and specialist IT skills.

We have identified that Professor Gu Jian is connected to the front company Hainan Xiandun and supported some of their activities from his position at Hainan University. But his was more of a supporting role. Who was in charge?

Continue reading “Who is Mr Ding?” →

Who else works for this cover company network?

In our previous articles we identified a network of front companies for APT activity in Hainan, and showed that Gu Jian, an academic at Hainan University, is listed as a contact person for one of these companies – Hainan Xiandun. Additionally, Gu Jian appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so. The registered address for Hainan Xiandun is the Hainan University Library.

Our analysts and contributors were reassured to know that this blog is not alone in being suspicious of these Hainan front companies. Questions abound online about why these companies have such a thin presence on the Internet or, as below, whether the jobs they are promoting even exist.

This Chinese post is titled “Hainan Yili Technology Company: How can you find this company on the Internet, can I trust this job advert?” and asks other users of the site for their views.

Continue reading “Who else works for this cover company network?” →

Who is Mr Gu?

In our previous articles we identified thirteen companies that this blog knows are a front for APT activity in Hainan. Following further analysis, we noticed a close association between these Hainan front companies and the academic world. Multiple job adverts for the the companies are posted on university websites. Hainan Xiandun even appears to operate from the Hainan University Library!

Continue reading “Who is Mr Gu?” →

What is the Hainan Xiandun Technology Development Company?

This blog has previously shown that by starting with an APT it is possible to identify the individuals and companies responsible for conducting their attacks and the State actors behind them. We have also shown that you can start with the State and work backwards to the APT.

APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer. We know that multiple areas of China each have their own APT.

After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.

Continue reading “What is the Hainan Xiandun Technology Development Company?” →

Is there a pattern?

Readers of this blog will know that our investigations into APT3 and APT10 started with well-known intrusions and ended with the identities of the perpetrators and the identification of a front company connected to the Chinese Ministry of State Security (MSS).

As we pointed out on Twitter in December, there seems to be a pattern developing – a regional office of the MSS creates a company, hires a team of hackers and attacks Western targets. Why the MSS insists on using sloppy contracted hackers is beyond us here at Intrusion Truth, but the pattern is undeniable.

Continue reading “Is there a pattern?” →

APT3 is Boyusec, a Chinese Intelligence Contractor

In our last three posts we introduced you to APT3 and identified two individuals responsible for purchasing their domain names – Wu Yingzhuo and Dong Hao. An IP addresses in Guangdong, China was associated with some of the domains.

Both individuals have a long history of purchasing APT3 infrastructure. Who do they work for and where do their orders come from?

Continue reading “APT3 is Boyusec, a Chinese Intelligence Contractor” →

Who is Mr Dong?

In our last post we showed how, through WHOIS data, it is possible to identify Wu Yingzhuo, an APT3 operator who registered domain names for the group and advertised online offering help with Trojan development.

The story finished with http[.]net, a domain name that we showed was connected to APT3, and that was registered to Yingzhuo Wu. In this post we will show how the trail continues and allows us to identify a second APT3 member, Mr Dong.

Continue reading “Who is Mr Dong?” →

Who is Mr Wu?

In our last post we introduced you to APT3 and promised to identify the individuals behind the intrusion. Today we will follow the trail left by APT3’s infrastructure procurers and will identify our first APT3 operator, Mr Wu.

Continue reading “Who is Mr Wu?” →