We started by stating that Chinese APTs have a blueprint that us applied in multiple regions across China: contract hackers and specialists, front companies, and an intelligence officer. Applying this blueprint in Hainan, we surfaced inter-linked companies recruiting for people with hacking and specialist IT skills.
We have identified that Professor Gu Jian is connected to the front company Hainan Xiandun and supported some of their activities from his position at Hainan University. But his was more of a supporting role. Who was in charge?
In our previous articles we identified a network of front companies for APT activity in Hainan, and showed that Gu Jian, an academic at Hainan University, is listed as a contact person for one of these companies – Hainan Xiandun. Additionally, Gu Jian appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so. The registered address for Hainan Xiandun is the Hainan University Library.
Our analysts and contributors were reassured to know that this blog is not alone in being suspicious of these Hainan front companies. Questions abound online about why these companies have such a thin presence on the Internet or, as below, whether the jobs they are promoting even exist.
This Chinese post is titled “Hainan Yili Technology Company: How can you find this company on the Internet, can I trust this job advert?” and asks other users of the site for their views.
In our previous articles we identified thirteen companies that this blog knows are a front for APT activity in Hainan. Following further analysis, we noticed a close association between these Hainan front companies and the academic world. Multiple job adverts for the the companies are posted on university websites. Hainan Xiandun even appears to operate from the Hainan University Library!
This blog has previously shown that by starting with an APT it is possible to identify the individuals and companies responsible for conducting their attacks and the State actors behind them. We have also shown that you can start with the State and work backwards to the APT.
APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer. We know that multiple areas of China each have their own APT.
After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.
Readers of this blog will know that our investigations into APT3 and APT10 started with well-known intrusions and ended with the identities of the perpetrators and the identification of a front company connected to the Chinese Ministry of State Security (MSS).
As we pointed out on Twitter in December, there seems to be a pattern developing – a regional office of the MSS creates a company, hires a team of hackers and attacks Western targets. Why the MSS insists on using sloppy contracted hackers is beyond us here at Intrusion Truth, but the pattern is undeniable.
In our last three posts we introduced you to APT3 and identified two individuals responsible for purchasing their domain names – Wu Yingzhuo and Dong Hao. An IP addresses in Guangdong, China was associated with some of the domains.
Both individuals have a long history of purchasing APT3 infrastructure. Who do they work for and where do their orders come from?
In our last post we showed how, through WHOIS data, it is possible to identify Wu Yingzhuo, an APT3 operator who registered domain names for the group and advertised online offering help with Trojan development.
The story finished with http[.]net, a domain name that we showed was connected to APT3, and that was registered to Yingzhuo Wu. In this post we will show how the trail continues and allows us to identify a second APT3 member, Mr Dong.
In our last post we introduced you to APT3 and promised to identify the individuals behind the intrusion. Today we will follow the trail left by APT3’s infrastructure procurers and will identify our first APT3 operator, Mr Wu.
APT3 – also known as Gothic Panda, Buckeye, UPS Team and TG-0110 – was first reported in 2010 by FireEye in their report Hupigon Joins The Party. It is blamed for using a Remote Access Trojan named Pirpi in attacks against the US and UK. The Trojan is usually delivered through malicious attachments or links in spear-phishing e-mails and the group have a history of innovating new browser-based zero-day exploits. FireEye claim that it is one of the most sophisticated threat groups tracked by their Threat Intelligence arm.
In the month that APT10 rocked the world, we believe it is finally time to get to the truth behind “Advanced Persistent Threats” – large-scale Cyber attacks stealing intellectual property from Western companies.
We are busy investigating the largest APTs and will soon reveal the truth behind some of these intrusions. Meanwhile, you can read about APT10’s recent activity in PwC’s report, and their historical tools and techniques in FireEye’s report.