Hello Lionel Richie

An interesting turn of events occurred whilst releasing our article series on Lonely Lantern (the Chinese APT previously with no name, working to the Guangdong SSD).

As most of our readers will have been aware, a brand new Twitter account was created to reply to our tweet in advance of the second article where we exposed Guangdong MSS officer 1 as Zhao Jianfei, working with Li and Dong to support and direct their intrusion activity from Chengdu.

At the time, we noted this post and found it interesting (not least for the gif choice) but put it on the back burner given other investigations and leads we were following up on. However, what piqued our interest further was the fact this account and its comment was later deleted. 

Why would Mr. Ren reach out to us on this public forum and tweet that he is the MSS officer we were looking for? Does he have something he wants to get off his chest? The Twitter bio translates to ‘roaming the streets of Guangzhou’. Seems to fit with the brief of the GSSD. 

We decided to investigate (initially as a bit of fun on a rainy day) but as you will see, it is clear that Ren Yuntao is entwined with Lonely Lantern. 

Here’s what we know.

Ren Yuntao (任云韬)

The Twitter profile is in the name of Ren Yuntao. However, the profile itself is quite sparse, having being created the same month as posting. And it appears he only engaged with us. A keen watcher of our work? A super fan perhaps.

So, apart from being a Lionel Ritchie fan, what else could we find on Mr Ren? His Twitter profile didn’t give us much so we decided to start at the beginning and where we know hackers from Lonely Lantern reside: Chengdu.

Mr. Ren it seems went to the same school as Li Xiaoyu and Dong Jiazhi (the indicted hackers we mentioned in Article 1). Ren studied a Masters program at the University of Electronic Science and Technology of China (UESTC), in Chengdu. 

His studies led to him gaining experience in the development of software, defense and forensic analysis of information systems.

Department of Computer Science and Engineering Master’s students at UESTC (124 in total). Ren Yuntao’s name appears 8^th along in the third para.

Ren’s Master’s thesis, submitted in December of 2006 is titled “Malicious Code Anti-Detection Technology Research Based on Dynamic Binary Modification” (基于二进制多态变形的恶意代码反检测技术研究). His supervisor whilst completing his studies was Li Yichao (李毅超).

We set about delving into Ren’s thesis to see what we could find (it is quite dry in places and we wouldn’t recommend it as bedtime reading). Yet, there are some nteresting nuggets. An example is on page 71. Here, Ren provides his acknowledgement to ‘Pinkeyes’, a ‘famous network security figure within China’, referring to him as his ‘comrade in arms’. An interesting phrase to use.

Later, on page 74, Ren details his research projects and achievements throughout his graduate studies. Of specific note to us was his involvement in the ‘design and realisation of a Sichuan State Security Department (SSSD) programme’. 

Highlighted section: Mention of Sichuan SSD in Ren’s thesis

The last accomplishment Ren lists (point 6) is his participation as a “core technician in a “major” university project with designator XXX”. Suspicious – a project so sensitive it needs to be redacted but high profile enough to include in a thesis detailing your work achievements…

Following on from his success with sensitive projects and MSS programmes in Sichuan, Ren appears to have been quite busy, staying on at UESTC as a post-grad and publishing two papers. One of which was on the topic of detecting malware on registry Hive files.

Li Yichao (李毅超)

Cited in Ren’s papers and listed as Ren’s supervisor at the UESTC is Li Yichao (李毅超).  It was Mr Ren himself who wrote that Li Yichao gave him the National Network Security programme opportunity. So, who is Li Yichao?

Well, here is his CV.

Given he is an academic, his openness is our advantage. He notes his many plaudits, including ‘winning second prize from a certain ministry of the country’ and states some of his many students have gone on to work for ‘public and national security departments’. Could Ren be one of these individuals? 

Let’s recap: Ren has worked closely with a supervisor who openly talks of his links to government bodies and ministries within China. Ren himself has commented on his time working for the Sichuan State Security Department and other mysterious organisations that require redacted material whilst at UESTC. So what else can we find on Ren following his departure from academia?

Chengdu Jiuyan Technology Company Ltd. (成都九眼科技有限公司)

Also known as Chengdu Nine Eyes Technology Co Ltd., this company was established in July 2018 specialising in technology development, computer software and network engineering.

Two individuals are associated with the company. The first is the supervisor Xu Jiayou (徐嘉幼), holding just 1% of the company. The second is the executive director and general manager Ren Yuntao, with a registered stake of 99% in Chengdu Jiuyan.

The address is listed as Room 1, Floor 1, Building 1, 56 Changjiang East Second Street, Huayang Avenue, Tianfu New District, Chengdu.

Interestingly, there are a number of other companies who also claim to reside in Room 1, Floor 1, Building 1 of 56 Changjiang East Second Street in Chengdu including:

• Chengdu Hashmai Block Technology Co. Ltd
• Sichuan Shuanglin Jiayue Property Management Co. Ltd
• Shuju Chengdu Technology Co. Ltd
• Douxing Culture Communications Chengdu Co. Ltd
• Chengdu Yinchi Culture Media Co. Ltd
• Chengdu Vines Interactive Entertainment Technology Co. Ltd
• Chengdu Tianfu Hualong Petroleum Co. Ltd
• Chengdu Renhe Daoyuan Enterprise Management Consulting Co. Ltd
• Chengdu Jingwei Zhidao Enterprise Management Consulting Co. Ltd
• Chengdu Feihang Zhiyun Technology Co. Ltd
• Chengdu Als Technology Co. Ltd
• Chengdu Aiweili Trading Co. Ltd

That’s a lot of companies to be sharing 1 room.

Given it location, lack of internet presence and the individuals associated with it – a front company springs to mind.

Lingma Information Technology Company Limited (凌码信息技术上海有限公司)

Upon leaving academia, Ren appears to have obtained a job in the private sector as the Head of Information Security at Lingma Information Technology Co. Ltd. Once again, all roads lead back to Chengdu.

This is an extract of a book written by UESTC masters alumnus Xu Sheng from the Network Attack and Defense Lab, to which Ren Yuntao offers his review.

Ren Yuntao book review of 游戏外挂攻防艺术 (The Art of Game Plugin: Attack and Defense) by 徐胜 (Xu Sheng)

Head of Information Security sounds like a grand title. The company Ren worked for (Lingma) is a wholly-owned subsidiary of Singapore’s Nyber company. Nyber was established in 2010 under CEO Zhang Taiyong（张台涌). It is described as a company committed to research and development of high-end technology, with its business scope covering China and overseas regions and its products often being used in government fields. 

Lingma has a base in Chengdu. The address is given as Area C, Floor 10, Sector F of the 9th Building of High-Tech Incubation Park, Tianfu Avenue, Gaoxin District, Chengdu. 

Does this address seem familiar? It did to us. It is in the same high tech zone as Chengdu Hanke, the front company created by Dong Jiazhi and exposed in article 1 of our series on Lonely Lantern.

Company profile of Lingma

Just like déjà vu, our searching led us back to UESTC in Chengdu. In 2014, Lingma were advertising positions within its company on the UESTC webpage (www1.cduestc.cn), aiming to recruit system software engineers, interface software engineers, and information security evaluation managers. Could this be where Ren first came across Lingma and led to his career in ‘Information Security’?

Lingma scholarship at SWPU

Further searches around Lingma shows the company’s ties to other universities in Chengdu. For example, it provides a scholarship program with Southwest Petroleum University (https://www.swpu.edu.cn/info/1248/1113.html) at an investment of 3000 RMB per year.

Browsing the website for SWPU, there are a number of articles outlining Lingma’s involvement with the university under its scholarship scheme. 

One particular article caught our eye. It was posted on the 9^th June 2016, and describes how the scholarship awarding ceremony for the Lingma Scholarship took place a day earlier at SWPU.

It states that the director of the institute, ZHAO Gang (学院院长赵刚), was present at the ceremony and gave a speech to the students. The Deputy Secretary of the institute’s party committee, YU Hui (学院党委副书记余辉) was also present alongside Secretary LIU Xiang from the institute’s group committee, who hosted the event (学院团委书记刘翔). The person representing the Chengdu R&D Centre of the Lingma Company is named as a Mr. Ren Weitao (凌码信息技术有限公司成都研发中心负责人任伟韬先生).

Is it a coincidence that another Mr. Ren also works for the same company as our Mr. Ren? We don’t believe in coincidences. Given that Lingma only has up to 50 staff, and our searches revealed nothing further on any other Ren’s working for Lingma during this time, it is safe to assume that Ren Weitao is Ren Yuntao. Was the change in name a deliberate attempt to fly under the radar? What was Ren trying to hide?

The last picture in the article is interesting and appears to depict Mr. Ren. The students are proudly displaying their awards. The caption of this group photo describes those in the picture, including the”scholarship-receiving representatives [students], the scholarship-awarding guests [Ren Weitao (任伟韬)] and the leader”.

Disclaimer: We have obfuscated the students in this image due to their lack of involvement in APT activity

Conclusion

So what do we know?

1. An individual called Ren Yuntao tweeted his implication that he was the MSS officer associated with the APT group (Lonely Lantern) working out of Chengdu and for the Guangdong SSD.
2. Ren Yuntao attended the same university as the indicted criminal hackers for Lonely Lantern and has worked with the Sichuan SSD whilst at university. His university professor also likes to talk of his close links to the MSS.
3. Ren Yuntao sets up a front company in Chengdu High-Tech Incubation Park in Tianfu High Tech zone, suspiciously similar to Chengdu Hanke (linked to Dong Jiazhi from Article 1 in this series).
4. Ren Yuntao works for Lingma and is directly involved with local universities in Chengdu, handing out scholarships to students and providing apprenticeships to support their ‘cyber security’ effort.

If it walks like a duck, and quacks like a duck…

Ren – I know you were keen to talk:

An (in)Competent Cyber Program – A brief cyber history of the ‘CCP’

Every so often, we like to take the opportunity to step back from our regular OSINT sleuthing and take stock about why we spend our time doing what we do.

So, we thought we would honour the 100-year anniversary of the Chinese Communist Party (CCP) by pulling together a brief history of how the Chinese cyber programme developed into what it is today and our musings on this trajectory.

Our take on the history of the Chinese Cyber Programme

The First World Hacker War

Cyber is entwined with the real-world. Not a particularly ground-breaking statement. But an important one to make. Real world tensions can spill into the cyber realm, and vice versa. Remember the 2001 China-US tension? To refresh your memory, a US EP-3 aircraft collided with the Chinese F-8 fighter jet and the Chinese pilot was killed. What followed was a sustained DDoS attack against US servers including defacement of the White House and military from Chinese hacktivists. US hacktivists retaliated and it became a cyber graffiti war of sorts. What we found interesting is that it wasn’t until the Chinese called out this behaviour as ‘web terrorism’ that the attacks stopped. 

China: No longer hiding its strength

Former leader Deng Xiaoping touted the mantra of ‘hide your strength and bide your time’ (韬光隐晦). Well, it seems that time has passed, and with Xi Jinping now at the helm, China is certainly showing its strength on the world stage. China is no longer hiding from the world. 

China has aggressively and consistently built its national cyber program, prioritising education in computer science and technology and creating a recruitment pipeline of graduates from within its universities. Its focus seemingly being on offensive capabilities rather than security or intelligence analysis.  

As evidenced in our bottom-heavy timeline (seen above), the CCP have increased their scope for hacking and stealing. What is obvious to any observer is that they hack indiscriminately – friends and enemies are fair game. China’s BRI initiative is even considered a driver of cyber activity, which this graphic from Security Affairs neatly highlights.

Tsinghua university IP traffic aligning with BRI initiatives

And their activity is at an industrial scale. This uptick reflects the CCP’s priorities targeting intellectual property (IP) that have coincided with China’s Five-Year Plans. It is now so common that barely a day goes by without another article reporting Chinese cyber theft. Provides us with lots of rich content though!

Disgruntled Hackers and ties to Academia

Back in 2013, a disgruntled hacker from the PLA (given the name Wang) wrote about his time in the PLA hacking for his country. “My only mistake was that I sold myself out to the country for some minor benefits and put myself in this embarrassing situation,” he wrote on his blog. Few incentives and minimal benefits can lead some to defect and leave. Who knew. We wonder if conditions have changed in China since.

What hasn’t changed however are the links between Chinese hackers and academia. Wang himself co-authored two academic papers whilst at the PLA university. And interestingly, it was this same year that Cyb3rSleuth outed Zhang Changhe. His 9-5 job was as an assistant professor at the PLA Engineering University. Cyb3rSleuth was one of the first public uses of OSINT to attribute Chinese cyber-attacks to named individuals within the Chinese system (having named 10 Chinese hackers in total). Kudos – an inspiration to our platform.

Cyb3rSleuth identifying Zhang Changhe from Chinese social media as a PLA hacker

Further, it was a Tsinghua university (清华大学) IP (self-proclaimed state-owned technological institution) that engaged in network reconnaissance targeting a number of countries actively working with China on their Belt and Road Initiative (BRI) – see image above.

The PLA led the way with cyber hacking back in the 90’s and early 00’s. However, in 2015 there appeared to be a shift within the Chinese government, with the PLA transferring the bulk of cyber operations over to the MSS. After all, when the PLA hack – it’s very clear the direction of activity is coming from within the Party itself. This transfer (at least in the mind of the CCP) enabled plausible deniability following the public indictments of PLA unit 61398 a year earlier. After all, signing cyber agreements with a number for Western countries meant the Chinese military needed to ‘hide their strength’ and fade into the shadows.

Enter the MSS

As dedicated readers will know by now, it is the MSS that we at Intrusion Truth have focussed on for some time. And we do so given their continued support and engagement with criminal hackers. The MSS get something out of this relationship: deniability on the world stage (supposedly). But what do the criminal hackers get out of this? I’m sure some would say ‘security’. After all, the relationship between citizen and the state is deliberately murky. In recent years, there is evidence that China will not prosecute hackers within its borders unless they attack China. However, as indictments have shown, the Chinese state cannot, and do not, protect their own.

China is a vast surveillance state. They monitor everything and everyone. Thus, one could say that their continued denial of Chinese APTs, or cries of rouge actors… is laughable. Chinese APTs leave traces of their activity on the internet. Whether this is due to their naivety, thinking the state will cover their activities, or their inability to understand that the Great Firewall does not actually prevent others connecting to Chinese infrastructure and seeing their mistakes – only they know. Perhaps they have started believing their own propaganda: ‘We are world-leading, stealthy, and advanced threat actors’. Or perhaps they simply do not care? What is evident though is their sloppiness, which is something we are more than willing to highlight, evidence and make public.

State-sponsored theft

Chinese IP theft represents one of the largest transfers of wealth in human history. And their targeting is indiscriminate – from innovation and R&D (rice and corn seeds, software for wind turbines, naval engineering and medical research), to personally identifiable information (PII) and sensitive government documents. Ultimately, anything that provides China an edge is fair game. The methods China uses rely less on physically stealing data, and more on MSS contract hackers being tasked to steal it from within China’s borders.

There is a distinction made between a hacker and a criminal. Some might say one man’s hacker is another’s freedom fighter. Yet there are ethical and moral boundaries which the Chinese continue to violate. Utilising criminals to hack for the state’s bidding, and to do so to steal IP from hard-working companies provides an unfair advantage to prop up Chinese businesses. They can’t be pioneering or forerunners in their own right and seem to have concluded that they need to steal to gain a competitive advantage.  And this is theft condoned and actively encouraged by the Chinese state. A state which is rapidly emerging into a global superpower. It is a powerful message to be sending the world.

Home-grown hēikè

The Wooyun.org shutdown appears to be one of the first events which highlights the CCP’s direction of travel to essentially hoard offensive cyber capabilities by restricting the publication of 0-day vulnerabilities. In a statement on Sina, founder of Qihoo 360 Zhou Hongyi (周鸿祎) stated that it was only ‘imaginary success’ when competing in overseas competitions. Rather, Chinese hackers and their knowledge should ‘stay within China’ so they could recognize the true importance and “strategic value” of the software vulnerabilities. Following this, China restricted travel for Chinese hackers, instead inviting them to compete in the home-grown Tianfu competition. The very same event where the winning vulnerability (Chaos) has been aggressively used to target Uyghurs.

The APT side hustle

An increasing number of reports highlight activity from Chinese APTs deploying ransomware on their victims and hacking for-profit, using the same tactics, tools and occasionally time as their MSS campaigns to conduct this side business. This has included the repurposing of state-sponsored malware in the gaming industry, stealing virtual currencies and selling malicious apps.

A really interesting article on China’s Sina Games portal details an interview with a Chinese hacker. He comments that online games are the most valuable part of the Chinese hacking industry. His reasoning? That China’s internet’s security consciousness is weak. Granted this article is old. But what is interesting is the openness to which a Chinese hacker talks of hacking Chinese netizens for profit. Yet it seems this focus might have changed over the years, with China’s hackers now focusing outside of the Firewall.

The Chinese government is permitting cyber criminals to conduct this activity within its borders. We have evidenced direct involvement of criminal hackers with the MSS, whilst others in the InfoSec community have proven clear Chinese state links to APT intrusion activity.

So, is it tactical toleration on behalf of the MSS to allow these hackers to conduct cybercrime outside of its borders for self-profit? Do the MSS pay their hackers so poorly that they have to let them make money on the side to keep them sweet? Or have the MSS lost control of the criminals it employs to do its dirty work?

We are also seeing greater sharing of tools, techniques and knowledge across Chinese APT groups. This is most evident with Hafnium, where a large number of Chinese APT groups were concurrently and recklessly using the MES vulnerability. Increased crossover in malware and TTPs points to greater knowledge sharing and a higher level of organisation than what China would have us believe.

Chain of command

As we know, Chinese APTs take direction from the Chinese state. This is a pattern starting with front companies, leading back to MSS contract hackers and ultimately to local and regional MSS bureaus. It is becoming increasingly obvious that there is something more at play here. A cyber campaign of sorts; coordinated, run and tasked by seniors within the MSS?

We have evidenced multiple Chinese APTs which have relationships with MSS officers and are behind global campaigns of cyber hacking. Yet China keeps denying responsibility, crying that claims of their APT activity is ‘baseless with no evidence’… we would recommend our blog as some light reading in this regard.

So, who is leading the Chinese Cyber Programme?

Let’s look upwards. Someone is leading the coordination of China’s cyber campaign. The multiple APTs, appearing across various provinces within China, are all linked by the MSS bureaus sitting behind these groups. And there is one person in charge of the MSS.

One person giving the direction.

One person overseeing the Chinese cyber programme.

That person?

Chen Wenqing (陈文清).

Cyber karma

Beijing come across as powerful within the offensive cyber space. After all, their state is actively, aggressively and successfully sponsoring malign cyber activity against fellow states, private companies, industry and individual people. Yet Beijing also see themselves as vulnerable.

The Cyberspace Administration of China (CAC) is the country’s internet regulator and official body for enacting censorship. Recently, it stepped into the controversy around Didi (the ride-hailing app), ordering it to undergo a cybersecurity review ahead of its IPO in New York. The CAC later released a security-review revision in which it said companies holding personal data on at least one million users must apply for a cybersecurity review before any foreign listings.

Are China’s actions causing reactions? It’s almost as if the Chinese government know that their bulk collection of data on Chinese citizens is contentious. They lead the way in stealing PII from foreign governments and organisations – and the CAC know how powerful this data can be. Did they read our article outing APT10 using Uber receipts and are understandably worried about the vast data personal data holdings Didi might reveal on some of their senior officials?

Cyber karma – It is the guilty party that assumes everyone else is doing the same thing as them.

Conclusion

There has been 100 years of the CCP but only 38 years of the MSS. Yet there are a number of questions which remain unanswered (ie, we’d like more evidence to help answer, might we say):

1. Does Xi know what the MSS are doing in cyber space?
2. Do the CCP understand how their actions undermine the positive narrative China would like the world to believe?
3. Does the benefit of the Chinese cyber programme outweigh the costs to the Chinese leadership?

Happy Birthday CCP

生日快乐. As our present to you for reaching this auspicious milestone, we promise to stick with you and keep a close eye on what the MSS cyber programme is up to. We will continue to pen more attribution pieces as long as you support your APTs and deny they are working for you.

Psst. Chinese cyber hackers: If you are reading this, please do enjoy our fun quiz we put together. We feel the flowchart neatly leads to the right outcome.

Epilogue

Recap

In our last article, we identified Mr Zhao Jianfei as the MSS officer supporting Chinese hackers Li Xiaoyu and Dong Jiazhi. Mr Zhao works the Guangdong State Security Department, highlighting the direct support the Chinese government are providing criminal hackers in their illegal activities. We reached out to Mr Zhao for comment, and hear his side of the story, but we did not receive a response.

The bigger picture

It’s been a busy few months for the Chinese hacking community. Hafnium became a global threat almost overnight thanks to the zero-day exploit of the Microsoft Exchange Server compromise. Microsoft attributed Hafnium to the Chinese state. Their indiscriminate scattergun approach to deploying ransomware and infecting thousands of victims was wholly immoral and it is something we continue to monitor – get in touch if you can help.

MSS regional departments recruit Chinese criminals to conduct offensive cyber for the state. We now know this model is evolving, with regional bureaus outsourcing requirements to hackers not simply based in their region, but across the Chinese mainland – sharing expertise between provinces and seemingly working to one, broad model of a criminal, contracted service. Hafnium is a good example of this, with reports showing APTs 40 and 41 are just some of the many Chinese APTs taking advantage of the Exchange Server compromise.

The Chinese Communist Party are using APTs and hackers for hire to do their bidding, something we at Intrusion Truth have been asserting for some time. This was perhaps most noticeable during the COVID crisis, where state-backed Chinese hackers have been seen time and time again – across various regions and provinces, hacking into international companies known for researching and advancing the COVID vaccine – and doing so for malicious gains. Li Xiaoyu and Dong Jiazhi are a prime example of this. Stealing intellectual property and profiteering from the pandemic at a time of global crisis is a new low even for the MSS. 

Victims

The MSS’s choice of victims is interesting to note. It follows a now familiar pattern of Chinese contract hackers stealing IP for the CCP’s interests (COVID research, antiviral drugs, personal information on Chinese dissidents) whilst moonlighting for personal gain.

Mr Li in particular attempted a ransom operation in 2017 according to the indictment, demanding $15,000 in cryptocurrency in exchange for not leaking data. Is the Chinese state turning a blind eye to criminal activities within their borders? Are they supporting and actively tasking this criminal activity? Or is it evidence of the MSS not having as much control as they would like over the criminals they employ?

Denial

As we and many others have documented, China seems to give with one hand, and take with the other. Double standards spring to mind: 笑里藏刀 ‘a knife hidden behind a smile’. 

Public criticism of their actions does not seem to have an effect. The Chinese response is simply to deny and bite back harder. Yet we have shown the direct links between these criminal hacking groups and the MSS departments running and supporting them.

In China’s own words, cyberattacks should be ‘unequivocally condemned by all’. Perhaps a lesson out of their own book wouldn’t go a miss… 

An APT with no name

These actors and their links to the MSS challenged us. The indictment landed talking of a Chinese group working out of Chengdu. Yet we hadn’t come across them before, nor had we previously noted their connections to the GSSD. Are they part of a bigger, wider known APT (APT41 perhaps)? Are they simply ‘hackers’ for hire? Either way, it shows how difficult it is to simply partition and package Chinese hackers into APT groups – more so than previously thought.  

We wanted to take this moment and suggest a name for these actors. It seems a shame to write about a group such as this without them having an appropriate APT name… Some ideas we at Intrusion Truth came up with:

1. HYPOCRITICAL DRAGON
2. LAUGHING DAGGER 
3. LONELY LANTERN 

Other creative ideas welcome – you know how to get in touch.

An APT with no name

When the 7^th July indictment was released naming two Chinese hackers affiliated with the Guangdong State Security Department, it grabbed our interest. Hackers… in China…working with the MSS. Sounds right up our street. But who are Li Xiaoyu (李啸宇) and Dong Jiazhi (董家志)? How do they conduct their activity? The indictment also mentions an unnamed MSS Officer 1. Who could this be? Let’s start with the named hackers…  

FBI wanted poster naming indicted hackers Li Xiaoyu (李啸宇) and Dong Jiazhi 董家志)

Former classmates, Li Xiaoyu and Dong Jiazhi studied Computer Application Technologies at the University of Electronic Science and Technology of China (UESTC) in Chengdu. Mr Dong and Mr Li are not individuals we have come across before in our investigations into Chinese APTs. However, we do love a challenge. So, we set about getting to work and decided to start in the city Li and Dong are based: Chengdu.

Our findings reveal a number of spurious science and technology companies linked to the indicted actors. A familiar pattern is once again emerging… 

Chengdu Shirun Technology Company Ltd (成都诗润科技有限公司)

Let’s start with Dong Jiazhi. There is very little to go on from the indictment. However, we know Chinese APTs follow a common blueprint: One of contract hackers and specialists, front companies and an intelligence officer. 

We know Mr Li and Mr Dong are the contract hackers. So we set about digging into their connections to front companies based in Chengdu. 

It turns out Dong has been investing in a company called Chengdu Shirun Technology Company Ltd. Specifically, 30,000RMB came from Dong, who invested in the company when it was registered. This roughly equates to $4,5000 or £3,500.

Registrant of Chengdu Shirun Technology Company Ltd: Dong Jiazhi

A deeper look into this company reveals its location is 16 Tongsheng Rd, Qingyang District, Chengdu. It also provides a contact number: 18828070461.

Interestingly, this is not the only company that is linked to this contact number. It seems a number of other companies in Chengdu also share this point of contact.

Chengdu Hanke Technology Company Ltd. (成都撼科科技有限公司)

This company shares the same contact number as Chengdu Shirun but lists this as an email contact (18828070461@139.com). Additional contact numbers (18980738906 and 18190696626) are also provided. 

Contact details for Chengdu Hanke Technology Company Ltd.

Even more interesting is the change record for the company. Prior to 2019, Dong Jiazhi was listed as the company contact.

Change record for Chengdu Hanke listing Dong Jiazhi on line 3

Chengdu Hanke doesn’t have much of a presence. The website domain 51409903.1024sj.com does not exist. However, we did come across a LinkedIn profile for someone who claims to be the project manager and lead programmer – a Kevin Lynx. Further digging did not reveal anything more on this person or the company. Kevin, if you are out there – feel free to get in touch…

Chengdu Xinglan Technology Company Ltd. (成都兴蓝科技有限公司)

It seems 18828070461 is a theme. The number from Shirun and the 139 email from Hanke was also used to register another Chengdu-based technology company: Chengdu Xinglan. 

So who is behind this company? Well, as we mentioned, it shares contact details with companies linked to Dong. And Mr Dong is mentioned as the company’s primary point of contact.

Company registration details listing Dong Jiazhi as a contact person for Chengdu Xinglan on line 2.

Furthermore, records show Li Xiaoyu as Chengdu Xinglan’s legal representative, CEO and Executive Director, having a 99% stake in the company. It seems the pair intertwined at University, and expanded together into their business ventures and criminal activity concealed by front companies based in Chengdu.  

Chengdu Xinglan, detailing the 18828070461 contact email and Li Xiaoyu as the company’s legal representative.  

Chengdulzy

Li and Dong haven’t learnt to mix things up – reusing the same email number for their multiple front companies. 

And once again, this number (18828070461) was used as the registrant contact number for a domain: ‘chengdulzy.com’.

The registrant of this domain? Dong Jiazhi. Unfortunately, we haven’t found out what this domain was used for, and it now appears to have been deleted. 

Chengdu’s many Science and Technology companies

We are finding a similar pattern to previous investigations. An overlap of numbers and emails linking to contract hackers (Dong and Li), and subsequently to a number of technology companies based in Chengdu. All with little to no online presence suggests – you guessed it – front companies. 

However, what about the individuals themselves? They clearly have been busy investing in, and creating multiple technology businesses within Chengdu to act as fronts for their hacking activity. But what else have they left on the internet for us to find? 

Oro0lxy

The handle used by Li, and named in the indictment provides a helpful starting point. A quick scan of the internet shows various accounts with this handle, most now defunct or empty but the majority pertaining to hacking forums, such as the Chinese Software Developers Network (CSDN).

It seems oro0lxy has had a long standing interest in ColdFusion, using this knowledge (according to the indictment) to develop vulnerabilities in support of his APT activity.

oro0lxy posts question on CSDN ColdFusion sub forum

In keeping with his interest in this vulnerability, Li was appointed moderator of a website for ColdFusion developers, CFwindow.com, in 2012. 

However, oro0lxy was later flagged for posting scams on CSDN.

QQ account links

Looking into Li and Dong’s QQ accounts, we attempted to identify their actions and any overlaps that were interesting or of note. According to leaked databases, QQ 3120988 was associated with the display name Li Xiaoyu, whilst QQ 191956463 had historically used the username Dong Jiazhi.

We also pulled out a number of QQ groups that crossed the two hackers profiles. Specifically their QQ accounts linking to university groups such as ‘Class of 2005, Class 5’ (2005 级5 班),‘Information Security Lab’ (信息安全实验室) and ‘Computer Applications Technology Class 2’ (计算机应用技术 2 班). 

These are historic but provide useful context for what we know about the pair. Get in touch with us if you have any further information or leads pertaining to these accounts.

So… we know that Li and Dong have been indicted as hackers working to the MSS. Contract hackers – check. 

We know that they set up a number of front companies based in Chengdu to shield their APT activity. Front companies – check.

And we know they have been working together for a number of years, having met at university and remained active on Chinese hacker forums. But who specifically is behind their activity with the Guangdong State Security Department? Who is MSS Officer 1?

Tune in next week to find out… 

#youknowwherethisleads