More on Huaying Haitai and Laoying Baichaun, the companies associated with APT10. Is there a state connection?

More on Huaying Haitai and Laoying Baichaun, the companies associated with APT10. Is there a state connection?

In the absence of more concrete proof, the 2017 Cloud Hopper report on APT10 relied on timing analysis to make the connection to China. Compile times of executable files and registration times of domains all pointed to work undertaken between 9am and 5pm Beijing time.

If Zheng Yanbin, Gao Qiang and Zhang Shilong were working between 9am and 5pm and managed to orchestrate one of the largest Cyber attacks on western infrastructure of all time, it follows that any company for whom they were working would probably have been involved in the operation.

Continue reading “More on Huaying Haitai and Laoying Baichaun, the companies associated with APT10. Is there a state connection?”

Who is Mr Gao?

Who is Mr Gao?

The menuPass Sample

Hidden on Page 24 of the FireEye report referenced in our previous article, is the start of a thread that, if pulled, leads to more APT10 individuals. It is a Poison Ivy sample (b08694e14a9b966d8033b42b58ab727d). The sample connects to a C2 server at js001.3322[.]org. Incidentally, the connection password used by the sample is “xiaoxiaohuli”, Chinese for “littlelittlefox” (小小狐狸), a useful data point that helps to confirm the connection to China.

Continue reading “Who is Mr Gao?”