Tag: #intrusiontruth

What’s Cracking at the Kerui Cracking Academy?

FeaturedWhat’s Cracking at the Kerui Cracking Academy?

A brand-new investigation – we know you love it. 

We’re back once more to tell a familiar tale: how an MSS-sponsored APT group – known for its hacking operations around the world – has been caught red-handed. This time, in Wuhan.

It should come as no surprise that Wuhan was already a place of interest to us before the city reached global fame in 2020. Wuhan is home to some of China’s most impressive cyber talent. We knew there was bound to be some shady things going on in the city – all we needed was a lead. 

We got to thinking. We know that not all of China’s best hackers are self-trained – what if they learn together? This thought led us to the tip of our metaphorical iceberg: the Wuhan Kerui Cracking Academy. 

Wuhan Kerui Cracking Academy

When we think of a typical hacker up to no good, a certain image comes to mind. A dingy, dimly-lit bedroom home to a young twenty-something who probably has more computers than friends. But the Wuhan Cracking Academy turns that all on its head, with seemingly big classrooms, stuffed with bright cyber talent.

Established in 2007, the Kerui Cracking Academy prides itself on providing its students the best information security training in the industry, including the ‘most professional reverse security course’ as part of its curriculum. So confident is the school of its teaching abilities that it tells prospective students not to worry about finding a job – in fact ‘almost 100% of students get a job within one month.’ Impressive! 

The ‘Professor X’ of the Kerui Cracking Academy is none other than the international cyber superstar Qian Linsong. Aside from his role as founder of Wuhan Kerui Cracking Academy, Professor Qian Linsong acts as part-time teacher at the National Cyber Security College of Wuhan University, a tutor at the Huazhong University of Science and Technology and the Vice Chairman of Quanzhou Artificial Intelligence Society. 

He is perhaps best known however for his book on C++ disassembly and reverse analysis. Here’s a picture of him in his superstar coat and glasses signing a book for one of his fans:

And for those looking to understand what led Qian to set up Wuhan’s own School for the Gifted, you are in luck. The ever so modest Qian has documented his life in a blog, complete with pictures at Disney World. 

Following an increase in China-US hacking, a youthful Qian started downloading hacking software from websites to tinker with at home. In 2002, at the age of 23, Qian lands a job in the US analyzing products developed by an American company. It’s not long though – only 2 years – before Qian finds himself resigning and moving back to China, taking up a lecturer position at Tsinghua University. 

Reading through his blog you get a sense of Qian the man. An intelligent, dedicated teacher who likes wine and archery as much as he enjoys working in cyber. But it’s not long before you begin to see Qian’s – and Kerui’s – links to the Chinese state…

Alongside the Kerui Cracking Academy, Qian runs a side-hustle as the owner of the Kerui Reverse Technology Company, also founded in 2007. The homepage makes clear that the company has provided ‘technical services for many projects of the Ministry of Public Security and the Ministry of State Security’. So, it is safe to assume that Qian is no stranger to working with Chinese intelligence services. 

We couldn’t help but wonder whether Qian’s cooperation with the MSS runs a little deeper. Is Qian supplying the MSS with freshly trained hackers? Or even up-skilling hackers the MSS have found? Just to add to our suspicions, the Kerui Cracking Academy seems to have kept a close eye on the work destinations of its graduates – with some of them labelled as ‘Mystery Unit’ and ‘Keep Confidential’. 

This got team I-T thinking: this site must be a goldmine for names of people hacking for Chinese intelligence services. We began investigating and struck gold. Kerui Cracking’s ‘Testimonials’ page. 

XI JINPING’S DATA HOOVERING

FeaturedXI JINPING’S DATA HOOVERING

Athletes beware: the 2022 Winter Olympics provide Xi Jinping with a golden opportunity to test his new data hoovering tools. 

Let’s take a look at China’s digital currency, the e-CNY, and how athletes could be tricked into helping the Chinese state fine-tune its latest surveillance weapon.

With Beijing on the world stage, China sees the Winter Olympics as the perfect opportunity to showcase its new digital currency. Issued by the People’s Bank of China (PBoC), the e-CNY is the CCP’s fight-back against Chinese tech giants – and the burgeoning crypto scene – for control of digital payments in China and beyond.

It’s no surprise the PBoC wants a slice of the pie. Since 2019, both WeChat Pay and AliPay – China’s two biggest mobile payment platforms – have had over 1bn active users, accounting for the vast majority of transactions within China. With increasing signs of China’s tech behemoths locking horns with the CCP, it’s clear to see how a mass roll-out of the e-CNY will ramp up the stakes. 

Athletes and their teams from all over the globe will have the opportunity, assuming they are allowed out of their rooms, to splash their virtual cash at a number of shops and restaurants, including athlete favourites such as Nike and…McDonalds. Athletes simply need to register for and open a digital e-CNY wallet on their mobile phone, and top up their wallet using their international bank account.

But what does Xi Jinping set to gain from the e-CNY? Aside from his desire to take over the digital currency world, the roll-out of the e-CNY marks the birth of perhaps China’s most potent tool for spying, coercion and social control. 

What will happen to my e-CNY data?

As the central regulator, the PBoC will be the entity collecting all your transaction data. This includes details of your mobile device, your account details, location, what you are purchasing and when you are purchasing it. The bank will use the data to improve its “services” to consumers, fine-tuning the digital wallet and hoping to expand the number of vendors which accept the payment system. But the data processing doesn’t stop there…

Once collected, data controlled by the PBoC can then be passed onto Chinese intelligence agencies without warning and without credible justification. While Chinese tech giants have also had to comply with the regulations, handing your data to the PBoC brings it even closer to Chinese state control. It is no secret in China just how closely the PBoC, Ministry of State Security (MSS) and Ministry of Public Security (MPS) work together to maintain the surveillance state. And we’re talking cooperation which stretches a lot further than some anti-money laundering checks…

An e-wallet display at the e-CNY pilot exhibition for the Beijing Winter Olympics (Costfoto/ Barcroft Media via Getty Images)

We know China’s intelligence services love data. They just cannot help themselves. It’s why Chinese state-backed hackers have been caught, named and shamed over and over again. Whether it’s hacking your travel data, your employment data, your academic data, your phone company’s data, or even your private health data, the Chinese state wants it all.

But it is what China’s intelligence services could do with the e-CNY data haul which is truly terrifying. This includes training algorithms to spot “unfavourable” activity, the definition of which appears broad and vague. For illustration, some past examples of unfavourable activity includes voting for a Chinese TV contestant too many times, talking about Korean pop music on Weibo, or playing computer games past your bed-time. The Australian think-tank, ASPI, released a piece last year detailing the potential for China to combine the e-CNY with its social credit system. Users of the e-CNY could then be punished for any purchases or financial activity which does not uphold Xi’s “socialist values”. If you fall foul of the e-CNY transaction police, you may one day find yourself on the same naughty step as the millions of Chinese deemed too socially disruptive to use public transport.

And you can be sure Mr Xi has global ambitions for the e-CNY, broadening its utility from a domestic surveillance capability to an international spy tool.

Key to fine-tuning Mr Xi’s latest tech surveillance tool is the collection and processing of masses of financial data. The more data there is to analyse, the quicker the algorithms will be trained to spot the activity it does not like. So if you are an athlete in Beijing, do yourselves – and Chinese shoppers – a favour: don’t feed Xi’s data beast and ditch the e-CNY wallet on your phone!    

Epilogue

Epilogue

Recap

In our last article, we identified Mr Zhao Jianfei as the MSS officer supporting Chinese hackers Li Xiaoyu and Dong Jiazhi. Mr Zhao works the Guangdong State Security Department, highlighting the direct support the Chinese government are providing criminal hackers in their illegal activities. We reached out to Mr Zhao for comment, and hear his side of the story, but we did not receive a response.

The bigger picture

It’s been a busy few months for the Chinese hacking community. Hafnium became a global threat almost overnight thanks to the zero-day exploit of the Microsoft Exchange Server compromise. Microsoft attributed Hafnium to the Chinese state. Their indiscriminate scattergun approach to deploying ransomware and infecting thousands of victims was wholly immoral and it is something we continue to monitor – get in touch if you can help.

MSS regional departments recruit Chinese criminals to conduct offensive cyber for the state. We now know this model is evolving, with regional bureaus outsourcing requirements to hackers not simply based in their region, but across the Chinese mainland – sharing expertise between provinces and seemingly working to one, broad model of a criminal, contracted service. Hafnium is a good example of this, with reports showing APTs 40 and 41 are just some of the many Chinese APTs taking advantage of the Exchange Server compromise.

The Chinese Communist Party are using APTs and hackers for hire to do their bidding, something we at Intrusion Truth have been asserting for some time. This was perhaps most noticeable during the COVID crisis, where state-backed Chinese hackers have been seen time and time again – across various regions and provinces, hacking into international companies known for researching and advancing the COVID vaccine – and doing so for malicious gains. Li Xiaoyu and Dong Jiazhi are a prime example of this. Stealing intellectual property and profiteering from the pandemic at a time of global crisis is a new low even for the MSS. 

Victims

The MSS’s choice of victims is interesting to note. It follows a now familiar pattern of Chinese contract hackers stealing IP for the CCP’s interests (COVID research, antiviral drugs, personal information on Chinese dissidents) whilst moonlighting for personal gain.

Mr Li in particular attempted a ransom operation in 2017 according to the indictment, demanding $15,000 in cryptocurrency in exchange for not leaking data. Is the Chinese state turning a blind eye to criminal activities within their borders? Are they supporting and actively tasking this criminal activity? Or is it evidence of the MSS not having as much control as they would like over the criminals they employ?

Denial

As we and many others have documented, China seems to give with one hand, and take with the other. Double standards spring to mind: 笑里藏刀 ‘a knife hidden behind a smile’

Public criticism of their actions does not seem to have an effect. The Chinese response is simply to deny and bite back harder. Yet we have shown the direct links between these criminal hacking groups and the MSS departments running and supporting them.

In China’s own words, cyberattacks should be ‘unequivocally condemned by all’. Perhaps a lesson out of their own book wouldn’t go a miss… 

An APT with no name

These actors and their links to the MSS challenged us. The indictment landed talking of a Chinese group working out of Chengdu. Yet we hadn’t come across them before, nor had we previously noted their connections to the GSSD. Are they part of a bigger, wider known APT (APT41 perhaps)? Are they simply ‘hackers’ for hire? Either way, it shows how difficult it is to simply partition and package Chinese hackers into APT groups – more so than previously thought.  

We wanted to take this moment and suggest a name for these actors. It seems a shame to write about a group such as this without them having an appropriate APT name… Some ideas we at Intrusion Truth came up with:

  1. HYPOCRITICAL DRAGON
  2. LAUGHING DAGGER 
  3. LONELY LANTERN 

Other creative ideas welcome – you know how to get in touch.

Who is Mr. Zhao?

Who is Mr. Zhao?

In our last article, we identified a number of front companies used by two Chengdu-based indicted hackers Li Xiaoyu and Dong Jiazhi. 

What struck us when reading the US indictment was reference to the Guangdong State Security Department (GSSD). As eager readers of Intrusion Truth will note, we discussed the Guangdong SSD in our very first article series and their use of Boysec as a front company. However we didn’t manage to identify the MSS officers behind APT3. We feel there is unfinished business here and so we set to work to uncover MSS Officer 1.

We started with an address.

GSSD HQ

Why is the Guangdong Province International Affairs Research Centre (GPIARC) interesting? Well, its claim to fame most recently comes from the 2020 indictment, revealing it as a GSSD cover company. The address: Number 5, 6th Crossroad, Upper Nonglin Road, Yuexiu District, Guangzhou, Guangdong Province (越秀区农林上路六横道5号). 

We decided to reach out to our network of contributors, asking about the GPIARC and any previous reference to this company or their known address. We received an interesting response from a trusted source who wishes to remain anonymous. This source, with connections to the Bank of China, was able to provide a number of historic credit card statement sent to the cover address at Upper Nonglin Road. One bank statement in particular stood out.

Zhao Jianfei (赵剑飞)

On the top left corner on the image below, the corresponding address is Unit 5, 6th Crossroad, Upper Nonglin Road, Yuexiu District, Guangzhou. Furthermore, all the transactions appear in Guangzhou, Guangdong. 

We know this address is a cover for the GSSD. So, whoever is using this address works directly for the GSSD. So, who is this MSS officer?  

Underneath the address is a single name to which the statement is addressed to: Zhao Jianfei (赵剑飞). 

Interesting. So, we know Zhao was receiving correspondence about a credit card bill, using the GSSD cover company as the address. It stands to reason that Zhao Jianfei is an MSS officer, working for the Guangdong SSD. Could he be MSS Officer 1?

Asls1027

An FBI flash memo released on the 21st July reveals further information pertaining to the email used by MSS Officer 1 to send Li and Dong zero-day exploits for use in their APT campaign. The memo has redacted the mail provider, but the handle is the bit we need: asls1027.

Remember when we said one statement in particular from the Bank of China was interesting to us?

Well, turns out that Bank of China sent the credit card statement to the personal email of Zhao Jianfei. 

The email address was asls1027@hotmail.com.

Zhao Jianfei is an MSS officer, working for the GSSD and receiving credit card statements to the address of a GSSD cover company. Furthermore, this correspondence was sent to his personal email; the same email account that sent cyber actors a zero-day exploit for use in their illegal activities.

Zhao Jianfei has been directing Li Xiaoyu and Dong Jiazhi by providing them with malware and supporting their APT campaign.

Asls1027’s social media

As we know, humans are biased and often rely on availability heuristics: we tend to choose the least cognitively demanding option. As such, we tend to reuse email handles, passwords and so on. And it appears our Mr. Zhao falls into this category, reusing his handle across multiple social media sites.

Asls1027 has an interest in cars, posting on the car forum autohome.com.cn.

He also maintains a relatively empty yet bizarre Twitter profile. 

However none of this provided us with any more information on Zhao Jianfei himself. We know he uses the asls handle and his name is Zhao Jianfei so we decided to get even more creative, and found an interesting profile on Facebook with the stub Asls Zh.

Given the unique of the handle ‘asls’, we strongly believe this profile belongs to our Mr. Zhao. The profile picture was updated in 2014, a similar timeframe to other asls social media posts, as well as Zhao’s credit card activity in Guangdong. Zh = Zhao.

It seems Zhao was born in Xi’an, Shaanxi Province. Also note Asls Zh’s current residence – Guangzhou, in Guangdong Province. The same location as the Zhao Jianfei’s credit statement. 

Asls Zh went to the PLA Information Engineering University to study Computer Science. It fits with what we know about MSS Officer 1, and his ability to deploy zero-day exploits to support criminal hackers.

Conclusion

Zhao Jianfei is MSS Officer 1. 

He grew up in Shanxi, and attended a PLA university studying computer science. He now resides in Guangdong and has been working for the GSSD from at least 2013. An email account linked to his GSSD activity was also used to send Li and Dong malware to advance their APT campaign. 

Contract hackers – check. 

Front companies – check.

MSS officer working to the Guangdong State Security Department – check.

An APT with no name

An APT with no name

When the 7th July indictment was released naming two Chinese hackers affiliated with the Guangdong State Security Department, it grabbed our interest. Hackers… in China…working with the MSS. Sounds right up our street. But who are Li Xiaoyu (李啸宇) and Dong Jiazhi (董家志)? How do they conduct their activity? The indictment also mentions an unnamed MSS Officer 1. Who could this be? Let’s start with the named hackers…  


FBI wanted poster naming indicted hackers Li Xiaoyu (李啸宇) and Dong Jiazhi 董家志)

Former classmates, Li Xiaoyu and Dong Jiazhi studied Computer Application Technologies at the University of Electronic Science and Technology of China (UESTC) in Chengdu. Mr Dong and Mr Li are not individuals we have come across before in our investigations into Chinese APTs. However, we do love a challenge. So, we set about getting to work and decided to start in the city Li and Dong are based: Chengdu.

Our findings reveal a number of spurious science and technology companies linked to the indicted actors. A familiar pattern is once again emerging… 

Chengdu Shirun Technology Company Ltd (成都诗润科技有限公司)

Let’s start with Dong Jiazhi. There is very little to go on from the indictment. However, we know Chinese APTs follow a common blueprint: One of contract hackers and specialists, front companies and an intelligence officer. 

We know Mr Li and Mr Dong are the contract hackers. So we set about digging into their connections to front companies based in Chengdu. 

It turns out Dong has been investing in a company called Chengdu Shirun Technology Company Ltd. Specifically, 30,000RMB came from Dong, who invested in the company when it was registered. This roughly equates to $4,5000 or £3,500.


Registrant of Chengdu Shirun Technology Company Ltd: Dong Jiazhi

A deeper look into this company reveals its location is 16 Tongsheng Rd, Qingyang District, Chengdu. It also provides a contact number: 18828070461.

Interestingly, this is not the only company that is linked to this contact number. It seems a number of other companies in Chengdu also share this point of contact.

Chengdu Hanke Technology Company Ltd. (成都撼科科技有限公司)

This company shares the same contact number as Chengdu Shirun but lists this as an email contact (18828070461@139.com). Additional contact numbers (18980738906 and 18190696626) are also provided. 


Contact details for Chengdu Hanke Technology Company Ltd.

Even more interesting is the change record for the company. Prior to 2019, Dong Jiazhi was listed as the company contact.


Change record for Chengdu Hanke listing Dong Jiazhi on line 3

Chengdu Hanke doesn’t have much of a presence. The website domain 51409903.1024sj.com does not exist. However, we did come across a LinkedIn profile for someone who claims to be the project manager and lead programmer – a Kevin Lynx. Further digging did not reveal anything more on this person or the company. Kevin, if you are out there – feel free to get in touch…

Chengdu Xinglan Technology Company Ltd. (成都兴蓝科技有限公司)

It seems 18828070461 is a theme. The number from Shirun and the 139 email from Hanke was also used to register another Chengdu-based technology company: Chengdu Xinglan. 

So who is behind this company? Well, as we mentioned, it shares contact details with companies linked to Dong. And Mr Dong is mentioned as the company’s primary point of contact.


Company registration details listing Dong Jiazhi as a contact person for Chengdu Xinglan on line 2.

Furthermore, records show Li Xiaoyu as Chengdu Xinglan’s legal representative, CEO and Executive Director, having a 99% stake in the company. It seems the pair intertwined at University, and expanded together into their business ventures and criminal activity concealed by front companies based in Chengdu.  


Chengdu Xinglan, detailing the 18828070461 contact email and Li Xiaoyu as the company’s legal representative.  

Chengdulzy

Li and Dong haven’t learnt to mix things up – reusing the same email number for their multiple front companies. 

And once again, this number (18828070461) was used as the registrant contact number for a domain: ‘chengdulzy.com’.

The registrant of this domain? Dong Jiazhi. Unfortunately, we haven’t found out what this domain was used for, and it now appears to have been deleted. 

Chengdu’s many Science and Technology companies

We are finding a similar pattern to previous investigations. An overlap of numbers and emails linking to contract hackers (Dong and Li), and subsequently to a number of technology companies based in Chengdu. All with little to no online presence suggests – you guessed it – front companies. 

However, what about the individuals themselves? They clearly have been busy investing in, and creating multiple technology businesses within Chengdu to act as fronts for their hacking activity. But what else have they left on the internet for us to find? 

Oro0lxy

The handle used by Li, and named in the indictment provides a helpful starting point. A quick scan of the internet shows various accounts with this handle, most now defunct or empty but the majority pertaining to hacking forums, such as the Chinese Software Developers Network (CSDN).

It seems oro0lxy has had a long standing interest in ColdFusion, using this knowledge (according to the indictment) to develop vulnerabilities in support of his APT activity.


oro0lxy posts question on CSDN ColdFusion sub forum

In keeping with his interest in this vulnerability, Li was appointed moderator of a website for ColdFusion developers, CFwindow.com, in 2012. 

However, oro0lxy was later flagged for posting scams on CSDN.

QQ account links

Looking into Li and Dong’s QQ accounts, we attempted to identify their actions and any overlaps that were interesting or of note. According to leaked databases, QQ 3120988 was associated with the display name Li Xiaoyu, whilst QQ 191956463 had historically used the username Dong Jiazhi.

We also pulled out a number of QQ groups that crossed the two hackers profiles. Specifically their QQ accounts linking to university groups such as ‘Class of 2005, Class 5’ (2005 级5 班),‘Information Security Lab’ (信息安全实验室) and ‘Computer Applications Technology Class 2’ (计算机应用技术 2 班). 

These are historic but provide useful context for what we know about the pair. Get in touch with us if you have any further information or leads pertaining to these accounts.

So… we know that Li and Dong have been indicted as hackers working to the MSS. Contract hackers – check. 

We know that they set up a number of front companies based in Chengdu to shield their APT activity. Front companies – check.

And we know they have been working together for a number of years, having met at university and remained active on Chinese hacker forums. But who specifically is behind their activity with the Guangdong State Security Department? Who is MSS Officer 1?

Tune in next week to find out… 

#youknowwherethisleads