In our previous articles we identified a network of front companies for APT activity in Hainan and showed their links to Hainan University academic Gu Jian. Although it was difficult to find people who work for these companies, we identified a number of individuals and concluded that this network of companies was actually APT40. One of the individuals we identified, Ding Xiaoyang, is the owner of a phone number used on job adverts under the name Mr Chen.
Ding Xiaoyang’s role
When we started we weren’t sure what Ding Xiaoyang’s role was.
So we ran the numbers. How many Dings are there likely to be in Haikou, Hainan, and would it be possible to identify a specific Ding Xiaoyang among them?
Continue reading “APT40 is run by the Hainan department of the Chinese Ministry of State Security”
You knew where this was heading.
In our previous articles we identified a constellation of front companies for APT activity in Hainan and a computer science specialist at Hainan University who is linked to one of the companies. We named the individuals that we could identify as working for these companies, including one that we know to be Hainan resident Ding Xiaoyang who had used his telephone number on a job advert using the name ‘Mr Chen’.
Having identified a network of interlinked technology and information security companies in Hainan, looking at other job adverts posted by the companies is illuminating…
Continue reading “Hainan Xiandun Technology Company is APT40”
We started by stating that Chinese APTs have a blueprint that is applied in multiple regions across China: contract hackers and specialists, front companies, and an intelligence officer. Applying this blueprint in Hainan, we surfaced inter-linked companies recruiting for people with hacking and specialist IT skills.
We have identified that Professor Gu Jian is connected to the front company Hainan Xiandun and supported some of their activities from his position at Hainan University. But his was more of a supporting role. Who was in charge?
Continue reading “Who is Mr Ding?”
In our previous articles we identified a network of front companies for APT activity in Hainan, and showed that Gu Jian, an academic at Hainan University, is listed as a contact person for one of these companies – Hainan Xiandun. Additionally, Gu Jian appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so. The registered address for Hainan Xiandun is the Hainan University Library.
Our analysts and contributors were reassured to know that this blog is not alone in being suspicious of these Hainan front companies. Questions abound online about why these companies have such a thin presence on the Internet or, as below, whether the jobs they are promoting even exist.
This Chinese post is titled “Hainan Yili Technology Company: How can you find this company on the Internet, can I trust this job advert?” and asks other users of the site for their views.
Continue reading “Who else works for this cover company network?”
This blog has previously shown that by starting with an APT it is possible to identify the individuals and companies responsible for conducting their attacks and the State actors behind them. We have also shown that you can start with the State and work backwards to the APT.
APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer. We know that multiple areas of China each have their own APT.
After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.
Continue reading “What is the Hainan Xiandun Technology Development Company?”
We started this story with Guo Lin (郭林), identified to us as an MSS Officer. We showed that he had personal links to a number of companies and individuals involved in Cyber security, at least one of whom helped develop a key tool used by APT17. We have also shown direct links between Guo Lin’s company Antorsoft and the Chinese Ministry of State Security.
But what were APT17 really doing? We know from media coverage in our part of the world that APT17 hacked a number of targets in the West and did untold damage. What isn’t well known is that they were also hackers for hire, acquiring data and selling it for profit.
Continue reading “Encore! APT17 hacked Chinese targets and offered the data for sale”
In previous articles we identified Jinan Quanxin Fangyuan Technology Co. Ltd. (济南全欣方沅科技有限公司), Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司), Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司) and RealSOI Computer Network Technology Co. Ltd. (瑞索计算机网络科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan.
We also identified two hackers from Jinan: Wang Qingwei (王庆卫), the representative of the Jinan Fanglang company, and Zeng Xiaoyong (曾小勇), the individual behind the online profile ‘envymask’.
Continue reading “APT17 is run by the Jinan bureau of the Chinese Ministry of State Security”
In previous articles we identified Jinan Quanxin Fangyuan Technology Co. Ltd. (济南全欣方沅科技有限公司), Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司) and Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan. We also identified an IT Security expert from Jinan, Wang Qingwei (王庆卫), as the representative of the Jinan Fanglang company. Another, potentially separate, individual goes by the name ‘iamjx’.
The identification of a further individual in Jinan requires us to follow the trail from what we believe to be a fourth front company.
Continue reading “Who is Mr Zeng?”
In our last article we identified Jinan Quanxin Fangyuan Technology Co. Ltd. (济南全欣方沅科技有限公司) and Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan.
Jinan Fanglang Information Technology Company
As disclosed previously by this blog, the antorsoft[.]com domain name listed the main address for Jinan Quanxin Fangyuan as 238, Jing Shi Dong Lu, Jinan, China.
Continue reading “Who is Mr Wang?”
In our last post, we stated that a source whose identity we had verified had named an MSS Officer in Jinan who was believed to be involved in cyber operations. We are now in a position to reveal that the name provided to us is 郭林 (Guo Lin). Open source research conducted by analysts working for Intrusion Truth quickly revealed a potential candidate for Guo Lin.
Guo Lin, Masters Student
An IT security paper from 2007 called ‘基于多维角度的攻击分类方法’ (Method of Classifying Attacks Based on Multi-dimension) was authored by a Guo Lin, in which he described himself as a Masters student conducting research into network and information security and malicious code detection. Guo was a Computer Science student at Nanjing University (not Jinan), making it uncertain whether he is indeed the same individual in Jinan named in our tip.
Continue reading “Who is Mr Guo?”