In previous posts, Intrusion Truth showed that the Cloud Hopper / APT10 hackers that attacked thousands of global clients of Managed Service Providers (MSPs) in 2016 were based in Tianjin, China.
We identified Zheng Yanbin, Gao Qiang and Zhang Shilong as three actors responsible. We associated them with the Huaying Haitai Science and Technology Development Co Ltd (天津华盈海泰科技发展有限公司) and Laoying Baichen Instruments Equipment Co Ltd in Tianjin China. But we haven’t yet explained who was masterminding or controlling the attacks.
Continue reading “APT10 was managed by the Tianjin bureau of the Chinese Ministry of State Security”
Gao Qiang and Zheng Yanbin weren’t working alone. In this article we identify another member of the group.
fisherxp to baobeilong
Inspection of @fisherxp’s Twitter account shows that he follows 259 people and has 16 followers. One particularly interesting account, @baobeilong, both follows @fisherxp and is followed by it.
Continue reading “Who is Mr Zhang?”
The menuPass Sample
Hidden on Page 24 of the FireEye report referenced in our previous article, is the start of a thread that, if pulled, leads to more APT10 individuals. It is a Poison Ivy sample (b08694e14a9b966d8033b42b58ab727d). The sample connects to a C2 server at js001.3322[.]org. Incidentally, the connection password used by the sample is “xiaoxiaohuli”, Chinese for “littlelittlefox” (小小狐狸), a useful data point that helps to confirm the connection to China.
Continue reading “Who is Mr Gao?”