Intrusion Truth
入侵真相 (Intrusion Truth)

Is the CCP the biggest APT?
Tags: Infosec, #apt, #i-soon
[Image: CCP – China Cyber Puppetmaster]

I-Soon Information Technology Co. Ltd. (aka Shanghai Anxun Information Technology Co. Ltd, or Anxun) was, on the face of it, a reputable company, but it was hiding a dark secret: behind the mask it was being directed by the CCP. As you are probably already aware, the company was the subject of a leaked-document scandal in February 2024. The leak contained around 570 files, including chat logs, contracts and client lists. Among the trove that experts and translators had to trawl through were documents detailing over 70 victim countries that I-Soon targeted for hacking. Motivated by money? Or was it all down to pressure to perform for the CCP?

Here at Intrusion Truth, we have been watching and reading closely as the documents have been translated and validated. Many discussions have been had among the community, and every threat researcher worth their salt has had their own opinion. We have been taking our time combing the documents and getting insights from write-ins to understand the full picture.

[Image: Known I-Soon victims]

The Activity 

We would imagine the CCP was not best pleased to see I-Soon’s secrets (and in turn its own) laid out in a GitHub repository. Right around the time of the I-Soon leak, China published its revised State Secrets Law, emphasising its holistic view of national security and echoing its stance on data protection. Talk about awkward timing! The CCP is trying to mobilise the whole of society to be aware of national security, yet it was betrayed by a trusted company. Not to mention the embarrassment of reading chat logs and finding out that I-Soon seniors had been double-dealing state institutions by selling the same products to both the MPS (Ministry of Public Security) and the MSS (Ministry of State Security) without informing either. A conversation between two I-Soon employees shows them talking quite openly about re-selling data they had already sold to the MSS. When a company trusted with government work talks so casually about double-dealing, we start to get a sense of I-Soon’s attitude and business practices: practices that only benefited the wealth of the company and neglected its own workforce.

The People in Charge 

There is a clear chain of ownership linking I-Soon back to the Chinese state. Looking at I-Soon’s shareholders, Qi’Anxin (a large Chinese cybersecurity company) owns 12.96%, a higher percentage than former COO Chen Cheng (陈诚 aka lengmo) and a large enough investment that one would imagine Qi’Anxin has a good understanding of I-Soon’s operations.

[Image: I-Soon ownership structure]

So, alongside Qi’Anxin’s stated mission to “make cyberspace safer and the world a better place,” it also invests in a company that conducts large-scale, worldwide hacking activity. Only I-Soon’s CEO Wu Haibo (吴海波 aka shutd0wn) and another of his companies hold more shares than Qi’Anxin. It is also public knowledge that the state-owned China Electronics Corporation (CEC) purchased a 22% stake in Qi’Anxin in 2019. CEC is China’s largest state-owned electronic information company, and according to thepaper.cn the main purpose of its investment in Qi’Anxin was strategic: to ensure Qi’Anxin is part of the ‘national team’ for network security. Qi’Anxin has been responsible for cybersecurity at high-profile events, including the 70th anniversary of the PRC in Tiananmen Square, and was a Beijing Winter Olympics sponsor. Clearly, it is a trusted part of the PRC machine. The chain of ownership runs from the state-owned CEC to I-Soon via Qi’Anxin, so it isn’t hard to see how much of I-Soon’s irresponsible cyber activity can be traced back to the CCP. The CCP is closely linked not only to I-Soon but also to our good friends at Chengdu404 (APT41). Chat logs between Wu Haibo and Chen Cheng show they were hesitant to employ Chengdu404 staff because of the heat from the FBI indictments, perhaps because they were concerned it might draw attention to their own illicit activities.

[Image: Wu Haibo / 吴海波 aka shutd0wn]
Screenshot shows a security researcher and developer from Chengdu404 sending their CV to I-Soon; shutd0wn shows reluctance to hire the researcher, calling it ‘risky’.

The Employees

The job market in China is tough right now, oversaturated with graduates from tech universities. It is not unusual to see companies exploit graduates, but from the leaks we know that fewer than 27% of employees at I-Soon had a university degree; the company opted for a more practical-experience approach to recruitment. That isn’t always a bad thing if employees are paid what they are worth, but the documents showed woefully underpaid staff doing work far beyond the level they should have been expected to undertake. With employees suffering very low pay and having bonuses withheld, it’s not hard to imagine them compromising standards for a quick buck. Evidence from the leaks shows specific references to “qb”, “qingbao” and “情报”, which we know to mean intelligence. The employees are discussing how they have been selling their “intelligence” (building Trojans and social-engineering databases and selling them on to other companies) on the side to cover the losses from working at I-Soon.

[Image: Screenshots showing I-Soon employees discussing selling intelligence]

Even though I-Soon paid its workforce so poorly, the company was somehow able to help Chen Cheng out with a loan of 1 million RMB (approx. $140,000) to buy a house; some very questionable priorities. For those employed as graduates, imagine believing you were joining a reputable company into which you could pour all your years of hard study, only to find that your skills are being used to develop tools that enable illegal hacking and, worse, to monitor and suppress fellow Chinese citizens and the diaspora. Is this not a prime motive for someone to have dropped these documents online? To add to these concerns, as reported by the Associated Press, the police are investigating the source of the leak. Presumably the investigation would include interviewing, and therefore intimidating, staff members over the CCP’s relentless appetite for hacking, surveillance and suppression.

The Innocent Parties

[Image: Screenshot of a contract from I-Soon showing the Xinjiang autonomous region as the victim]

We can see from the leaks that I-Soon had no issue targeting ethnic minorities with its services: a leaked draft contract shows I-Soon selling “anti-terror” support to help the Bayingolin Public Security Bureau track Uyghurs through phone, airline and government data. There is also evidence within the leaks that I-Soon targeted the Central Tibetan Administration as well as pro-democracy advocates in Hong Kong. I-Soon’s reach and abilities extend far beyond the PRC’s borders. It seems that even the PRC’s economic partners are not safe: of I-Soon’s extensive list of victims, 19 are fully signed-up members of the PRC’s Belt and Road Initiative (BRI). Countries signed up to the BRI could be forgiven for believing their ties to Beijing would keep them safe from being hacked, but if anything the opposite is the case, which raises the question: just how compromised are the other 131 BRI members? I-Soon was clearly basing its services and products around requirements from its customers within China’s Public Security Bureaus. It wouldn’t be a stretch to assume that the exposure of irresponsible use of cyber tools would hurt I-Soon’s bottom line, but what are the real consequences of the CCP’s appetite for hacking?

[Image: Belt & Road members that were also victims of I-Soon]

The Tools  

Another document in the leaks is a whitepaper for a Windows remote control management system, which includes a screenshot of the admin panel. The IP address in this screenshot had helpfully already been linked by SentinelLabs to a ShadowPad C2 server back in 2021. For those who don’t know, ShadowPad is a backdoor often used in supply-chain attacks. It was discovered in 2017 and was initially thought to be used only by APT41, but it has since been shared among many Chinese threat actors. Some documents in the leaks appear to show I-Soon marketing Treadstone, a malware control panel used as a controller for the Winnti malware family. In 2019 Treadstone was directly referenced and attributed to APT41 in the US indictments against Chengdu404 employees. In light of the legal action Chengdu404 was taking against I-Soon over software development, it is entirely possible that I-Soon developed Treadstone on behalf of Chengdu404. ShadowPad samples have been seen alongside Cobalt Strike in infections attributed to EARTH LUSCA, who have also been linked to the Treadstone controller for Winnti.

Following the leaks, EARTH LUSCA has been identified as a likely penetration arm of I-Soon, given the overlap in IP locations, malware and victims (which include gambling companies, COVID-19 research organisations, educational institutions in Taiwan and Hong Kong, telecoms companies and various government institutions globally). We cannot emphasise enough how much overkill these tools were: tools built to be deployed against whole states, mercilessly used against innocent parties. I-Soon themselves admit they are an APT: according to The Epoch Times, a deleted “Business Services” webpage from 2013 showed that I-Soon had an established APT network penetration method research department. The title of our article speaks for itself.

As we said before, the leaks have been analysed and covered by all the top dogs in the community, and none more thoroughly than the Natto Thoughts blog. The team at Natto Thoughts have done a great job of explaining the details of the leaks and what they mean for different demographics.

We know this is not our usual scheduled content, but we have been working extremely hard investigating new avenues to give our followers fresh insights into the Chinese cyber ecosystem. Clearly, looking at the individual actors is not enough: there is a wider state-sponsored network of companies and organisations hacking mercilessly on behalf of the CCP. In our next article we will challenge ourselves to lift the lid further on the companies, the people and, ultimately, those in the CCP behind it all…

intrusiontruth
http://intrusiontruth.wordpress.com/?p=2511
One man and his lasers
Tags: #apt31, Russia, China, #apt, #lasers, #mss, #truthstrangerthanfiction

Article 1 left some tantalizing breadcrumbs about the manager of our main character organization from this article series, Wuhan Xiaoruizhi. ‘What is he up to?’ We hear you cry. ‘And what is up with all the lasers?’

So, without further ado. Introducing: Deng Zhiyong.

Deng at surface glance is the manager and CEO of Wuhan Xiaoruizhi Science and Technology. As a reminder, this is a supposed information/network security company which recruits linguists and hackers for tasks including big data analysis, based in Wuhan Optics Valley.

A deeper dive reveals that Deng also serves or has served on the Board of Directors of a number of companies including Wuhan Laser Power Supply Technology LLC, and Wuhan Technology Innovation Facilitation Center. Furthermore, he holds official titles in three Chinese-government affiliated organizations: Director of the Foreign Exchange Center, Ministry of Science and Technology China; Director of the Hubei Wuhan China/Russian Technologic Cooperation Center, and Chief of the Department of Steelworks Management Administration, Dongxi, Wuhan. We have one busy man on our hands. 

As our research continued, a clearer picture of Deng began to emerge. In particular, his side hustle as one of Wuhan’s foremost laser-related experts. Most of the companies where he sits on the board and the government departments he serves have some kind of laser-flavor. Deng is also one of the official representatives of Optics Valley, a geographical area of Wuhan which specializes in ‘opto-electronics’.  Below is Deng at the 9th International Laser Summit of Optics Valley of China. 

Within his laser-related activities, Deng seems to be most at ease in his role as the director of the Hubei Wuhan China/Russian Technological Cooperation Center. Numerous articles and images show him hosting delegations from the Russian Laser association, visiting Russian laser companies, and patenting joint inventions of laser technology alongside Russian scientists.  

But this is not all. Fascinating open source trade data demonstrates that Wuhan Xiaoruizhi exported a number of shipments of laser technology to Russian laser production firms during 2016 and 2017.

At team I-T this information has generated quite a few questions. Props to Deng for his scientific achievements, but how on earth does he have time for all this extra-curricular activity? What do lasers have to do with ‘network security’ and hacking? With registered capital of only RMB250,000 (USD 36,000) Xiaoruizhi can hardly claim to be big enough to be doing both. If Xiaoruizhi is a front company, why is it buying and selling real lasers with real money? 

We let our imaginations run riot pondering these questions. Could it be that Deng, as the boss of a front company, doesn’t have a real job, and so is free to pursue his laser-related dreams using Xiaoruizhi funds? Could Deng have been co-opted by the MSS while running an initially legitimate laser company and forced to turn it into an APT shell? Or could it be that Wuhan Xiaoruizhi and Deng himself serve as the front for a separate strand of Chinese government activity…cozying up to Russian laser experts for the purposes of Chinese S&T advantage.

The latter point reminds us of something we read recently……..

Now, of course, we have no proof here. But given Xiaoruizhi’s links to a number of MSS officers and the government links of its employees and Deng himself this is not beyond the realms of possibility.

Regardless of whether or not Deng is really spying on Russia, surely his position as effectively Wuhan’s laser envoy to Russia is somewhat undermined by the reported activity of APT31, which sat under his command (on paper at least) at Xiaoruizhi: 

Perhaps it is a case of Deng and APT31 keeping their friends close but their enemies closer. Or perhaps Deng’s influence was the only thing stopping APT31 spying on Russia previously and since breaking free to new front companies the group has had free rein. And perhaps we will never know. One thing is for sure though, there are sure to be more secrets hiding under the metaphorical rock of Wuhan Xiaoruizhi Science and Technology than we have been able to tackle in this series. If you have anything to add to this or any part of our investigation, or to kick off a new one, please do get in touch. Our doors (inboxes) are always open to tips. 

For now, though, friends of I-T, this is where we will leave you, until our next big investigation at least. It’s been a blast. Until next time.

intrusiontruth
http://intrusiontruth.wordpress.com/?p=1759
Wuhan Xiaoruizhi Class of ‘19
Tags: #apt31, #apt, #wuhan, #cyberthreat, #mss, #wherearetheynow

Welcome back Intrusion Truth readers, it’s been a little while. We hope you’ve spent the time reflecting on our findings from our previous set of articles on suspicious happenings in and around Wuhan. We don’t know about you, but even after six articles we felt we had some unfinished business with Wuhan Xiaoruizhi and friends. So, we put together the remaining information we had to give you a few more interesting snippets on APT31’s operational infrastructure. 

For our first annex, we will tackle a lead buried in the information leaked by our disaffected Xiaoruizhi insider from articles 4 and 5: that employees of Xiaoruizhi (AKA APT31 actors) had moved to new companies in 2020.

We set out to investigate these claims and see if we could identify some, or all, of the follow-on destinations of Xiaoruizhi’s class of 2019. And, we are pleased to report, we had a pretty good run. 

Let’s begin with the link that was most straightforward to piece together. A company we named, briefly, in an earlier article. 

A touch of in-depth Googling on some of the known Xiaoruizhi actors brought up the below spreadsheet, which proved to be a goldmine. A spreadsheet of Wuhan City-based individuals in receipt of employment/training subsidies, which, luckily for us, includes the companies they are employed by. Poring through this enormous document, we hit the jackpot. Wuhan Shenzhou Human Resources Development Services.

As of October 2020, no fewer than 12 Xiaoruizhi actors whom we named previously were on the books of Wuhan Shenzhou Human Resources Development Services.

We again see some familiar characters, graduates of Wuhan Kerui Cracking Academy who left feedback: Xiong Wang, Li Yilong, Hu Jiaxiang (whom we did not name but who can be found on Kerui’s website) and Huang Zhen. Moving on to a human resources company can’t have been part of their plan following their elite hacker training, right?

Wuhan Shenzhou Human Resources appears to be legitimate, at least in the sense that it’s probably a real company. It’s got its own website, which is a start, on which it claims to have 500 square meters of office space and a labor force of 4,000 people. Impressive. 

WSHRS claims to specialize in labor dispatch, labor outsourcing, subcontracting and headhunting, among a number of other noble pursuits. This provides a clue. The practice of labor dispatch in China is a process by which employees are hired through an employment services agency and contracted out to an end user, as opposed to the traditional practice of direct employment. The workers sign contracts with the employment services agency rather than with the end user of their services. It’s our best guess here at team I-T that Wuhan Shenzhou Human Resources now acts as labor dispatch for these 12 APT31 employees, dispatching them out to, well, APT31, or as others may know it, the MSS’s Hubei State Security Department cyber-espionage program.

Hubei Chuangxin 

Our next front company came to us via the gift that has given generously throughout this investigation: social insurance. Specifically, the social insurance records for Liao Xuliang and Zhou Xin.

For our purposes, the most interesting rows of these documents are at the very bottom right. For both Liao and Zhou the entry marked 201912, i.e. the insurance contribution for December 2019, was registered to Wuhan Xiaoruizhi. But from 202001, January 2020, onwards, insurance contributions are registered to Hubei Chuangxin Human Resources Department. 

Readers, if you’re anything like us, the span of your interest in Chinese human resources service providers will be limited, so we will spare you too much detail here. But it certainly looks, per the screenshots below, like Hubei Chuangxin provides labor dispatch services in exactly the same way as Wuhan Shenzhou, that is, most probably contracting Liao and Zhou back to the MSS (APT, oops – sorry, typo…).

Wuhan Juge/Hubei Win Future 

Moving on. A contributor speaking on condition of anonymity provided us with information that a further 12 former employees of Wuhan Xiaoruizhi Science and Technology were now in receipt of subsidies under a separate company, Wuhan Juge Enterprise Management:

  • Chang Zhen 常振
  • Zhang Chaofeng 张超锋
  • Wan Guangcan 万光灿
  • Tu Meng 涂梦
  • Yan Wenlong 鄢文龙
  • Gu Chengwu 顾成武
  • Liu Chencheng 刘晨成
  • Huang Jin 黄金
  • Zuo Hequn 左鹤群
  • Li Haiqing 李海青
  • Yuan Hongxi 苑红曦
  • Hou Qiang 侯强

Wuhan Juge appears to have a number of branches across Wuhan City, and has a wildly diverse business portfolio, which includes (deep breath): Enterprise management, marketing planning, human resource services, loading and unloading, general cargo warehousing services, storage (excluding dangerous goods!), communication engineering construction and maintenance, and, most randomly, sales of automobiles. Seriously impressive range for a company staffed in large part by APT31.

Digging into the shareholders and management of Wuhan Juge we found something interesting. The main shareholders are as follows: 

  • 武汉云栖传媒有限公司 Wuhan Yunqi Media Co. Ltd. – main shareholder. 
  • 腾飞 Teng Fei
  • 王道强 Wang Daoqiang  

All three are also shareholders of another company called Hubei Win Future Enterprise Management AKA Hubei Win Future Technology.  Similarly, the legal representative, GAN Chunyan, is the same for both companies, as is the registered phone number, 18995647475: 

So, there is considerable overlap in personnel/management between Juge and Win Future. Hubei Win Future, according to a congratulatory article about a semi-recent recruitment drive, is a human outsourcing company of China Telecom. It focusses on the recruitment of technical personnel and providing technical talent services for China Telecom’s business. 

According to the article, prospective employees can expect to enjoy all of China’s most significant holidays as leave. Lucky them. 

We had a source do some digging into Hubei Win Future to see if the overlap with Juge held any significance for us. And what do you know? We found another Xiaoruizhi employee. Cheng Feng. Looks like Wuhan Yunqi Media, Teng Fei and Wang Daoqiang own an APT front company empire!

Sensing we were on to something, we continued to look at Hubei Win Future and found a new link. A phone number registered to Hubei Win Future, 18995647475 was also registered to one Hubei Junxinda. 

Furthermore, historic ownership data shows that Hubei Junxinda was once a 25% shareholder of Hubei Win Future, and Hubei Win Future has been, according to internal reports, Hubei Junxinda’s principal supplier (although of what, we don’t know; perhaps personnel?):

Hubei Junxinda looks like a real company; various websites list numerous employees and a number of the projects that Junxinda has won and in-depth reports such as the one above pore over its finances. It also has its own website:

A friend of I-T investigated their premises on our behalf, and found a secure facility at Hubei Junxinda’s address. Here is some imagery of their entrance hall: 

Here, we have to admit, our curiosity was piqued, but we ran out of road. We didn’t find any additional APT31/Xiaoruizhi employees and were not able to uncover any more on the goings on behind closed doors at Wuhan Juge, Hubei Win Future, and Hubei Junxinda. Any tips, give us a shout. 
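The pivots used in this section (the same shareholders, the same legal representative, the same registered phone number appearing on several company records) generalise into a small entity-linking routine. The following is an added example written for this page, not code from the Intrusion Truth team: the first three registry rows carry only the overlaps the post describes, the two “Example” companies are made up as controls, and the rule that one strong pivot or two weak ones is needed before two companies are joined is our assumption, not something the post states.

```python
from collections import defaultdict
from itertools import combinations

# Constructed registry extracts. The first three rows reproduce only the overlaps
# the post describes; their other fields, and the last two companies, are made up.
COMPANIES = [
    {"name": "Wuhan Juge Enterprise Management",
     "shareholders": {"Wuhan Yunqi Media", "Teng Fei", "Wang Daoqiang"},
     "legal_rep": "Gan Chunyan", "phone": "18995647475"},
    {"name": "Hubei Win Future Enterprise Management",
     "shareholders": {"Wuhan Yunqi Media", "Teng Fei", "Wang Daoqiang"},
     "legal_rep": "Gan Chunyan", "phone": "18995647475"},
    {"name": "Hubei Junxinda",
     "shareholders": set(), "legal_rep": None, "phone": "18995647475"},
    {"name": "Example Trading Co",        # made up; shares one common-name shareholder
     "shareholders": {"Teng Fei", "Li Wei"}, "legal_rep": "Li Wei", "phone": "13900000001"},
    {"name": "Example Logistics Co",      # made up; shares nothing
     "shareholders": {"Zhang San"}, "legal_rep": "Zhang San", "phone": "13900000002"},
]

STRONG_FIELDS = ("phone", "legal_rep")   # rarely collide by chance: one hit is a real pivot


def pivot_links(companies):
    """{(a, b): [(field, value), ...]} for every pair sharing a registry attribute."""
    index = defaultdict(set)             # (field, value) -> {company names}
    for c in companies:
        for field in STRONG_FIELDS:
            if c.get(field):
                index[(field, c[field])].add(c["name"])
        for holder in c.get("shareholders", ()):
            index[("shareholder", holder)].add(c["name"])
    links = defaultdict(list)
    for (field, value), names in index.items():
        for a, b in combinations(sorted(names), 2):
            links[(a, b)].append((field, value))
    return {pair: sorted(evidence) for pair, evidence in links.items()}


def is_credible(evidence):
    """A strong pivot, or at least two independent weak ones: a lone shared
    shareholder name is too easy to get by coincidence (assumed threshold)."""
    strong = sum(1 for field, _ in evidence if field in STRONG_FIELDS)
    return strong >= 1 or len(evidence) - strong >= 2


def clusters(companies):
    """Connected components over credible links, largest first (union-find)."""
    parent = {c["name"]: c["name"] for c in companies}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (a, b), evidence in pivot_links(companies).items():
        if is_credible(evidence):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for name in parent:
        groups[find(name)].add(name)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))


if __name__ == "__main__":
    for pair, evidence in pivot_links(COMPANIES).items():
        print(pair, "credible" if is_credible(evidence) else "weak", evidence)
    print(clusters(COMPANIES))
```

Run as-is it prints the evidence for each pair and then the clusters; Juge, Win Future and Junxinda land in one group (Junxinda joins on the phone number alone), while the company that merely shares the name “Teng Fei” with Juge stays out. Any registry field can be added to the index in the same way; the threshold is the part to tune against how noisy the field is.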

So, referring back to our original list of Xiaoruizhi employees, we’ve collated as many of their follow-on destinations as we can. 

Chinese | Pinyin | Destination after Xiaoruizhi
曹锦芳 | Cao Jinfang | ?
常振 | Chang Zhen | Wuhan Juge Enterprise Management
程鼎 | Cheng Ding | ?
程锋 | Cheng Feng | Hubei Win Future
顾成武 | Gu Chengwu | Wuhan Juge Enterprise Management
侯强 | Hou Qiang | Wuhan Juge Enterprise Management
胡嘉祥 | Hu Jiaxiang | Wuhan Shenzhou Human Resources
黄增辉 | Huang Zenghui | Wuhan Shenzhou Human Resources
黄震 | Huang Zhen | Wuhan Shenzhou Human Resources
黄振 | Huang Zhen | ?
李海青 | Li Haiqing | Wuhan Juge Enterprise Management
李家诚 | Li Jiacheng | Wuhan Shenzhou Human Resources
李圣胜 | Li Shengsheng | Wuhan Shenzhou Human Resources
李义龙 | Li Yilong | Wuhan Shenzhou Human Resources
廖绪良 | Liao Xuliang | Hubei Chuangxin Human Resources
刘晨成 | Liu Chencheng | Wuhan Juge Enterprise Management
刘宏伟 | Liu Hongwei | Wuhan Shenzhou Human Resources
马欢 | Ma Huan | Wuhan Shenzhou Human Resources
唐星昭 | Tang Xingzhao | Wuhan Shenzhou Human Resources
涂梦 | Tu Meng | Wuhan Juge Enterprise Management
万光灿 | Wan Guangcan | Wuhan Juge Enterprise Management
王意军 | Wang Yijun | Wuhan Shenzhou Human Resources
魏耀斌 | Wei Yaobin | Wuhan Shenzhou Human Resources
熊旺 | Xiong Wang | Wuhan Shenzhou Human Resources
鄢文龙 | Yan Wenlong | Wuhan Juge Enterprise Management
杨鑫 | Yang Xin | Wuhan Shenzhou Human Resources
苑红曦 | Yuan Hongxi | Wuhan Juge Enterprise Management
张超锋 | Zhang Chaofeng | Wuhan Juge Enterprise Management
张立业 | Zhang Liye | Wuhan Shenzhou Human Resources
赵光宗 | Zhao Guangzong | ?
周鑫 | Zhou Xin | Hubei Chuangxin Human Resources
左鹤群 | Zuo Hequn | Wuhan Juge Enterprise Management

We still have a few gaps, but we are pretty pleased that we have been able to piece together as much as we have.

Now, we may never know what happened at Xiaoruizhi at the end of 2019 that caused APT31 to pursue a mass career change.  Perhaps Xiaoruizhi had simply served its time as an APT front and the powers that be needed to move APT31 into different administrative structures. 

Any light that our readers can shed would, as always, be gratefully received.

intrusiontruth
http://intrusiontruth.wordpress.com/?p=1717
MiSSing links
Tags: APT31, #apt, #apt31, #cyberthreat, #mss, #wuhan

We haven’t quite finished with Mr. Cheng yet. We have one final document to share from Cheng’s cloud: a photo of a handwritten note, a series of names, and differing currency values.

Now, we can’t make out the name in the top left, but we are pretty sure that this is a cast list of Cheng’s colleagues. Some of these names are old hat by now: Huang Zhen, Li Yilong, and Huang Zhen #2, for example, take up the bottom three rows. We also have some others we named earlier: Hou Qiang, Wan Guangcan, Chang Zhen, and Zhang Chaofeng. 

Not entirely surprising; we have already established the fact that Cheng and these other individuals work for the same front company. But one name caught our eye, occupying the top line of the table:  崔总 or Chief Cui. 

This seems like an apt time (if you’ll pardon the pun) to return to our disgruntled whistle-blower at Wuhan Xiaoruizhi. Among the individuals they outed as being part of the Wuhan-based hacking team operating out of Xiaoruizhi were two MSS officers: Chief Wen and Chief Cui.

The eagle-eyed amongst you might also recognize Chief Wen from an image in the previous article, on the price list of routers, firewalls, and network cables that Cheng had. 

Now we had a really good dig into Chang Jiang AKA Chief Cui and Li Yue AKA Chief Wen. Unfortunately, we could not find anything conclusive, which is possibly indicative of the level of personal operational security one might expect of the mighty MSS. In the absence of anything more concrete, Chief Cui’s name on a list in Cheng Feng’s possession alongside a number of Xiaoruizhi employees, and Chief Wen’s name on another document in Cheng Feng’s possession, at least add weight to our Breachforums friend’s assertion that Cui and Wen maintain links to the company.

This got us thinking: we wonder who else works in and around Wuhan Xiaoruizhi who has MSS links? 

Zhou Yuan

Thankfully, our investigation into Cheng Feng gave up one more lead. Some of the databases we queried looking for Cheng’s credentials contained access logs for the services. We knew Cheng didn’t work in a vacuum; in fact, we already knew he was one of many employees at Xiaoruizhi. So, we wondered if we could find any more of his colleagues based on his IP history. Analysis of three Wuhan Chinanet IP addresses indicated that through much of 2015, Cheng Feng’s accounts were co-located with an account owned by one Zhou Yuan (周源).
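The co-location check described above, as an added example that is not part of the original post and uses none of the investigation’s data: the access-log rows and IP addresses below are constructed for illustration. Two accounts are treated as co-located when they log in from the same address in the same calendar month, and addresses used by many distinct accounts are discarded, because a carrier-grade NAT or campus proxy makes everyone behind it look co-located. The threshold of five accounts per address is an assumption for the sample, not a rule from the post.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access-log rows: (account, source IP, login time). The addresses are
# placeholders in Chinanet-style ranges, not the IPs from the investigation.
SAMPLE_LOGS = [
    ("cheng_feng", "58.48.0.10", "2015-02-03T09:14:00"),
    ("cheng_feng", "58.48.0.10", "2015-03-11T21:02:00"),
    ("cheng_feng", "58.48.0.11", "2015-05-19T08:40:00"),
    ("cheng_feng", "59.172.16.5", "2015-09-02T19:55:00"),
    ("cheng_feng", "221.234.1.1", "2015-06-07T12:00:00"),    # busy shared NAT address
    ("zhou_yuan", "58.48.0.10", "2015-02-20T23:10:00"),
    ("zhou_yuan", "58.48.0.11", "2015-05-04T07:31:00"),
    ("zhou_yuan", "59.172.16.5", "2015-09-15T20:12:00"),
    ("zhou_yuan", "59.172.16.5", "2015-10-01T18:45:00"),
    ("coincidence", "58.48.0.10", "2016-03-08T10:00:00"),   # same IP, a year later
    ("bystander", "221.234.1.1", "2015-06-09T13:20:00"),
] + [(f"nat_user_{i}", "221.234.1.1", f"2015-06-1{i}T11:00:00") for i in range(5)]


def parse_logs(rows):
    return [(acct, ip, datetime.fromisoformat(ts)) for acct, ip, ts in rows]


def colocated_accounts(records, target, max_accounts_per_ip=5):
    """Accounts seen from an IP the target also used, in the same calendar month.
    IPs used by more than max_accounts_per_ip distinct accounts are ignored:
    sharing a NAT or proxy address with the target is not evidence of anything."""
    months = defaultdict(lambda: defaultdict(set))   # account -> ip -> {YYYY-MM}
    users_of_ip = defaultdict(set)                     # ip -> {accounts}
    for acct, ip, ts in records:
        months[acct][ip].add(ts.strftime("%Y-%m"))
        users_of_ip[ip].add(acct)
    target_ips = months.get(target, {})
    hits = {}
    for acct, ips in months.items():
        if acct == target:
            continue
        shared = []
        for ip in sorted(ips.keys() & target_ips.keys()):
            if len(users_of_ip[ip]) > max_accounts_per_ip:
                continue
            overlap = ips[ip] & target_ips[ip]
            if overlap:
                shared.append((ip, sorted(overlap)))
        if shared:
            hits[acct] = shared
    return hits


def rank(hits):
    """Strongest candidates first: most distinct shared IPs, then most shared months."""
    return sorted(hits, key=lambda a: (-len(hits[a]), -sum(len(m) for _, m in hits[a]), a))


if __name__ == "__main__":
    found = colocated_accounts(parse_logs(SAMPLE_LOGS), "cheng_feng")
    for acct in rank(found):
        print(acct, found[acct])
```

On the sample only zhou_yuan survives: the account that used one of the same addresses a year later has no overlapping month, and everyone behind the shared NAT address drops out once the per-IP cap is applied (raise `max_accounts_per_ip` and they all reappear, which is exactly the false-positive class the cap exists for).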

Now we have been giving everyone the deep dive treatment, and our friend Zhou is no different. We couldn’t find much trace of him on social media, but thankfully the gods of breached data continued to smile on us. We again worked with a trusted contact who was able to gain access to one of Zhou’s Cloud hosting accounts. Here we have, from that Cloud account, two 2016 photos of our friend Zhou in glorious selfie style. 

The uniform he is wearing is one used by both the Chinese Ministry of Public Security and the MSS. The two are near identical, but for a couple of distinguishing factors. The first, characters on the arm badge, above the orange and beneath the word ‘POLICE’.

[Image: MPS “公安” (Public Security) badge on left; MSS “国安” (State Security) badge on right]

In his left-hand selfie, these characters are not visible on Zhou’s uniform – we can’t be sure if he has pixelated them. If he has, what is he trying to hide?

The second distinguishing factor can be found on the pin on Zhou’s chest, which conveniently is visible. 

A closer look at Zhou’s pin: 

Zhou’s badge reads  “国安” or State Security; distinct from MPS badges which display the province name as below:

[Image: MPS badge for “广东” (Guangdong)]

So, we are pretty confident that Zhou is wearing an MSS uniform. 

Zhou’s selfies also provided us with another gift. Metadata. In this case, geolocating Zhou to the headquarters of the Hubei State Security Department. 
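The geolocation step above works because the GPS sub-IFD of a photo’s Exif block stores latitude and longitude as degree/minute/second rationals plus a hemisphere letter. Below is an added example, not code from the post, that builds a minimal JPEG carrying such a block (the coordinates are constructed, roughly central Wuhan, and come from no real photo) and then parses it back without any imaging library: it walks the JPEG marker segments to the Exif APP1, reads the TIFF header and IFD0, follows the GPSInfo pointer, and converts the rationals to decimal degrees. It returns None when the GPS tags are absent, which is what a stripped or re-encoded image looks like.

```python
import struct

TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_gps_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: a minimal JPEG whose Exif APP1 segment holds a
    little-endian TIFF containing only a GPS sub-IFD with tags 1-4."""
    gps_ifd_off = 8 + 2 + 12 + 4                 # TIFF header + one-entry IFD0
    data_off = gps_ifd_off + 2 + 4 * 12 + 4      # rationals stored after the GPS IFD
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_ifd_off)
            + struct.pack("<I", 0))
    entries = [
        struct.pack("<HHI4s", GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0\0\0"),
        struct.pack("<HHII", GPS_LAT, TYPE_RATIONAL, 3, data_off),
        struct.pack("<HHI4s", GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0\0\0"),
        struct.pack("<HHII", GPS_LON, TYPE_RATIONAL, 3, data_off + 24),
    ]
    gps_ifd = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    rationals = b"".join(struct.pack("<II", round(v * 10000), 10000)
                         for v in (*lat_dms, *lon_dms))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd + rationals
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def exif_from_jpeg(jpeg):
    """Walk the JPEG marker segments; return the TIFF payload of the Exif APP1
    segment, or None when the image carries no Exif at all."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):           # EOI / SOS: metadata segments are over
            return None
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return payload[6:]
        pos += 2 + seg_len
    return None


def _read_ifd(tiff, off, e):
    """{tag: (type, count, raw 4-byte value-or-offset)} for the IFD at off."""
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    out = {}
    for i in range(n):
        p = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[p:p + 8])
        out[tag] = (typ, count, tiff[p + 8:p + 12])
    return out


def _rationals(tiff, raw, count, e):
    off = struct.unpack(e + "I", raw)[0]
    vals = []
    for i in range(count):
        num, den = struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    return vals


def gps_from_exif(tiff):
    """(lat, lon) in decimal degrees, or None if the GPS IFD or its coordinate
    tags are missing (e.g. stripped by a messaging app or a careful uploader)."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None or struct.unpack(e + "H", tiff[2:4])[0] != 42:
        raise ValueError("not a TIFF header")
    ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0], e)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def to_deg(dms, ref):
        d = dms[0] + dms[1] / 60 + dms[2] / 3600
        return -d if ref in ("S", "W") else d

    lat = to_deg(_rationals(tiff, gps[GPS_LAT][2], 3, e), gps[GPS_LAT_REF][2][:1].decode())
    lon = to_deg(_rationals(tiff, gps[GPS_LON][2], 3, e), gps[GPS_LON_REF][2][:1].decode())
    return lat, lon


# Constructed coordinates (roughly central Wuhan); not taken from any real photo.
SAMPLE_JPEG = build_gps_jpeg((30, 35, 12.5), "N", (114, 18, 40.0), "E")

if __name__ == "__main__":
    print(gps_from_exif(exif_from_jpeg(SAMPLE_JPEG)))   # (30.58680555..., 114.31111111...)
```

Point `exif_from_jpeg` at the bytes of a real file and the same parser applies; the only difference is that a camera’s IFD0 has many more entries and the GPS IFD may carry altitude and timestamp tags too, which `_read_ifd` simply keeps in its dictionary. The one caveat a practitioner needs is the inverse of the investigation’s luck: most social platforms strip this segment on upload, so finding coordinates at all already tells you the image reached you by a less processed route.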

Zhou looks so young and innocent that we almost feel guilty. But then, if you are going to take selfies in an MSS uniform…in an MSS building… As they say in China 凡动刀的,必死在刀下. Those who live by the sword, die by the sword. 

Demonstrating the longevity of Zhou’s affiliation with the MSS, we also found a 2018 photo again geolocated to what appears to be the secure car park of the same imposing building. 

Now, we can’t be sure of Zhou Yuan’s true employer. But we can say for sure that he is an employee of the Chinese government, and at very least was affiliated with the MSS over a period of several years. 

So, we have a possible MSS officer regularly connecting to personal accounts from the same IP addresses as Cheng Feng, an employee of a supposedly private Wuhan-based technological enterprise. Strange, certainly, but not a smoking gun which proves Wuhan Xiaoruizhi’s links to the MSS beyond reasonable doubt. After all, spies have friends just like normal people, and Cheng and Zhou could be just that. 

We found one more photo in Zhou’s possession which we think brings our story nicely full circle, and it is where we will leave you, for now at least.

This, dear reader, is part of the official business registration certificate for Wuhan Xiaoruizhi Science and Technology. Why, you might ask, does a possible MSS officer hold the registration certificate for a private technological enterprise? Surely, someone holding such an important document has to have some kind of senior oversight or administrative role in the company itself?  At the very least, he is linked to the company. 

At team Intrusion Truth we are satisfied that Zhou having a photo of this certificate, and being regularly collocated with a Xiaoruizhi employee, bears out our theory that Wuhan Xiaoruizhi is not a private enterprise; instead it is a front for an MSS-sponsored APT. Zhou Yuan probably has a role in running the APT, along with his probable MSS colleagues Chief Cui and Chief Wen. 

This has been a wild ride. How about we summarize how we got here. 

We have found a suspicious hacking school whose owner has links to the MPS and MSS, and whose graduates go on to mysterious destinations and private companies supporting the government. One such destination is what looks to be a fishy APT front company. Said front company has a disgruntled employee leaking sensitive documents online and alleging that the company is affiliated with an elite hacking team in Wuhan. An employee of the front company bears out its links to Kerui Cracking Academy, and has material in his possession which supports his affiliation with APT31. Said employee has more material in his possession indicating links to two MSS officers who have already been doxed on the darkweb as part of Xiaoruizhi. This employee is also regularly collocated with a possible third MSS officer, who in turn has, in his possession, Xiaoruizhi documents. 

One thing is for sure. All is not as it seems at Xiaoruizhi. 

And now a plea to you: what else can you find on these individuals? Can you help us tighten Xiaoruizhi’s attribution to APT31? 

Goodbye for now, but we will be back. We still have more to share on Xiaoruizhi and friends – 等着瞧. 

intrusiontruth
http://intrusiontruth.wordpress.com/?p=1558
Introducing Cheng Feng
APT31 · #apt #apt31 #cyberthreat #mss #wuhan · intrusiontruth

You might be wondering why we have picked on Cheng Feng. Just a hard-working cyber security professional, right? Well, wrong, as it turns out. Cheng Feng helped us deduce what APT Wuhan Xiaoruizhi is a cover for. 

As regular readers will know, Intrusion Truth is nothing without its global network of supporters. We had to reach out for support investigating Cheng Feng using the start points from his insurance certificate, and one of our collaborators came through with the goods. A cache of emails, documents, and photos from a cloud storage account belonging to Cheng. 

Let’s start here:

On 14th June 2019, Mr. Cheng sent an email to an address he believed to belong to the Kerui Cracking Academy. He presented himself as a security company in Wuhan which had heard that Kerui’s graduates were excellent, and asked when the next graduation date was. Well, well, well. It looks like our suspicions of Kerui were correct: not only have several Kerui graduates gone on to Wuhan Xiaoruizhi, we also now have Xiaoruizhi employees attempting to snap up its graduates. Looks like Kerui might be a pipeline into Xiaoruizhi after all. 

Let’s continue. 

A deeper dive into Cheng’s documents revealed the beginnings of overlap between his apparent research interests and those of APT31. 

CISCO router exploitation:

Here we have Cheng, presumably in the course of his work duties, accessing the configuration manual for Cisco broadband routers. 

Cheng Feng’s document cache contains a number of indications that he possessed, purchased, or tested configurations (possibly for router exploitation) on a range of router models, including small office/home office (SOHO) devices such as the Huawei Echolife, Huawei AR151-S, Cisco 2911/K9 and Cisco 1721 routers.

Bottom image reads: sold by Chief Wen 2015.8.4

  • 1 Service Router: CISCO 2911/K9
  • 2 VPN Routers Huawei: AR151-5
  • 1 Firewall: Huawei USG2130
  • 1 Layer 3 Switch: Huawei 5700-28C-SI
  • 3 Layer 2 Switches: Huawei 1728GWR-4P
  • 4 Gigabit Network Switches: 8 Huasan (H3C) S1208
  • 1 Network Cable: AMP Cat 6 GB (305M)
  • 1 RJ Connector: Box (100 piece/box)
  • 5 Wireless NICs: TPLINK 300M Wireless
  • 1 Network Cable: Tester Wire Tracer
  • 1 Network Plier: Sanbao Brand
  • 15 IBM jumpers

APT31 is famous for router exploitation. APT31 hit the press in France over summer 2021, accused by the French cyber security agency of launching a major hack targeting French entities which utilized a network of more than 1000 compromised routers, including Pakedge, Sophos and Cisco routers. These routers were compromised and leveraged as anonymization relays, before APT31 carried out reconnaissance and attack activities. The listed devices in particular are SOHO routers, which APT31 have been exploiting since at least November 2019. 

So – here we have Cheng in possession of a manual for Cisco routers and of a number of different SOHO router devices. Could this have been his process for beginning to learn to exploit them? 

APT IoT

Next. In August 2017, Cheng created a task intriguingly labelled “做了什么 apt31 物联网”, or ‘what did APT31 IoT do’/’what did APT 31 do with regards to IoT’.

We know from our previous discussion that APT31 is known to exploit IoT devices, in particular SOHO routers, to form part of their operational infrastructure. And APT31 is clearly on Cheng’s mind. In addition, the timing of the task in August 2017 was prior to public exposure of APT31’s involvement in IoT/router exploitation, indicating that Cheng had insider knowledge of APT31’s TTPs. Perhaps because he is APT31?

Clibcom 

We’ll leave you with one more clue which we think rounds things out nicely. Mr. Cheng also had in his possession a 2015 photo of a computer screen showing usernames and passwords for 58.55.127.233. 

On investigating this IP address, we discovered that it’s hosted in Wuhan. From March 2015 it hosted webmail.dnsapple.com, and from 2017 it hosted Clibcom.com. An industry source told us that clibcom.com was previously attributed to APT31. Can anyone help us verify this? 

We are pretty confident that Cheng is affiliated with APT31. He has material indicating his interest in Cisco and SOHO router exploitation, known TTPs of APT31. Notes on his phone indicate he is thinking about APT31 and, presumably, their exploitation of IoT devices, and he has the login credentials for an IP which a source has attributed to APT31. 

Overall, things are heating up. We’ve linked the hacking school to the MSS via its owner. We’ve linked the hacking school to Xiaoruizhi via its employees and its poaching of graduates. And we have enough information to tentatively link Xiaoruizhi in turn to APT31. But, there’s one missing link. The MSS. 

intrusiontruth
http://intrusiontruth.wordpress.com/?p=1543
Trouble in Paradise
APT31 · #apt #apt31 #cyberthreat #mss #wuhan · intrusiontruth

Our last article left you on a cliff edge. What did we find on the dark web which proved so illuminating? 

Well, it would seem things at Wuhan Xiaoruizhi are not all well.

In a post which was later redacted, and then disappeared with the downfall of breachforums, someone claiming to be a representative of a disaffected hacker offered to sell the identities of 100 of their colleagues from an ‘elite hacking team’ in Wuhan.

The poster goes on to claim that Wuhan Xiaoruizhi was a cover company for MSS hacking activity in Wuhan. The company had a few teams working for the MSS, but in 2020, teams started working under new companies.  

These are some astonishing claims, but at team Intrusion Truth we are nothing if not diligent and wanted to get to the bottom of this ourselves. Could we also link Wuhan Xiaoruizhi to the MSS? Could we link it to an APT? 

One thing was for sure, Wuhan Xiaoruizhi deserved more of our attention. We searched far and wide for months to gather more information on who works or has worked there. Inspired by our success with Xiong Wang’s insurance record, we decided to widen the net. After months of effort, we found the gem we had been waiting for: the social insurance records for Wuhan Xiaoruizhi. 

To spare the reader endless documents, we have collated as many names as we could find of people who work or have worked at Wuhan Xiaoruizhi: 

Chinese    Pinyin
曹锦芳     Cao Jinfang
常振       Chang Zhen
程鼎       Cheng Ding
程锋       Cheng Feng
顾成武     Gu Chengwu
侯强       Hou Qiang
胡嘉祥     Hu Jiaxiang
黄增辉     Huang Zenghui
黄震       Huang Zhen
黄振       Huang Zhen
李海青     Li Haiqing
李家诚     Li Jiacheng
李圣胜     Li Shengsheng
李义龙     Li Yilong
廖绪良     Liao Xuliang
刘晨成     Liu Chencheng
刘宏伟     Liu Hongwei
马欢       Ma Huan
唐星昭     Tang Xingzhao
涂梦       Tu Meng
万光灿     Wan Guangcan
王意军     Wang Yijun
魏耀斌     Wei Yaobin
熊旺       Xiong Wang
鄢文龙     Yan Wenlong
杨鑫       Yang Xin
苑红曦     Yuan Hongxi
张超锋     Zhang Chaofeng
张立业     Zhang Liye
赵光宗     Zhao Guangzong
周鑫       Zhou Xin
左鹤群     Zuo Hequn

And here are some examples of the documents which form the basis of this list: 

Cheng Ding insurance record

Zhao Guangzong insurance record

Zhang Chaofeng insurance record

Xiong Wang insurance record 

You might recognize some of the names on the larger list: 黄振 AKA Huang Zhen, 黄震 AKA Huang Zhen, and 李义龙 Li Yilong were also satisfied customers of Kerui Cracking Academy from Article 2. Don’t you just love it when things come full circle? Could it be that the ‘undisclosed private company supporting the government’ Li Yilong claimed to work at is none other than Wuhan Xiaoruizhi itself? Could Kerui be a pipeline into Xiaoruizhi? 

Beyond getting reacquainted with our old friends above, this list of employees provided a number of interesting leads. But one of the names cracked our case wide open. Meet Cheng Feng. 

intrusiontruth
http://intrusiontruth.wordpress.com/?p=1527
All roads lead back to Wuhan… Xiaoruizhi Science and Technology Company
APT31 · #apt #apt31 #cyberthreat #mss #wuhan · intrusiontruth

As our readers know from our investigation into Hainan Xiandun Technology Development Company, the Intrusion Truth team have become quite adept at spotting a fishy front company when we see one. 

Typically, these are ‘companies’ with a generic-sounding ‘technology’ name and a minimal online presence. They often post adverts on university websites looking for graduates with offensive cyber skills and, very importantly, foreign language expertise. The language of the adverts is vague, and often recycled from other, similar adverts posted online. The front companies provide contact details which just don’t seem to add up – such as numbers shared by other businesses. So, when we began investigating Wuhan Xiaoruizhi Science and Technology Company, it soon became clear that we were onto a winner. 

We started with a 2017 job advert posted by the School of Computer and Information Engineering, Hubei University. 

Looking for a number of software and system development engineers, Wuhan Xiaoruizhi describes itself as working in the ‘network security field’, and being vaguely located ‘near Wuhan Optics Valley’. Prospective applicants should be proficient in C and C++, scripting languages such as python, JavaScript and php, as well as IDA and OD. They should be familiar with automated testing processes, and web frameworks. Oh, and they must be au-fait with vulnerability mining. In fact, vulnerability mining is so important to Wuhan Xiaoruizhi, in this small university flyer, it is mentioned no less than three times. 

A further search of Wuhan Xiaoruizhi reveals another advert posted on a university jobs site – the College of Foreign Languages at Huazhong Agricultural University. This time, Xiaoruizhi is looking for English majors to become analysts who will be responsible for ‘information collection, processing and text editing’ in Chinese and English. 

Xiaoruizhi gives us an introduction to the company, which is committed to providing ‘information processing, industry research and big data analysis’ for customers, which include ‘relevant government departments’. We also get to know more about the company’s ‘ethical research and consulting team’, ‘win-win approach’ and its ‘concept of integrity-based innovation’. Only the company isn’t that innovative – nor does it have much integrity: such wording appears to be a word-for-word copy of a description from another company’s job advert in Shenzhen: Shenzhen Prothinker Consulting. 

Shenzhen Prothinker

So what is it about Shenzhen Prothinker Consulting that got Wuhan Xiaoruizhi so inspired? Well, funnily enough, Shenzhen Prothinker was also on the lookout for English speakers with interests in politics, and graduates with computer-related majors. Hmm. Unfortunately, the website for Prothinker is now defunct. However, there is still some information out there on Baidu about the company. The legal representative of Shenzhen Prothinker was a Huang Ruohang, and the address for the company is listed as Room 2511, 25th Floor, Oriental Science and Technology Building, Science and Technology Park, Yuehai Street, Nanshan District, Shenzhen.

A search for “Huang Ruohang” (Chinese characters given below) showed that Huang Ruohang was also listed as the executive director for Shenzhen Zhongan Domain Technology Company. And as ‘coincidences’ would have it, Shenzhen Zhongan Domain Technology Company was also once located on the 25th Floor of the Oriental Science and Technology Building in Nanshan District Shenzhen. 

Shenzhen Zhongan Domain Technology Company appears to be also known, according to its branding, as ZIONSEC. ZIONSEC describes itself as providing ‘advanced solutions for national security issues such as national defense and intelligence’ to ‘help the dream of a powerful country’.

Sounds…suspicious. 

Let’s park the shenanigans in Shenzhen for now and return to Wuhan. Who actually works at the Xiaoruizhi Science and Technology Company and what do they do? Unfortunately, this technology company doesn’t have its own website, but we do have the name of the manager, Deng Zhiyong. 

Deng is an interesting character. Aside from holding official titles at no less than three (!) government-affiliated organizations (Director of the Foreign Exchange Center, Ministry of Science and Technology China; Director of the Hubei Wuhan China/Russian Technologic Cooperation Center; Chief of Department of Steelworks Management Administration, Dongxi, Wuhan), our friend Deng also seems to have a thing for Russian lasers. 

We will return to this in a later article. It’s a wild ride. 

A phone number which seems to be linked to Mr. Deng also seems to be used by both a construction company and a ‘business information consulting company’. Quite the diverse business empire. 

So, to summarize, we have a sketchy-looking company in Wuhan looking for vulnerability-miners and foreign language experts and linked to a phone number shared between many businesses. Lacking some imagination, the company decides to borrow language used by another sketchy-looking company in Shenzhen, which in turn appears to have some quite considerable overlap with an info-sec company dedicated to national defense and intelligence work. We also have government clients, a CEO with official PRC government titles, and a bonus link to a shifty hacking school. 

You know the drill by now. If it walks like a duck and quacks like a duck…. (should we get that printed on merch?).

Beyond this, Wuhan Xiaoruizhi hasn’t given us much to go on. So, it was time to take our search to the dark web. 

Bingo. 

intrusiontruth
http://intrusiontruth.wordpress.com/?p=1513
The Illustrious Graduates of Wuhan Kerui
APT31 · #apt #apt31 #cyberthreat #mss #wuhan · intrusiontruth

Our last article introduced the mysterious graduates of Kerui Cracking Academy. As luck would have it, said mysterious graduates have left feedback, complete with graduate destinations and contact details on Kerui’s website. 

We won’t bore you by going through each individual piece of feedback – feel free to peruse at your leisure. Suffice it to say that Kerui graduates were pretty pleased with their student experience. But there were a few which we found interesting, and a couple which serve to flesh out Kerui’s links to the government. 

Let’s start here. 

Ouyang Jilei 欧阳继雷 

Ouyang attended the 24th iteration at Kerui and in their feedback provided advice for later generations of Kerui students. How generous. But it was their claim to now be employed by a state-owned enterprise in Wuhan that really caught our eye. Could this be it? Could we finally be on an APT’s trail in Wuhan? 

Moving on: Li Yilong 李义龙

Li attended the 13th class iteration at Kerui. Li was effusive about his time at Kerui, highlighting the sense of humor of his teachers, the laughter in his classes, and how he has harnessed the ‘Kerui spirit’ to overcome challenges since moving to the world of work. Li claims to be working for an ‘undisclosed private company supporting the government’. We did a fair bit of digging here to try and identify said company and managed to link him to one ‘Wuhan Shenzhou Human Resources Services Department.’ Doesn’t sound cyber-y, does it? But we will come back to Wuhan Shenzhou later.

Huang Zhen #1 黄震: 

Huang Zhen #1 attended the 11th Kerui program. Huang’s feedback includes his personal experiences, praise for the faculty members and some study tips for future students, but did not disclose his onward employment. 

Huang Zhen #2 黄振

Huang Zhen #2 attended the same iteration as Li and happily found employment at an ‘undisclosed cyber security company’. Huang 2 thanks his friends for helping him through bumps in the road and credits his teachers with the ability to ‘write code at the speed of flowing water’. He also left his QQ number: 361920879. 

We know what you are thinking. Not much to go on here. But we will return to our friends Li, Huang and Huang in due course.

Xiong Wang 熊旺  

At first glance, Xiong’s feedback is rather nondescript.

He describes how the class helped him and provides some recommendations on study methods for future students. He leaves no contact details or information on graduate destination. But some in-depth digging into Xiong provided our first real lead: his social insurance record.

Social insurance contributions in China are effectively a social security program. They include mandatory insurance schemes, such as pension, medical insurance, and a housing fund. 

Luckily for us, they also list their employer.

As of 2016, Xiong Wang was employed by one Wuhan Xiaoruizhi Science and Technology Company.

intrusiontruth
http://intrusiontruth.wordpress.com/?p=1502
What’s Cracking at the Kerui Cracking Academy?
APT31 · #apt #apt31 #intrusiontruth #mss #wuhan

A brand-new investigation – we know you love it. 

We’re back once more to tell a familiar tale: how an MSS-sponsored APT group – known for its hacking operations around the world – has been caught red-handed. This time, in Wuhan.

It should come as no surprise that Wuhan was already a place of interest to us before the city reached global fame in 2020. Wuhan is home to some of China’s most impressive cyber talent. We knew there were bound to be some shady things going on in the city – all we needed was a lead. 

We got to thinking. We know that not all of China’s best hackers are self-trained – what if they learn together? This thought led us to the tip of our metaphorical iceberg: the Wuhan Kerui Cracking Academy. 

Wuhan Kerui Cracking Academy

When we think of a typical hacker up to no good, a certain image comes to mind. A dingy, dimly-lit bedroom home to a young twenty-something who probably has more computers than friends. But the Wuhan Cracking Academy turns that all on its head, with seemingly big classrooms, stuffed with bright cyber talent.

Established in 2007, the Kerui Cracking Academy prides itself on providing its students the best information security training in the industry, including the ‘most professional reverse security course’ as part of its curriculum. So confident is the school of its teaching abilities that it tells prospective students not to worry about finding a job – in fact ‘almost 100% of students get a job within one month.’ Impressive! 

The ‘Professor X’ of the Kerui Cracking Academy is none other than the international cyber superstar Qian Linsong. Aside from his role as founder of Wuhan Kerui Cracking Academy, Professor Qian Linsong acts as part-time teacher at the National Cyber Security College of Wuhan University, a tutor at the Huazhong University of Science and Technology and the Vice Chairman of Quanzhou Artificial Intelligence Society. 

He is perhaps best known however for his book on C++ disassembly and reverse analysis. Here’s a picture of him in his superstar coat and glasses signing a book for one of his fans:

And for those looking to understand what led Qian to set up Wuhan’s own School for the Gifted, you are in luck. The ever so modest Qian has documented his life in a blog, complete with pictures at Disney World. 

Following an increase in China-US hacking, a youthful Qian started downloading hacking software from websites to tinker with at home. In 2002, at the age of 23, Qian lands a job in the US analyzing products developed by an American company. It’s not long though – only 2 years – before Qian finds himself resigning and moving back to China, taking up a lecturer position at Tsinghua University. 

Reading through his blog you get a sense of Qian the man. An intelligent, dedicated teacher who likes wine and archery as much as he enjoys working in cyber. But it’s not long before you begin to see Qian’s – and Kerui’s – links to the Chinese state…

Alongside the Kerui Cracking Academy, Qian runs a side-hustle as the owner of the Kerui Reverse Technology Company, also founded in 2007. The homepage makes clear that the company has provided ‘technical services for many projects of the Ministry of Public Security and the Ministry of State Security’. So, it is safe to assume that Qian is no stranger to working with Chinese intelligence services. 

We couldn’t help but wonder whether Qian’s cooperation with the MSS runs a little deeper. Is Qian supplying the MSS with freshly trained hackers? Or even up-skilling hackers the MSS have found? Just to add to our suspicions, the Kerui Cracking Academy seems to have kept a close eye on the work destinations of its graduates – with some of them labelled as ‘Mystery Unit’ and ‘Keep Confidential’. 

This got team I-T thinking: this site must be a goldmine for names of people hacking for Chinese intelligence services. We began investigating and struck gold. Kerui Cracking’s ‘Testimonials’ page. 

intrusiontruth
http://intrusiontruth.wordpress.com/?p=1488
No-limits relationship? China’s state hackers scoop up intelligence on Ukraine… and Russia
Russia China Cyber · #apt #cyberthreat #cyberwar #datahoovering #illegalwar #mustangpanda #RussiaUkraine #stonepanda · intrusiontruth · TA428
#2023lifegoals

As we near the end of 2022 we wanted to finish with our opinion related to the Chinese hacker paradise. Not the beaches on Hainan island, but the networks of Ukraine and Russia…

This is something we have taken an interest in since we tweeted about it on 15 March 2022, so we wanted to pull together some of the fantastic work that is out there for our community as a little ‘night cap’ before we get back to shining a light on the Chinese cyber machine, exposing its villainous activity and enabling its hackers to ditch their state-sponsored computers and escape to Hainan island in 2023.

So pull up a chair, grab a drink and snack of your choice and let’s dive in together.

Russian invasion of Ukraine

For a while we have been researching and reporting on Chinese state cyber activity around the globe. Their contempt for the rules-based order is evident, as is their disregard for intellectual property and all the hard work that goes into it.

24 February 2022 is a date that will forever be etched in the minds of the Ukrainian people and the world as the day the Russians decided to invade Ukraine. The images of the atrocities carried out in Bucha by the Russian army are just one example of the horror show being conducted by the Russian military. The world in unison condemned this activity, but the Chinese Communist Party (CCP) was somewhat absent, coming just weeks after President Vladimir Putin and President Xi Jinping declared their “no-limits” partnership. Which makes us question: did the CCP know? Actions speak louder than words.

The Chinese state’s reaction was initially one of neutrality before rolling back as the relationship became an embarrassment to China. Most evident of all was President Xi Jinping signing the final declaration at the G20 summit in Bali, condemning the Russian invasion of Ukraine. Was the partnership ever anything more than a ruse by the CCP?

Now, as we have all seen through the year, it’s not going well. So is the public image of the “no-limits” relationship the full story?

“wait, you are going to invade where?”

Chinese state hackers get involved

In March 2022 the Ukrainian computer emergency response team (CERT-UA) issued a warning about cyberattacks on the country’s police agencies. The activity was via phishing emails with HeaderTip malware included inside weaponized documents. The message, when translated, read “on the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar”, and the archive also included an executable with the same name. All of this could easily point back to Russian state hackers: they are invading Ukraine and as such would want to know what is going on in the country. However, an investigation by SentinelOne identified the link between the HeaderTip malware and “Scarab”, which has links to the Chinese government. This is a fantastic bit of work by SentinelOne, exposing a clear link to the Chinese state. This activity was reported within a couple of weeks of the Russian invasion of Ukraine, with Check Point Research (CPR) also flagging that the “frequency of cyberattacks from Chinese IP addresses around the world jumped 72% in the week from March 14 to March 20, compared with the seven-day period before the Russian invasion of Ukraine began”. Why such an interest from Chinese state hackers in Ukraine? Our next stop is what was happening before the Russian invasion.

On Friday April 1st, 2022, The Times UK released an exclusive outlining the Chinese state’s hacking activity. According to this article, this activity had occurred during the Beijing Winter Olympics up to 23 February 2022 (the day before the Russian invasion of Ukraine). What is interesting is that the source stated the hack was widespread, across “600 websites belonging to the Ukrainian defense ministry” but also “Ukrainian government, medical and education networks”.

Chinese state relationship with Russia

So, are we seeing the “no-limits” relationship at work behind the scenes? Having reviewed other avenues there is a mixed picture. Where we see hacking in Ukraine by Chinese state hackers, we also see reporting of Chinese state hackers targeting Russia itself. Of note, SentinelOne state that the Chinese hacker group Scarab mentioned above has previously targeted Russia in a quest to hack, interpreting the “no-limits” relationship tagline in a different way to the Xi Jinping of early February 2022…

As outlined in the National Interest, the CCP is vying to become a “cyber superpower”. It has the numbers, not necessarily the talent, but is a highly capable thief (just ask all the companies who have lost intellectual property over the years). Is this just the Chinese state stealing all the data for themselves? As Tim Starks and AJ Vincens wrote in July 2022 “the Ukraine war could provide a cyberwarfare manual for Chinese generals eying Taiwan” but you could argue it is more than that. China is surpassing its Russian ‘comrade’ and will take advantage of any opportunity to acquire all the information it can get.

@remonwangxt

Not so much a relationship….

On this note, we move to the Chinese state’s targeting of Russia. We start with a piece by CPR in May 2022. Another phishing attempt, another set of emails, another Chinese state cyber hack, but this time the target was Russian military research and development institutes (with Belarus thrown in for good measure). What is that saying, ‘all is fair in love and war’? Well, we have love between Xi and Putin, but when Putin’s eyes are on Ukraine, Xi is stabbing his comrade in the back. CPR also flagged that this targeting had overlaps with Stone Panda and Mustang Panda. This seems like a home run to us.

In a friendship of equals some are more equal than others… and the Russians seemed to know the Chinese state was hacking them to its heart’s content. Kaspersky identified Chinese state-sponsored hacking activity as early as January 2022. As reported in August by Spiceworks, “Kaspersky blamed Chinese state sponsored hacking group TA428 for a number of phishing attacks targeting industrial plants, research institutes, government agencies and ministries across Russia, Belarus, Ukraine and Afghanistan”. A 17-year-old memory corruption vulnerability (CVE-2017-11882) was the way ‘in’, before TTPs distinctive to TA428 were used and sensitive searches were conducted. Now I don’t know about you, but does the above look like an ally you want in a “no-limits” relationship? What were these Chinese state hackers looking for? If you ask us, the Russians are clearly aware of the Chinese state’s hacking campaign against them. They aren’t exactly covering their tracks. The Russian government is desperate, alone and weaker than ever.

Dragonbridge and fighting back

Yet all hope is not lost. We are aware we are swimming against the tide here; it appears the CCP is relentless and cannot be stopped. But during a Wikipedia edit war, which the hacktivist collective Anonymous states is part of a Chinese influence operation to remove information from Wikipedia, Anonymous hacked the Chinese Ministry of Emergency Management among other websites. It highlights that China’s ‘Great Firewall’ is prone to attacks and exploitation.

The message was on a number of Chinese sites, including on government sites

And on to something we haven’t commented on but wanted to wind up with. It would be rude not to mention the botnet menace from Dragonbridge. First flagged by Mandiant in September 2021, the Chinese state hackers are not only stealing intellectual property but shifting to the influence game. We see Dragonbridge target events in the US and clearly we are hitting them where it hurts, as they turned their attention to us recently in an attempt to shadowban our content. Now – don’t get us wrong. It is nice to be noticed by the Chinese state hackers. It means we are getting under their skin. But it’s a global red line when they are targeting the Ukrainians with disinformation. Now, Dragonbridge hasn’t really been that effective. In our case, having the community identify and flag these accounts has ensured it didn’t really make much of a splash. Thank you to everyone who contributed to spotting Brandi, Monique and the rest of the botnet bandits!

Now, both examples demonstrate that although the CCP want to be seen as a “cyber superpower”, they really aren’t. As a community we can continue to expose Chinese state hacking activity, the actors behind the keys and the hypocrisy of the Chinese state. All it takes is that continued vision from the community to flag this hostile activity, keep running down those leads and continue to help us in our quest for the truth.

And finally…..

So alas, the Chinese state hackers are not sunning themselves on a beach, enjoying some time away from the keys and considering a more productive and fulfilling life away from their CCP puppet masters. Instead, they continue to look for any opportunity to target people, companies or countries. Even when those countries are simply fighting for their independent survival….

We hope that these Chinese state hackers walk away from their keyboards in 2023. However, our New Year’s prediction is that they will continue and as such this community needs to stay the course in exposing malign cyber activity: for our loved ones, for our brothers and sisters in Ukraine and for the hard-working people across the globe whom the CCP steal and hack at will.

As always, you know how to get in touch.

Wherever you may be, we wish all our readers a happy holiday. We will be back in 2023. See you for the fireworks.

Chinese hackers
intrusiontruth
http://intrusiontruth.wordpress.com/?p=1360