Researchers with CrowdStrike yesterday partially confirmed reports from the mysterious APT-hunting group Intrusion Truth, verifying several findings that allegedly draw connections between the threat group APT10 and a Chinese foreign intelligence agency.
Over the previous two months, Intrusion Truth has issued multiple reports on the group, also known as Stone Panda, linking it to the Tianjin Bureau of China's Ministry of State Security (MSS). In a company blog post, CrowdStrike says it has since affirmed several revelations from these reports -- in particular details about two individuals, Gao Qiang and Zhang Shilong, whose identities were uncovered during the attribution investigation.
According to CrowdStrike, Gao owned a blog account that used the handle "fisherxp", a handle previously used in a 2010 spear phishing campaign attributed to Stone Panda; however, the individual deleted the account following Intrusion Truth's exposé.
Intrusion Truth said it has uncovered what appear to be several Uber rides taken by Gao to the MSS Tianjin Bureau's office address, but CrowdStrike so far cannot determine if the Uber receipts are authentic. Nor can it state for certain whether various online photos supposedly showing the owner of fisherxp accounts are the real deal.
Nevertheless, CrowdStrike was able to confirm that another fisherxp account on Chinese technology forum 51CTO remains active, with recent activity that includes the downloading of multiple tools typically associated with Chinese threat groups, including the Gh0st RAT trojan.
Intrusion Truth also reported that Gao listed his contact information in recruitment postings for two separate companies. One of these firms, Laoying Baichen Instruments, seems to share the same Tianjin address with a second company, Tianjin Henglide Technology Co., Ltd., which is listed as a "review center" certified by the China Information Technology Evaluation Center (CNITSEC), a unit of MSS that conducts security reviews of technology that foreign companies intend to use or sell in China.
The other firm Gao represents is Huaying Haitai, which documents show helped organize a network security competition for China's Ministry of Industry and Information Technology. CrowdStrike suspects the company is a front for recruiting operations for MSS cyber operations.
The other individual, Zhang, followed fisherxp's Twitter account (and vice versa), using the handle @baobeilong, or Baby Dragon. According to CrowdStrike, Baobeilong also recently scrubbed some of his online activity, including a GitHub account featuring forked versions of the Stone Panda-linked RAT malware Quasar and Trochilus.
It also appears the same individual had a Flickr account with photos that help investigators pinpoint his location, the CrowdStrike blog continues, noting that Intrusion Truth later connected Baobeilong to a variety of registered websites and email addresses. "Zhang was active registering sites as recently as June 5, 2018," said CrowdStrike security researcher and blog post author Adam Kozy, "including a personal blog where his picture and name feature prominently along with several technology-related blog posts."