Cyber-Espionage Experts Want to Know Who’s Exposing China’s Hacking Army (#GotBitcoin?)
The world’s cyber-sleuths are investigating a new mystery: Who is behind an anonymous effort to expose China’s hacker army?
An anonymous group calling itself Intrusion Truth in August published a blog post about one of the most prolific suspected China-linked hacking groups tracked by cybersecurity researchers. It was the latest in a series of online messages and blog posts dating back to May 2017 that outlined two alleged Chinese hacking campaigns and named suspected hackers. Separately, two of those named were later charged by U.S. authorities.
Security researchers say they don’t know who is behind Intrusion Truth. The group’s method of anonymously dumping information and targeting a foreign intelligence agency is something new, they say, and exposing alleged illegal activity could up the pressure on Chinese companies cooperating with state-sponsored hacking efforts.
U.S. officials and security researchers have linked Chinese hackers for years to government-backed computer intrusions into U.S. companies. China has denied involvement in hacking U.S. companies.
Intrusion Truth’s anonymity might itself be a clue to its identity. Some large corporations and security companies that employ researchers who track China’s hackers might be reluctant to release findings for fear of reprisals from China’s government, said Ben Read, who manages cyber-espionage investigations at FireEye Inc.
Intrusion Truth named individual alleged culprits—unusual in the world of nation-state hacking research—posted photographs, dug up alleged hackers’ places of work and even revealed Uber receipts that appeared to link the individuals to particular addresses in China.
That is the kind of expert sleuthing few people would have the language skills, tools and research abilities to pull off, said Thomas Rid, a professor at Johns Hopkins University.
“It’s somebody who is professional,” he said, “somebody who knows what they’re doing.”
A round of finger-pointing has erupted in the cyber-sleuth community over who is behind Intrusion Truth. One theory is the group may work for a corporate victim of Chinese hackers.
“There are a whole load of people accusing each other,” one researcher said. He said he has received multiple messages asking whether he is part of Intrusion Truth.
Intrusion Truth has published dozens of messages to Twitter and more than a dozen posts to the blog site Medium over the past 16 months.
In them, it has posted evidence linking Chinese companies to a suspected China-backed hacking group known as APT 3 and another known as APT 10, or Stone Panda, shedding light on the continued threat of Chinese hacking.
“APT 10 is one of the most active groups we track,” said Mr. Read. The group has hacked companies in Japan and Europe, and has targeted entities in the U.S., he said.
Intrusion Truth also has zeroed in on several Chinese companies, alleging they are linked to government-backed hacking campaigns.
“We are focusing our efforts on determining whether these are just ‘companies that hack,’ or would they be better described as fronts enabling the Chinese state to employ hackers who can later be scapegoated as criminals?” Intrusion Truth said in a Twitter message in August.
Early last year, the group said two employees of Guangdong Bo Yu Information Technology Co., known as Boyusec, were part of APT 3. Six months later, U.S. authorities indicted the men—Wu Yingzhuo and Dong Hao—saying they were involved in APT 3 computer intrusions at Moody’s Analytics and the German engineering company Siemens AG.
Messrs. Wu and Dong couldn’t be reached for comment. Representatives from Boyusec, which dissolved before the indictments were unsealed, couldn’t be reached.
Intrusion Truth didn’t respond to messages seeking comment. In late August, the group said its aim is to make Chinese hackers “think twice about their illegal online activities,” according to Motherboard.
Intrusion Truth linked internet domains and email addresses associated with websites used by APT 10 to two other Chinese companies, Tianjin Huaying Haitai Science and Technology Development Co. and Laoying Baichaun Instruments Equipment Co.
A woman answering a number listed for Huaying Haitai hung up when asked for comment. Laoying Baichaun couldn’t be reached.
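The linking described above, from domains and e-mail addresses to the companies behind them, is the registrant-pivot technique threat analysts use on WHOIS data. The script below is an added illustration of that technique, not code from Intrusion Truth, FireEye or CrowdStrike, and every registration in it is constructed, hypothetical data on .example domains (the field names, companies and contact details are invented for the demonstration). It clusters domains that share a registrant name, e-mail, phone or organisation, and shows the check a practitioner needs: placeholder values from privacy proxies, and any value shared by too many domains, must not be allowed to pivot, or unrelated infrastructure gets glued into one "group".

```python
"""Pivot on shared WHOIS registrant data to cluster domains.

Added example of the registrant-pivot technique; all records are constructed
and hypothetical (.example domains), not data from the article's sources.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_name: str
    registrant_email: str
    registrant_phone: str
    registrant_org: str


# Constructed sample registrations (hypothetical people, companies, numbers).
SAMPLE_RECORDS = [
    WhoisRecord("alpha-update.example", "Zhang San", "zs@mail.example", "+86.1000000001", ""),
    WhoisRecord("beta-cdn.example", "zhang san", "zs@mail.example", "+86.1000000001", "Example Tech Co."),
    WhoisRecord("gamma-news.example", "Li Si", "ls@mail.example", "+86.1000000001", "Example Tech Co."),
    WhoisRecord("delta-shop.example", "Wang Wu", "ww@mail.example", "+86.1000000099", ""),
    # Two unrelated domains behind the same privacy proxy: these must NOT be linked.
    WhoisRecord("proxy-one.example", "REDACTED FOR PRIVACY", "abuse@privacy-proxy.example",
                "+1.5550000000", "Privacy Proxy LLC"),
    WhoisRecord("proxy-two.example", "REDACTED FOR PRIVACY", "abuse@privacy-proxy.example",
                "+1.5550000000", "Privacy Proxy LLC"),
]

# Placeholder values that identify a proxy or registrar rather than a person
# (hypothetical list; in practice built from the proxies seen in your data).
GENERIC_VALUES = {
    "redacted for privacy", "privacy proxy llc",
    "abuse@privacy-proxy.example", "+1.5550000000",
}

PIVOT_FIELDS = ("registrant_name", "registrant_email", "registrant_phone", "registrant_org")


def normalise(value: str) -> str:
    """Lower-case and collapse whitespace so 'Zhang San' and 'zhang  san' match."""
    return " ".join(value.lower().split())


def selectors(rec: WhoisRecord) -> set:
    """Return the (field, value) pairs of one record that are usable as pivots."""
    out = set()
    for field in PIVOT_FIELDS:
        value = normalise(getattr(rec, field))
        if value and value not in GENERIC_VALUES:
            out.add((field, value))
    return out


def pivot_table(records, max_shared: int = 5) -> dict:
    """Map each selector to the sorted list of domains sharing it.

    Selectors held by a single domain carry no link; selectors shared by more
    than max_shared domains (parking services, registrar defaults, proxies
    missing from GENERIC_VALUES) are dropped because they would connect
    unrelated infrastructure.
    """
    by_selector = defaultdict(set)
    for rec in records:
        for sel in selectors(rec):
            by_selector[sel].add(rec.domain)
    return {sel: sorted(doms) for sel, doms in by_selector.items()
            if 2 <= len(doms) <= max_shared}


def cluster_domains(records, max_shared: int = 5) -> list:
    """Union-find over domains: two domains join a cluster if they share a pivot.

    Returns clusters as sorted lists, largest first.
    """
    parent = {rec.domain: rec.domain for rec in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    for doms in pivot_table(records, max_shared).values():
        root = find(doms[0])
        for d in doms[1:]:
            parent[find(d)] = root

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for sel, doms in sorted(pivot_table(SAMPLE_RECORDS).items()):
        print(f"{sel[0]}={sel[1]!r} links {doms}")
    for cluster in cluster_domains(SAMPLE_RECORDS):
        print("cluster:", cluster)
```

On the constructed data the three `Example Tech Co.` domains collapse into one cluster (alpha and beta through the shared name and e-mail, gamma through the shared phone and organisation), while the two proxy-registered domains stay apart because every value they share is a proxy placeholder. Real registrant data has been largely redacted in public WHOIS since 2018, so in practice this pivot runs over historical WHOIS archives, and every link it produces is a lead to be corroborated with other evidence (hosting, certificates, content), not an attribution on its own.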
Typically, Intrusion Truth posts data that could be uncovered online or via research tools used by professional threat analysts. The APT 10 evidence, though, included material that would have been harder to obtain: copies of alleged Uber receipts belonging to an employee who had worked at the two companies.
Intrusion Truth says these receipts show travel by this person to a building operated by China’s intelligence agency. The agency doesn’t accept media inquiries.
CrowdStrike Inc., which tracks Chinese hacking campaigns, in late August published a blog post agreeing with much of what Intrusion Truth had reported on APT 10.
“The information they have access to goes way beyond what we would have access to,” said Adam Meyers, an executive with the cybersecurity firm.