Yesterday the New York Times published a blockbuster report about how deeply Chinese spies have insinuated themselves into more than 140 US and Canadian companies, many of them related to the power grid.
The Times story was based on an early copy of a report released today by Mandiant, a security firm hired by the Times and other major corporations to ferret out attacks on their networks. That report reads like a spy novel, full of twists and turns about the activities of one Chinese Army group of cyberspies in particular, called Advanced Persistent Threat 1 by Mandiant but better known in security circles as the “Comment Crew” because of malicious code they embed within blog comments.
Mandiant also released a five-minute video that captures three Chinese cyberspooks as they’re pwning various corporate systems.
Here’s the part I find funny. Mandiant managed to identify three of the hackers by their handles: UglyGorilla, SuperHard, and D0Ta. And they did it, in part, by tracking them down on Twitter and Facebook.
Of course, services like Facebook, Twitter, and Google are prohibited by the Great Chinese Firewall. But the army hackers working within the Datong Road compound just outside Shanghai are not encumbered by China’s Internet censors. So they used Gmail and Facebook and Twitter to communicate, which helped Mandiant track down their identities. Per the report:
Like many Chinese hackers, APT1 attackers do not like to be constrained by the strict rules put in place by the Communist Party of China (CPC), which deployed the GFWoC as a censorship measure to restrict access to web sites such as google.com, facebook.com, and twitter.com. Additionally, the nature of the hackers’ work requires them to have control of network infrastructure outside the GFWoC. This creates a situation where the easiest way for them to log into Facebook and Twitter is directly from their attack infrastructure. Once noticed, this is an effective way to discover their real identities.
D0Ta, for example, had at least one Facebook account, though it’s unclear what he or she used it for – probably spear phishing or some other form of targeted social engineering attack. (It still exists as I write this, but it’s entirely blank.)
The hacker known as UglyGorilla is also a member of several Chinese social networks, while SuperHard liked to log onto blackhat forums to advertise his hacking skills for hire. Using the information the Chinese hackers deposited in each place – and in particular, the email addresses they used to register for accounts – Mandiant was able to piece together their identities and possibly their real names.
UglyGorilla’s name is probably Wang Dong, Americanized to Jack Wang. SuperHard is most likely Mei Qiang, also a somewhat common name. D0Ta’s real identity is less certain.