Anonymous ID: eda7c1 Jan. 15, 2020, 4:47 p.m. No.7825053

Written by Jeff Stone

JAN 9, 2020 | CYBERSCOOP

Intrusion Truth is back.

 

The anonymous group known in the cybersecurity world for publishing detailed blog posts about suspected nation-state hackers released new information Thursday alleging that Chinese technology companies are recruiting attackers working on Beijing’s behalf.

 

By identifying job postings seeking offensive cybersecurity skills, the group wrote, they found a number of companies in Hainan, a province in South China, all using the same language in their advertisements. Some of those companies have only a small web presence outside the job ads seeking offensive-minded computer specialists, suggesting to Intrusion Truth that employers actually are trying to recruit hackers for advanced persistent threat groups.

 

“We know that these companies are a front for APT activity,” states the blog post published Thursday.

 

This blog post is the first from Intrusion Truth since July 2019, when the group reported that a Chinese APT had offered to sell stolen data. Intrusion Truth emerged in April 2017 and, since then, intermittently has gone public with information purportedly exposing Chinese state-sponsored hacking efforts.

 

Two years ago, the group identified two employees of the Chinese company Boyusec who U.S. prosecutors later indicted for alleged involvement in breaches at Siemens and Moody’s Analytics.

 

If anyone knows who is behind the effort, though, no one is saying: the identities of the Intrusion Truth members have been the subject of ongoing speculation in the security community.

 

In the post published Thursday, the group argues “it is possible to take a [Chinese] province and identify front companies, from those companies identify individuals who work there, and the connect those companies and individuals to an APT and the State.”

 

The group explains further by highlighting advertisements for jobs at five Chinese companies.

 

The ads typically are seeking personnel capable of carrying out penetration tests or network security development engineering. In one case, the Hainan Xiandun Technology Development Company, a “fast-growing high-tech information security company,” according to Intrusion Truth’s translation, posted a bulletin seeking female English translators, preferably members of the Communist Party.

 

Job postings alone don’t prove that the companies are involved in nation-state hacking activity, as Intrusion Truth notes. Companies in the U.S. and abroad frequently hire penetration testers in order to test their own defenses. Bringing on penetration testers can help companies like Bloomberg and Amazon, both of which have active listings for pen-testers in New York.

 

Yet one posting from Hainan Tengyuan, the group noticed, seeks professionals “with a track record of sharing hacking exploits as well as specific experience with Windows Trojan shell code development and PE encryption.”

 

“The question we should be asking is: who develops their own encrypted executable files?,” the blog post notes.

 

Neither Xiandun Technology Development nor Tengyuan could immediately be reached for comment.

 

Meanwhile, the phone numbers and addresses in many of the advertisements overlap, according to the anonymous blog post. From there, Intrusion Truth extrapolated their findings to larger internet searches, finding eight more companies (for a total of 13) that seemed to be connected in a kind of web.

 

“Hainan Xinhuaheng Technology Company shares a telephone number (19808984**) with Hainan Tengyuan, Hainan Dingwei, Haikou Fengshang, Hainan Hualian Anshi, and Hainan Jiaxi and and is co-located in the same building,” the blog post states, including the typo.

 

Security researchers suggested on Thursday that the data Intrusion Truth dumped was associated with APT40, a Chinese espionage group that FireEye says stole information from the U.S. Navy, among other targets. The group’s hacking victims are consistent with China’s geopolitical interests and “there are multiple technical artifacts” indicating it’s based in China, FireEye noted in a March 2019 report. For instance, researchers uncovered a file that included an IP address based in Hainan, China that “had been used to administer the command and control node that was communicating with malware on victim machines.”

 

FireEye also observed APT40 using the archival tool rar.exe to compress and encrypt data it intended to steal.

 

APT40, also known as Leviathan, TEMP.Periscope and TEMP.Jumper, is the main suspect in attacks aimed at Cambodia’s elections and the U.S. maritime industry.

 

The Chinese government consistently has denied any involvement in hacking activity.

–MORE–

 

https://www.cyberscoop.com/intrusion-truth-chinese-hacking-front-companies-hainan-xiandun/

Anonymous ID: eda7c1 Jan. 15, 2020, 4:55 p.m. No.7825136

'Economic espionage': Special DOJ unit cracks down on China's illicit activities

 

By Bill Gertz - The Washington Times - Wednesday, January 8, 2020

The Justice Department’s special China unit is aggressively prosecuting technology theft and other illicit activities by Beijing’s spies and government officials, a senior department official said in an interview.

 

China was implicated in more than 80% of all economic espionage cases brought by the Justice Department since 2012, and more than 60% of all trade secrets theft cases were linked to Beijing’s aggressive spying and acquisition programs, U.S. officials said.

 

Those activities involve traditional human and cyber intelligence gathering operations as well as what officials term “nontraditional” spying: the use of students, business people and other nonprofessional collectors of intelligence.

 

“It’s an objective fact that the number of economic espionage investigations has increased dramatically in recent years,” Adam Hickey, deputy assistant attorney general in the Justice Department’s national security division, told The Washington Times.

 

“That could be a function of us seeing more or the private sector reporting more. It also could suggest that China is doing more,” said Mr. Hickey, a key official in a program called the China Initiative.

 

China’s efforts also involve purchases of American companies, a noncriminal matter but one involving Justice Department officials who are part of the Treasury Department-led Committee on Foreign Investment in the United States. Congress has passed reform measures strengthening regulatory procedures used to control Chinese investments that could harm national security.

 

At the Federal Communications Commission, Justice Department officials help counter Chinese electronic spying in the United States through a group called Team Telecom.

 

Attorney General William Barr recently backed the FCC decision announced in November to ban the use of telecommunications gear in the United States made by Chinese tech giant Huawei Technologies over electronic spying concerns.

–MORE–

 

https://www.washingtontimes.com/news/2020/jan/8/justice-department-special-china-unit-targets-beij/