Mandiant report links Anonymous 2011 hacks to APT1 campaign
By Pierluigi Paganini, Editor-in-Chief
The new is very curious and represents the demonstration that cyber threats could not be analyzed separately, security need a global approach, we cannot distinguish between cybercrime and cyber warfare but we must be focused on the cyber menaces, their effects and the risks connected to adoption of not appropriate security measures.
The case is related to Anonymous collective and the relationship between one of its popular operation and the recent cyber espionage campaigns that seems involve Chinese Government.
Members of the Anonymous such as Hector “Sabu” Monsegur may have helped security experts to collect evidences on the involvement of Chinese hackers in last cyber espionage campaigns denounced by security company Mandiant.
The Mandiant Intelligence Center released a report that reveals an enterprise-scale computer espionage campaign dubbed APT1, security experts link it to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398).
The operation is started in 2006 targeting 141 victims across multiple industries all over the world.
Mandiant declared that information released by Anonymous in 2011 helped to identify cybercriminals behind the APT1, it revealed the pseudonyms of three hackers believed to be involved with cyber espionage campaign: “uglygorilla,” “DOTA” and “SuperHard.”
- The first persona, “UglyGorilla”, has been active in computer network operations since October 2004. His activities include registering domains attributed to APT1 and authoring malware used in APT1 campaigns. “UglyGorilla” publicly expressed his interest in China’s “cyber troops” in January 2004.
- The second persona, an actor we call “DOTA”, has registered dozens of email accounts used to conduct social engineering and spear phishing attacks in support of APT1 campaigns. “DOTA” used a Shanghai phone number while registering these accounts.
- We have observed both the “UglyGorilla” persona and the “DOTA” persona using the same shared infrastructure, including FQDNs and IP ranges that we have attributed to APT1.
- The third persona, who uses the nickname “SuperHard,” is the creator or a significant contributor to the AURIGA and BANGAT malware families which we have observed APT1 and other APT groups use. “SuperHard” discloses his location to be the Pudong New Area of Shanghai.
Let’s step back to 2011 when Anonymous hacked security firm HBGary in response of its investigation on the collective, in fact its CEO, Aaron Barr, infiltrated the group of hacktivists to investigate on its members and denounce them to federal authorities.
The attacks of Anonymous was terrible with serious consequences, the hacktivists hacked company’s websites, compromising the online accounts registered and exposing thousands of emails.
During the same period Anonymous also target the portal rootkit.com founded by HBGary associate Greg Hoglund, the hacktivists compromised accounts belonging to Barr using them to access to Hoglund’s corporate email and with social engineering attacks targeting his colleagues to rootkit.com.
Anonymous compromised also rootkit.com web site obtaining access to user’s credentials, posting it on line, and to its content completely deleting it.
At this point the story gets interesting, among those account’s credentials there were data belonging to “uglygorilla” and “SuperHard,”, two profiles identified by Mandiant and that the security experts of the security firm sustains to be related to hackers members of Chinese Unit 61398.
Mandiant report states:
“In 2007, UG authored the first known sample of the MANITSME family of malware and, like a good artist, left his clearly identifiable signature in the code: “v1.0 No Doubt to Hack You, Writed by UglyGorilla, 06/29/2007”[sic].”
“The account “UglyGorilla” was used across various Web, … in February of 2011, the disclosure of all registered “rootkit.com” accounts published by Anonymous included the user “uglygorilla” with the registered email address firstname.lastname@example.org. This is the same email used to register for the 2004 PLA forum and the zone hugesoft.org. Included in the rootkit.com leaked account information was the IP address 126.96.36.199,”
Mandiant specialists revealed that the among data leaked from rootkit.com website there was also the IP address of uglygorilla which belonged to Shanghai-area address linked to cyber Unit 61398.
The reports also revealed another interesting particular, the third persona dubbed “SuperHard” (SH) was first observed as a tool author, and is either the creator or a significant contributor to the AURIGA and BANGAT malware families:
“Once again, in tracking SH we are fortunate to have access to the accounts disclosed from rootkit.com. The rootkit.com account “SuperHard_M” was originally registered from the IP address 188.8.131.52, within one of the known APT1 egress ranges, and using the email address “email@example.com”. We have observed the DOTA persona emailing someone with the username mei_qiang_82. The name “Mei Qiang” (梅强) is a reasonably common Chinese last/first name combination. Additionally, it is a common practice for Chinese netizens to append the last two digits of their birth year, suggesting that SuperHard is in fact Mei Qiang and was born in 1982. Unfortunately, there are several “Mei Qiang” identities online that claim a birth year of 1982, making attribution to an individual difficult.
Fortunately, we can use SH’s email address to connect him to a number of Websites and forums on which he registered and contributed using that address. Many of these accounts reveal details that reinforce SH’s link to the “firstname.lastname@example.org”email address and APT1 affiliation, such as SH offering to write Trojans for money, his involvement with malicious Windows kernel research (incidentally, also commented on by “greenfield”, possibly UG), and more recently, being local to Shanghai’s Pudong New Area.”
Now the question is … are we really sure that Chinese hackers are involved in the attacks? The evidences collected tell us only that the attacks are moved from Pudong area, nothing else. Other states such as Iran, Pakistan could be responsible for the attacks and Chinese governments is aware of these campaign IN MY OPINION. All these governments have strict relationship with government of Beijing that isn’t interested to stop them … the enemies of your enemies are your friends. It is also true that China has the highest number of compromised servers in the world, this means that a foreign state could be exploited its networks to conduct attacks originated from Chinese soil, but I find it very hard due the strict controls of governments on internal networks.
Another factor to consider is the great cyber skills of Chinese state sponsored hackers members of Unit 61398, how is it possible that the used their own IP address range?
Very often things that seem obvious hiding unimaginable reality …
Sources: CDM and Mandiant