FacebookTwitterLinkedIn

APT 17 Unmasked

An online group of anonymous cybersecurity researchers called Intrusion Truth has revealed who exactly is behind the advanced persistent threat APT group codenamed APT 17, or often also referred to as Deputy Dog or Axiom. The group has been linked to numerous hacks on private companies and government agencies this decade. In 2017, this publication published an article detailing how the popular drive cleaner CCleaner and its software download service was compromised to download and install the Floxif malware. Researchers at Cisco Talos attributed the attack to APT 17 and also discovered that numerous private companies were also targeted in the same campaign including security firms.

This will be the third Chinese cyber espionage group unmasked by Intrusion Truth, with earlier investigations resulting in the US Department of Justice indicting members from both APT 3 and APT 10. The anonymous crusaders have developed a reputation for uncovering who exactly is behind some of the more infamous cyberespionage groups. Intrusion Truth uses a technique, called doxing, to help uncover the identities of those behind APT groups. Doxing has come to mean the process by which hackers, or in this case security researchers, retrieve and publish personal details of their targets. Information can include but is certainly not limited to, names, addresses, phone numbers, and credit card details. Often in malicious cases of doxing the main aim of the hacker is coercion, however, in this instance, it could be argued that the doxing is done to increase pressure on the APT group or result in charges been laid against individuals.

As a result of this process of retrieving personal information, Intrusion Truth has concluded that a man and two other hackers are behind APT 17. Further to help hide the activities of the group the man in charge, believed to be an officer of the Chinese Ministry of State Security (MSS), owns four shell companies. All three of them operate in the city of Jinan, the capital of China's Shandong province. Intrusion Truth has also published articles on both Mr. Wang and Mr. Zeng with both articles helping further illuminate the companies run by APT 17. The companies have been used as a front are Jinan Quanxin Fangyuan Technology Co. Ltd., Jinan Anchuang Information Technology Co. Ltd., Jinan Fanglang Information Technology Co. Ltd., and RealSOI Computer Network Technology Co. Ltd. Not only has Intrusion Truth been able to uncover the companies behind the operations but also the names of those involved.

apt 17 unmasked

The MSS officer, according to Intrusion Truth, is one Guo Lin. The two hackers are Wang Qingwei, a representative of the Jinan Fanglang Company, and Zeng Xiaoyong, the individual behind the online profile “envymask”. The link to Zeng Xiaoyong was made by similarities in the code used in the malware ZoxRPC and Zeng’s code. Analyzed by Novetta and the code used by Zeng was also found in the malware MS08-067, a variant which “envymask” apparently created and claimed responsibility for. The evidence against Zeng was used to link the active players behind APT 17, which started life out been called “missll”. Intrusion Truth concluded that,

“Either, one of the authors of code in APT17’s primary malware just happens to be associated with a series of Cyber Security outfits that claim the MSS as their clients and are coincidentally managed by an MSS Officer. Or, MSS Officer Guo Lin of the Jinan bureau of the Ministry of State Security manages APT17.”

Named, now what?

In 2017 when Intrusion Truth claimed that APT 3 was a company named Boyusec, a Guangdong contractor for the Chinese Ministry of State Security, many criticized the allegations. It was only until Recorder Future came to the same conclusion did the InfoSec community take note. The claims were bold in the extreme and when made by an anonymous group, suspicion of the findings was perhaps wise. However, only once Recorded Future described the MSS internal structure, and how the Chinese government was using a network of local MSS branches in major provinces to hire independent contractors to conduct hacking against foreign companies and government networks did private organizations and law enforcement see the value in Intrusion Truth’s initial claim. All told the credibility of Intrusion Truth’s claims regarding APT 10 was accepted far more readily. Now with the identities of those behind APT 17 been revealed the question asked is no longer if their claims are right. Rather, many will ask how to stop or punish future hacking campaigns conducted by APT 17.

The answer to that may be disheartening. The US Department of Justice may indict the individuals named as they did in the past. This will mean that those behind APT 17 will not be able to travel outside of China’s borders to any country seen as allied with the US. Practically though if they remain within China they cannot be brought before a US court of law. Such investigations, like the one completed by Intrusion Truth, reveal the extent of the Chinese state-sponsored cyber-espionage network. Given the size of the network, it is unlikely that the naming and shaming of individuals will do little to hamper further campaigns. Given China’s role as a global player in both the political and economic spheres very little can be done to stop future attacks. Diplomacy may be other countries best bet in helping prevent organizations within their borders becoming victims, however, with the constant talk of trade wars and the apparent gains cyber espionage can provide state-sponsored actors attacking networks, whether Chinese or countries from the West, will remain a reality.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal