
Wednesday 20 February 2013

Chinese Threat Actor Part 5

Follow up on Mandiant report

http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Mandiant Report

"Once again, in tracking SH we are fortunate to have access to the accounts disclosed from rootkit.com. The rootkit.com account “SuperHard_M” was originally registered from the IP address 58.247.237.4, within one of the known APT1 egress ranges, and using the email address “mei_qiang_82@sohu.com”. We have observed the DOTA persona emailing someone with the username mei_qiang_82. The name “Mei Qiang” (梅强) is a reasonably common Chinese last/first name combination. Additionally, it is a common practice for Chinese netizens to append the last two digits of their birth year, suggesting that SuperHard is in fact Mei Qiang and was born in 1982. Unfortunately, there are several “Mei Qiang” identities online that claim a birth year of 1982, making attribution to an individual difficult."

One of the threat actor personas identified by Mandiant is "SuperHard_M". Mandiant links the handle to the name Mei Qiang and to the email address "mei_qiang_82@sohu.com".

Attribution

rootkit.com user database

(32261,'SuperHard_M','bf787577ff656cde5b5d1f8236a75d2a','mei','mei_qiang_82@sohu.com',1,1130405749,'','','','','','',1,'','',1267772902,'58.247.237.4',0,0,0,1267772654,0,0,0,'','','','','',800,'')

The IP address 58.247.237.4 geolocates to Shanghai, China.

The same email address is the registration email of a profile on the kaixin001 social network:
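The row above is a raw database tuple: its timestamps are not human-readable and the page does not give the column layout, so nothing in it can safely be read by position. The following script is an added example, not code from the blog post or from Mandiant. It splits the tuple, classifies each field by shape (email, IPv4 address, 32-hex-digit hash, Unix epoch inside a 2000-2019 window) and checks any IP found against a list of egress ranges. The egress list is an assumed placeholder (58.246.0.0/15, chosen only because it contains this IP); substitute the ranges from the report's appendix before relying on the check.

```python
"""Decode a leaked forum-user row and pivot on the indicators in it.

Added OSINT example, not code from the blog post. The rootkit.com dump's column
layout is not given on the page, so fields are classified by what they look like
(email, IPv4 address, 32-hex-digit hash, Unix timestamp) rather than by position.
"""
import csv
import ipaddress
import re
from datetime import datetime, timezone

# The row exactly as printed on the page, with its line wrap rejoined.
ROOTKIT_ROW = (
    "(32261,'SuperHard_M','bf787577ff656cde5b5d1f8236a75d2a','mei',"
    "'mei_qiang_82@sohu.com',1,1130405749,'','','','','','',1,'','',"
    "1267772902,'58.247.237.4',0,0,0,1267772654,0,0,0,'','','','','',800,'')"
)

# ASSUMPTION: placeholder egress list for the check below. The real APT1 ranges
# are in the report's appendix; this block is chosen only to contain the row's IP.
EGRESS_RANGES = [ipaddress.ip_network("58.246.0.0/15")]

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
HASH_RE = re.compile(r"^[0-9a-f]{32}$")
# Any plain integer inside this window is treated as a Unix epoch (seconds).
EPOCH_MIN = int(datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp())
EPOCH_MAX = int(datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp())


def parse_row(row: str) -> list:
    """Split one SQL-style VALUES tuple into its fields (single-quoted strings)."""
    body = row.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    return next(csv.reader([body], quotechar="'", skipinitialspace=True))


def classify(fields: list) -> dict:
    """Bucket fields into emails, IPs, hashes and decoded UTC timestamps."""
    found = {"emails": [], "ips": [], "hashes": [], "epochs": []}
    for f in fields:
        if EMAIL_RE.match(f):
            found["emails"].append(f)
        elif HASH_RE.match(f):
            found["hashes"].append(f)
        elif f.isdigit() and EPOCH_MIN <= int(f) <= EPOCH_MAX:
            found["epochs"].append(datetime.fromtimestamp(int(f), tz=timezone.utc))
        else:
            try:
                found["ips"].append(ipaddress.ip_address(f))
            except ValueError:
                pass  # small integers, flags, empty strings, short text
    return found


def in_egress(ip, ranges=EGRESS_RANGES):
    """Return the first range containing ip, or None if no range matches."""
    return next((net for net in ranges if ip in net), None)


def pivot(row: str = ROOTKIT_ROW) -> dict:
    """One-call summary: indicators from the row plus any egress-range hits."""
    found = classify(parse_row(row))
    hits = {}
    for ip in found["ips"]:
        net = in_egress(ip)
        if net is not None:
            hits[str(ip)] = str(net)
    found["egress_hits"] = hits
    return found


if __name__ == "__main__":
    for key, values in pivot().items():
        print(f"{key}: {values}")
```

The three epochs in the row decode to 27 Oct 2005 and 5 Mar 2010 (UTC). The page does not say which column is the registration time and which the last visit, but the earliest value is the plausible account-creation date, and it sits between the Tianya registration (Sep 2005) and the sxsoft job profile (Nov 2005) discussed below, so the 2005 timeline is consistent across three independent sources.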

http://www.kaixin001.com/home/13874928.html

Full name: Mei Xiao Qiang (梅小强), living in Shanghai




Tianya Chinese Board

mei_qiang_82@sohu.com is also the registration email of an account on the Tianya Chinese board, but the name linked to it there is "2005_9_24". The profile describes a male living in Zhengzhou, Henan Province, born 12 September 1982 (Virgo). The account was registered on 24 September 2005 (matching the handle), which suggests he was in Zhengzhou at that time.

http://www.tianya.cn/3963856




Interestingly, there is another account on Tianya with the handle "SuperHard_M", registered with the email address "mei_qiang_82@hotmail.com":

http://www.tianya.cn/5685768



"mei_qiang_82@hotmail.com" is also the registration email of a kaixin social network profile, but that profile has since been deleted, and we know why :)

A search on mei_qiang_82@hotmail.com turns up a job profile from November 2005 in which he is listed as 24 years old, which roughly matches the 1982 birth year implied by the "82" suffix and puts him at about 31 at the time of writing. He was living in Zhengzhou, Henan Province, in 2005, and in the job profile he lists his interests as network security and developing hacking tools.

http://www.sxsoft.com/index.php/it/employee/show/2331

Name: SuperHard_M
Gender: Male
Age: 24
Education: Masters
Tel: 13503456644
Contact Address: Henan Zhengzhou 1001 mailbox 774
PostalCode: 450002
E-mail: mei_qiang_82@hotmail.com
Date: 2005-11-28 08:50:40
Published Username:  SuperHard_M


The postal address "1001 mailbox 774, Zhengzhou, Henan Province" (P.O. Box 1001-774) is the address used by the well-known PLA Information Engineering University, which implies he was a student at PLAIEU at the time.

Mei Qiang co-authored two journal papers with Zhu Yue-Fei on HTTP session hijacking in switched LANs by means of ARP spoofing (a man-in-the-middle technique). It is worth noting that Zhu Yue-Fei has also published papers with Zhang Chang-he.

 http://www.cdblp.cn/namedisambiguation/%E6%A2%85%E5%BC%BA/%E4%BF%A1%E6%81%AF%E5%B7%A5%E7%A8%8B%E5%A4%A7%E5%AD%A6/32123.html



(Credit goes to Tommy for the Journal link)

Read online

http://www.docin.com/p-53977513.html


SuperHard_M profiles on Chinese boards

Weibo profile: lives in the Pudong area of Shanghai

T.QQ profile: lives in the Pudong area of Shanghai, Virgo

Douban profile: http://www.douban.com/people/SuperHard_M/

Blog "Wolf's World": http://superhard.blog.sohu.com

http://www.pinglunjuhe.com/pinglun/1009858.aspx?bt=3

Another possible email address of SuperHard is mei_qiang_82@163.com

Update

Within a few hours of this post going up, Mei Qiang's Kaixin profile was deleted and the details on his sxsoft profile were changed.

