Intrusion Truth, a mysterious group known for exposing suspected Chinese cyber-espionage operations, on Thursday published a new investigation that traced front companies allegedly used by two Chinese men whom a U.S. grand jury indicted last year.
The findings shed light on a dynamic that U.S. law enforcement officials say is increasingly common: foreign intelligence services’ use of front companies to try to conceal their hacking operations. The details also come at a time when Biden administration officials are dealing with the fallout of another suspected Chinese hacking campaign in which attackers leveraged widely used Microsoft software.
The Justice Department has alleged that the two suspects, Li Xiaoyu and Dong Jiazhi, met at university before embarking on a decade of malicious cyber activity, sometimes for personal financial gain and other times on behalf of the Ministry of State Security, China’s civilian intelligence agency. In some cases, the men allegedly probed the networks of U.S. firms working on a coronavirus vaccine. U.S. prosecutors have accused the men of stealing hundreds of millions of dollars in trade secrets and other data.
Now, the group known only as Intrusion Truth says it has discovered the roots of Li and Dong’s collaboration, and the alias that Li used on a Chinese hacking forum. The two men allegedly reused email addresses and phone numbers in registering front companies, a slip-up that Intrusion Truth says it used to track their activities.
“[W]e know Chinese APTs follow a common blueprint: One of contract hackers and specialists, front companies and an intelligence officer,” the Intrusion Truth blog says, using an acronym for state-linked hackers.
It’s unclear who is behind Intrusion Truth, but independent cybersecurity researchers have previously corroborated details in the group’s blog posts. It’s one of a number of shadowy groups that have released details about digital espionage while cloaking themselves in anonymity. CyberScoop was unable to verify the accuracy of Intrusion Truth’s claims, though the group’s investigations typically line up with detailed indictments of alleged Chinese hackers released by the Justice Department.
Intrusion Truth often hypes its forthcoming blogs with tweets telling readers to prepare for a new bombshell on Chinese hacking. This week, Twitter temporarily restricted the Intrusion Truth account because, the tech platform said, the account triggered Twitter’s anti-spam mechanism after a long period of inactivity.
The latest exposé follows Li and Dong, who are in their mid-30s, starting with their study of computer science at University of Electronic Science and Technology of China in the southwestern city of Chengdu. Intrusion Truth says it uncovered, from a database leak, the instant messaging accounts Li and Dong used while attending information security classes at university.
After their studies, Dong, and to a lesser extent Li, set up a series of vaguely named technology companies based in Chengdu, according to Intrusion Truth. One of the firms, Chengdu Xinglan Technology Company, lists Dong as the primary point of contact and Li as its CEO, the investigation found. The firms have a minimal online presence and could not be reached for comment on Thursday.
The 2020 U.S. indictment of Li and Dong also accuses one of the men of using a vulnerability in Adobe’s ColdFusion software to pry into victim networks. Intrusion Truth said it used one of Li’s aliases listed in that indictment to find evidence that he was appointed moderator of a website for ColdFusion developers nine years ago, suggesting a longstanding interest in the software.
Cybersecurity analysts have said that, following the restructuring of China’s People’s Liberation Army in 2015, the MSS became China’s go-to arm for conducting economic espionage. A 2018 U.S. indictment accused the MSS of working with contracted hackers in an effort to steal aerospace technology and other proprietary data from U.S. companies.
The 2020 U.S. indictment accuses Li and Dong of working for Guangdong State Security Department, a division of the MSS, under the direction of an unnamed intelligence officer. Intrusion Truth claimed Thursday that it would reveal that person’s identity in the future.