Investigation into APT5 and the inner workings of PLA Troop 61786
I am relatively new to the cybersecurity community, and I have tracked low-level criminal groups who conduct computer network exploitation (CNE). My method of investigating criminal activity begins with sleuthing the dark web for tipping information. From there, I overlay leaked CNE data and TTPs with persona information. I began tracking a subset of what was assessed to be low-level criminal activity, which actually turned out to be a group of six officers working together within the PRC People's Liberation Army (PLA) Troop 61786. This group appears to be associated with Advanced Persistent Threat 5 (APT5).
My starting point for this investigation was the Singapore-based IP 5.188.34.116, a virtual private server (VPS) associated with G-Core Labs. A review of the VPS data from this IP on the dark web revealed that the user had unsophisticated tradecraft, as evidenced by the significant amount of PII and forensic artifacts left behind. This data point served as the foundation for my investigation and resulted in the identification of the PLA officers' identities listed below, their tradecraft, potentially criminal behavior under Chinese law, and blatant corruption within PLA Troop 61786. I was able to attribute these officers to Troop 61786 because Shi Qijiang had linked his work address, "Haidian District, Hanjiaguan Military Compound, Beijing", to his SF Express and YTO accounts.
This team's tradecraft is consistent with that of the least sophisticated CNE actors across the globe. I am unsure whether this low-level tradecraft stems from the team's laziness, from over-reliance on CNE technology to obscure or hide their subpar tradecraft, or from ignorance. On the one hand, the team used anonymization infrastructure services to conceal their identities; on the other, they played video games via Battle.net on their procured C2 infrastructure. In the same vein, they also used their C2 infrastructure to conduct personal business, whether personal banking, reading email, or signing into their PLA accounts. PS: team lead Wang Huidong may want to update his password at http://mall.plap.cn/users/sign_in.html - "789044" is a rather weak password.
This group frequently targeted and conducted CNE against several telecommunications providers in places such as Southeast Asia and the United States. They appear to rely heavily on rudimentary scripts to streamline their targeting and reconnaissance activities. The team also relies on publicly known CVEs to gain initial access or footholds into targeted networks. Anything beyond noisy scanning activity and outdated CVEs seems very complicated for this team of six, which has ultimately compromised the activity of more refined PRC CNE actors, such as Volt Typhoon, that were targeting the same networks, companies and educational institutions.
This team has shown a propensity to conduct criminal and corrupt activities in violation of Chinese law. The team profited from the use of cryptocurrency mining tools while conducting their daily duties with Troop 61786, likely without the approval of their superiors or the PRC government, as evidenced by the artifacts left on the aforementioned Singapore-based VPS. While the whole team was involved in the corrupt activity, team leader Wang Huidong and team member Lyu Ning benefited the most from their investments in the Ethereum cryptocurrency. While this activity happened on the job and leveraged their C2 infrastructure to carry out the purchases, they have transferred and stored the proceeds from these sales in offshore bank accounts.
Specifically, the six-person team was associated with the crypto hash 0x498E920C4710b600179779d6A30cDAf7f592aE04 and used the "Bminer" tool while conducting fraudulent CNE activity. Lyu has also shown a propensity for certain immoral proclivities, as evidenced by his account on AdultFriendFinder.com under the username "fatox2008". This type of service is prohibited in the PRC under existing law; however, it seems these types of activities and corruption are acceptable within the PRC government for its military officers in Troop 61786.
Troop 61786 Team Members:
Wang Huidong / 王辉东 (Chinese name)
Email Addresses:
whenner@163.com (primary email address)
wuyingsuixing@126.com (associated with multiple online services)
tieshan@public.ty.sx.cn (associated with 17jifen.com)
National ID: 640302198611160017
DOB: 16th November, 1986
Birthplace: Ningxia Autonomous Region
Sex: Male
Phone Numbers:
8613811160360 (associated with multiple online services)
8618744040597
8615650737621
Online Services:
JD.com (multiple accounts with different usernames and passwords)
17173.com (multiple accounts with the username "whenn" and "whenner")
NetEase (126.com / 163.com) (multiple accounts with the username "whenner" and "wuyingsuixing")
whenner (associated with multiple online services, including 17173.com, yue.com / 123tv.com, and replays.net)
wuyingsuixing (associated with JD.com and other online services)
Contributions to Troop 61786:
Wang is the leader for this six-person team.
Wang also provides on-keyboard support to several of the CNE operations.
Wang received his undergraduate degree in Information Studies and Security from the PLA Information Engineering University (PLAIEU), studied at PLAIEU from September 2004 to June 2008, and pursued a master's degree at Beihang University (BUAA), which he completed in late March 2017.
G-Core Labs VPS for Wang Huidong
IP Address: 5.188.34.116
Location: Singapore, Singapore
Operating System: Windows 7 Professional x64
Username: Administrator
Current Language: Chinese (Simplified, PRC)
TimeZone: (UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi
Hardware Information:
CPU: Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz, 6 Cores
Graphics Cards:
Intel(R) UHD Graphics 630
NVIDIA Quadro M4000
RAM: 32.6 GB (34186715136 bytes)
Installed Software:
Browsers:
Google Chrome (94.0.4606.61)
Mozilla Firefox (93.0)
Internet Explorer (8.00.7600.16385)
Other Software:
GNS3 (2.2.16)
Microsoft Visual C++ 2005-2019 Redistributables (multiple versions)
NVIDIA Stereoscopic 3D Driver (7.17.13.7500)
Realtek High Definition Audio Driver (6.0.1.8470)
WinPcap 4.1.3 (4.1.0.2980)
Cookies and Online Activities:
Wang was logged into multiple online services, including BattleNet, 163.com, Weibo, QQ, CSDN, Zhihu, and Bilibili.
Wang visited various websites related to technology, gaming, e-commerce, and social media.
Wang used the VPS to conduct open-source research on Avaya devices.
Lyu Ning / 吕宁 (Chinese name)
Alternate Names:
Liu Ning (刘宁)
LV Ning
Identifiers:
Email Addresses:
snow1014@163.com
fatox2008@gmail.com
fatox2009@yahoo.com
liuming780707@yahoo.com
laurence.jados@yahoo.com
jean_luc_bolle@yahoo.com
fatox.fatox@yahoo.com
snow801014@163.com
Phone Numbers:
8613683150507
8613691513981
National ID: 210106198010145211
DOB: 14th October, 1980
Birthplace: Liaoning Province
Sex: Male
Services and Usernames:
AdultFriendFinder.com - fatox2008
Yahoo.com - fatox2009, liuming780707, laurence.jados, jean_luc_bolle, fatox.fatox
LinkedIn.com - (associated with fatox2008@gmail.com)
JD.com - snow801014, fatox801014
forum.eviloctal.com - fatox1980
online.sh.cn - 【战】征战づ肥牛2008
tgbus.com - fatox
PCOnline.com - fatox20082008
vivo.com - (associated with 13683150507)
Contributions to Troop 61786:
Lyu frequently configures the team’s exploits as they are conducting target development.
Examples of his support include modifications to publicly available CVE exploits when the team exploited a telecommunications provider and moved laterally within the network to attempt access to infrastructure associated with the United States Government.
Zhang Yifan / 张一帆 (Chinese name)
Phone Numbers:
8613701234705 (associated with multiple online services, including JD.com, vivo.com, Alipay, and Tencent)
National ID: 150204198603261214
DOB: 26th March, 1986
Birthplace: Inner Mongolia
Sex: Male
Email Addresses:
171700a@163.com (associated with JD.com)
907516088@qq.com (associated with Tencent and QQ users)
Online Services:
JD.com (username "Zy_xtp")
vivo.com (associated with phone number 8613701234705)
Alipay (associated with phone number 8613701234705)
Tencent (associated with phone number 13701234705 and QQ ID 907516088)
QQ users (QQ ID 907516088)
weibo.com (associated with phone number 13701234705)
Personal Information:
Name: Zhang Yifan / 张一帆 (Chinese name)
Contributions to Troop 61786:
Zhang set up and managed the team’s CNE infrastructure.
Shi Qijiang / 石其江 (Chinese name)
Phone Numbers:
8613982290422 (associated with vivo.com)
8613439709218 (associated with multiple online services, including SF Express, YTO, and JD.com)
National ID: 110105197211131831
DOB: 13th November, 1972
Birthplace: Beijing, China
Sex: Male
Online Services:
JD.com
friend8899 (associated with 8613439709218)
SF Express
associated with 8613439709218 and address "Haidian District, Hanjiaguan Military Compound, Beijing"
YTO
associated with 8613439709218 and address "Haidian District, Hanjiaguan Military Compound"
Alipay
associated with 8613439709218
wxid_pzc1n845hh6aq2 (associated with 13439709218)
wxid_3q8v4kwuqcm2qd (associated with 13439709218)
Personal Information:
Address: Haidian District, Hanjiaguan Military Compound, Beijing
Contributions to Troop 61786:
Shi served on the team as a vulnerability researcher in support of their CNE requirements.
Shi has provided the team with vulnerabilities that were then utilized to exploit websites associated with the United States Government.
Wu Bi / 吴比 (Chinese name)
Phone Numbers:
8618319041629 (associated with China UnionPay)
National ID: 220322197903214796
DOB: 21st March, 1979
Birthplace: Jilin Province
Sex: Male
Email Addresses:
45662511@qq.com (associated with multiple online services, including QQ Groups, NetEase, and pipix.com)
wbisdragon@gmail.com (associated with forum.eviloctal.com and pipix.com)
wbisdragon@hotmail.com (associated with ccidnet.com)
Online Services:
QQ Groups (multiple groups with the username "Wu Bi" and "Wu Erbao")
NetEase (126.com / 163.com) (multiple accounts with the username "luckywubi")
pipix.com (multiple accounts with the username "luckywubi")
forum.eviloctal.com (username "luckywubi")
ccidnet.com (username "luckywubi")
Zol.com.cn (username "luckywubi")
Personal Information:
Address: Siping City, Lishu County, Jilin Province, and Shenzhen, Guangdong Province
IP Addresses:
123.116.146.58 (associated with forum.eviloctal.com)
123.116.144.141 (associated with ccidnet.com)
Contributions to Troop 61786:
Wu often provides hands-on-keyboard support to this team's CNE efforts as a CNO.
Xiao Feng / 肖锋 (Chinese name)
Email Accounts:
xiao@vip.qq.com (primary email address)
188589342@qq.com (associated with domain registration)
765800668@qq.com (associated with domain registration)
zjfblog@qq.com (associated with domain registration)
Phone Numbers:
8615110030883 (associated with multiple online services and domain registration)
8616673052122 (associated with China UnionPay)
8618780727337 (associated with domain registration)
National ID: 430723198505246014
DOB: 24th May, 1985
Birthplace: Hunan Province
Sex: Male
Domain Registrations:
53xinke.com (registered multiple times with different registrars and contact information)
cdwlzxx.com (registered with HiChina Zhicheng Technology Ltd.)
Usernames and Associated Services:
xiao1011 (Anjian.com)
xiaofeng6862 (JD.com)
xiaofeng6863 (JD.com)
xiaomin (JD.com)
776503455 (NetEase, zhenai.com, 766.com)
868123456 (houdao.com)
Personal Information:
Address: Changde City, Hunan Province, China (associated with China UnionPay)
Contributions to Troop 61786:
Xiao set up the team's infrastructure and conducted general scanning and reconnaissance activities. Xiao's specialties include VPN tunnels for infrastructure, building Python scripts for parsing and for handling various internet protocols, and using publicly available scanning tools for target research.
I was able to track the actors' "first hop" IPs from their source range by investigating forensic artifacts within their C2 infrastructure. The most notable IPs belong to China Telecom. I am almost certain China Telecom is aware of the nefarious activity being carried out via its networks.