Intrusion Truth continues to deanonymize Chinese "government hackers." This is the fourth exposure to their credit, and this time Intrusion Truth tracked down 13 shell companies through which, they said, the government is recruiting hackers.
“APT groups in China have a common structure: they have hackers, contract specialists, shell companies, and intelligence officers,” said Intrusion Truth. “We know that several regions of China have their own APT.”
The anonymous whistleblowers have previously posted information about APT3 (allegedly operating in Guangdong), APT10 (Tianjin Province) and APT17 (Jinan Province). Now it is the turn of Hainan, the island that is China's southernmost province.
Intrusion Truth members write that they have identified 13 companies working as "fronts." These companies have the same contact information, share offices and have no Internet presence apart from nearly identical job postings seeking information security experts with offensive skills. Judging by the requirements for candidates, the companies are looking for specialists to form a red team and conduct cyber attacks.
The researchers managed to link some of these companies to a professor in the Department of Information Security at the University of Hainan. In fact, one of the firms is headquartered in the university library. Intrusion Truth members write that the professor is a former military man who earlier oversaw information security competitions at the university, where they were looking for new ways to crack passwords and offered large sums of money as prizes.
Although Intrusion Truth does not openly associate its research with a specific Chinese hack group, experts at FireEye and Kaspersky write that the group in question is APT40. According to FireEye, APT40 is a cyber-espionage-focused group active since 2013. It usually attacks countries of strategic importance to China's "One Belt, One Road" initiative.
I must say that Intrusion Truth has a very solid reputation. In 2017, when Intrusion Truth first announced that APT3 was hiding under the guise of Boyusec (a contractor of the Ministry of State Security of China), many found it hard to believe. But the anonymous whistleblowers' findings were soon confirmed by analysts at Recorded Future, and then the Department of Justice brought charges. The same thing happened after the publication of data on APT10: official charges against its members were brought in 2018.