An anonymous group known as Intrusion Truth has published evidence that links an intelligence contractor working with the Chinese government to cyber-attacks that have been carried out by a cyber-espionage group known in the infosec community as APT3.
Intrusion Truth's findings — posted online between April 26 and May 9 — were confirmed yesterday by Recorded Future, a well-respected threat intelligence firm.
The blog posts published by Intrusion Truth [1, 2, 3, 4] reveal that Wu Yingzhuo and Dong Hao, shareholders at Boyusec — the Guangzhou Boyu Information Technology Company, Ltd — have registered many of the domains used in the infrastructure detected in past APT3 attacks.
APT3 is a nefarious hacking group that has been active since 2010. The group — also identified in the reports of various cyber-security firms as UPS, Gothic Panda, and TG-011 — has been tied to the theft of intellectual property from private businesses, but also to cyber-espionage with substantial political implications.
According to Intrusion Truth and Recorded Future, Boyusec is just one of the many cyber-security contractors the Chinese government is using to support its cyber-intelligence gathering operations.
The two say Boyusec reports to the Guangdong Information Technology Security Evaluation Center (Guangdong ITSEC), a local branch of the China Information Technology Evaluation Center (CNITSEC), an organization run by the Chinese Ministry of State Security (MSS). This hierarchical structure is well known and has been exposed before.
In its report, Recorded Future says it stands by its attribution of APT3 activity to Boyusec "with a high degree of confidence."
Finding Boyusec tied to APT3 activity is not a surprise. In November 2016, a Pentagon report unearthed a backdoor in equipment jointly developed by Boyusec and Huawei.
According to the Pentagon's Joint Staff J-2 intelligence directorate, US analysts also believe Boyusec was tied in some form or another to the Chinese government.
"[Boyusec is] closely connected to the [Ministry of State Security] and Huawei and they are developing a start-up program that will use malware allowing for capturing and controlling devices," the report read.
In the autumn of 2015, the US and China signed a pact restricting hacking between the two countries to cyber-espionage operations, leaving private businesses off limits. Following that pact, China's cyber-activities targeting the US have slowed down. In the past year, APT3 activity has been detected in Hong Kong, aimed mainly at activists supporting Hong Kong's political independence from China.