This post is a republishing of an article from ITworld Morning Countdown
It turns out that Chinese cyberspies love Facebook, too. February 19, 2013, 1:10 PM. By Dan Tynan
Our nation is under attack by an army of Chinese hackers. But even they managed to get outed by their own social media accounts.
Yesterday the New York Times published a blockbuster report on how deeply Chinese spies have insinuated themselves into more than 140 companies, most of them in the United States and Canada, including some connected to the power grid.
The Times story was based on an early copy of a report released today by Mandiant, a security firm hired by the Times and other major corporations to ferret out attacks on their networks. That report reads like a spy novel, full of twists and turns about the activities of one Chinese Army unit of cyberspies in particular, which Mandiant calls Advanced Persistent Threat 1 (APT1) but which is better known in security circles as the "Comment Crew," after the group's habit of hiding command-and-control instructions inside HTML comments on compromised web pages. Mandiant also released a five-minute video that captures three Chinese cyberspooks as they're pwning various corporate systems:
Here's the part I find funny. Mandiant managed to identify three of the hackers by their handles: UglyGorilla, SuperHard, and D0Ta. And it did so, in part, by tracking them down on Twitter and Facebook.
Of course, services like Facebook, Twitter, and Google are blocked by the Great Firewall of China. But the army hackers working within the Datong Road compound just outside Shanghai are not encumbered by China's Internet censors. So they used Gmail, Facebook, and Twitter to communicate, and that helped Mandiant track down their identities. Per the report:
Like many Chinese hackers, APT1 attackers do not like to be constrained by the strict rules put in place by the Communist Party of China (CPC), which deployed the GFWoC as a censorship measure to restrict access to web sites such as google.com, facebook.com, and twitter.com. Additionally, the nature of the hackers’ work requires them to have control of network infrastructure outside the GFWoC. This creates a situation where the easiest way for them to log into Facebook and Twitter is directly from their attack infrastructure. Once noticed, this is an effective way to discover their real identities.
D0Ta, for example, had at least one Facebook account, though it’s unclear what he or she used it for – probably spear phishing or some other form of targeted social engineering attack. (It still exists as I write this, but it’s entirely blank.)
The hacker known as UglyGorilla is also a member of several Chinese social networks, while SuperHard liked to log onto black-hat forums to advertise his hacking skills for hire. Using the information the Chinese hackers deposited in each place, and in particular the email addresses they used to register for accounts, Mandiant was able to piece together their identities and possibly their real names.
UglyGorilla's name is probably Wang Dong, Americanized to Jack Wang. SuperHard is most likely Mei Qiang, also a somewhat common name. D0Ta's real identity is less certain.
Mandiant didn't have to use super-sleuthing abilities to ferret out these identities. It used Google and a few tricks commonly used by investigative reporters. Thanks to an Anonymous hack of the hacker site rootkit.com in February 2011, Mandiant discovered that one of rootkit.com's members used the email address UglyGorilla@163.com. That handle matched one used to leave comments on security forums as well as signatures found within malware code. The email address in turn led to various forums where it had been used to register one Jack Wang.
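The pivot the report describes (a handle seen in malware strings matches a handle in a leaked forum database, whose registration email matches a social-network registration carrying a name) is a graph walk over shared identifiers. The following is an added example, not Mandiant's tooling or anything from the report: it builds an index of identifier values across several constructed data sources and walks from a starting handle to every record linked to it. All handles, addresses and names in it are invented placeholders, and the source names and record fields are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample records. Every handle, address, name and hash below is
# invented for illustration and corresponds to no real account or person.
SOURCES = {
    "leaked_forum_db": [
        {"handle": "uglyape", "email": "uglyape@example.net"},
        {"handle": "bystander", "email": "bystander@example.org"},
    ],
    "malware_strings": [
        # a handle left in a PDB path or author string inside a sample
        {"handle": "uglyape", "sample": "sha256:0000deadbeef"},
    ],
    "social_registration": [
        {"email": "uglyape@example.net", "name": "J. Doe", "handle": "jdoe88"},
    ],
    "security_forum_posts": [
        # unrelated record: shares nothing with the starting handle
        {"handle": "bystander", "email": "other@example.com"},
    ],
}

# Fields treated as pivotable identifiers. Names are deliberately excluded:
# a common name is not a link on its own, which is why the page hedges with
# "possibly their real names".
PIVOT_KEYS = ("handle", "email")


def build_index(sources):
    """Map every (field, value) identifier to the records that carry it."""
    index = defaultdict(list)
    for source, records in sources.items():
        for rec in records:
            for key in PIVOT_KEYS:
                if key in rec:
                    index[(key, rec[key])].append((source, rec))
    return index


def pivot(sources, start_key, start_value):
    """Breadth-first walk from one identifier across all records sharing any
    pivotable identifier with it. Returns the set of identifiers reached and
    the list of (source, record, via_identifier) hits, each record once."""
    index = build_index(sources)
    seen = {(start_key, start_value)}
    visited_records = set()
    queue = deque([(start_key, start_value)])
    hits = []
    while queue:
        ident = queue.popleft()
        for source, rec in index.get(ident, []):
            if id(rec) in visited_records:
                continue  # already reached through another identifier
            visited_records.add(id(rec))
            hits.append((source, rec, ident))
            for key in PIVOT_KEYS:
                if key in rec and (key, rec[key]) not in seen:
                    seen.add((key, rec[key]))
                    queue.append((key, rec[key]))
    return seen, hits


def candidate_names(hits):
    """Names attached to any linked record: leads to verify, not proof."""
    return {rec["name"] for _, rec, _ in hits if "name" in rec}


def sources_touched(hits):
    return {source for source, _, _ in hits}


if __name__ == "__main__":
    identifiers, linked = pivot(SOURCES, "handle", "uglyape")
    for source, rec, via in linked:
        print(f"{source}: {rec} (reached via {via})")
    print("candidate names:", candidate_names(linked))
```

The walk stops at records that share no identifier with the cluster, so the unrelated "bystander" records stay out. Two things a practitioner should keep in mind: identifiers can be reused or coincidentally shared (a handle registered by different people on different sites, a throwaway address), so each link needs to be checked against the source it came from, and the name at the end of the chain is a lead for further verification rather than an attribution.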
The moral here: If Chinese cyber spooks can get exposed via their social media connections, what chance have you and I got?
Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he'll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to's, follow ITworld on Twitter and Facebook.