Intrusion Truth uncovers APT 17

Intrusion Truth, a group of anonymous cyber-security researchers, has published what it says is the identity of the people behind the advanced persistent threat (APT) group tracked as APT 17, also known as Deputy Dog and Axiom. The group has been involved in intrusions at private companies and government agencies throughout this decade. Researchers at Cisco Talos attributed the CCleaner supply-chain attack to APT 17: the attackers compromised CCleaner and its software download service and used the trojanized installer to deliver the Floxif trojan, a backdoor (not ransomware), to selected private companies.

APT 17 is the third cyber-espionage group Intrusion Truth has unmasked, after APT 3 and APT 10. The group has built a reputation for identifying the people behind some of the more prominent cyber-espionage operations. Its method is doxing: collecting and publishing personal data about its targets, such as names, addresses and phone numbers (criminal doxers also publish credit card details). Criminals use doxing for coercion. Here it is used to increase the pressure on the APT group and to make it easier for charges to be brought against the named individuals.

Intrusion Truth's conclusion is that APT 17 consists of a man believed to be an officer of the Chinese Ministry of State Security (MSS), who owns four shell companies, together with two hackers. All three operate from Jinan, the capital of China's Shandong province. Intrusion Truth also identified the front companies behind the operation: Jinan Quanxin Fangyuan Technology Co. Ltd., Jinan Anchuang Information Technology Co. Ltd., Jinan Fanglang Information Technology Co. Ltd., and RealSOI Computer Network Technology Co. Ltd. It named the individuals as well. According to Intrusion Truth, the MSS officer is Guo Lin. The two hackers are Wang Qingwei, a representative of Jinan Fanglang, and Zeng Xiaoyong, the person behind the online handle envymask. Intrusion Truth summed up its case as follows:

“Either, one of the authors of code in APT17’s primary malware just happens to be associated with a series of Cyber Security outfits that claim the MSS as their clients and are coincidentally managed by an MSS Officer. Or, MSS Officer Guo Lin of the Jinan bureau of the Ministry of State Security manages APT17.”

What’s next?

When Intrusion Truth claimed in 2017 that APT 3 was a company named Boyusec working for the Chinese Ministry of State Security, many dismissed this as a mere allegation. Only when Recorded Future reached the same conclusion, and described the MSS's internal structure and how the Chinese government uses a network of officers in provincial bureaus to hire contractors to hack foreign companies, did the InfoSec community take note. The APT 10 attribution was accepted more readily. With APT 17 now named, the obvious question is whether the claim is right. The unsatisfying answer is that the US Department of Justice may indict the named individuals, as it did in the earlier cases. An indictment makes it risky for those behind APT 17 to travel outside China's borders, but in practice they will never be brought before a US court.