How China's Top Digital Spies Got Outed by Facebook and Twitter

How's this for sweet social-media revenge in our brewing digital war with China? If it weren't for the strictness of the Chinese government's Internet firewall, security firm Mandiant might never have tied the online personas of the Chinese army's instantly notorious "Comment Crew" to real people. Within the watershed report covered by The New York Times today is this little nugget on how the hacker sleuths at Mandiant connected those personas to a Chinese People's Liberation Army building in Shanghai:

Mandiant discovered several cases in which attackers logged into their Facebook and Twitter accounts to get around China's firewall that blocks ordinary citizens' access, making it easier to track down their real identities.

In order to conduct their cyber-espionage on U.S. infrastructure and beyond, the Chinese army hacking group (known alternatively as Unit 61398, Comment Crew, Shanghai Group, and formerly as Byzantine Candor) must operate from infrastructure outside the so-called Great Firewall of China, the government filtering system that maintains strict control over which sites its citizens can visit. Because the Comment Crew operators control servers on the far side of that firewall, they can reach sites the Great Firewall generally blocks: Facebook and Twitter, for example, which allow for levels of free speech that the Chinese government doesn't like and can't easily monitor. And apparently the firewall overseen by China's Ministry of Industry and Information Technology, which spans multiple levels of government, can't even help the PLA keep tabs on its own digital spies. From the Mandiant report:

Additionally, the nature of the hackers' work requires them to have control of network infrastructure outside the GFWoC. This creates a situation where the easiest way for them to log into Facebook and Twitter is directly from their attack infrastructure. Once noticed, this is an effective way to discover their real identities.
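What that correlation looks like in practice, as an added illustration that is not from the article, the Times, Mandiant or the report: a defender (or a platform responding to a lawful request) holds two things, a list of hosts observed acting as the intrusion's hop points together with the period there is evidence the attacker held each one, and the source IPs of social-media logins. Joining the two on IP and time yields accounts that authenticated from attack infrastructure while the attacker controlled it. The time window matters because hop points are frequently compromised third-party machines, so a login from the same address months later says nothing. The IPs, account names, dates and evidence notes below are constructed sample data, and the function names are this example's own.

```python
"""Correlate social-media login records with attacker-held infrastructure.

Added example, not code from the article or from any of the firms it quotes.
All infrastructure, accounts and timestamps are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ControlWindow:
    """A host or CIDR seen as attacker hop point / C2, and when the attacker held it."""
    network: str
    start: datetime
    end: datetime
    evidence: str   # why we believe the attacker controlled it in this window


@dataclass(frozen=True)
class LoginEvent:
    """One authentication to a social-media account: who, from where, when."""
    account: str
    src_ip: str
    when: datetime


# Constructed: hop points observed during an intrusion and their control windows.
ATTACK_INFRA = [
    ControlWindow("203.0.113.10", datetime(2012, 3, 1), datetime(2012, 6, 30),
                  "C2 beaconing to this host seen in victim netflow"),
    ControlWindow("198.51.100.0/24", datetime(2012, 5, 10), datetime(2012, 5, 20),
                  "interactive RDP into victims from this range"),
]

# Constructed: login source records as a platform would hold them.
LOGINS = [
    LoginEvent("operator_a", "203.0.113.10", datetime(2012, 4, 2, 9, 15)),
    LoginEvent("operator_a", "203.0.113.10", datetime(2012, 4, 3, 9, 5)),
    LoginEvent("operator_b", "198.51.100.77", datetime(2012, 5, 12, 22, 40)),
    # Same host, but after the attacker lost it: must not be attributed.
    LoginEvent("bystander", "203.0.113.10", datetime(2012, 9, 1, 12, 0)),
    LoginEvent("unrelated", "192.0.2.5", datetime(2012, 4, 2, 9, 15)),
]


def attribute_logins(logins, infra):
    """Return {account: [(src_ip, when, evidence), ...]} for every login whose
    source address falls inside an attacker-held network *during* its control window."""
    hits = defaultdict(list)
    for ev in logins:
        ip = ip_address(ev.src_ip)
        for w in infra:
            if ip in ip_network(w.network) and w.start <= ev.when <= w.end:
                hits[ev.account].append((ev.src_ip, ev.when, w.evidence))
    return dict(hits)


def shared_source_ips(logins, max_accounts=5):
    """IPs used by more than max_accounts distinct accounts: likely NAT, VPN or
    proxy exits, where an IP match alone is weak evidence of identity."""
    accounts_by_ip = defaultdict(set)
    for ev in logins:
        accounts_by_ip[ev.src_ip].add(ev.account)
    return {ip for ip, accts in accounts_by_ip.items() if len(accts) > max_accounts}


def rank_accounts(hits, shared_ips=frozenset()):
    """Order candidate accounts by number of attributable logins, ignoring logins
    from addresses flagged as shared. Repeated logins are stronger than a single one."""
    scored = []
    for acct, evs in hits.items():
        n = sum(1 for ip, _, _ in evs if ip not in shared_ips)
        if n:
            scored.append((acct, n))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    found = attribute_logins(LOGINS, ATTACK_INFRA)
    for acct, n in rank_accounts(found, shared_source_ips(LOGINS)):
        print(f"{acct}: {n} login(s) from attacker-held infrastructure")
        for ip, when, why in found[acct]:
            print(f"    {when:%Y-%m-%d %H:%M} from {ip}  ({why})")
```

The two helpers encode the caveats an analyst would apply before treating an IP match as attribution: a login is only counted inside the window for which there is evidence of attacker control, and addresses that many unrelated accounts share are discounted, since a match there points at a shared exit rather than at a person.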

It's unclear whether the Comment Crew hackers logged on to Facebook and Twitter as part of their hacking or simply because their attack infrastructure was the easiest way to reach the social networks from in and around the PLA's "office" every day. But it's not the first social-networking trail left by the group now most closely connected with what's being called "an asymmetrical digital war" with China. Facebook also helped Dell SecureWorks track down the identity of another Chinese hacker, who may or may not have ties to the government, according to a Bloomberg Businessweek cover story from last week that began to lift the veil on a wider Chinese cyber attack on multiple U.S. organizations. SecureWorks' Joe Stewart discovered the personal details of a hacker later identified as "Zhang" through a business, registered by the hacker, that sold "likes" on Facebook and Twitter. From Businessweek:

Then Stewart discovered something much more unusual: One of the domains hosted an actual business—one that offered, for a fee, to generate positive posts and “likes” on social network sites such as Twitter and Facebook (FB). Stewart found a profile under the name Tawnya on the hacker forum BlackHatWorld promoting the site and a PayPal (EBAY) account that collected fees and funneled them to a Gmail account that incorporated the surname Zhang. Stewart was amazed that the hacker had exposed his or her personal life to such a degree.

That information ultimately led to the unmasking of this mystery Chinese hacker by someone else in the cyber-sleuthing world, a world we are just starting to learn about as it exposes China's spy campaign, and one that might just be getting a hand from China itself, in the form of its own firewall.