Netizen Research Bolsters APT1 Attribution
In the week since we released our report on APT1, we have observed an amazing response, not only in the media but also by individuals who have taken the data we provided and conducted their own research. We are excited to see people using our data, both for online research and for their network defense. In this post we want to highlight and summarize information that others have discovered.
1. The phone number used by the APT1 DOTA persona was also a contact phone number for an apartment rental advertisement in 2009. This apartment is 600 meters away from the Unit 61398 headquarters building and further links the DOTA persona to that location.
Chinese-speaking netizens disclosed on Twitter that the phone number we associated with DOTA (159-2193-7229) was also the contact phone number listed at http://shanghai.favolist.com/05953558.shtml. This page is a rental advertisement dated 2009-10-09 and shown in Figure 1 with the phone number underlined. Figure 2 is an English translation of the advertisement title and body.
The apartment complex name, Yixinyuan (怡心苑), the location Waigaoqiao, and the description “about a 10-minute walk away from Gangcheng Road subway station” together pinpoint the apartment complex to be at Huashan Road 609 Long, Pudong, Shanghai, China, according to the Yixinyuan website at http://yixinyuan021.soufun.com. This apartment complex is only a 600-meter walk away from the Unit 61398 headquarters building, as depicted in Figure 3.
We observed DOTA/APT1 using the phone number in June 2011 and again in September 2011, showing that the number was not a simple “throw-away” number registered for one-time use. The date of the advertisement and the date we observed DOTA using the phone number are separated by over one and a half years. It is plausible that DOTA (or someone in APT1) worked for Unit 61398, lived in the Yixinyuan apartment complex and wrote this advertisement. The remaining possibilities seem significantly less likely, including:
- The phone number did not belong to APT1 in 2009, and it is a coincidence that the user of the phone at the time was associated with an apartment so close to Unit 61398.
- A member of APT1 lived 600 meters from Unit 61398, but APT1 is not Unit 61398.
- APT1 is not operating in Pudong but is intentionally trying to frame Unit 61398 or a Pudong-based organization. In 2011, someone in APT1 saw the rental advertisement from 2009 and configured a phone to successfully accept text messages to the phone number in the advertisement on multiple occasions.
2. The APT1 SuperHard persona may have been a student at the PLA’s Information Engineering University, one of the Chinese military’s premier training grounds for computer network operations.
On his blog, Cyb3rsleuth disclosed a person using the username “Superhard_M” and the email address email@example.com. In a job profile, this person “mentions that his interests are network security and developing hacking tools.” This person’s address in 2005 was listed as “Henan Zhengzhou 1001 mailbox 774”. Cyb3rsleuth noted this address “belongs to the famous PLA Information Engineering University [and] implies he was a student at PLAIEU.” Furthermore, a person named Mei Qiang (梅强) co-authored two papers in 2007 and 2008 that are associated with the PLAIEU. The papers are titled “HTTP Session Hijacking on Switch LAN and Its Countermeasures” and “Stack Protection Mechanisms in Windows Vista”. In a 2012 report prepared for the U.S.-China Economic and Security Review Commission, Northrop Grumman analysts noted, “The PLA Information Engineering University (PLAIEU), located in Zhengzhou, Henan Province, is perhaps the military university with the most comprehensive involvement in information warfare and computer network operations training, planning, and possibly also execution.” This information is consistent with the APT1 SuperHard persona, and given SuperHard’s development skills, it would not be surprising if SuperHard was trained at the PLAIEU.
3. The APT1 UglyGorilla persona may have been a student at Shanghai Jiaotong University in 2004.
Cyb3rsleuth also disclosed that a person with the username “uglygorilla” was logged as “on station 2 times” by the Shanghai Jiaotong University (SJTU) bulletin board system in August 2004. This person logged in from the Shanghai IP address 22.214.171.124. Other people may use the name “uglygorilla” and this may not be the APT1 UglyGorilla persona. However, if it is, it would indicate that he was probably a student at SJTU when he posed his question about Chinese cyber troops to Zhang Zhaozhong.
4. In 2004, Unit 61398 was located in Pudong, Shanghai and was recruiting computer science students from Zhejiang University.
An article published in the China Digital Times disclosed a 2004 recruitment notice on the Zhejiang University website advertising, “Unit 61398 of China’s People’s Liberation Army (located in Pudong District, Shanghai) seeks to recruit 2003-class computer science graduate students.” This corroborates our assertions concerning the kinds of personnel that Unit 61398 recruits. This also indicates Unit 61398 has been operating in Pudong since 2004, even though the current headquarters facility was not built and operational until years later.
Finally, our thanks to Wendy Nather, who expanded on our Occam’s Razor arguments in her Idoneous Security blog. We appreciated the entire blog post, but especially these closing words:
From what Mandiant has presented, the simplest explanation is the one it’s offering. It’s politically explosive, of course, and that’s why belief comes into play. But if you have to do more work to deny something than to accept it, you might want to reconsider your chain of logic.
 We are aware Marketplace reported that they called the phone number and reached someone unaffiliated with Unit 61398 or hacking activities. Marketplace said in the podcast that they called the number that the narrator said. This is when we discovered an unfortunate typo in the video narration script, which read “7729” instead of “7229” that was on the screen. The number was correctly published as “7229” in our main report.