Chinese Cybercrime Campaign Traced Back to One Man
An image from the English-language website of Sichuan University in Chengdu, Sichuan Province, southwestern China.
CREDIT: Sichuan University
A notorious malware campaign that infected hundreds of computers in Japan and India has been linked back to a former graduate student at a Chinese university — a rare instance in which a name and face is able to be attached to the dark underground world of Chinese hackers and state-sponsored cybercriminals.
Based on information presented by the security firm Trend Micro, the New York Times tied a string of online attacks aimed at Tibetan activists in Japan and India to Gu Kaiyuan, who attended Sichuan University in Chengdu, China. Gu, the Times said, is now an employee at Tencent, a leading Chinese Internet portal company.
Contacted at Tencent, Gu told the Times, "I have nothing to say."
In the Trend Micro report, "Inside an APT Campaign with Multiple Targets in India and Japan," researchers tracked the "Luckycat" campaign, which has been active for nearly a year and has compromised 233 computers in 90 separate malware attacks.
These attacks came to light recently when it was found that Mac malware targeting Tibetan protestors was being spread through rigged Microsoft Word and Office documents exploiting Java and Adobe vulnerabilities to open backdoors on targets' computers. Once the Trojan took hold, it intercepted information and transmitted it back to remote command-and-control servers.
The Luckycat campaign's targets include the aerospace, military, energy, shipping and engineering industries, as well as Tibetan activists and organizations. Given its technical similarities, Luckycat is believed to be a continuation of ShadowNet, also known as GhostNet, a Chinese cybercrime campaign that has been targeting Tibetan activists as well as the Indian government since 2009, Trend Micro said.
Trend Micro connected the email address used to register one of the command-and-control servers to a hacker using the name "dang0102." Researchers found that "dang0102" — he also went by "scuhkr," shorthand for Sichuan University hacker — published posts in a well-known hacker forum, XFocus, and recruited two to four people to join a research project at Sichuan University's Information Security Institute in 2005.
Using online records, the Times connected "scuhkr" to Gu, who studied at Sichuan University from 2003 to 2006.
Sichuan University receives government funding for its computer network defense research, the Times said, giving credence to the widespread reports that the Chinese government sponsors its hackers.