ARE RUSSIAN CYBERCRIMINALS OFFERING HACKING SERVICES IN CHINA ?

On July 27, 2020, a group of threat actors published a post in the advertisement section of a prominent Chinese Darknet marketplace offering hacking services. Hacking-as-a-service offers appear frequently on Chinese underground platforms, and many actors publish these services – accompanied by varying degrees of details – on both Clearnet hacking forums and Darknet marketplaces. However, what makes this offer unique is the identification of the actors, who claim to be Russian.

WHAT INDICATES THAT THE HACKERS ARE REALLY RUSSIAN ?

  1. Several linguistic features suggest the actors are indeed non-native Chinese speakers. First, they use anachronistic vocabulary and terms rarely seen in contemporary Chinese online chatter, which is common on these forums. Two examples are the use of the term 万维网 for “World Wide Web,” and the rare version of the word “hacker” 骇客 (pronounced haike, instead of the commonly used term 黑客, pronounced heike); Second, some sentences are oddly phrased, using a combination of wrong vocabulary and/or unnatural syntax or formulation, giving the impression the text was translated from a foreign language, possibly via a machine-translation tool; Third, there are linguistic inconsistencies in the group’s posts on the forum: whereas most of the posts are written in simplified Chinese characters, used in mainland China, one is written in traditional Chinese characters, used in Taiwan and Hong Kong – this transition by the same writer is very uncommon. Furthermore, different variations of the same word or term are used simultaneously in the same post.
  2. Contact details include several Telegram, QQ and Jabber accounts, with the former two widely used by Chinese cybercriminals and hackers selling their services. However, in addition to those, they also offer their services via Yandex email service, which is rarely used outside of Russia and the former Soviet Union countries, and even less so by Chinese users. This corroborates the assumption that these actors are not Chinese, and may indeed be Russian, as they claim to be.
The post from July 27, offering “high quality hacking services”, as appeared on the Chinese Darknet marketplace. The sentence highlighted in yellow reads: “we come from Russia”. Source: Verint LUMINAR

THE THREAT ACTORS’ OFFERING

The hacking services on offer are listed in more detail in another post by the same threat actors, published on this marketplace on June 15, 2020. The list of services includes:

  • Web penetration and data extraction. The actors state they have mastered the structure and special features of the main database types, such as MySQL, MSSQL, Oracle and PostgreSQL.
  • Obtaining web shells by exploiting major vulnerabilities, such as CMS, WP and Joomla, among others.
  • Cracking of software and encrypted files; secondary packaging and unpacking.
  • Software and source code secondary development.
  • Various web security-related services, such as penetration tests, code design, vulnerability scanning, emergency response, alerts and web security training, among others.
The post from June 15 listing the services this group offers. Unlike other posts by these actors, this post was written in Traditional Chinese characters. Source: Verint LUMINAR

In addition to these two posts offering hacking and web-security services, in two other posts from May and June 2020, these actors also offer for sale, bots for boosting the number of “friends” and “followers” on social media networks, as well as SMS-bombing services and tools.

Finally, in recent months, we have noticed an increasing trend of Chinese threat actors operating on non-Chinese platforms. They typically use their linguistic skills and familiarity with Chinese underground platforms to make easy profits by offering data sold exclusively on Chinese platforms (usually Darknet marketplaces and Telegram groups) on English-language platforms outside China for a higher price. However, it is highly unusual to see non-Chinese actors actively operating on Chinese-language platforms. If the actors’ claim of being Russian is indeed correct, this is a relatively novel and unusual phenomenon worth noting.

PERSONAL DATA OF TAIWAN’S ENTIRE POPULATION FOR SALE

A May 2020 media report disclosed that a Taiwanese database containing personal data from over 20 million citizens (Taiwan’s entire population) was posted for sale on the Dark Web. According to researchers, the source of the leak is governmental and originates from the Department of Household Registration, under the Ministry of Interior.

The sale offer was posted on May 19, 2020 in an English language underground Dark Web marketplace. The seller indeed claimed the database contains data of the entire country’s citizens and attached a sample where one can see each line in the database is arranged by full name, landline number, ID number, home address and sex. The seller has offered to sell the database for US$ 2,500.

Taiwan’s Population Database for Sale
Source: Verint Luminar

NOT THE FIRST TIME WE’VE SEEN SUCH AN OFFER

Although this database leak was defined by the above reports as unique, this is not the first time we have seen an offer for a database consisting of personal information for the entire population of Taiwan. In Chinese sources, such offers have appeared since August 2018 at least. Our findings, detailed below, may imply the database offer is in fact a resell of a previous database offered several times in the past in Chinese underground sources. These findings show the flow of data from one underground arena to another and stress the importance of multi-language monitoring across various sources to get a full picture of the origins of leaked databases.

THE TAIWANESE DATABASE ON THE CHINESE DARK WEB

Our first indication of a Taiwanese population database was in August and September 2018. In August 2018, an offer appeared on the Chinese Darknet marketplace to sell a Taiwanese population database consisting of the full names, landline numbers, gender and home addresses of 21,141,314 people.

Taiwan’s Population Database for Sale, August 2018
Source: Chinese Dark Web marketplace

About a month later, an actor who has offered several other major database leaks on the same Chinese language Darknet marketplace (including the Marriott database), offered a full database of the Taiwanese population, consisting – according to him – of approximately 25 million lines of data, claiming the data was updated to September 2017.

Taiwan’s Population Database for Sale
Source: Chinese Dark Web marketplace

Since then, similar offers have occasionally appeared in both the Darknet marketplaces and other underground chat groups operating on Telegram.

SIMILARITIES BETWEEN LEAKED SAMPLES SHARED ON THE DARK WEB

According to our research, the last time a similar offer was published was January 2020, when an actor on a Chinese Darknet marketplace offered a 25 million line Taiwanese population database containing – once more by that order: full names, landline telephone numbers, ID numbers, home addresses and sex. The actor also attached a short sample to prove the authenticity of the database. According to the marketplace’s inner data, this transaction was completed twice, meaning two different actors have purchased the database since. Of note, the same actor also offered the same database in April 2019, attaching a similar sampler. The two screenshots below show the two offers, from January 2020, and April 2019.

Offer to Sell Taiwan’s Full Population Database, Containing ~25 million Lines, January 2020. Source: Chinese Dark Web Marketplace
Similar Offer from the Same Actor, April 2019
Source: Verint Luminar

The two samples attached to the offers – the two Chinese posts from April 2019 and January 2020 and the English post from May 2020 – show different names but look strikingly similar. The pattern of the data is identical, and it is arranged in the exact same order: full name, landline number, ID number, home address and sex. Furthermore, the current seller admitted he obtained the data in 2019, which is in line with the date the same offer was published on a Chinese marketplace.

All the above leads us to conclude the current offer of the Taiwanese population database is an attempt to resell the same database leaked in the past in Chinese underground platforms. As the asking price for the data sold on the Chinese platform was merely US$ 200, whereas he offered the same database for US$ 2,500, we believe it is highly probable this actor acquired the database on the Chinese marketplace and then tried to make an easy profit from actors operating on other platforms who do not have access to the Chinese marketplace and/or cannot read Chinese.

THE SELLER HAS OTHER ACTIVITIES ON THE DARK WEB

According to our analysis, the seller was seen operating under the same nickname on a Chinese Telegram underground chat group, a Russian Clearnet hacking and fraud forum, and two English-language Darknet forums.

In all instances, he offered credit card user data from China Industrial Bank containing over 460,000 lines. In one of the offers seen below and posted on the English-language forum, the actor quoted a price of US$ 380 for the database.

The China Industrial Bank Credit Card User Database offered on a Chinese Underground Telegram Group
A Similar Offer by the Same Actor Posted on an English-language Darknet Forum for US$ 380
Source: Verint Luminar

BUY IN ONE LANGUAGE, RESELL (FOR A NICE PROFIT) IN ANOTHER

As in the case of the Taiwanese population database, the China Industrial Bank database offered by this actor appeared before in Chinese underground platforms. In March 2020, the offer was posted on a Chinese Darknet marketplace for US$56 (see first screenshot below.) According to this marketplace’s inner data, it was sold 21 times. A month later, in April 2020, it was also offered on a Chinese-language underground Telegram group (see second screenshot below.) This demonstrates a similar modus operandi by this actor, and presumably by many other actors who operate across various, multi-language platforms: acquiring databases in one language (Chinese) and reselling them at higher prices on platforms in other languages.

The Chinese Industrial Bank Database offered on a Chinese Darknet Marketplace, March 2020
The Same Database offered on a Chinese Telegram Group, April 2020. Source: Chinese Darknet Marketplace

Best Hacking Tools of 2019 – The Chinese Annual Hit List

The human fondness for annual lists ranking the “best of” apparently does not skip the Chinese hacking world. A post on a prominent Chinese hacking forum, published on the afternoon of December 29, 2019, has gained much recognition and popularity both inside and outside the forum in recent weeks. The post, written by the forum’s admin and named “2019 year-end hacking tools inventory,” lists the 30 “most outstanding” hacking tools for 2019, as recommended for the forum’s members.

Starting hours after its initial publication, and continuing for several days thereafter, the post was copied to other Chinese forums, as well as to web security blogs and web security sections in popular Chinese portals. Within the forum itself, it has attracted dozens of supportive comments, most of them praising and thanking the forum’s admin for his “contribution to the community.” This post is part of a larger tendency in Chinese hacking forums, where lists of hacking tools intended for novices who use these forums as learning platforms are becoming increasingly prevalent and popular.

China_Cobalt-Strike

The original forum post, showing the first tool on the list – Cobalt Strike

A Diversified Collection

The list contains 30 tools ranked according to their “superiority”, efficiency and utility. Most of the tools on the list (22) are of non-Chinese origin, whereas the rest (8) seem to be original Chinese creations. Although the original post does not provide links for downloading the tools, most are easily traceable and accessible for downloading on the web. The non-Chinese tools are widely available either from the official or designated website of the developer or on GitHub, whereas most Chinese tools are available either on GitHub or on local Chinese web platforms.

Not all recommended tools on the list are attack tools per se. On the contrary, some are legitimate tools, published as commercial programs by established companies, aimed at increasing users’ awareness and protection levels against vulnerabilities. Others are penetration testing tools, aimed at improving users’ web security protection. However, some are primarily attack tools providing framework for conducting brute-force attacks, DDoS attacks and phishing, among other malicious activities. Furthermore, many of the ‘tamer’ tools presented in the original post, such as vulnerability scanners, penetration testing or intelligence collection tools, can be used by threat actors to detect vulnerabilities among potential victims. That point is also stressed in the description of tools inside the post, which implies the potential use of basically defensive tools as attack accessories. Although many of the non-Chinese and a few of the Chinese tools listed in the post are slightly outdated, and were originally uploaded to GitHub or other platforms well before 2019, the post demonstrates that some members of the Chinese hacking community are well-versed in the hacking world outside China and make use of platforms and tools published abroad. Moreover, a fair amount of the original Chinese tools listed in the post were also uploaded to GitHub, a non-Chinese platform, which may imply an outbound approach of some members in the Chinese web security and hacking community.

GodOfHacker – The #1 Chinese Magic Hacking Tool

Of the original Chinese tools listed, the one that grabbed the number one ranking (and third overall) is a tool named GodOfHacker. This tool was uploaded to GitHub about a year ago by a Chinese prolific user, who frequently uses slang and curse words to describe his creation’s traits. Both in the forum post and on GitHub, the program is portrayed as an all-purpose “magic-tool” for hackers, which “combines all sorts of first-class hacking techniques that cover a wide range of functions.” Its uniqueness is that all its features are available using “one-click.” The program is described as highly customized and one that possesses various powerful plug-ins that can be used to “enrich” its functions .

GodOfHacker

Screenshot of the 1st section of the program “the comprehensive section for fucking websites”

The program is divided into several sections or columns, each with numerous features. The first section is called “Comprehensive Section for Harming [or, using the original word “fucking”] Websites”, and its features are as follows, to name a few:

  • Performing one-click attacks or one-click zero-day attacks based on domain names or IP defined by the attacker.
  • Carrying out one-click attacks by choosing a specific vulnerability defined by the attacker.
  • Defacement, DDoS, knocking down websites’ backend, gaining full admin rights and implanting Trojans, all by one-click.
  • Knocking down batches of web pages on either Baidu or Google, getting free access online.
  • Stealing QQ accounts/numbers, using QQ virtual coins, using [website] membership rights, making free phone calls and charging phone/SIM cards.
  • Gaining access to intranets, surpassing the Great Firewall of China (the Chinese government’s Internet censorship tool), gaining access to gambling arenas in Macao and an IP location finder.
  • Damaging educational systems, “mining” for vulnerabilities, publishing vulnerabilities, reading internal memory, all be one-click.

The second section is called “Cracking” and features the following functions:

  • One-click cracking and source-code reversing based on file type.
  • One-click code annotation (AI), system activation, system penetration and POC generator (for penetration testing purposes).
  • One-click mobile application cracking, gaming and localization [into Chinese].

The third section features several functions related to Hacker CTF (“Capture the Flag”), a game designed to provide a tutorial environment for students of hacking techniques. The fourth section provides features related to WiFi, including one-click WiFi scraping, WiFi middle-man attacks and access to mobile devices’ picture galleries. In addition, this section also has features such as one-click fake-base station [FBS] attacks (where devices connected to a cellular network are made to connect to it to gather information from those devices), WiFi eavesdropping and WiFi phishing. The fifth section, named “Hardware,” features functions such as harming ATMs, harming unmanned machines, stealing bank cards and charging them and other types of cards.

The tool contains several plug-ins (including using txt and exe files as plug-ins) and supports various languages, such as C/C++, Java, Python, Ruby, JavaScript, php and more.

GodOfHacker-2

The plug-in section of the program, showing how a certain IP address is entered by the user and then given the option to conduct tests in English, Chinese or Japanese or to perform brute-force attacks against the site’s backend

Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches

In recent weeks, we have identified a growing awareness on Chinese security blogs and mainstream media, to the existence of the Darknet, and the activities of Chinese users on its platforms. The focus is mostly on the sale of leaked data, mainly of Chinese citizens. One of these leaks pertained to the Huazhu hotel group, and was one of two major data breaches that occurred simultaneously in China, raising awareness to this issue. The second breach was the database of SF Express, a delivery service company based in Shenzhen, Guangdong Province. Continue reading “Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches”