• The mysterious APT-hunting group Intrusion Truth reported that APT10 is linked to a Chinese intelligence agency.
• Intrusion Truth also named two Chinese individuals who are believed to have sourced hacker tools currently being used by China-based threat groups.

The China-linked APT10 group, also known as Stone Panda, is believed to have ties with a Chinese intelligence agency. The revelation comes after the mysterious APT-hunting group Intrusion Truth reported that Stone Panda is linked to China’s Ministry of State Security (MSS).

Intrusion Truth also named two individuals - Gao Qiang and Zhang Shilong - as being connected to APT10 and the MSS. Part of Intrusion Truth’s report was confirmed by security experts at CrowdStrike.

The researchers confirmed that the two individuals named by Intrusion Truth have links to an underground Chinese hacking forum that sourced hacker tools currently being used by China-based threat groups. CrowdStrike researchers also uncovered that Huaying Haitai, a Chinese firm named in Intrusion Truth’s report, “has been connected to a Chinese Ministry of Industry and Information Technology (MIIT) sponsored attack and defense competition”.

Uncovering connections

A previous Recorded Future report linked MSS to the China Information Technology Evaluation Center (CNITSEC). However, CrowdStrike believes that CNITSEC and MSS have a much more symbiotic relationship than previously thought. The researchers uncovered that CNITSEC’s former director WU Shizhong was also the director of technology at MSS. This indicates that MSS plays a significant role in China’s code review of foreign products. In other words, MSS has the unique ability to cherry-pick high-value targets and vulnerabilities.

“The exposure of STONE PANDA as an MSS contractor would be another blow to China’s current cyber operations given STONE PANDA’s prolific targeting of a variety of sectors, and may prompt an additional U.S. investigation at a tenuous time for Sino-U.S. relations during an ongoing trade war,” CrowdStrike researchers said in a blog. “However, it is important to note that such public revelations often force these actors to cease operations, improve their operational security (OPSEC), and then return stronger than before.”

Cyware Publisher