APT-doxing group exposes APT17 as Jinan bureau of China's Security Ministry

Intrusion Truth's previous two exposes -- for APT3 and APT10 -- resulted in DOJ charges. Will this one as well?
Written by Catalin Cimpanu, Contributor

Intrusion Truth, an online group of anonymous cyber-security analysts, have doxed another cyber-espionage hacking group linked to the Chinese government.

This is the third Chinese cyber-espionage group (also known as an APT, or advanced persistent threat) that Intusion Truth has doxed in as many years.

They previously revealed the secret identities of individuals part of two Chinese hacker groups in May 2017 and August 2018 -- namely APT3 and APT10.

Those revelations resulted in the Department of Justice (DOJ) indicting some of the group's members in November 2017 and December 2018, respectively.

Another year, another Chinese APT dox

Now, Intrusion Truth is back with another series of exposés. Over the past week, the shadowy white-hat group has published details about three individuals it believes are behind APT17.

APT17 is a codename -- together with Deputy Dog and Axiom -- that cyber-security firms have assigned to the group of hackers responsible for a series of similar cyberattacks that have happened in the early 2010s [1, 2, 3, 4, 5], and which have targeted everything from private companies to government agencies, in countries all over the world.

Intrusion Truth has now doxed a man running four Chinese companies and believed to be an officer of the Chinese Ministry of State Security, along with two hackers [1, 2], both who are believed to have worked for the named companies.

The thing the three have in common is their location in the city of Jinan, the capital of China's Shandong province.

According to Intrusion Truth, these three individuals are some of APT17's members, and they are allegedly operating as contractors for the Jinan bureau of the Chinese Ministry of State Security (MSS), for which they carried out on-demand hacking operations.

MSS involvement is not a shocker anymore

Intrusion Truth's assertment that "APT17 is run by the Jinan bureau of the Chinese Ministry of State Security," isn't actually a novel or shocking concept anymore.

In 2017, when Intrusion Truth first made its bold claims that APT3 was a company named Boyusec, a Guangdong contractor for the Chinese Ministry of State Security, the cyber-security world had a hard time believing their claims.

Nevertheless, a few months later, cyber-security firm Recorded Future independently confirmed Intrusion Truth findings -- which later resulted in DOJ charges, giving the group immense credibility.

At the time, Recorded Future's report described the MSS internal structure, and how the Chinese government was using a network of local MSS branches in major provinces to hire independent contractors to conduct hacking against foreign companies and government networks.

Chinese Ministry of State Security hierarchy

This hierarchical structure was well known and has been exposed before, by scholars, years before the cyber-security community even caught on.

Image: Recorded Future

Taking into account these details, Intrusion Truth's latest exposé that APT17 is run by a local MSS bureau isn't such a shocker as it was back in 2017.

After the APT3 and APT10 exposés, people aren't wondering if Intrusion Truth is right anymore. The question on everyone's lips is if the DOJ will follow through with new indictments, as it did in previous years.

A constant hum from Chinese hackers

But while the cyber-security world waits for new charges, Chinese hackers are continuing their hacking sprees, unabatted by both past DOJ charges or name-and-shame strategies.

Today, newspapers in France and Germany revealed two massive Chinese hacking operations, which, even if not connected to APT17, show China's incredibly vast cyber-espioange aparatus.

In France, L'Opinion revealed how Chinese hackers broke into the email accounts of a French candidate for the leadership of the UN Organization for Agriculture and Food (FAO) days before the official election, which was eventually won by the Chinese diplomat.

In Germany, journalists revealed a barrage of cyber-attacks aimed at Germany's biggest companies, such as Siemens, Bayer, Rouche, Thyssenkrupp, Teamviewer, Valve, Gameforge, and more.

The world's most famous and dangerous APT (state-developed) malware

Related cybersecurity coverage:

Editorial standards