Security researchers have provided new clues linking Chinese hackers behind recent widespread cyber attacks to China’s southeastern Guangdong Province.
Researchers working for a major security firm identified two state-sponsored Chinese hacking groups that were behind recent cyber attacks on a U.S. air carrier and two European corporations.
Investigators said “the activities initially seemed to correspond with the actors known as Wekby and the actors known as Deep Panda.”
“However, we remained convinced that the actors are potentially part of the same group or collaborate in the same overarching campaign,” the investigators stated in a report.
One attack was carried out through an IP address hosted by the Shenzhen Yi Yun Network Technology Co./EGI hosting.
Additionally, the security firm CrowdStrike has identified several IP addresses it has linked to Deep Panda as connected to Chinanet, the state-run Internet service, in Guangdong. Another IP address linked to Chinese cyber attacks was traced to a Chinese hacker identified as “jiangdayou,” believed to be operating out of Guangdong. An Internet domain, foundations.ssl, was linked by CrowdStrike to Deep Panda, and foundationssl.com is registered to a “li ning” in Guangzhou Shi, Guangdong province.
The domain gicp.net, used for several subdomains that are part of Deep Panda attacks, is registered to a “lin jianliang” in Guangdong; gicp.net was in the past hosted by a service called Take2/Exhera at an address in Guangdong.
Other Chinese hackers used cyber infrastructure connected to China Mobile Communications Corp. that is operated by Guangdong Mobile Communication Co. Ltd.
The researchers also discovered that state-sponsored Chinese hacking groups had used seven American computer services companies to provide web services for the attacks.
The use of American servers by the Chinese appears part of efforts to thwart U.S. intelligence agencies from attributing the attacks to Beijing.
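The attribution described above rests on infrastructure overlap: IP addresses sharing a hosting provider, domains sharing a registrant, and domains resolving to already-known addresses, all of which happen to concentrate in one region. The script below is an added example, not code from the article or from any of the firms it cites. It takes constructed indicator records (placeholder IPs, domains, registrants and ASNs, none of them real) with WHOIS/ASN-style metadata, links indicators that share a registrant or ASN or are tied by DNS resolution, and reports where each resulting cluster's infrastructure concentrates. The relay hosted in a different region shows the caveat from the last paragraph: a cluster built on a foreign-hosted relay carries a much weaker regional signal, and a shared hosting provider is circumstantial, not proof.

```python
"""Infrastructure-overlap pivot for attribution (added example, constructed data).

Indicators are linked when they share a registrant, share an ASN, or one
resolves to the other; each connected cluster is then scored by how strongly
its infrastructure concentrates in a single region.
"""
from collections import Counter, defaultdict

# Constructed records. IPs are from documentation ranges; domains, registrants,
# ASNs and regions are placeholders, not indicators from the article.
INDICATORS = [
    {"ioc": "203.0.113.10", "kind": "ip", "asn": "AS64500", "region": "Region-A"},
    {"ioc": "203.0.113.11", "kind": "ip", "asn": "AS64500", "region": "Region-A"},
    {"ioc": "c2-one.test", "kind": "domain", "registrant": "reg-alpha",
     "region": "Region-A", "resolves": ["203.0.113.10"]},
    {"ioc": "c2-two.test", "kind": "domain", "registrant": "reg-alpha",
     "region": "Region-A"},
    # A relay hosted elsewhere: shared hosting alone says little about origin.
    {"ioc": "198.51.100.5", "kind": "ip", "asn": "AS64501", "region": "Region-B"},
    {"ioc": "c2-three.test", "kind": "domain", "registrant": "reg-beta",
     "region": "Region-A", "resolves": ["198.51.100.5"]},
    {"ioc": "unrelated.test", "kind": "domain", "registrant": "reg-gamma",
     "region": "Region-C"},
]


class DisjointSet:
    """Union-find over indicator strings, used to build connected clusters."""

    def __init__(self, items):
        self.parent = {item: item for item in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_infrastructure(indicators):
    """Link indicators by shared registrant, shared ASN and DNS resolution.

    Returns clusters sorted largest first, each with its sorted members, the
    region most of its infrastructure sits in, and that region's share.
    """
    by_ioc = {rec["ioc"]: rec for rec in indicators}
    ds = DisjointSet(by_ioc)

    # Pivot 1 and 2: any two indicators with the same registrant or same ASN.
    for key in ("registrant", "asn"):
        groups = defaultdict(list)
        for rec in indicators:
            if rec.get(key):
                groups[rec[key]].append(rec["ioc"])
        for iocs in groups.values():
            for other in iocs[1:]:
                ds.union(iocs[0], other)

    # Pivot 3: a domain is linked to every known IP it resolves to.
    for rec in indicators:
        for ip in rec.get("resolves", []):
            if ip in by_ioc:
                ds.union(rec["ioc"], ip)

    clusters = defaultdict(list)
    for ioc in by_ioc:
        clusters[ds.find(ioc)].append(ioc)

    result = []
    for members in clusters.values():
        regions = Counter(by_ioc[m]["region"] for m in members)
        top_region, count = regions.most_common(1)[0]
        result.append({
            "members": sorted(members),
            "top_region": top_region,
            "share": count / len(members),  # 1.0 = every node in one region
        })
    result.sort(key=lambda c: (-len(c["members"]), c["members"][0]))
    return result


if __name__ == "__main__":
    for c in cluster_infrastructure(INDICATORS):
        print(f"{c['top_region']:9s} share={c['share']:.2f}  {', '.join(c['members'])}")
```

The share value is what an analyst should look at before drawing a regional conclusion: the four-node cluster is entirely in one region, while the relay-based cluster is split 50/50 and says nothing on its own.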
Guangdong was also identified by India’s intelligence service two years ago as a hacker base in China.
In March 2013, India’s technical intelligence wing, National Technical Research Organization (NTRO), working with private cyber security experts uncovered malware that infected a large number of systems.
The stolen files included thousands of top secret documents, among them material related to surface-to-air missile and radar programs from Indian defense agencies.
“All sensitive files stolen from infected systems uploaded on a server in China’s Guangdong province,” the Mumbai Daily News and Analysis reported at the time.
Cyber Threat News Briefs
July 19, 2015