How Anonymous accidentally helped expose two Chinese hackers

From: Ars Technica

The HBGary hack offered security researchers a treasure trove of information.

by Nate Anderson

How did security firm Mandiant put names to two previously unknown Chinese hackers who, it says, steal American corporate secrets for the Chinese government? With a little inadvertent help from Anonymous.

Mandiant’s 74-page report covers a particular hacking group referred to as “APT1” and contends that the group works for or under the direction of the Chinese government as part of the military’s secretive “Unit 61398.” The report ties a huge string of hacks over the last few years to Unit 61398 and goes on to show the building where the hacks might be hatched. The report is stuffed with detail uncommon in these types of stories; it even includes a translated Chinese document showing a local telecom company agreeing to Unit 61398’s request for additional fiber optic connections in the name of state security.

The Mandiant researchers then tried to go one step further, putting at least a few real names to the coders involved. (BusinessWeek recently did something similar, with fascinating results.) Mandiant began with a malware coder who goes by the name “UglyGorilla”—a name which is left repeatedly in code tied to the APT1 group.

Back in 2007, for instance, Mandiant says that UglyGorilla “authored the first known sample of the MANITSME family of malware and, like a good artist, left his clearly identifiable signature in the code: ‘v1.0 No Doubt to Hack You, Writed by UglyGorilla, 06/29/2007’ [sic].” But despite all the uses of the name “UglyGorilla” buried in code samples, leads to the person’s actual identity were hard to come by—until Anonymous hacked security firm HBGary Federal in early 2011.

Slip-ups?

When we spoke to the hackers involved in the 2011 attack, they explained how they had penetrated HBGary Federal e-mail accounts and moved from those to other systems. One of these was rootkit.com, a project run by HBGary’s top technical mind, Greg Hoglund, an expert in the rootkit technology that lets malware evade easy detection on compromised computers. The Anonymous hackers used Hoglund’s e-mail account to convince another rootkit.com administrator to reset the root password on the site’s server to “changeme123.” Once done, they entered the server and—among other things—dumped the entire list of user accounts and password hashes for rootkit.com. The passwords had been hashed with the plain MD5 algorithm, which is fast and unsalted, so the hashes proved susceptible to third-party password cracking tools. The cracked list was then publicly released.

This list was a boon to Mandiant because UglyGorilla was on it; he had signed up as “uglygorilla” and had used the password uglygorilla@163.com during registration. The password matched one that had been used by someone to register for a People’s Liberation Army event back in 2004 and to register hugesoft.org, a domain long associated with the APT1 hacks.

The rootkit.com leak also included some IP address information on each account, and it showed that UglyGorilla had registered from 58.246.255.28, which came “directly” from the APT1 home range that Mandiant linked to Unit 61398 and to its base in the Pudong New Area of Shanghai. Further sleuthing of code uploaded to Chinese developer sites by UglyGorilla suggested that the man’s name might be “Wang Dong” and that he might go as “Jack Wang” to English speakers.
