Mandiant Used Data Leaked by Anonymous in 2011 to Investigate Chinese Hackers

The tens of thousands of accounts leaked from rootkit.com turned out to be useful

By on February 20th, 2013 12:08 GMT

In the report highlighting the activities of the Chinese cyber espionage unit responsible for breaching the systems of over 140 organizations, security firm Mandiant has also published the details of three personas believed to be involved in the APT1 campaign.

So far, we’ve covered numerous aspects of the APT1 report, but there’s another one worth noting.

In order to collect information on the three hackers, Ugly Gorilla, DOTA and SuperHard, Mandiant relied on data leaked online by Anonymous back in 2011.

At the time, the hacktivists leaked tens of thousands of usernames, email accounts, IP addresses and passwords from research website rootkit.com.

Mandiant was fortunate enough to find an email and an IP address associated with an account registered by Ugly Gorilla. The IP address used by the hacker to register the account matched the IP range utilized in the APT1 campaign.

Data leaked by Anonymous from rootkit.com was also used to investigate the second hacker, DOTA. The information allowed the company to analyze his passwords, and link him to the People’s Liberation Army.

The IP address used by SuperHard to register his rootkit.com account also matched the IP range of the APT1 operation.

“Once again, in tracking SH we are fortunate to have access to the accounts disclosed from rootkit.com. The rootkit.com account ‘SuperHard_M’ was originally registered from the IP address 58.247.237.4, within one of the known APT1 egress ranges, and using the email address ‘mei_qiang_82@sohu.com’,” the report reads.
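The correlation step the report describes for all three personas is mechanical: take the registration IP from each leaked account record and test whether it falls inside a set of attacker egress ranges already known from the intrusion investigation. The script below is an added illustration of that check, not code from Mandiant's report or from the article; the egress ranges and the account dump are constructed from RFC 5737 documentation addresses and are not the real APT1 ranges or rootkit.com records. Rows with unparseable IP fields are skipped rather than aborting the run, because leaked dumps are rarely clean.

```python
import csv
import io
import ipaddress

# Constructed placeholder egress ranges (RFC 5737 documentation space).
# These are NOT the APT1 ranges from the Mandiant report.
KNOWN_EGRESS_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/26"),
]

# Constructed sample of a leaked account dump; none of these are real accounts.
LEAKED_ACCOUNTS_CSV = """username,email,registration_ip
persona_a,a@example.net,192.0.2.17
persona_b,b@example.net,203.0.113.40
persona_c,c@example.net,198.51.100.9
persona_d,d@example.net,198.51.100.200
persona_e,e@example.net,not-an-ip
"""


def parse_accounts(text):
    """Parse a CSV dump into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def match_accounts(records, ranges):
    """Return the accounts whose registration IP lies inside one of the ranges.

    Each hit records which range matched so an analyst can see the basis for
    the lead. Rows whose IP field does not parse are skipped.
    """
    hits = []
    for row in records:
        try:
            ip = ipaddress.ip_address(row["registration_ip"].strip())
        except ValueError:
            continue  # malformed or missing IP field in the dump
        for net in ranges:
            if ip in net:
                hits.append({
                    "username": row["username"],
                    "email": row["email"],
                    "registration_ip": str(ip),
                    "matched_range": str(net),
                })
                break  # one matching range is enough to flag the account
    return hits


if __name__ == "__main__":
    records = parse_accounts(LEAKED_ACCOUNTS_CSV)
    for hit in match_accounts(records, KNOWN_EGRESS_RANGES):
        print(f"{hit['username']:<10} {hit['email']:<16} "
              f"{hit['registration_ip']:<16} in {hit['matched_range']}")
```

A hit from this check is a lead, not an identification: the report itself pairs the IP match with the email address on the account, and the article notes that an IP address alone is disputed as evidence, so anything the script flags still needs corroboration from independent indicators.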

In the meantime, it’s worth mentioning that unnamed sources have revealed the US’s intentions to issue penalties, fines and trade restrictions against China in response to the numerous cyberattacks.

However, China continues to deny any involvement, once again arguing that IP addresses are not enough to pinpoint the source of an attack.
