Leaked data points to Sino-cyber espionage ring

Posted by Trent Nouveau

A massive Pastebin dump of domain names and IP addresses appears to be linked to a Sino-cyber espionage ring.

The data - posted on August 15th by an unknown individual - lists approximately 850 entries which are allegedly exploited to facilitate command and control operations.

Leaked data points to Sino-cyber espionage ring"My motivation is purely selfless in nature and I only wish the security community to improve upon what has already been done in this realm. Most of the security community is a fraud and continues to subsist on half-assed analyses and bogus data. All information was compiled from open sources and leaked information; no customer-based data was used for the analysis," 'RSA Employee #15666' wrote in a recent Pastebin post.

"My sincerest apologies go out to those with ongoing monitoring operations on any of the IP addresses involved. These attacks have targeted US and Canadian companies almost exclusively for at least five years; the tools, tactics, and procedures have changed very little during that timeframe and continue to be extremely effective."

According to #15666, the cyber espionage ring is motivated primarily by financial considerations.

"If your company is one outlined in the list below chances are you're doing business in the Peoples' Republic of China or plan to shortly.

"Negotiations are a common target for economically motivated hackers and hence email and other relevant information pertaining to contract negotiation data will be taken. If you currently conduct business with the PRC chances are that your organization has knowingly or unknowingly been compromised."

As Patrick Gray of Risky.Biz notes, the mysterious data leak is lent "serious credibility" by a previously hacked and extracted analysis from HBGary - which matches a number of the IP addresses and domain names in the new Pastebin dump.

"HBGary codenamed the operation 'Soysauce.' The analysis, which was leaked by an attack on HBGary Federal by Anonymous in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China," Gray explained.

"The IP addresses serve a configuration file that re-directs infected hosts to an interactive command and control IP based in Hong Kong. The vast majority of the leaked IP addresses are physically located in the US."



Although the true identity of "RSA Employee #15666" remains unknown, there is little reason to believe he or she actually works for the RSA. The enigmatic individuals claims: "I have no allegiances, I make no money, I am not legion [Anonymous]."