Meet 'Intrusion Truth,' the Mysterious Group Doxing Chinese Intel Hackers
Since April last year, a group calling itself ‘Intrusion Truth’ has trickled out the real names of hackers working for Chinese intelligence. Recently the group has ramped up its efforts against a Chinese operation targeting governments and businesses.
People come and go from the large, grey complex, with one tall building towering over a garden facing a road in Tianjin, China. But according to alleged Uber receipts and other information posted on a mysterious blog called Intrusion Truth, at least one person traveling to this address is a member of APT10, a Chinese hacking unit that has targeted manufacturing, aerospace, and engineering firms to steal trade secrets, including from the United States.
Since the end of July, Intrusion Truth has steadily published a stream of alleged names of individual APT10 hackers, a bold and unusual move in the world of cyber-espionage, where operators typically remain anonymous, and cybersecurity companies only publish descriptions of victims in broad strokes. Multiple sources with knowledge of APT10’s operations told Motherboard some of the details in Intrusion Truth’s posts line up with other data points on the Chinese group. Motherboard granted several sources in this story anonymity to discuss non-public information about government hacking operations.
Intrusion Truth and its controversial approach bring up questions of the ethics of unmasking government-backed hackers, and whether such moves may act as some sort of deterrent, or at least retribution, against state-sponsored cyber-espionage.
“We will work with companies, private analysts, hackers, governments—whoever can provide the data that we need,” a representative of Intrusion Truth told Motherboard in an email.
China has hacked its way to other nations’ manufacturing secrets for years, ransacking military fighter jet schematics and information on solar power, among other industrial treasures. This near-constant barrage eventually pushed former President Obama into brokering a deal with Chinese President Xi. In 2015, the two countries reached an agreement to stop hacking focused on the theft of intellectual property. Cybersecurity researchers saw Chinese cyber-espionage dramatically decrease. This year, however, Chinese hackers stole sensitive data from a Navy contractor, and the country has ramped up intrusions in parallel with mounting trade tensions with the US.
This is the sort of wide-spanning industrial espionage that Intrusion Truth is particularly motivated against.
“Intellectual property theft is a global confrontation fought between the West and its online adversaries, mainly China. This theft damages hard working individuals, their companies and entire economies through lost revenue and competition that is completely unfair,” Intrusion Truth told Motherboard.
“Until recently, China has been winning—it has acted with impunity, stealing data using commercial hackers that it pays and tasks but later claims are criminals. The use of commercial hackers is a deliberate attempt to circumvent the statements that China has made committing to stop this illegal activity,” the group added.
Intrusion Truth first published snippets on APTs—advanced persistent threats; essentially industry parlance for government-backed hackers—last year. When it started, Intrusion Truth was focused on APT3, another Chinese group. At the time, and based on publicly available website registration information and other data, Intrusion Truth claimed that APT3 was really ‘Boyusec,’ a software-company acting on behalf of China’s Ministry of State Security (MSS) intelligence service. Intrusion Truth also named two specific individuals, Wu Yingzhuo and Dong Hao, the founding members of Boyusec. Seemingly in response, the Boyusec website went offline.
Sure enough, six months later, the US Department of Justice charged Yingzhuo, Hao, and Xia Lei, a third Chinese national who also worked for Boyusec, with computer hacking and other related crimes. The indictment named European manufacturing giant Siemens as one of the group’s victims. The hackers haven’t been arrested, but as Intrusion Truth pointed out in a post-mortem of the charges, the Boyusec crew will likely find it harder to travel abroad now without the threat of being detained. (There is no indication that Intrusion Truth’s posts led directly to the indictment.)
After a year of public dormancy, Intrusion Truth reemerged and shifted its focus to APT10, which is another top tier Chinese cyber-espionage group according to cybersecurity researchers.
“Right now they’re one of probably the two or three most prolific Chinese groups out there,” Ben Read, senior manager for cyber-espionage analysis at FireEye, which has tracked the outfit since 2009, told Motherboard in a phone call. “One of the biggest things that makes them different is their scale right now,” Read added.
Multiple cybersecurity firms have linked APT10 to hacks against victims in the US, UK, India, and elsewhere, including a mining company, multiple IT service providers, and manufacturing firms. APT10 has a habit of targeting Managed Service Providers (MSPs)—companies that remotely provide tech products to clients—and then using that privileged access to infiltrate their ultimate targets.
“They really have global reach,” Read said.
Intrusion Truth has published the names of three alleged APT10 hackers. One source who has researched APT10’s operations said some of those names do overlap with non-public information about the group, as well as Intrusion Truth’s claim that at least one of the hackers is based in Tianjin.
(After the original publication of this piece, cybersecurity firm CrowdStrike released its own report on Intrusion Truth and the alleged APT10 hackers. CrowdStrike said the named hackers had been registering infrastructure as recently as June, and have significant connections to known Chinese hacking forums.)
None of the alleged hackers unmasked by Intrusion Truth responded to requests for comment from Motherboard.
Intrusion Truth’s posts include details of how the group allegedly identified its targets. Much of this appears to rely on building on already public reports from cybersecurity companies, following hacking infrastructure to email addresses, and then to social media accounts and other online records.
But the Uber receipts mapping an alleged APT10 hacker’s trips are clearly something else, likely requiring breaking into the person’s Uber account, or intercepting their use of the app some other way, multiple cybersecurity researchers said.
When asked about this specific data, Intrusion Truth told Motherboard “We won't comment on where our material originates, other than to say that everything we publish we know to be true.” In its Tianjin post, Intrusion Truth writes that “an analyst who prefers not to be named publicly” provided the screenshots.
Cybersecurity companies publishing reports on government hacking groups may provide the real names of hackers to their clients, but usually don’t release them publicly.
“We won’t achieve anything by publicly naming,” Andrei Barysevich, director of advanced collection at threat intelligence firm Recorded Future, told Motherboard at the annual Black Hat cybersecurity conference earlier this month. Likely the only time the company may publish names is in a direct collaboration with law enforcement, a Recorded Future spokesperson added. Legal issues are also a concern—accusing someone of being a government hacker, and likely a criminal in some contexts, without robust evidence could open up a company to libel cases.
“There’s no upside,” Barysevich said. Several other cybersecurity researchers felt the same.
Intrusion Truth, awarded the protection of anonymity and free from commercial liability, is taking another approach.
“We are directly challenging this illegal and unfair activity by exposing those responsible, naming the hackers themselves and identifying the agencies that hide behind them. We will be tireless in our approach and already have a large network of analysts working with us,” Intrusion Truth told Motherboard.
There may be merit to naming and shaming. In 2014, the Justice Department indicted five Chinese military hackers for conducting cyber-espionage against several US targets. But this likely wasn’t the sole reason China came to the negotiation table and the country’s cyber-espionage subsided.
“If you believe the agreement signed by Obama and Xi had an effect, then it was the combination of naming and shaming and the very real threat of sanctions on state-owned enterprises and very high level officials that eventually brought the levels of hacking down,” Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, told Motherboard in an email. “If you believe the reprieve was temporary, driven by the reorganization of the cyber forces in the PLA [China’s People’s Liberation Army], as I do, then you think Chinese industrial cyber-espionage is going to continue given Beijing’s strategic and economic interests.”
One cybersecurity source with knowledge of Chinese APTs said that generally speaking the Chinese are not concerned with being caught; they only care about being successful.
Segal said naming and shaming would have to be married with other actions to have consequences. Intrusion Truth, it seems, knows this: they urge governments to tell China that commercial espionage cannot continue. “Only by acting together can they make a difference,” Intrusion Truth told Motherboard.
But triggering a grand, macro-level shift in China’s hacking policy is not necessarily Intrusion Truth’s goal anyway. Instead, it’s more about impacting those particular hackers they manage to name.
“We want individuals hacking on behalf of the Chinese state to think twice about their illegal online activities,” Intrusion Truth told Motherboard. “Like the APT1 and APT3 hackers before them, once named, their chances of international travel or obtaining private work outside China are greatly reduced and they risk being charged by foreign law enforcement agencies,” they added, with APT1 referring to a group that cybersecurity firm FireEye linked to a specific Chinese military unit in 2013.
Jake Williams, a former hacker for the NSA’s Tailored Access Operations unit, told Motherboard in an email, “Naming individuals is a potential deterrent to crime, but that's not what we're talking about here,” saying that nation state hackers work within the laws of their own countries while breaking legislation in others. “Only time can tell if naming individual operators will impact recruiting and retention for those missions.” The Shadow Brokers, a group of self-described hackers that released a slew of powerful NSA exploits, previously called out Williams specifically for his work with the NSA.
It is not clear who is behind Intrusion Truth. In the headline of one post, the group asks which Chinese group is stealing “our intellectual property,” alluding to APT3’s hacks in the UK and US. Intrusion Truth, unsurprisingly, declined to provide specifics on its members or identities. But they do claim to be comprised of “analysts,” combing through data provided to them or digging up their own links.
“An individual that joined us this year likened the work of Intrusion Truth to that of the ‘Black Knights’ who had to paint their armour with dark paint to mask their affiliation and protect their identities. But too many people are preoccupied with our colour, asking whether we are a red force or a blue force, whether we wear black hats or white hats,” Intrusion Truth said.
“We will never name ourselves or those who work with us. Our ability to contest China's despicable activities in Cyberspace is derived precisely from our anonymity,” they added. “That, and our willingness to tell the whole truth.”
Update: This piece has been updated to mention a since-published report on Intrusion Truth.