Apr 02 2009
UPDATE: James Tay from Citizen Lab left us a comment. That’s right, part of the support team for the Ghostnet Report. God, we really should have cleaned up the place. Thanks for taking the time to stop by James! (originally I stated he was a contributing author, James has clarified).
UPDATE2: Lost33 is now in contact with us and we are trying to get his side of the story. He has requested we mask his QQ number now that he is in contact and we have complied. (Never do late night updates. A commenter pointed out that the original wording for this update sounded like we were holding his QQ hostage unless he spoke with us. That certainly wasn’t my meaning but that is definitely what it sounded like. Just wanted to explain the reason for the sudden masking of his contact number.)
First, hats off to the researchers at IWM. They did great work on the GhostNet project and we owe them a debt of gratitude for sharing it with us.
One aspect skipped over in the GhostNet report were the e-mails associated with the websites, email@example.com and firstname.lastname@example.org. For the last two days, Jumper and I have been tracking them down to see where they would take us.
Comparing the Whois returns for two of the websites involved, macfeeresponse.com and scratchindian.com, yields startlingly similar results:
Double-click to fully englarge
We conclude that this is the same person using different e-mail addresses or associates working together. The domains are registered on the same server and are too close in content to be considered a random coincidence.
The Opanpan e-mail went nowhere, so we concentrated on losttemp33. A simple Google search for the e-mail address, led us to the website for Programmers United Development Net:
Clicking on the link leads to three programs losttemp33 provided for download.
Next we were able to locate a post from 2005 on Windows hacking:
Notice that the author of this post uses the signature Lost33 in the upper left-hand corner. Using the signature Lost33 and the Chinese characters for hacker (黑客), we were able to find an individual who was associated with Xfocus, Isbase and even seems to have studied under Glacier. More importantly, we found a blog under the same name.
This blog stopped getting updates in 2006 but provided us with a couple of more clues to keep searching. The first red box shows the date of birth as 24 July 1982 and place of current residence as Chengdu City, Sichuan. It is important to recall that all of the Whois results for GhostNet associated websites showed Chengdu, Sichuan as the city and province for the organization. The second red box at the bottom is Lost33′s personal motto, “The bored soldier swaying on an empty battlefield.”
We kept searching but it seemed like we had hit a brick wall, Lost33 vanished from the internet in 2006. That was when we decided that a person might change their user id but never their motto. Can’t abandon your motto.
Plugged in the “The bored soldier,” and bingo…The Bored Soldier’s blog space:
Lost33 now blogs under the name Damnfootman:
Why are we sure this is the same person as Lost33? Well, they not only share the same motto but birth date and place of residence as well:
Blog bits of interest
- Lost33 attended the University of Electronic Science and Technology in China.
- Lost33 is also keeping up with friends at Xfocus and NSfocus on garden variety hacker tools.
We have left a couple of posts on Lost33′s blog and are waiting to see if he will respond:
The note asks Lost33 if he would be willing to discuss the GhostNet matter with us.
There were two QQ numbers associated with the opanpan and lost33 email addresses. We attempted to contact both of them but were rejected.
While we are aware that there are other lost33 websites out there, such as myspace/lost33, these do not meet the profile of our hacker. It would be a very unusual set of circumstances that would lead to such a bizarre set of coincidences coming together as we have here:
- The Ghostnet websites list Chengdu, Sichuan under organization and the pseudonym losttemp33 as the contact e-mail address.
- The e-mail address email@example.com has been posted on at least two websites dealing with computer programming. The post on hacking Windows shows that the person also uses the alias lost33 as an alternative to the full e-mail address.
- An individual using the lost33 signature has posted on several Chinese hacker forums including Xfocus and Isbase (the Green Army). He may even have been a student under Glacier.
- The first lost33 website shows a birth date of 24 July 1982 and current address as Chengdu, Sichuan. The website motto is, “The bored solider sways on the empty battlefield.”
- The second “bored soldier” website is clearly owned by the same person as the first lost33 website. The owners were born on the same date; both live in Chengdu, Sichuan and use the same motto. The new website has links with known hacker websites (Xfocus, NSfocus and Eviloctal), links to hacker programs and demonstrates and education in technology (University of Electronic Science and Technology of China).
Obviously the weakest link in the analysis is the jump between losttemp33 and lost33 but we feel the weight of the evidence shows a connection. We do not conclusively claim this person is involved but we think further inquiry is needed.
<edit> – A few readers have asked for the QQ number that was redacted. Since lost33 doesn’t seem to be using that QQ number anymore – here is the original screenshot:
20 Responses to “Hunting the GhostNet Hacker”