Apr 02 2009

Hunting the GhostNet Hacker

Published by at 10:16 am under Hacker Hunting, Hacker Organization

UPDATE: James Tay from Citizen Lab left us a comment.  That’s right, part of the support team for the Ghostnet Report.  God, we really should have cleaned up the place.  Thanks for taking the time to stop by James! (originally I stated he was a contributing author, James has clarified).

UPDATE2: Lost33 is now in contact with us and we are trying to get his side of the story.  He has requested we mask his QQ number now that he is in contact and we have complied.  (Never do late night updates.  A commenter pointed out that the original wording for this update sounded like we were holding his QQ hostage unless he spoke with us.  That certainly wasn’t my meaning but that is definitely what it sounded like.  Just wanted to explain the reason for the sudden masking of his contact number.)

First, hats off to the researchers at IWM (the Information Warfare Monitor).  They did great work on the GhostNet project and we owe them a debt of gratitude for sharing it with us.

The Hunt

One aspect skipped over in the GhostNet report was the pair of e-mail addresses associated with the websites, losttemp33@hotmail.com and opanpan@gmail.com.  For the last two days, Jumper and I have been tracking them down to see where they would take us.

Comparing the Whois returns for two of the websites involved, macfeeresponse.com and scratchindian.com, yields startlingly similar results:

[Image: side-by-side Whois comparison of macfeeresponse.com and scratchindian.com]

We conclude that this is either the same person using different e-mail addresses or associates working together.  The domains are registered on the same server and the records are too close in content for a random coincidence.

The opanpan e-mail went nowhere, so we concentrated on losttemp33.  A simple Google search for the e-mail address led us to the website for Programmers United Development Net:

[Image: losttemp33's page on Programmers United Development Net (PUDN)]

Clicking on the link leads to three programs losttemp33 provided for download.

Next we were able to locate a post from 2005 on Windows hacking:

[Image: 2005 post on Windows hacking, signed Lost33]

Notice that the author of this post uses the signature Lost33 in the upper left-hand corner.  Using the signature Lost33 and the Chinese characters for hacker (黑客), we were able to find an individual who was associated with Xfocus, Isbase and even seems to have studied under Glacier.  More importantly, we found a blog under the same name.

[Image: Lost33's blog profile]

This blog stopped getting updates in 2006 but provided us with a couple more clues to keep searching.  The first red box shows the date of birth as 24 July 1982 and the place of current residence as Chengdu City, Sichuan.  It is important to recall that all of the Whois results for GhostNet-associated websites showed Chengdu, Sichuan as the city and province for the organization.  The second red box at the bottom is Lost33's personal motto, “The bored soldier swaying on an empty battlefield.”

We kept searching but it seemed like we had hit a brick wall: Lost33 vanished from the internet in 2006.  That was when we decided that a person might change their user id but never their motto.  You can't abandon your motto.

Plugged in “The bored soldier,” and bingo…The Bored Soldier's blog space:

[Image: The Bored Soldier blog banner]

Lost33 now blogs under the name Damnfootman:

[Image: Damnfootman blog page]

Why are we sure this is the same person as Lost33?  Well, the two profiles not only share the same motto but the same birth date and place of residence as well:

[Image: Damnfootman profile showing birth date, residence and motto]
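The two linking steps above, the Whois comparison of macfeeresponse.com and scratchindian.com and the Lost33/Damnfootman profile match, are the same operation: normalize two attribute records and report which fields agree.  The following is an added example, not code from the original post or from the GhostNet report.  The Whois excerpts are constructed approximations (only the e-mail addresses and the Chengdu/Sichuan location come from the post; the organization and name-server values are placeholders), and the profile dictionaries restate what the post says the two blog profiles showed.

```python
import re
from collections import defaultdict

# Constructed WHOIS excerpts, NOT the real registration records.  The
# e-mail addresses and Chengdu/Sichuan come from the post; the organization
# and name servers are placeholders standing in for the shared values.
WHOIS_A = """\
Domain Name: macfeeresponse.com
Registrant Organization: PLACEHOLDER-ORG
Registrant City: Chengdu
Registrant State/Province: Sichuan
Registrant Country: CN
Registrant Email: losttemp33@hotmail.com
Name Server: NS1.EXAMPLE-HOST.TEST
Name Server: NS2.EXAMPLE-HOST.TEST
"""

WHOIS_B = """\
Domain Name: scratchindian.com
Registrant Organization: placeholder-org
Registrant City: chengdu
Registrant State/Province: Sichuan
Registrant Country: CN
Registrant Email: opanpan@gmail.com
Name Server: ns1.example-host.test
Name Server: ns2.example-host.test
"""

# Profile attributes as the post describes them for the 2006 Lost33 blog
# and the later Damnfootman blog (constructed records, same fields).
PROFILE_LOST33 = {
    "handle": ["Lost33"],
    "born": ["1982-07-24"],
    "city": ["Chengdu, Sichuan"],
    "motto": ["The bored soldier swaying on an empty battlefield"],
}
PROFILE_DAMNFOOTMAN = {
    "handle": ["Damnfootman"],
    "born": ["1982-07-24"],
    "city": ["Chengdu,  Sichuan"],
    "motto": ["the bored soldier swaying on an empty battlefield"],
}


def parse_whois(text):
    """Parse 'Key: value' lines into {key: [values]}.  Repeated keys such as
    'Name Server' collect every value instead of overwriting."""
    record = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*\S)\s*$", line)
        if m:
            record[m.group(1).lower()].append(m.group(2))
    return dict(record)


def normalize(value):
    """Case- and whitespace-insensitive form, so 'Chengdu' == 'chengdu'."""
    return " ".join(value.lower().split())


def shared_fields(rec_a, rec_b, ignore=("domain name", "handle")):
    """Return {field: sorted common values} for every field whose normalized
    values overlap.  Fields that are expected to differ (the domain itself,
    the user handle) are ignored so they do not dilute the comparison."""
    shared = {}
    for key in rec_a.keys() & rec_b.keys():
        if key in ignore:
            continue
        common = {normalize(v) for v in rec_a[key]} & {normalize(v) for v in rec_b[key]}
        if common:
            shared[key] = sorted(common)
    return shared


def pivot_selectors(record):
    """Pull searchable selectors out of a record: each e-mail address and its
    local part, which is the pivot the post used (losttemp33@hotmail.com ->
    'losttemp33' on PUDN and the hacking forum)."""
    selectors = set()
    for values in record.values():
        for v in values:
            for email in re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", v):
                selectors.add(email.lower())
                selectors.add(email.split("@")[0].lower())
    return selectors


if __name__ == "__main__":
    a, b = parse_whois(WHOIS_A), parse_whois(WHOIS_B)
    print("shared whois fields:", shared_fields(a, b))
    print("selectors to search:", sorted(pivot_selectors(a) | pivot_selectors(b)))
    print("shared profile fields:", shared_fields(PROFILE_LOST33, PROFILE_DAMNFOOTMAN))
```

Run stand-alone it prints the fields the two Whois records agree on (organization, city, province, country and both name servers, but not the e-mail), the handles to feed into the next search, and the three profile fields (birth date, city, motto) that tie Lost33 to Damnfootman.  The weak link the post names, losttemp33 versus lost33, shows up here as well: the selector extraction yields `losttemp33`, and no normalization in the code turns that into `lost33`; that step is an analyst judgement, not something the data forces.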

Blog bits of interest

  • He has a link on the website to the Chinese hacker forum for Eviloctal and our dear friend Sunwear.

We have left a couple of posts on Lost33's blog and are waiting to see if he will respond:

[Image: our post on Lost33's blog]

The note asks Lost33 if he would be willing to discuss the GhostNet matter with us.

There were two QQ numbers associated with the opanpan and lost33 email addresses.  We attempted to contact both of them but were rejected.

Summary

While we are aware that there are other lost33 websites out there, such as myspace/lost33, these do not meet the profile of our hacker. It would be a very unusual set of circumstances that would lead to such a bizarre set of coincidences coming together as we have here:

  • The GhostNet websites list Chengdu, Sichuan under organization and the pseudonym losttemp33 as the contact e-mail address.
  • The e-mail address losttemp33@hotmail.com has been posted on at least two websites dealing with computer programming. The post on hacking Windows shows that the person also uses the alias lost33 as an alternative to the full e-mail address.
  • An individual using the lost33 signature has posted on several Chinese hacker forums including Xfocus and Isbase (the Green Army). He may even have been a student under Glacier.
  • The first lost33 website shows a birth date of 24 July 1982 and current address as Chengdu, Sichuan. The website motto is, “The bored soldier sways on the empty battlefield.”
  • The second “bored soldier” website is clearly owned by the same person as the first lost33 website. The owners were born on the same date; both live in Chengdu, Sichuan and use the same motto. The new website has links to known hacker websites (Xfocus, NSfocus and Eviloctal), links to hacker programs and demonstrates an education in technology (University of Electronic Science and Technology of China).

Obviously the weakest link in the analysis is the jump between losttemp33 and lost33, but we feel the weight of the evidence shows a connection. We do not conclusively claim this person is involved, but we think further inquiry is needed.

<edit> – A few readers have asked for the QQ number that was redacted.  Since lost33 doesn’t seem to be using that QQ number anymore – here is the original screenshot:

[Image: original un-redacted screenshot of lost33's QQ number]

20 Responses to “Hunting the GhostNet Hacker”

  1. Harlson 02 Apr 2009 at 2:57 pm

    Heike,
    Thanks to you and Jumper for the excellent analysis! Between GhostNet and Conficker computer security sure is getting a lot of mainstream attention right now.

  2. james tay on 02 Apr 2009 at 2:58 pm

    Scott,

    this is excellent work. Very very interesting. thanks.

  3. Heike on 02 Apr 2009 at 5:23 pm

    Thanks guys! Just a feeling, but I think we will be seeing more and more of this as we go forward.

    As the great “Chesty” Puller once said,

    “We’ve been looking for the enemy for some time now. We’ve finally found him. We’re surrounded. That simplifies things.”

  4. Heike on 02 Apr 2009 at 7:07 pm

    James,

    I want to thank you guys once again for the great work you did with this project.

    It was fantastic that you decided to share it with everyone!

  5. Steven on 02 Apr 2009 at 7:25 pm

    I’m a noob, but this is too much of a coincidence.

    I found an old story off Xinhua, published in 2005…this might be the hacker you are tracking.

    ” A sophomore majored in computer sciences at University of Electronic Science and Technology of China in Chengdu, who is also a group member, is now responsible for personnel management of the group and the Web site maintenance.

    The student, surnamed Yang, said: “I can design a computer virus in a few minutes, which can disfunction the use of mouse and computer, but I will not do this because the mission of a ‘Red Hacker’ member is to protect the Web sites from being attacked.” ”

    Read the whole story here.

    http://news.xinhuanet.com/english/2005-04/26/content_2879866.htm

  6. Adrian on 03 Apr 2009 at 1:12 am

    Good detective work guys!

    This seems to point back to one individual or a very small group. Do you think this is a patriotic hack?

    It just seems from reading that it's all too simple to be a government job, I can't see any sophistication here.

    Honestly, if you were running a Gov. hacking network or team wouldn't one of your first priorities be how to cover your tracks, how to obscure your identity so it doesn't point back to you. I'm quite sure they would build their defenses before they attacked.

  7. g00khunter on 03 Apr 2009 at 1:56 am

    “We have masked lost33’s QQ number on the condition he continues to speak with us.”

    Oh blackmail, there’s a way to get an accurate story.

  8. Heike on 03 Apr 2009 at 4:07 am

    g00khunter,

    Ha, ha…you are right, that sounds horrible. It was late last night when I was typing the update…worded it poorly.

    What I meant to say was that he requested we take it out while we got his side of the story. Not that we were holding it ransom. Lost33 had to go while we were in communication and we wanted people to know that was the reason for the mask.

    I’ll make the correction. Thanks for pointing it out.

  9. Heike on 03 Apr 2009 at 7:28 am

    Steven,

    I know about Yang, read about him back in 2006. Not the same guy but very interesting about the school. Wonder what the curriculum is there? :)

  10. Heike on 03 Apr 2009 at 7:32 am

    Adrian,

    Your points are well taken and we are waiting for an update from IWM.

  11. DarkTyphoon on 03 Apr 2009 at 9:12 am

    Um… I’m pretty sure that lost33's QQ number is still visible in the window title of the masked image. Might be wrong since I don’t know what it was before you masked it.

  12. Heike on 03 Apr 2009 at 1:10 pm

    Thanks! Corrected the image.

    One.of.those.days.

  13. friko on 06 Apr 2009 at 1:00 pm

    here is the QQ

    http://rapidshare.com/files/218231796/picture-1.png.html

  14. jumper on 06 Apr 2009 at 5:38 pm

    @friko,

    Yep – that’s it. Let us know if you get in touch with him…

  15. Ravi on 08 Apr 2009 at 12:21 am

    Great Job.
    I would appreciate it if the rapidshare link is posted again for me to download the specific file (QQ) commented on and posted by @friko.
    My team would like to take this further and post the investigation details here and at
    http://www.linkedin.com/groups?gid=48066
    (the Group name is computer and forensic tools.) we are discussing at the technical grass root level regarding the above subject and objective.
    Thanks
    ravi

  16. jumper on 08 Apr 2009 at 5:17 am

    @Ravi -

    I updated the post with the original un-redacted QQ screenshot. Rapidshare is a pain.

  17. every1s0bvious on 10 Apr 2009 at 7:22 pm

    The fact that they hacked the Dalai Lama is obviously the proof needed for anyone who has studied the practices of totalitarian intelligence agencies.

    It is nice to see track backs and further evidence, but it is important to remember China is using these guys as plausible deniability, just as the Soviets and Soviet Bloc countries had proxies work for them. Though the Russkies were more suave and smart enough to actually use foreign groups sympathetic to their cause (or enemies of their enemies).

    I really don’t think China’s system, however, is not transparently vile to anyone… even to base terrorist groups.

    They really need a democratic revolution.

    It is sad to see a people killing themselves. Communism is not even Eastern.

  18. Heike on 11 Apr 2009 at 6:01 am

    “The fact that they hacked the Dalai Lama is obviously the proof needed for anyone who has studied the practices of totalitarian intelligence agencies.”

    Motives are difficult to ascertain in these types of cases. We’ve had fairly well-documented cases of non-governmental groups attacking Japan, Taiwan, India, the US…etc, over political issues.

    Many of the Chinese hacker organizations are fervent nationalists; they mirror Beijing on a host of issues.

  19. Nart Villeneuve on 14 Apr 2009 at 5:47 am

    GhostNet & CasperNet…

    DarkVisitor picked up on some information in the GhostNet report that we didn’t really focus on — the email addresses and other information in the domain name registration records — and were able to track down the owner of the email a…

  20. [...] among a smaller, more knowledgeable group of researchers and reporters, a much different story was being told. And that story had nothing to do with the [...]