Security researchers rarely manage to trace hacking attacks back to a person or a specific entity, but Trend Micro experts appear to have succeeded in tying a former Sichuan University student to a string of breaches of computers belonging to Tibetan activists and to a number of Japanese and Indian companies.
According to the recently released report, the attacks were traced back to an email address that had been used to register one of the C&C servers coordinating the campaign.
That email address was subsequently tied to an IM screen name and to the online alias “scuhkr” (the researchers speculate it is short for “Sichuan University hacker”), which was in turn traced to one Gu Kaiyuan, a graduate of the university who had published a string of articles under both his real name and the alias.
According to the NYT, Gu Kaiyuan is a current employee of Tencent, a company running a popular Chinese Internet portal.
When contacted, both the company and Gu denied his involvement in the attacks. Gu later posted a message on Weibo saying that the IM number associated with the C&C server belongs to a classmate of his, and the company said that the report included a second IM number that doesn’t belong to Gu, and that the person behind that number is likely the one responsible for the attacks.
Sichuan University released a statement saying that the two aliases mentioned in the report were used by two of its former students, who “never participated in malicious Internet attacks or hacking activities while at school and have graduated and left the university several years ago.”
According to the report, the attacker(s) compromised 233 computers with various types of malware. While the attacks don’t appear to have been carried out by government-employed hackers, the approach, and especially the choice of victims, suggests that the campaign was government-backed.