It all started with Joe Stewart, director of malware research at Dell SecureWorks, who, while investigating an unusual piece of malware and the command-and-control nodes it contacted, discovered that many of them were registered under the names “Eric Charles” and “Tawnya Grilth”.
Some of these domains had previously been tied to Chinese espionage campaigns, but it wasn’t until “Tawnya Grilth” registered a command server under the domain dellpc.us that he reacted and asked ICANN to hand Dell SecureWorks control of the domain.
A whole new world opened for Stewart, who could now follow a cyber espionage campaign as it was unfolding. As each compromised computer contacted the sinkholed domain, he discovered that the victims belonged to government agencies of several Asian states, oil companies, an embassy in China, and so on.
His investigation also uncovered Tawnya Grilth’s email addresses (a Hotmail one, and one which listed a contact by the name of “xxgchappy”), which led to a number of posts on rootkit.com’s board. He also linked one of the domains to a company and a Gmail account that had the surname Zhang incorporated into it.
He stopped there, and wrote and published a report about his findings, which was picked up by another researcher who goes by the handle Cyb3rsleuth in order to keep his real identity private and prevent retaliation against him and the company he runs in India.
Cyb3rsleuth followed the trail and unearthed other cyber- and real-world connections to the fake “Tawnya Grilth” persona. He discovered other forum posts and accounts, a “touristy” photo of a Chinese man and woman, other aliases tied to the Hotmail account, and the name of a second business whose shop’s website was registered using the same Hotmail account and the “Eric Charles” pseudonym.
From there, the trail led to the contact number for the company, which belonged to one Mr. Zhang with an address in the city of Zhengzhou in Henan province. A QQ IM account was tied to the name, and it listed an email address that contained the handle “xxgchappy”. The account’s owner gave his occupation as “education”.
This last email led Cyb3rsleuth to an account on a Chinese social network that belonged to one Zhang Changhe in Zhengzhou, and to his blog. The previously mentioned photo of the Chinese couple was there, and Cyb3rsleuth finally had a face to put to the name.
By googling “Zhang Changhe” he also discovered that a person by that name had authored a number of academic papers, several of them on computer espionage, hacking techniques, security vulnerabilities and related topics. Apparently, Zhang works at the People’s Liberation Army Information Engineering University, the place where students go to learn how to collect and work with electronic intelligence.
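The linking technique both investigators used above, chaining WHOIS registrant names, email addresses and forum or IM handles until domains and personas fall into one cluster, as an added example in Python. This is not code from Dell SecureWorks, Cyb3rsleuth or the article; every domain, persona, email and handle in it is constructed. It also shows the check a practitioner wants before pivoting on registrant fields: privacy-proxy placeholder strings are excluded from linking, because otherwise every proxied domain in the dataset collapses into one meaningless cluster.

```python
"""Registrant pivoting: link domains through shared WHOIS fields and
out-of-band identifiers (forum profiles, IM accounts) using union-find.

Added example; every record below is constructed, not a real registration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Node = Tuple[str, str]  # (kind, value), e.g. ("email", "a@b.example")

# Registrant strings that identify nobody; linking on them would merge every
# privacy-proxied domain into one bogus cluster. Constructed, non-exhaustive list.
PROXY_VALUES = {"redacted for privacy", "whoisguard protected", "contact privacy inc."}

# Constructed WHOIS-style records (hypothetical domains and personas).
WHOIS_RECORDS = [
    {"domain": "c2-alpha.example", "name": "Persona A", "email": "persona.a@webmail.example"},
    {"domain": "c2-beta.example", "name": "Persona B", "email": "Persona.A@webmail.example"},
    {"domain": "shop-front.example", "name": "persona a", "email": "shop@other.example"},
    {"domain": "proxied-one.example", "name": "REDACTED FOR PRIVACY", "email": "REDACTED FOR PRIVACY"},
    {"domain": "proxied-two.example", "name": "REDACTED FOR PRIVACY", "email": "REDACTED FOR PRIVACY"},
    {"domain": "unrelated.example", "name": "Someone Else", "email": "else@isp.example"},
]

# Constructed out-of-band links: a forum profile listing the registrant email
# next to a handle, an IM account carrying that handle, and a social-network
# profile tying the IM email to a name.
EXTRA_LINKS = [
    (("email", "persona.a@webmail.example"), ("handle", "hobbyhandle")),
    (("handle", "hobbyhandle"), ("email", "hobbyhandle@im.example")),
    (("email", "hobbyhandle@im.example"), ("name", "Real Name Z")),
]


def normalize(kind: str, value: str) -> Node:
    """Canonicalize so 'Persona A' and 'persona a' become the same node."""
    return (kind, " ".join(value.strip().split()).lower())


class UnionFind:
    def __init__(self) -> None:
        self.parent: Dict[Node, Node] = {}

    def add(self, x: Node) -> None:
        self.parent.setdefault(x, x)

    def find(self, x: Node) -> Node:
        self.add(x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:  # path compression
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a: Node, b: Node) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def record_edges(rec: Dict[str, str]) -> List[Tuple[Node, Node]]:
    """Edges from a domain to each usable registrant field; proxy values are skipped."""
    dom = normalize("domain", rec["domain"])
    edges: List[Tuple[Node, Node]] = []
    for kind in ("name", "email", "handle"):
        raw = rec.get(kind)
        if not raw:
            continue
        node = normalize(kind, raw)
        if node[1] in PROXY_VALUES:
            continue
        edges.append((dom, node))
    return edges


def build_clusters(records: Iterable[Dict[str, str]],
                   extra_links: Iterable[Tuple[Node, Node]] = ()) -> List[Set[Node]]:
    """Connected components over domains, names, emails and handles."""
    uf = UnionFind()
    for rec in records:
        uf.add(normalize("domain", rec["domain"]))  # proxied domains stay as singletons
        for a, b in record_edges(rec):
            uf.union(a, b)
    for a, b in extra_links:
        uf.union(normalize(*a), normalize(*b))
    groups: Dict[Node, Set[Node]] = defaultdict(set)
    for node in list(uf.parent):
        groups[uf.find(node)].add(node)
    return list(groups.values())


def cluster_of(seed_domain: str, records, extra_links=()) -> Set[Node]:
    seed = normalize("domain", seed_domain)
    for members in build_clusters(records, extra_links):
        if seed in members:
            return members
    return set()


def linked_domains(seed_domain: str, records, extra_links=()) -> Set[str]:
    """Domains reachable from the seed through shared identifiers."""
    return {v for k, v in cluster_of(seed_domain, records, extra_links) if k == "domain"}


def shared_identifiers(seed_domain: str, records, extra_links=()) -> Set[Node]:
    """The names, emails and handles that tie the cluster together."""
    return {n for n in cluster_of(seed_domain, records, extra_links) if n[0] != "domain"}


if __name__ == "__main__":
    print(sorted(linked_domains("c2-alpha.example", WHOIS_RECORDS, EXTRA_LINKS)))
    print(sorted(shared_identifiers("c2-alpha.example", WHOIS_RECORDS, EXTRA_LINKS)))
```

Seeding on c2-alpha.example pulls in c2-beta.example (same email, different case) and shop-front.example (same name, different case), and the extra links carry the cluster from the registrant email through a handle to a second email and a name, which is exactly the kind of hop the investigation above made from a Hotmail address to a forum handle to a QQ account. Each hop should be weighted by how unique the shared value is: a distinctive handle is strong evidence, a common name is weak, and a proxy placeholder is no evidence at all, which is why those are dropped before linking.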
Cyb3rsleuth even managed to contact him by phone, and during the conversation he found out that Zhang is a teacher at the university, but couldn’t get him to comment on what he teaches or does there, and whether he had anything to do with hacking and with “Tawnya Grilth”.
According to BusinessWeek’s Dune Lawrence and Michael Riley, Joe Stewart still occasionally uncovers clues in his research that point to Zhang, and Stewart believes Zhang is part of the so-called Beijing Group.
There is evidence linking the Beijing Group to cyber attacks against a great variety of targets, but it has yet to be unequivocally tied to the Chinese government – something that Stewart hopes to achieve in time.