Mandiant discovered several cases in which attackers logged into their Facebook and Twitter accounts to get around China's firewall that blocks ordinary citizens' access, making it easier to track down their real identities.
In order to conduct their cyber-espionage, the Chinese army hacking group known alternatively as Unit 61398, Comment Crew, Shanghai Group, and formerly as Byzantine Candor must operate outside of the so-called Great Firewall of China, a government monitoring system. Since Comment Crew's users appeared to have received special hacking privileges (presumably from the PLA itself), they would log into sites that the Great Firewall generally blocks, like Facebook and Twitter, for example, which allow for levels of free speech that the Chinese government doesn't like and certainly can't monitor. And apparently the Chinese Ministry of Industry and Information Technology's firewall, which spans multiple levels of government, can't even help the PLA monitor its own digital spies. From the Mandiant report:
Additionally, the nature of the hackers' work requires them to have control of network infrastructure outside the GFWoC. This creates a situation where the easiest way for them to log into Facebook and Twitter is directly from their attack infrastructure. Once noticed, this is an effective way to discover their real identities.
It's unclear if the Comment Crew hackers logged on to Facebook and Twitter for the purposes of hacking or just as an easier way to access the social networks for themselves in and around the PLA's "office" every day. But it's not the first social networking trail left by the group now most closely connected with what's being called "an asymmetrical digital war" with China. Facebook also helped Dell SecureWorks track down the identity of another Chinese hacker who may or may not have ties to the government, according to a report from last week that began to on multiple U.S. organizations. SecureWorks' Joe Stewart discovered the personal details of a hacker later identified as "Zhang" through a business registered by the hacker that sold "likes" on Facebook and Twitter. From Businessweek:
Then Stewart discovered something much more unusual: One of the domains hosted an actual business, one that offered, for a fee, to generate positive posts and likes on social network sites such as Twitter and Facebook. Stewart found a profile under the name Tawnya on the hacker forum BlackHatWorld promoting the site and a PayPal account that collected fees and funneled them to a Gmail account that incorporated the surname Zhang. Stewart was amazed that the hacker had exposed his or her personal life to such a degree.
That information ultimately led to the unmasking of this mystery Chinese hacker by someone else in the cyber-sleuthing world, a world we are just starting to learn more about as it unmasks China's spy campaign, but one that might just be getting a hand from China itself.