China on hot seat over alleged hacks
Robert Lemos, SecurityFocus 2007-09-04

Fresh allegations surfaced on Monday that China's military has hacked other nations' networks to nab sensitive data, charges that the country denied for the second time in two weeks.

China on hot seat over alleged hacks 2007-09-10
penquin power (1 replies)
the story is on going everyday 2007-09-10
Charlie Chen
There are at least 8 China hacker groups. We call them HuBei Jun (Jun for military troop), ShangHai Jun, Beijing/TienJing Jun, GuoDong Jun, FuJian Jun, SiChuan Jun, JianSu Jun, SiAnn Jun.

Through incident handling and investigation with law enforcement, we found some evidence to prove the China hackers (targeted attack / spear phishing) came from government (military, intelligence dept. and public security).

We have inspected the tools, from the beginning trojaned e-mail, backdoor, and relay tools in the way stations.

At first, they use a Microsoft Word (*.doc) file with an exploit to drop backdoors or download spyware from other way stations. And the backdoor connects back to the way station, when the hacker comes from China (fixed IP or ADSL) to remotely control victims.

What they want is to collect the contact list files (Outlook, MSN ...) to build a huge database about relationships for future use. From the contact list, hackers can send a 'well-made' trojaned mail to the others in the contact list; then victims will trust the e-mail's subject and fake e-mail source, open it and be compromised. And they periodically jump back to collect the latest documents in all file types, and even steal your mail account to have a copy of your mailboxes.

As the official document shows, the cyber operation was directly sponsored or supported by General Staff Department Sec. Four. And the evidence shows they:

(1) Organized: they have principles and formal check-in/out times. In our domain name (used by backdoor) observations, they start to work at 0700 GMT+8 Round 1, 1150 Lunch, 1400 Round 2, 1730 Take a break; then, depending on the group, they have a night team to hack foreign countries.

(2) The tools: not commonly seen on the public Internet. Some hacker groups use the same military produced/purchased hacking tools.

(3) The source IP we sniffed from incident handling can be directly mapped to military regions of China.


Link to this comment: http://www.securityfocus.com/comments/articles/11485/34833#34833
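The time-of-day pattern reported in the comment above can be tested against a responder's own observations by bucketing event timestamps into the quoted windows. This is an added example, not part of the original comment; it assumes the quoted times are GMT+8 clock times, and the timestamps and function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

GMT8 = timezone(timedelta(hours=8))

# Shift windows as quoted in the comment, in minutes after midnight.
# Assumption: they are local GMT+8 clock times; 1730 onward is "off_hours".
SHIFTS = [
    ("round_1", 7 * 60, 11 * 60 + 50),
    ("lunch", 11 * 60 + 50, 14 * 60),
    ("round_2", 14 * 60, 17 * 60 + 30),
]


def shift_for(ts_utc: str) -> str:
    """Map a naive ISO-8601 UTC timestamp to the window it falls in."""
    utc = datetime.fromisoformat(ts_utc).replace(tzinfo=timezone.utc)
    local = utc.astimezone(GMT8)
    minute = local.hour * 60 + local.minute
    for name, start, end in SHIFTS:
        if start <= minute < end:  # half-open interval: end belongs to next window
            return name
    return "off_hours"


def profile(events):
    """Count observed events per window."""
    return Counter(shift_for(ts) for ts in events)


def working_hours_ratio(events):
    """Fraction of events inside round 1 or round 2 (0.0 for no events)."""
    counts = profile(events)
    total = sum(counts.values())
    return (counts["round_1"] + counts["round_2"]) / total if total else 0.0


# Constructed sample: UTC times of observed activity tied to a monitored domain.
SAMPLE_EVENTS = [
    "2007-08-01T23:05:00",  # 07:05 GMT+8
    "2007-08-02T01:30:00",  # 09:30 GMT+8
    "2007-08-02T03:49:00",  # 11:49 GMT+8
    "2007-08-02T03:50:00",  # 11:50 GMT+8
    "2007-08-02T06:00:00",  # 14:00 GMT+8
    "2007-08-02T09:29:00",  # 17:29 GMT+8
    "2007-08-02T09:30:00",  # 17:30 GMT+8
    "2007-08-02T15:00:00",  # 23:00 GMT+8
]

if __name__ == "__main__":
    print(profile(SAMPLE_EVENTS), working_hours_ratio(SAMPLE_EVENTS))
```

Clustering inside the two rounds suggests a fixed work schedule in that time zone; on its own it does not identify the operators.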
Idiots.... 2007-09-10
Somewhat Anonomus-Umi (2 replies)
Re: Idiots.... 2007-09-14
Anonymous
Re: Idiots.... 2007-10-26
Anonymous







 

Copyright 2008, SecurityFocus