How Chinese insiders are stealing data scooped up by President Xi’s national surveillance system – Source: go.theregister.com

Feature Chinese tech company employees and government workers are siphoning off user data and selling it online – and even high-ranking Chinese Communist Party officials and FBI-wanted hackers’ sensitive information is being peddled by the Middle Kingdom’s thriving illegal data ecosystem.

“While Western cybercrime research focuses heavily on criminals in the English- and Russian-speaking worlds, there is also a large community of Chinese-speaking cybercriminals who engage in scammy, low-level, financially motivated cybercrime,” SpyCloud senior security researcher Kyla Cardona said during a talk at last month’s Cyberwarcon in Arlington, Virginia. 

It’s no secret that President Xi Jinping’s government uses technology companies to help maintain the nation’s massive surveillance apparatus. 

But in addition to forcing businesses operating in China to stockpile and hand over info about their users for censorship and state-snooping purposes, a black market for individuals’ sensitive data is also booming. Corporate and government insiders have access to this harvested private info, and the financial incentives to sell the data to fraudsters and crooks to exploit.

“It’s a double-edged sword,” Cardona told The Register during an interview alongside SpyCloud infosec researcher Aurora Johnson.

“The data is being collected by rich and powerful people that control technology companies and work in the government, but it can also be used against them in all of these scams and fraud and other low-level crimes,” Johnson added.

China’s thriving data black market

To get their hands on the personal info, Chinese data brokers often recruit shady insiders with wanted ads seeking “friends” working in government, and promise daily income of 20,000 to 70,000 yuan ($2,700 and $9,700) in exchange for harvested information. This data is then used to pull off scams, fraud, and suchlike.

Some of these data brokers also claim to have “signed formal contracts” with the big three Chinese telecom companies: China Mobile, China Unicom, and China Telecom. The brokers’ marketing materials tout they are able to legally obtain and sell details of people’s internet habits via the Chinese telcos’ deep packet inspection systems, which monitor as well as manage and store network traffic. (The West has also seen this kind of thing.)

Crucially, this level of surveillance by the telcos gives their employees access to users’ browsing data and other info, which workers can then swipe and then resell themselves through various brokers, Cardona and Johnson said.

Scammers and other criminals are buying copies of this personal information, illicitly obtained or otherwise, for their swindles, but it’s also being purchased by legitimate businesses for sales leads — to sell people car insurance when theirs is about to expire, for example.

Information acquired through DPI also seems to be a major source of the stolen personal details that goes into the so-called “social engineering databases,” or SGKs (short for shegong ku​), according to the researchers. 

It poses privacy risks to all Chinese people across all groups. And then it also gives us Western cybersecurity researchers a really interesting source to track some of these actors

In addition to amassing information collected from DPI, these databases contain personal details provided by underhand software development kits (SDKs) buried in apps and other programs, which basically spy on users in real time, as well as records stolen during IT security breaches.

SGK records include personal profiles (names, genders, addresses, dates of birth, phone numbers, email and social media account details, zodiac signs), bank account and other financial information, health records, property and vehicle information, facial recognition scans and photos, criminal case details, and more. Some of the SGK platforms allow users to do reverse lookups on potential targets, allowing someone to be ultimately identified from their otherwise non-identifying details.

This data is advertised and sold, or sometimes given away for free, on more well-known places like Telegram announcement channels and also on dark web souks. Subscribers can purchase access to a basic lookup service, which is cheap (between $1 and $5) and allows a buyer to query a database of information obtained via a security breach. Or they can spend more on a private or premium lookup that typically involves rifling through a database of information stolen by a rogue insider from their place of employment.

What you can find via ‘social engineering databases’

One SGK that has since been taken down had more than 3 million users. As of now, one of the biggest stolen-info databases has 317,000 subscribers, we’re told, while most of the search services each see about 90,000 users per month.

“If you can’t find something on one, you’ll probably find it in another, or you’ll find it in a Chinese data-leak channel,” Cardona said. “This is a really important part of the entire cybercrime ecosystem, and it’s being missed by the Western side.”

During the Cyberwarcon presentation, the duo showed a series of case study slides that highlighted the types of information anyone can find in SGKs. Some of these contained personal information about ethnic minorities living in China. One also displayed a ton of sensitive details belonging to a high-ranking CCP member.

​A free SGK search query about this individual pulled up the person’s name, physical address, mobile number, national ID number, birth date, gender, and issuing authority, which the researcher surmised is the issuing authority for the ID card.

An additional query produced even more: The person’s WeChat ID, vehicle information, hobbies and industry information, marital status, and monthly salary, and his phone’s International Mobile Equipment Identity (IMEI) number with a link to click for more information about the device.

The researchers found similar info about a People’s Liberation Army member using SGKs, plus details about suspected nation-state-backed criminals wanted by the FBI. 

FBI-wanted fugitives aren’t immune, either

They started with one fugitive living in China, Fu Qiang, aka StandNY, who in 2020 was charged by the Feds with breaking into more than 100 computers across the globe. According to the US government, he is a member of China’s APT41, aka Wicked Panda, and employed by Chengdu 404 Network Technology, which infiltrates organizations around the world on behalf of the Chinese government.

US-based SpyCloud collects and aggregates stolen and leaked data — not for nefarious purposes, but to help customers prevent account takeovers and identity theft — and the researchers used this data collected from one security breach to connect a random person’s phone number to their name and online alias.

Looking up that phone number in a couple of SGKs produced the IMEI, Tencent QQ information, address, password hash from a breach of e-commerce company JD.com, multiple account passwords, and an IP address.

• Good: US boasts it collared two in Chinese hacking bust. Bad: They aren’t the actual hackers, rest are safe in China
• Salt Typhoon’s surge extends far beyond US telcos
• Telco engineer who spied on US employer for Beijing gets four years in the clink
• China has utterly pwned ‘thousands and thousands’ of devices at US telcos

The duo had similar success with Zhu Hua, who is also wanted by the FBI for allegedly compromising cloud giants, aerospace and defense companies, chip designers, and US government agencies and military on behalf of Beijing.

And then they turned their attention to Wu Haibo, aka shutd0wn, founder and CEO of I-Soon, which suffered its own data leak earlier this year that exposed China’s massive data stealing efforts.

A couple of SGK queries uncovered his email addresses and multiple passwords, WeChat ID and QQ account information, physical address, birth date, national ID number, and a hotel check-in from a few years back.

“This could be a very powerful tool to track advanced threat actors and pivot off of any selector you have to find more data on an individual and get a complete user picture of them,” Johnson said.

“There is a huge ecosystem of Chinese breached and leaked data, and I don’t know that a lot of Western cybersecurity researchers are looking at this,” Johnson continued. “It poses privacy risks to all Chinese people across all groups. And then it also gives us Western cybersecurity researchers a really interesting source to track some of these actors that have been targeting critical infrastructure.” ®