
Sichuan-based ‘cyber security’ firm bared for hacking operations against Tibetans, Uyghurs


(TibetanReview.net, Jan30’25) – Intelligence Online, a group which monitors the organisation and functioning of the domestic and foreign intelligence services of key governments (CIA, MI6, BND, MI5, DGSE…), said Jan 29 that it had found a Chengdu-based cyber security contractor to China’s public security ministry to be behind recent IT hacking operations carried out in China and abroad against Tibetans and Uyghurs.

On paper, Sichuan Dianke Network Security Technology (aka Sichuan UPSEC Technology or simply UPSEC) and its subsidiary, Chengdu Anmo Technology, and their 150-strong team of engineers, 90% of them working on research and development, claim simply to be contributing to China’s cyber security effort. Based in the capital of Sichuan province, the company has an unremarkable online presence and presents itself as a humble provider of services to the police and to be a partner of numerous academic institutions.

However, in reality, it is a provider of particularly virulent cyber penetration tools, which are being used to target the Tibetans and Uyghurs, two ethnic groups especially reviled by Beijing.

The group said that, in concrete terms, UPSEC, founded in 2018, seemed to have close human and IT links with a group of malicious hackers already identified by the threat intelligence company Trend Micro, which has given it the name Earth Minotaur.

Trend Micro had published a report in Dec 2024 entitled “MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks”, which looked at Earth Minotaur’s use of an exploit kit (a box of tools for attacking vulnerabilities in IT systems to install malware or facilitate other hacking activities) called MOONSHINE as a means of distributing a “backdoor” (covert access system) called DarkNimbus. This backdoor mainly targets the Chinese instant messaging service WeChat used on Android and Windows devices belonging to China’s Uyghur and Tibetan minorities.

DarkNimbus allows information to be collected from the infected device, the applications installed on it and its geolocation. It extracts “personal information including the contact list, phone call records, SMS, clipboard content, browser bookmarks, and conversations from multiple instant messaging apps. It also supports call recording, taking photos, screenshotting, file operations, and command execution”.

Trend Micro found the IP addresses of DarkNimbus victims in the logs of a badly configured – and therefore accessible – server used by the hacking group. These addresses were generally geolocated in China, but some were also located in North America and Europe, particularly France. The victims outside China were stated to have been compromised via phishing attacks which redirected victims to online Tibetan and Uyghur music and dance videos.

While Trend Micro does not establish any link with UPSEC, Intelligence Online said it noticed that a number of IP addresses in communication with DarkNimbus were linked to the URL “aninfosec[.]cn”. Examining the URL using a WHOIS service – which makes available technical information about the URL and, in some cases, the name of its owner – revealed that it is owned by Chengdu Anmo Technology.

Other technical elements are also stated to make it possible to link the DarkNimbus infrastructure to a URL, ‘git[.]upsec[.]net’, and Intelligence Online has confirmed that the domain name ‘upsec[.]net’ is indeed linked to UPSEC’s website.
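The attribution step described above, linking domains to a common owner through their WHOIS registrant records, can be scripted. The following is an added example written for this page, not code from Intelligence Online, Trend Micro or the article; it refangs the defanged indicators exactly as printed above, reduces each to its registrable domain, parses the registrant organisation out of a WHOIS-style text record and groups the domains by that organisation. The WHOIS responses embedded below are constructed sample text modelled on the article’s stated attribution, not real lookup output; a live check would feed the domain to the `whois` command-line tool or an RDAP client instead of the `offline_lookup` function.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional

# Indicators in the defanged form the article prints them in.
DEFANGED = ["aninfosec[.]cn", "git[.]upsec[.]net", "upsec[.]net"]

# Constructed sample WHOIS responses (NOT real lookup output), keyed by domain.
# The registrant names follow what the article reports; field layout is typical
# of registry output but is an assumption here.
SAMPLE_WHOIS = {
    "aninfosec.cn": (
        "Domain Name: aninfosec.cn\n"
        "Registrant: Chengdu Anmo Technology\n"
        "Registrant Contact Email: REDACTED\n"
    ),
    "upsec.net": (
        "Domain Name: UPSEC.NET\n"
        "Registrant Organization: Sichuan UPSEC Technology\n"
        "Registrant Country: CN\n"
    ),
}

# WHOIS field names that carry the registrant organisation (registries differ).
ORG_FIELDS = ("registrant organization", "registrant org", "registrant")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp://") back into a plain host/URL."""
    s = indicator.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}"):
        s = s.replace(bracketed, ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s


def registrable_domain(host: str) -> str:
    """Strip any scheme/path and keep the last two labels.

    Assumption: a two-label registrable domain (fine for .cn and .net here);
    multi-label public suffixes such as .co.uk would need a suffix list.
    """
    host = re.sub(r"^[a-z]+://", "", host).split("/")[0]
    labels = host.split(".")
    return ".".join(labels[-2:])


def parse_registrant(whois_text: str) -> Optional[str]:
    """Return the first registrant-organisation value found in a WHOIS record."""
    for line in whois_text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() in ORG_FIELDS and value.strip():
            return value.strip()
    return None


def group_by_registrant(
    indicators: Iterable[str], lookup: Callable[[str], Optional[str]]
) -> Dict[str, List[str]]:
    """Map registrant organisation -> sorted list of registrable domains.

    `lookup(domain)` returns WHOIS text or None; domains with no parsable
    registrant are collected under "unknown" rather than dropped.
    """
    groups: Dict[str, set] = defaultdict(set)
    for indicator in indicators:
        domain = registrable_domain(refang(indicator))
        record = lookup(domain)
        org = parse_registrant(record) if record else None
        groups[org or "unknown"].add(domain)
    return {org: sorted(domains) for org, domains in groups.items()}


def offline_lookup(domain: str) -> Optional[str]:
    """Stand-in for a real WHOIS/RDAP query; serves the constructed records."""
    return SAMPLE_WHOIS.get(domain)


if __name__ == "__main__":
    for org, domains in group_by_registrant(DEFANGED, offline_lookup).items():
        print(f"{org}: {', '.join(domains)}")
```

Because `git[.]upsec[.]net` and `upsec[.]net` collapse to the same registrable domain, the grouping shows two registrant organisations for three indicators, which is the kind of overlap an analyst then confirms against other signals (hosting, certificates, the website content the article mentions) before treating it as attribution.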

UPSEC claims to have established “relations of cooperation with the Ministry of Public Security and hundreds of public security units” throughout China, working in both the defensive and offensive domains using the “school-company cooperation model”. It has thus established a partnership with the public security technological research centre at the University of Electronic Science and Technology of China (UESTC) for the creation of two research institutes, the Kongming Security Laboratory and the Yufeng Security Laboratory, noted the intelligenceonline.com report Jan 29.

UPSEC had not responded when contacted by Intelligence Online for comment on its findings.

The report noted that the offices of UPSEC are located very close to those of Sichuan Silence Information Technology Co., which was hit with sanctions last month by the US Treasury Department’s Office of Foreign Assets Control (OFAC). In fact, both firms are stated to be located inside the Chengdu High-Tech Zone.

The group said their proximity illustrates the rising importance of Chengdu in the Chinese cyber-intelligence world. The city is also home to Chengdu 404 Network Technology (IO, 18/07/24), which the US Department of Justice accuses of being behind APT41, the advanced persistent threat, attributed to the Chinese government, that also goes by the names Barium, Winnti, Wicked Panda and Double Dragon. Also based in Chengdu is i-Soon, the cyber-offensive firm that weathered a data leak early last year, the report noted.
