Key Points
Documents recently leaked from Anxun, a key private security contractor of the Chinese Ministry of Public Security (MPS), provide rare insight into Chinese state-sponsored cyber-threat activity, especially the domestic hacker-for-hire ecosystem. The documents revealed that the Chinese government uses Anxun as hackers-for-hire to facilitate cyber-threat operations against foreign governments and dissidents, as well as other entities. Defenders can use the insights and recommendations described in this report to better guard against similar APT activity and insider threats—particularly in frequently targeted sectors: manufacturing; professional, scientific, and technical services; public administration; wholesale trade; information; and construction.
On February 16, 2024, the stolen Anxun data was posted on GitHub; it was subsequently removed. The documents included staff information, communication among employees and with customers, details of surveillance tools that Anxun developed for the Chinese government, and more. They revealed dissident surveillance, espionage against foreign governments, and the dissemination of pro-Beijing content on social media.
There are several possibilities regarding who leaked the Anxun documents:
ReliaQuest assesses with medium confidence that the perpetrator was a disgruntled employee, based mainly on the contents of the leak found on GitHub. The files were organized into several sections whose headings accused Anxun of jeopardizing national security and of being a bad company to work for. The documents also contained screenshots of conversations in which employees complained about low company morale, long hours, low salaries, and the difficulty of their tasks.
A rival hacker-for-hire company would have been unlikely to publicly leak the details of Anxun’s operations with the Chinese government, for fear of incurring notoriously severe government punishment. And a foreign government would have more likely used the exfiltrated information to determine whether there are any APT groups present in their networks, rather than disclose it publicly and risk Beijing’s retaliation. Moreover, hacktivists typically claim responsibility for their attacks to boost their reputation and promote their cause, which did not happen in Anxun’s case; it is unlikely that the data leak was ideologically motivated.
Incorporated in September 2010 in Shanghai, Anxun describes itself as a technology-based enterprise that provides InfoSec solutions for various industries. The company has branches and subsidiaries across China and an APT Defense and Research Laboratory in Shanghai. Its role as a hacker-for-hire company is described in the following revelations found in the leaked documents.
Anxun has advertised offensive and defensive APT capabilities, listing dozens of Chinese government security agencies as its customers. (Anxun’s website and its Weibo and WeChat accounts have been taken offline since the leak and remain unavailable at the time of writing.)
Anxun’s CEO and main investor, Wu Haibo (whose alias in the leaked chats is shutd0wn), is a prominent, pioneering Chinese hacker and an early member of China’s first hacktivist group, the Green Army. Wu remains actively involved in Anxun’s operations and cyber activity in China, giving talks and interviews with Chinese media and universities.
Evidence points to a working relationship between Anxun and Chinese APT groups based in Chengdu, Sichuan, where Anxun has a branch. Chengdu is an established hub of Chinese APT activity—“RedHotel” and “APT41” are among the state-sponsored hacking groups based there, and multiple APT groups have set up front companies in Chengdu to hide illicit cyber operations.
According to a 2020 US Department of Justice indictment, Chengdu Silingsi Network Technology Company (aka Chengdu 404) is a front company used to hide APT41 cyber-threat activity, which has affected more than 100 US companies. In October 2023, Chengdu 404 sued Anxun over a contract dispute arising from a software-development partnership. Details of the partnership are not publicly available, but based on Anxun’s service offerings, Chengdu 404 probably engaged Anxun to develop a platform or tool to support cyber-threat campaigns.
Anxun is highly active in developing cyber-operational capabilities in Chengdu. Since 2018, the company has sponsored and/or organized the annual Anxun Cup event (most recently in December 2023): a training “bootcamp” to cultivate network-security talent. The event focuses on discovering new techniques and vulnerabilities and on in-depth knowledge of a particular application or programming language (see Figure 1). Similarly, Chengdu 404 has displayed an interest in nurturing talent; that company maintains close relations with Sichuan University, likely for recruitment.
Figure 1: Anxun’s Weibo post about the Anxun Cup
Chengdu 404 and Anxun encourage cyber-threat capabilities through hacking competitions and training programs, are based in Chengdu, and have known ties to the Chinese government or APT groups. Although we cannot ascertain whether Anxun is an APT group or a front company for an APT group, its many operational similarities to Chengdu 404 suggest either option is a realistic possibility.
Anxun’s white paper on remote-control management systems, leaked on GitHub, refers to an IP address that was used as a ShadowPad command-and-control (C2) server in August 2021. ShadowPad is a modular backdoor that multiple Chinese threat groups have used since at least 2017. The malware has been attributed to the “Winnti Group,” a collective of several Chinese APT groups, including APT41, whose activities occasionally overlap.
Figure 2: Screenshot of leaked Anxun white paper, showing the redacted IP address used as a ShadowPad C2 server (Source: GitHub)
In September 2022, threat actors used a trojanized installer of Comm100, a chat-based customer engagement application, in a supply-chain attack campaign. A leaked transcript of a conversation between Anxun employees (see Figure 3) confirmed that an IP address listed among the campaign’s indicators of compromise (IoCs) is an Anxun server, cementing the company’s involvement. Since August 2022, Comm100 had been unknowingly loading backdoor scripts from the threat actors’ infrastructure. In some of the attacks, advanced malware was delivered to the employees of several online gambling platforms; these employees had administrative privileges for their employers’ websites, indicating that securing administrative access was a likely goal of the campaign.
Figure 3: Screenshot of conversation between Anxun employees, with translation shown to right of original text
As the leaked documents indicate, Anxun’s cyber-threat activity seems politically oriented, focusing on espionage and surveillance across Asia, followed by Europe, then the US. The company seems to dedicate many of its resources to targeting foreign governments to gain valuable information, which aligns with the general direction and goals of Chinese APT groups and of Chengdu 404.
The data leak has provided rare insight into how the Chinese government outsources parts of its cyber operations to private third-party companies, and how these companies work with one another to fulfill these demands. Screenshots of employee conversations hint at infighting among these third-party contractors despite their collaborations, but the maturity of the Chinese hacker-for-hire industry is evident: Numerous companies like Anxun and Chengdu 404 offer a broad range of hacking services to the Chinese government and APT groups. Anxun will very likely continue to operate without major disruptions.
APT41: A Real and Active Threat
The APT41 group primarily wages financially and politically motivated attacks against the following sectors in North America, Europe, and Asia: public administration; professional, scientific, and technical services; and arts, entertainment, and recreation. However, APT41 attacks have spanned more than 20 countries, and also compromised entities in the information; health care and social assistance; finance and insurance; manufacturing; and utilities sectors. The group remains active, despite the US indictment of several of its members; we most recently reported on APT41’s activity in December and September 2023.
We offer the following resources and recommendations to mitigate the risks associated with general APT activity and insider threats.
GreyMatter includes an intelligence content library of threat profiles and intelligence updates to keep our customers abreast of the latest APT activity. Topics include threat-actor tactics, techniques, and procedures; IoCs; tools; and attack and campaign details. In addition, consider the following practices to guard against common APT activity.
Although we cannot confirm that an insider was responsible for the leak of Anxun’s data, it is the most likely option, based on our analysis. The following content offers tips to protect against potential data leaks and insider threats.
Customers specifically concerned about insider threats should: