An American computer security company released a report Tuesday linking a Chinese military unit to a growing number of cyber attacks against American companies, organizations and government agencies.
But some of those connections — including profiles of the individual hackers in China — could not have been made without the work of the hacker group Anonymous, according to the report by the security firm Mandiant.
Security researchers and government officials have long claimed that China is behind a growing number of cyber attacks against American computer networks, a charge that China has repeatedly denied. But Mandiant’s 73-page report was unusual in its level of detail, going so far as to profile the identities of three hackers who are believed to be working for the Chinese military. Mandiant said it was able to find connections between two of those hackers and China’s People’s Liberation Army by relying on public data first revealed by the hacker group Anonymous.
In February 2011, Anonymous gained access to the website rootkit.com — an online forum where hackers and researchers share information about hacking techniques — and published personal data of more than 40,000 registered users online. The data included email and IP addresses.
The breach was one of dozens by Anonymous over the past two years and gained relatively little media attention. But now, two years later, security researchers say the data was valuable in helping them find links between hackers and the Chinese military.
“We are fortunate to have access to the accounts disclosed from rootkit.com,” the Mandiant report said.
Anonymous’ disclosure of the rootkit.com information included an email and IP address for the username “uglygorilla.” The IP information, which identifies the location from which the user is accessing the Internet, pinned the hacker to a place close to a 12-story office tower in Shanghai that researchers believe is the headquarters of P.L.A. Unit 61398 — cyber warriors for the Chinese military.
The email address linked to the “uglygorilla” username had been used to register for an online forum run by the Chinese military, in which the hacker asked: “It is said that the U.S. military has set up a dedicated network force referred to as a ‘cyber army.’ Does China have a similar force? Does China have cyber troops?” according to the report.
Another hacker profiled in the report, who went by the nickname “Superhard,” is believed to be part of a “smaller group of highly capable developers” who write malicious software for the Chinese military, Mandiant said in the report.
Anonymous’ disclosure also included an account called “SuperHard_M.” The name was registered from an email address that was also used to register for websites and forums in which the hacker offered to write malware for money and said he lived in an area of Shanghai near the building believed to be housing the P.L.A. Unit 61398 headquarters. An IP address from the hacker’s rootkit.com account also showed that he logged on to the Internet in an area near the building, according to the report.
It’s not the first time that rootkit.com account information has helped researchers shed light on the identity of Chinese hackers.
A recent story in Businessweek detailed how Joe Stewart, a researcher for Dell SecureWorks, was able to link a hacker to the Chinese military in part by tracing the digital breadcrumbs he left behind. One piece of evidence came from an IP address on the website rootkit.com, according to the story.