Cybercrime exposed: Once a grad student in China, now an international hacker-spy

A targeted and sustained cyber attack that ended up compromising hundreds of computers belonging to military personnel, aerospace engineers, activists and others has been traced back to a Chinese hacker.

The cyber criminal in question is Gu Kaiyuan, once a graduate student at a Chinese university that receives government financial support for its computer security program and currently an employee at Chinese portal Tencent. Before Kaiyuan initiated the exploits, collectively called the Luckycat campaign, he was involved in recruiting students for his school’s computer security and defense research. In short, he was the perfect person to conduct a campaign of this importance.

A report on the campaign from cloud security company Trend Micro shows that the Luckycat perpetrators began around June 2011, targeting military research in India and “sensitive entities” in Japan, as well as heavily focusing on Tibetan activists. The attacked computers were also tracked with unique codes to measure the success of the campaign. All told, 233 computers were hacked.

“The attackers behind this campaign maintain a variety of command-and-control infrastructures and leverage anonymity tools to obfuscate their operations,” wrote the Trend Micro team, which finally reported, “Careful monitoring allowed us to capitalize on some mistakes made by the attackers, and give us a glimpse of their identities and capabilities. We were able to track elements of this campaign to hackers based in China.”

Kaiyuan used a particular email address to register one of the Luckycat command and control servers. Based on that address, Trend Micro was able to deduce more and more about his identity. The email address led them to an IM account number, which in turn led them to the hacker forums where Kaiyuan had posted, the research university where he had studied, even magazine articles he had written about computer security.

Also, Trend Micro was able to find a set of campaign codes used to monitor compromised systems. “The campaign codes often contain dates that indicate when each malware attack was launched. This demonstrates how actively and frequently the attackers launched attacks,” the report reads. “The campaign codes also reveal the attackers’ intent, as some of these referenced the intended targets.”

Finally, Trend Micro wrote in the report’s conclusion that the Luckycat campaign, a sophisticated and highly targeted attack on important individuals, is also linked to similar attacks around the world. “The people behind it used or provided infrastructure for other campaigns that have also been linked to past targeted attacks such as the previously documented ShadowNet campaign,” the report reads.

To reduce risk of attack — especially in the enterprise, where high-profile targets abound — Trend Micro recommends good intelligence on threats, a set strategy for threat mitigation and attack cleanup, a data-centric security strategy, and educating employees about the danger of socially engineered cyber crime.