Employees of Chinese tech companies and government officials are siphoning off user data and selling it online, and even the sensitive information of top Chinese Communist Party officials and hackers wanted by the FBI is being peddled through China's thriving illegal data ecosystem.

“While Western cybercrime research focuses heavily on criminals from the English-speaking and Russian-speaking worlds, there is also a large community of Chinese-speaking cybercriminals who engage in fraudulent, low-level, and money-motivated cybercrime,” Kyla Cardona, principal security researcher at SpyCloud, said during a talk at last month's Cyberwarcon in Arlington, Virginia.

It's no secret that President Xi Jinping's government uses tech companies to help maintain the country's massive surveillance apparatus.

But alongside the state's requirement that companies operating in China store and hand over information about their users for censorship and espionage purposes, a black market for sensitive personal data is also thriving. Companies and government bodies hold this collected private information, and the people inside them have a financial incentive to sell it to fraudsters and scammers.

“It’s a double-edged sword,” Cardona told The Register in an interview alongside Aurora Johnson, security researcher at SpyCloud.

“The data is collected by rich and powerful people who control tech companies and work in government, but it can also be used against them in all these scams, frauds and other petty crimes,” Johnson added.

Data black market flourishing in China

To get their hands on personal information, Chinese data brokers often recruit insiders through wanted ads seeking “friends” who work in government, promising a daily income of 20,000 to 70,000 yuan ($2,700 to $9,700) in exchange for the information they pull. That data then feeds scams, fraud, and similar crimes.

Some of these data brokers also claim to have “signed formal contracts” with China’s big three telecommunications companies: China Mobile, China Unicom and China Telecom. The brokers' marketing materials tout that they can legally obtain and sell people's internet habits via the telcos' deep packet inspection (DPI) systems, which monitor, manage and store network traffic. (The West has seen this sort of thing too.)

In practice, this level of surveillance by the telcos gives their employees access to subscribers' browsing data and other information, which those workers can then view and resell themselves through various brokers, Cardona and Johnson said.

Fraudsters and other criminals buy copies of this personal information, whether obtained illicitly or otherwise, for their scams, but legitimate businesses buy it too, for example to sell car insurance to people whose policies are about to expire.

Information acquired through DPI also appears to be a major source of stolen personal data that enters so-called “social engineering databases,” or SGKs (short for shegong ku), according to the researchers.

“This poses risks to the privacy of all Chinese people, regardless of group. And then it also gives us Western cybersecurity researchers a really interesting source to track down some of these actors,” Johnson said.

Besides the information harvested via DPI, these databases contain personal data collected by software development kits (SDKs) embedded in apps and other programs, which spy on users in real time, as well as records stolen in data breaches.

SGK records include personal profiles (names, genders, addresses, dates of birth, telephone numbers, email and social media account details, zodiac signs), bank accounts and other financial information, health records, property and vehicle information, facial recognition scans and photos, criminal case details, and more. Some SGK platforms let users run reverse searches on potential targets, so that an individual can be identified from a single data point that would not identify them on its own.

This data is advertised and sold, or sometimes given away for free, on better-known venues such as Telegram channels as well as on dark web souks. Subscribers can buy access to a basic search service, which is cheap ($1 to $5) and lets a buyer query a database of information obtained from a security breach. They can also pay more for private or premium searches, which typically involve digging through a database of information stolen by a dishonest insider from their workplace.

What you can find through “social engineering databases”

One SGK that has since been taken down had over 3 million users. Currently, one of the largest stolen-data databases has 317,000 subscribers, we're told, while most search services each see around 90,000 users per month.

“If you don't find something in one, you'll probably find it in another, or you'll find it in a Chinese data leak channel,” Cardona said. “This is a very important part of the whole cybercrime ecosystem, and the Western side hasn't figured it out.”

During the Cyberwarcon presentation, the duo showed a series of case study slides highlighting the types of information anyone can find in SGKs. Some contained personal information about ethnic minorities living in China. One displayed a ton of sensitive details belonging to a high-ranking CCP member.

A free SGK search on this person yielded their name, physical address, mobile number, national identification number, date of birth, gender, and the authority that issued their identity card.

A further query produced even more: the person's WeChat ID, vehicle, hobby and industry information, marital status and monthly salary, and the International Mobile Equipment Identity (IMEI) number of their phone, with a link to click for more information about the device.

The researchers found similar information about a member of the People's Liberation Army using SGKs, as well as details about suspected state-backed hackers wanted by the FBI.

Fugitives wanted by the FBI are not safe either

They started with a fugitive living in China, Fu Qiang, aka StandNY, who was indicted by the US government in 2020 for hacking more than 100 computers around the world. According to the US government, he is a member of China's APT41, aka Wicked Panda, and an employee of Chengdu 404 Network Technology, which infiltrates organizations around the world on behalf of the Chinese government.

US-based SpyCloud collects and aggregates stolen and leaked data not for nefarious purposes, but to help customers prevent account takeovers and identity theft. The researchers used breach data from that collection to link a phone number to Fu's name and online handle.

Searching for that phone number in a few SGKs turned up an IMEI, Tencent QQ account information, an address, a password hash from the JD.com e-commerce breach, passwords for multiple accounts, and an IP address.
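The pivot the researchers describe (start from one selector, follow every strong identifier it links to into other datasets, and keep going) is the same entity-resolution loop any threat-intel analyst runs by hand. The script below is an added illustration, not SpyCloud's tooling and not data from any real SGK: the records, source names and values are constructed placeholders. It pivots only on fields that are reasonably unique to one person (phone, IMEI, QQ, handle, email) and records which source supplied each fact, because a profile without provenance cannot be checked and a pivot on a common name pulls in strangers.

```python
"""Selector pivoting across breach and SGK-style record sets.

Added example. All records, source labels and values below are
constructed for illustration; none come from a real dataset.
"""
from collections import deque

# Constructed sample rows: (source_name, {field: value}).
RECORDS = [
    ("breach_A", {"phone": "+86-130-0000-0001", "name": "Example Person",
                  "handle": "h4ndle"}),
    ("sgk_X",    {"phone": "+86-130-0000-0001", "imei": "350000000000001",
                  "qq": "10001"}),
    ("sgk_Y",    {"qq": "10001", "address": "1 Example Rd",
                  "pw_hash": "deadbeefdeadbeefdeadbeefdeadbeef"}),
    ("sgk_Z",    {"handle": "h4ndle", "email": "h4ndle@example.invalid",
                  "ip": "203.0.113.7"}),
    # Unrelated person who must not be pulled into the profile.
    ("noise",    {"phone": "+86-130-0000-0002", "name": "Someone Else"}),
]

# Fields unique enough to pivot on. "name" is deliberately excluded:
# a common name would link unrelated people into one profile.
PIVOT_FIELDS = {"phone", "imei", "qq", "handle", "email"}


def pivot(seed_field, seed_value, records=RECORDS, max_hops=3):
    """Breadth-first pivot from one selector.

    Returns {field: {value: set(sources)}} so every fact in the
    profile carries the names of the sources that asserted it.
    """
    profile = {}
    seen = {(seed_field, seed_value)}
    queue = deque([(seed_field, seed_value, 0)])
    while queue:
        field, value, depth = queue.popleft()
        for source, row in records:
            if row.get(field) != value:
                continue
            for f, v in row.items():
                profile.setdefault(f, {}).setdefault(v, set()).add(source)
                # Only strong selectors become new pivot points, and only
                # within the hop budget, to limit drift away from the seed.
                if f in PIVOT_FIELDS and (f, v) not in seen and depth < max_hops:
                    seen.add((f, v))
                    queue.append((f, v, depth + 1))
    return profile


def sources_for(profile, field, value):
    """Which sources asserted a given fact (empty set if none)."""
    return profile.get(field, {}).get(value, set())


if __name__ == "__main__":
    result = pivot("phone", "+86-130-0000-0001")
    for field, values in sorted(result.items()):
        for value, srcs in values.items():
            print(f"{field:8} {value:40} from {sorted(srcs)}")
```

Run from a single constructed phone number, the profile reaches the handle, IMEI and QQ in one hop, then the address, password hash, email and IP in the next, while the unrelated "noise" row stays out because nothing strong links to it. The hop limit matters: real SGK data is noisy, and each extra hop through a shared or recycled identifier multiplies the chance of merging two people.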

The duo had similar success with Zhu Hua, who is also wanted by the FBI for allegedly compromising cloud giants, aerospace and defense companies, chip designers, and US government and military agencies on behalf of Beijing.

Then they turned their attention to Wu Haibo, aka Shutd0wn, founder and CEO of I-Soon, the contractor whose own data breach earlier this year exposed the scale of China's outsourced data-theft operations.

A few SGK queries revealed his email addresses and several passwords, his WeChat and QQ account credentials, his physical address, his date of birth, his national identification number, and a hotel check-in from a few years ago.

“This could be a very powerful tool for tracking advanced threat actors and moving away from whatever selector you have to find more data about an individual and get a complete picture of the user,” Johnson said.

“There is a huge ecosystem of breached and leaked Chinese data, and I don't know if many Western cybersecurity researchers are looking at that,” Johnson continued. “This presents risks to the privacy of all Chinese people, all groups. And it also gives us Western cybersecurity researchers a very interesting source to track some of these actors who are targeting critical infrastructure.”