Wednesday, 20 February 2013

Chinese Threat Actor Part 5

Follow up on Mandiant report

Mandiant Report

"Once again, in tracking SH we are fortunate to have access to the accounts disclosed from The rootkit.com account “SuperHard_M” was originally registered from the IP address, within one of the known APT1 egress ranges, and using the email address “”. We have observed the DOTA persona emailing someone with the username mei_qiang_82. The name “Mei Qiang” (梅强) is a reasonably common Chinese last/first name combination. Additionally, it is a common practice for Chinese netizens to append the last two digits of their birth year, suggesting that SuperHard is in fact Mei Qiang and was born in 1982. Unfortunately, there are several “Mei Qiang” identities online that claim a birth year of 1982, making attribution to an individual difficult."

One of the threat actors identified by Mandiant is "SuperHard_M". His name is Mei Qiang and his email is ""

Rootkit database

This email is the registrant email at kaixin001 social network

Full Name - Mei Xiao Qiang (梅小强), Living in Shanghai

Tianya Chinese Board

The same email is also the registrant email at Tianya Chinese Board, but the name linked to this email address is "2005_9_24". The profile information says he is male, living in the city of Zhengzhou, Henan Province, with a date of birth of September 12th 1982 (Virgo). The profile was registered on 24 Sep 2005, suggesting that he was in Zhengzhou at that time.

Interestingly, there is another account on Tianya with the handle "SuperHard_M" which is registered with the email address ""

"" is also the registrant email at the Kaixin social network, but the profile has now been deleted and we know why :)

A search on reveals he was aged 24 in 2005, which means he is 31 years old now.
He was living in Zhengzhou, Henan Province, during 2005. In a job profile, he mentions that his interests are network security and developing hacking tools.

Name: SuperHard_M
Gender: Male
Age: 24
Education: Masters
Tel: 13503456644
Contact Address: Henan Zhengzhou 1001 mailbox 774
PostalCode: 450002
Date: 2005-11-28 08:50:40
Published Username: SuperHard_M

The mailbox address "1001 mailbox 774, Zhengzhou city, Henan Province" belongs to the well-known PLA Information Engineering University, which implies he was a student at PLAIEU.

Mei Qiang co-authored two journal articles with Zhu Yue-Fei on HTTP session hijacking on a switched LAN, man-in-the-middle (MITM) attacks and ARP spoofing. It is important to note that Zhu Yue-Fei also published articles with Zhang Chang-he.

(Credit goes to Tommy for the Journal link)

Read online

SuperHard_M profiles on Chinese boards

Weibo Profile

Lives in Shanghai Pudong area

T QQ Profile

Lives in Shanghai Pudong area and Virgo

Wolf's World

Another possible email of SuperHard is


A few hours after this blog post went up, Mei Qiang's Kaixin profile was deleted and his sxsoft profile details were changed.
