"Once again, in tracking SH we are fortunate to have access to the accounts disclosed from rootkit.com. The rootkit. com account “SuperHard_M” was originally registered from the IP address 126.96.36.199, within one of the known APT1 egress ranges, and using the email address “firstname.lastname@example.org”. We have observed the DOTA persona emailing someone with the username mei_qiang_82. The name “Mei Qiang” (梅强) is a reasonably common Chinese last/first name combination. Additionally, it is a common practice for Chinese netizens to append the last two digits of their birth year, suggesting that SuperHard is in fact Mei Qiang and was born in 1982. Unfortunately, there are several “Mei Qiang” identities online that claim a birth year of 1982, making attribution to an individual difficult."
One of the threat actor identified by Mandiant is "SuperHard_M". His name is Mei Qiang and email is "email@example.com"
IP Address 188.8.131.52 - CHINA, SHANGHAI, SHANGHAI
This email is the registrant email at kaixin001 social network
Full Name - Mei Xiao Qiang ( 梅小强 ), Living in Shanghai
Tianya Chinese Board
firstname.lastname@example.org is also the registrant email at Tianya chinese board but the name linked to this email address is "2005_9_24" and profile information says he is a Male, living in city of ZhengZhou, Henan Province with Date of Birth September 12th 1982, Virgo and this profile is registered on 24 Sep 2005 suggesting that he was in Zhengzhou at this time.
Interesting enough, there is another account on Tianya with the handle "SuperHard_M" which is registered with email address "email@example.com"
"firstname.lastname@example.org" is also the registrant email at kaixin social network but the profile is deleted now and we know why :)
Search on email@example.com reveals he is aged 24 in 2005, that means he is 31 years old now.
He was living in Zhengzhou, Henan province during 2005. In a Job profile, he mentions that his interests are network security and developing hacking tools.
Contact Address: Henan Zhengzhou 1001 mailbox 774
Date: 2005-11-28 08:50:40
Published Username: SuperHard_M
The mailbox address 1001 mailbox 774, Zhengzhou city, Henan Province belongs to the famous PLA Information Engineering University that implies he was a student at PLAIEU.
Mei Qiang published two journals along with Zhu Yue-Fei related to HTTP Session Hijacking on Switch LAN, Man In The Middle (MITM), ARP Spoof. It is important to note that Zhu Yue-Fei also published articles with Zhang Chang-he
(Credit goes to Tommy for the Journal link)
SuperHard_M profiles on chinese boards
Lives in Shanghai Pudong area
T QQ Profile
Lives in Shanghai Pudong area and Virgo
One of the other possible email of SuperHard is firstname.lastname@example.org
After few hours of this blog post, Mei Qiang's Kaixin profile is deleted and sxsoft profile details are changed.