Meet the 3 Chinese Hackers Pwned by Mandiant

Retired PLA rear admiral Zhang Zhaozhong, who inspired UglyGorilla. Photo: <a href="http://www.chinamil.com.cn/">People's Liberation Army</a>/Mandiant



In case you missed it, the cybersecurity firm Mandiant just released a bombshell report (pdf) on how a long-running campaign of intrusions, which since 2006 has compromised at least 141 organizations, most of them American corporations and government agencies, almost certainly originated from a single Shanghai office building controlled by the People’s Liberation Army (PLA). The hacking group, dubbed APT1 in the report, launches its attacks from roughly the same address in the city’s Pudong New Area as the one used by the PLA’s Unit 61398, a probable cyberwar division. But the excellent New York Times exclusive on Mandiant’s findings omits some colorful details about the hackers themselves. One of them, for instance, is apparently a Harry Potter fan. Here are profiles of the three Chinese hackers Mandiant outed in its report.

Jack Wang, a.k.a. Wang Dong, a.k.a. UglyGorilla

A profile photo used by UglyGorilla

Back in 2004, the cyberwarfare expert Zhang Zhaozhong was participating in an online Q&A hosted by the website China Military Online. A retired PLA rear admiral, professor at China’s National Defense University, and strong advocate of the “informationization” of military units, Zhang had written several works on military tech strategy, including “Network Warfare” and “Winning the Information War.” One question for Zhang came from a site user with the handle “Greenfield,” who brought up the United States’ cyberwar capabilities. “Does China have a similar force?” he asked. “Does China have cyber troops?”

Greenfield would soon become one of those troops, according to Mandiant. When he registered for the China Military site, he gave his real name as “Jack Wang” and the email address uglygorilla@163.com, details that would later be associated with the hacker known as UglyGorilla. That October, UglyGorilla registered the domain HugeSoft.org, a name that, as Bloomberg has reported, “combines two common descriptors of a gorilla, along with sub-domains like ‘tree’ and ‘man.’”

In 2007, UglyGorilla authored the first known sample of a widely used family of Chinese malware and brazenly left his signature in the code: “v1.0 No Doubt to Hack You, Writed by UglyGorilla, 06/29/2007.”

DOTA, a.k.a. Rodney, a.k.a. Raith

DOTA may have taken his or her name from the video game “Defense of the Ancients,” commonly abbreviated DotA. The name shows up in dozens of email accounts that DOTA created for social engineering and phishing attacks, according to Mandiant. It appears Mandiant was able to gain access to some of these accounts, allowing it to obtain DOTA’s phone number (a mobile phone in Shanghai) and the username of DOTA’s empty, US-based Facebook account, where DOTA registered as female. Mandiant published a screen-grab of one of DOTA’s Gmail accounts.

DOTA appears to speak fluent English and may be a fan of American and British pop culture. The answers to security questions associated with his or her internet accounts, such as “Who is your favorite teacher?” or “Who is your best childhood friend?”, are often some variation of “Harry” and “Poter” (the misspelling is the account holder’s).

Mandiant also linked some of DOTA’s other passwords to a naming pattern that seems to be associated with Unit 61398, which the report identifies as the PLA’s cyberwar division.

Mei Qiang, a.k.a. SuperHard

Like UglyGorilla, Mei Qiang signs much of his work by embedding his name in the code. His malware is often signed “SuperHard,” and in the Microsoft tools he modifies, the embedded company string is changed from “Microsoft corp.” to “superhard corp.”
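The attribution hook in both the UglyGorilla and SuperHard profiles is a string the author left inside the binary. As an added example, not code from the Mandiant report or from this article, here is a small Python triage script that pulls printable ASCII and UTF-16LE strings out of a file and flags any that contain a known author marker. UTF-16LE matters because PE version-information fields such as CompanyName, where a string like “superhard corp.” would live, are stored that way and are invisible to a plain ASCII scan. The sample bytes, the marker list and the function names are constructed for illustration and are not real APT1 artifacts.

```python
"""Triage helper: extract printable ASCII and UTF-16LE strings from a binary
blob and flag the ones that carry a known author signature.

Added example, not code from the Mandiant APT1 report or the article.
SAMPLE_BLOB, AUTHOR_MARKERS and the function names are assumptions.
"""
import re

# A run of at least six printable ASCII bytes ...
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# ... and the same run encoded as UTF-16LE (each ASCII char followed by a
# NUL byte), which is how PE VERSIONINFO fields such as CompanyName are stored.
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Constructed marker list, modelled on the signatures quoted in the text.
# Matching is case-insensitive so "SuperHard" and "superhard corp." both hit.
AUTHOR_MARKERS = ("UglyGorilla", "superhard")

# Constructed sample: a fake DOS header, non-printable padding, an ASCII
# signature string like the one quoted in the article, then a UTF-16LE
# CompanyName/FileDescription pair laid out the way a PE resource would hold it.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(range(32))
    + b"v1.0 No Doubt to Hack You, Writed by UglyGorilla, 06/29/2007\x00"
    + b"\x00" * 16
    + "CompanyName".encode("utf-16le") + b"\x00\x00"
    + "superhard corp.".encode("utf-16le") + b"\x00\x00"
    + "FileDescription".encode("utf-16le") + b"\x00\x00"
    + b"\xff" * 8
)


def extract_strings(blob: bytes):
    """Return (offset, encoding, text) for every printable run in blob,
    sorted by offset. Both encodings are scanned independently."""
    found = []
    for m in _ASCII_RUN.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in _UTF16LE_RUN.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort()
    return found


def find_author_markers(blob: bytes, markers=AUTHOR_MARKERS):
    """Return only the extracted strings that contain one of the markers,
    compared case-insensitively."""
    needles = tuple(m.lower() for m in markers)
    return [
        s for s in extract_strings(blob)
        if any(n in s[2].lower() for n in needles)
    ]


if __name__ == "__main__":
    for offset, encoding, text in find_author_markers(SAMPLE_BLOB):
        print(f"{offset:#08x} {encoding:9s} {text}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `find_author_markers`; the ASCII hit corresponds to what `strings` would show, while the UTF-16LE hit is the one a default `strings` run misses unless you add `-e l`.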

SuperHard primarily works on tools used by other Chinese hackers; he is probably employed in APT1’s research and development arm, according to Mandiant. He has also offered to write Trojan software for money. Mandiant researchers gained access to some of the hacker’s internet accounts. They believe he (or she; it’s hard to know) used the email address mei_qiang_82@sohu.com, which, following common Chinese naming habits, suggests that the user is named Mei Qiang and was born in 1982. They also traced SuperHard to Shanghai’s Pudong New Area, information that should give US security experts plenty of leads, assuming the hacker hasn’t been fired yet.
