QUICKLOOK: A Brief Analysis of 163.com: Navigating the Fine Line Between Utility and Exploitation
Unveiling the Legitimate Services and Illicit Exploitations of NetEase's Web Platform
Assessing the Role of NetEase's 163.com in Facilitating and Falling Victim to Cyber Espionage and Other Illegal Activities
NetEase, a leading Chinese technology company, operates the domain 163.com, a multifaceted web service platform that ranks among the largest in China. Established as a cornerstone of China's rapidly evolving digital landscape, 163.com offers a wide array of services including but not limited to email, online gaming, e-commerce, and digital content distribution. While the domain has been instrumental in providing millions of users with legitimate and often essential services, it has also been a subject of concern due to its exploitation for illegal activities. This report delves into an in-depth assessment of how 163.com has been used for illicit purposes, with a particular focus on its role in cyber espionage activities carried out by Chinese hackers. The objective is to provide a comprehensive understanding of the risks associated with the domain and to offer actionable recommendations for mitigating these risks.
NetEase, Inc. was founded in 1997 by entrepreneur Ding Lei, who envisioned a company that would play a pivotal role in China's burgeoning internet economy. The company is headquartered in Hangzhou, China, and has since its inception, evolved from a modest internet service provider into a behemoth that spans multiple sectors. Over the years, NetEase has diversified its portfolio to include online gaming, which has become one of its most profitable ventures, digital music distribution through its NetEase Cloud Music service, online education platforms, and even e-commerce through its Kaola and Yanxuan platforms.
The company has been a significant player in shaping the internet usage habits of the Chinese population. It has successfully tapped into the country's digital transformation, amassing a user base that primarily consists of Chinese nationals but also includes international users. One of the company's most enduring and popular services is its email service, which operates under the domain 163.com. This email service is not just one of the oldest but also one of the most widely used in China, boasting millions of active users and handling a substantial portion of the country's email traffic.
NetEase's 163.com has become synonymous with reliability and utility in the Chinese digital space. However, its widespread use has also made it a target and a tool for various forms of cybercrime and illegal activities, which this report aims to explore in detail.
Attribution to Cyber Espionage and Other Malicious Activities
Case 1: APT1 and People's Liberation Army Unit 61398
In 2013, cybersecurity firm Mandiant released a report on a hacker group it dubbed Advanced Persistent Threat One (APT1). Mandiant traced the group back to a Shanghai-based unit within China's military, the People's Liberation Army Unit 61398. The group was found to have compromised 141 companies across 20 industries. One of the hackers within APT1 was identified as Wang Dong, who used the email address uglygorilla@163.com. This email address was linked to an IP address within the range of APT1's Shanghai base, implicating 163.com in cyber espionage activities.
Case 2: ScarCruft and Malware Distribution
On March 22, 2023, a report was published detailing the evolving cyber-attack methods of ScarCruft, an APT group originating from North Korea. Various cybersecurity firms have noted that the group is increasingly using sophisticated techniques to distribute malware and evade detection. Active since 2012, ScarCruft has recently ramped up its activities, particularly against South Korean targets. The group employs a range of file formats for spear-phishing and has developed a new, advanced PowerShell-based implant called Chinotto.
ScarCruft has been evolving its tactics and is also known under aliases such as APT37, Reaper, RedEyes, and Ricochet Chollima. The group's ability to adapt and innovate, using a variety of file formats in its spear-phishing campaigns, is alarming. This adaptability highlights the need for equally dynamic cybersecurity measures.
One notable aspect is ScarCruft's use of a GitHub repository to host malicious payloads, which went undetected for over two years. This raises serious questions about the efficacy of current cybersecurity monitoring systems. Additionally, the group's focus on South Korean entities suggests that their activities may be geopolitically motivated, adding another layer of complexity to the threat they pose.
Incorporating the use of @163.com email addresses in phishing campaigns, as seen in other cyber-espionage activities, could indicate a broader strategy to exploit popular email services for malicious purposes. This hints that China possibly allows the cyber activities of the DPRK.
Case 3: Tetris Framework: A Sophisticated Cyber-Espionage Tool Likely Backed by the Chinese Government
A report by The Record dated August 16th, 2021, discusses the discovery of a web attack framework named Tetris, suspected to be developed by a Chinese government hacking group. The tool is designed to exploit vulnerabilities in 58 popular websites, 57 of which are Chinese portals, the last one being the New York Times. The framework aims to collect a wide range of data, including keystrokes, geolocation, and even webcam snapshots. The tool was found on two websites focused on news critical of the Chinese government. It is suggested that the tool collects data from 163.com for internal surveillance.
While analyzing the technical intricacies of cyber-espionage tools is all fine and dandy, knowing who uses these tools and against whom is also of importance when it comes to warning and protecting their victims. On this front, the researcher assessed with high confidence that the group using the framework was working on behalf of the Chinese government. This assessment is backed by the threat actor's attempts to limit the attack to a very narrow category of users who use Chinese keyboards and are accustomed to reading news articles critical of the Chinese government—and most likely part of the Chinese opposition movement, activists, and dissidents.
The researcher also noted that the abuse of the JSONP hijacking technique to retrieve user details from third-party sites when a user visits a "watering hole" portal was also seen in 2015. During that campaign, a Chinese threat actor used what appears to be a simpler version of the Swid plugins against Chinese visitors of NGO, Uyghur, and Islamic websites.
The Tetris framework represents a significant advancement in cyber-espionage capabilities, likely backed by the Chinese government. Its focus on Chinese portals and the New York Times suggests a geopolitical motive, possibly aimed at collecting data on Chinese dissidents or critics. The tool's complexity, including its ability to scrape data silently from third-party websites, indicates a high level of sophistication.
The framework also employs JSONP hijacking techniques to collect public data about users, such as usernames and phone numbers. This data could potentially be used to link a visitor to one of their public personas. The tool is not only a cybersecurity threat but also poses significant human rights concerns, especially for activists and dissidents who could be targeted in real-world scenarios based on the collected data.
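To make the JSONP hijacking mechanism concrete from the defender's side, here is an added example (not code from the report, from The Record, or from any NetEase/163.com system) that models a portal's "who am I" endpoint in the form such frameworks abuse and then a hardened form. The session store, origin `https://mail.example`, and the request objects are all constructed in memory; no network is involved.

```javascript
// Constructed sample session store: cookie value -> profile a logged-in portal would hold.
const SESSIONS = {
  "sid-123": { username: "alice", phone: "+86-138-0000-0000" }, // constructed, not real data
};
const SITE_ORIGIN = "https://mail.example"; // assumed origin of the portal hosting the endpoint

function lookupSession(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS[m[1]] : undefined;
}

// Vulnerable pattern: a <script src="https://mail.example/api/whoami?callback=cb"> on ANY
// page carries the browser's cookies, and the reply is executable JavaScript that hands the
// profile to whatever callback the embedding page named. A watering-hole page can therefore
// learn which account a visitor is logged into on the portal.
function whoamiJsonpVulnerable(req) {
  const user = lookupSession(req);
  const cb = req.query.callback || "callback";
  if (!user) return { status: 401, contentType: "application/javascript", body: `${cb}(null)` };
  return { status: 200, contentType: "application/javascript",
           body: `${cb}(${JSON.stringify(user)})` };
}

// Hardened: (1) refuse when the browser reports a cross-site fetch (Sec-Fetch-Site) or when
// an Origin/Referer is present and is not ours; (2) answer with plain JSON rather than a
// script, so a <script> tag on another site cannot execute the reply; (3) in a real
// deployment also issue the session cookie with SameSite=Lax so it is never attached to
// cross-site subresource loads in the first place.
function whoamiHardened(req) {
  const refusal = { status: 403, contentType: "application/json", body: '{"error":"cross-site"}' };
  const site = req.headers["sec-fetch-site"];
  if (site && site !== "same-origin" && site !== "none") return refusal;
  const src = req.headers.origin || req.headers.referer;
  if (src && !src.startsWith(SITE_ORIGIN)) return refusal;
  const user = lookupSession(req);
  if (!user) return { status: 401, contentType: "application/json", body: "null" };
  // nosniff: X-Content-Type-Options keeps browsers from ever treating this JSON as script.
  return { status: 200, contentType: "application/json", nosniff: true, body: JSON.stringify(user) };
}

// Constructed request, as a third-party page's <script> tag would produce it in a browser.
const crossSiteReq = {
  headers: { cookie: "sid=sid-123", referer: "https://watering-hole.example/news.html",
             "sec-fetch-site": "cross-site" },
  query: { callback: "cb" },
};
```

The same request leaks the profile through the first handler and is refused by the second, while a genuine same-origin request still succeeds.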
Case 4: Operation Aurora
In 2010, Google publicly disclosed that it had been the target of a highly sophisticated cyber-attack, later named "Operation Aurora." Some of the email accounts used in the attack were traced back to 163.com, implicating the domain in the operation. Conducted by the Beijing-based Elderwood Group with ties to the Chinese People’s Liberation Army, the attack aimed to steal trade secrets and potentially identify Chinese intelligence operatives in the U.S. The breach utilized a backdoor that masqueraded as an SSL connection to infiltrate targeted systems. The attack had significant geopolitical implications and led to Google pulling its search engine from mainland China.
Operation Aurora was a watershed moment in cybersecurity, highlighting the increasing sophistication of cyberattacks and the involvement of nation-states. It exposed vulnerabilities in even the most secure corporate infrastructures, emphasizing the need for advanced cybersecurity measures. The attack also revealed the geopolitical motives behind cyber-espionage, as it was aimed at a very specific set of targets, including human rights activists and intelligence operatives.
The event serves as a cautionary tale for both private corporations and governments. It underscores the need for robust cybersecurity protocols, continuous monitoring, and international cooperation to mitigate the risks associated with cyber-espionage and cyber warfare. Given the evolving nature of cyber threats, constant vigilance and adaptation are essential for cybersecurity in the modern world.
Case 5: The Anthem Hack: All Roads Lead to China
ThreatConnect's exhaustive analysis of the 2015 Anthem breach serves as a seminal document in understanding the complexities of state-sponsored cyberattacks. The report provides a meticulous breakdown of the technical elements involved in the breach, including the types of malware used—Derusbi and Sakula. These malware types have been previously linked to Chinese Advanced Persistent Threat (APT) groups. The report also highlights the digital signatures used to authenticate the malware, adding another layer of complexity to the attack. One particularly intriguing aspect is the mention of the use of 163.com, a Chinese email service, which was used for command and control communications. This detail adds another layer to the attribution puzzle, further implicating Chinese involvement.
The use of 163.com is not just a minor footnote; it's a significant piece of evidence that adds weight to ThreatConnect's attribution of the attack to Chinese APT groups. The email service is widely used in China and has been previously implicated in other cyber espionage activities. Its use in the Anthem breach suggests a level of comfort and familiarity that one would expect from actors operating within or close to China. This detail, combined with other indicators such as malware signatures and tactics, techniques, and procedures (TTPs), strengthens the report's claim of Chinese state-sponsored involvement. The report even goes as far as identifying key individuals and organizations, like Song Yubo and Beijing Topsec Technology Co., linking them to the broader landscape of Chinese cyber espionage.
Conclusion:
NetEase's 163.com stands as a paradox in the digital landscape. On one hand, it is a cornerstone of China's internet economy, offering a plethora of services from email to online gaming and e-commerce. On the other hand, its widespread use has made it a double-edged sword, serving both as a target and a facilitator for various forms of cybercrime, including state-sponsored cyber espionage. The cases examined in this report—ranging from APT1's association with the People's Liberation Army to ScarCruft's North Korean origins, and from the Tetris framework's likely Chinese government backing to the infamous Operation Aurora and Anthem Hack—all point to 163.com's recurring appearance in cyber espionage activities.