How did security firm Mandiant put names to two previously unknown Chinese hackers who, it says, steal American corporate secrets for the Chinese government? With a little inadvertent help from Anonymous.

Mandiant's 74-page report covers a particular hacking group referred to as "APT1" and contends that the group works for or under the direction of the Chinese government as part of the military's secretive "Unit 61398." The report ties a huge string of hacks over the last few years to Unit 61398 and goes on to show the building where the hacks might be hatched. The report is stuffed with detail uncommon in these types of stories, and even includes a translated Chinese document showing a local telecom company agreeing to Unit 61398's request for additional fiber optic connections in the name of state security.

The Mandiant researchers then tried to go one step further, putting at least a few real names to the coders involved. (BusinessWeek recently did something similar, with fascinating results.) Mandiant began with a malware coder who goes by the name "UglyGorilla"—a name which is left repeatedly in code tied to the APT1 group.

Back in 2007, for instance, Mandiant says that UglyGorilla "authored the first known sample of the MANITSME family of malware and, like any good artist, left his clearly identifiable signature in the code: 'v1.0 No Doubt to Hack You, Writed by UglyGorilla, 06/29/2007'[sic]." But despite all the uses of the name "UglyGorilla" buried in code samples, leads to the person's actual identity were hard to come by—until Anonymous hacked security firm HBGary Federal in early 2011.

Slip-ups?

When we spoke to the hackers involved in the 2011 attack, they explained how they had penetrated HBGary Federal e-mail accounts and moved from those to other systems. One of these was rootkit.com, a project run by HBGary's top technical mind, Greg Hoglund, an expert in the rootkit technology that lets malware evade easy detection on compromised computers. The Anonymous hackers used Hoglund's e-mail account to convince another rootkit.com administrator to reset the root password on the site's server to "changeme123." Once done, they entered the server and—among other things—dumped the entire list of user accounts and password hashes for rootkit.com, which had been hashed with the MD5 algorithm and proved susceptible to third-party password cracking tools. The cracked list was then publicly released.
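Why an MD5-hashed user list falls so quickly is worth seeing side by side with how it should have been stored. The following is an added example written for this article, not code from rootkit.com, HBGary or Mandiant; the account names and passwords are constructed, and the storage format string is an assumed layout. It shows that unsalted MD5 gives every user of the same password the same digest (so one guess or one table lookup exposes all of them), while a per-user salt plus a slow key-derivation function (PBKDF2 from the standard library here) removes that property and makes each guess expensive.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts for illustration; not data from rootkit.com or the Mandiant report.
SAMPLE_ACCOUNTS = [
    ("alice", "changeme123"),
    ("bob", "changeme123"),  # same password as alice
    ("carol", "correct horse battery staple"),
]


def md5_store(password: str) -> str:
    """Legacy scheme: unsalted MD5. One fast hash and no per-user salt, so every
    user of a given password gets the same digest and a dump can be attacked
    as a whole (or against precomputed tables) rather than one account at a time."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened scheme: per-user random salt plus a deliberately slow KDF.
    Stored form is 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' (assumed layout)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _algo, iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def shared_digest_count(accounts, store_fn) -> int:
    """Number of accounts whose stored digest is identical to another account's digest."""
    digests = [store_fn(pw) for _, pw in accounts]
    return sum(1 for d in digests if digests.count(d) > 1)


if __name__ == "__main__":
    print("unsalted MD5, accounts sharing a digest:", shared_digest_count(SAMPLE_ACCOUNTS, md5_store))
    print("salted PBKDF2, accounts sharing a digest:", shared_digest_count(SAMPLE_ACCOUNTS, pbkdf2_store))
    stored = pbkdf2_store("changeme123")
    print("verify correct password:", pbkdf2_verify("changeme123", stored))
    print("verify wrong password:", pbkdf2_verify("changeme124", stored))
```

The iteration count is the tunable cost; raise it as hardware gets faster, and store it alongside the hash (as the format above does) so old records can be re-hashed on next login without a flag day.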

This list was a boon to Mandiant because UglyGorilla was on it; he had signed up as "uglygorilla" and had used the password uglygorilla@163.com during registration. The password matched one that had been used by someone to register for a People's Liberation Army event back in 2004 and to register hugesoft.org, a domain long associated with the APT1 hacks.

The rootkit.com leak also included some IP address information on each account, and it showed that UglyGorilla had registered from 58.246.255.28, which came "directly" from the APT1 home range that Mandiant linked to Unit 61398 and to its base in the Pudong New Area of Shanghai. Further sleuthing of code uploaded to Chinese developer sites by UglyGorilla suggested that the man's name might be "Wang Dong" and that he might go as "Jack Wang" to English speakers.

The rootkit.com leak also played a role in naming a second man who goes by the handle SuperHard_M. "Once again, in tracking SH [SuperHard] we are fortunate to have access to the accounts disclosed from rootkit.com," say the Mandiant authors. SuperHard_M had also set up an account on rootkit.com, and his IP had also come from one of the "known APT1 egress ranges" used by the attackers. Even better, he had signed up with the e-mail address "mei_qiang_82@sohu.com." Mandiant researchers then searched Chinese sites for this address and found that it had been used to create various forum accounts in which Mei Qiang—the man's presumed name—described how he would "write Trojans for money" and discussed "his involvement with malicious Windows kernel research, and more recently, being local to Shanghai's Pudong New Area."
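The pivots described above for both UglyGorilla and SuperHard_M follow one pattern: each record in a leaked account list is checked against indicators the analysts already held (source IP inside a known egress range, an e-mail or password string that had already appeared in an earlier registration). The following is an added example of that correlation step, written for this article and not code from the Mandiant report; every handle, address and range in it is a constructed placeholder (documentation IP ranges, example.net addresses), and the indicator names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed indicator sets standing in for what the analysts already held.
EGRESS_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),  # constructed "known egress range"
    ipaddress.ip_network("203.0.113.0/24"),
]
# Contact strings seen in earlier registrations (domain WHOIS, event sign-ups); constructed.
KNOWN_REGISTRATION_STRINGS = {"handle-a@example.net"}


@dataclass
class LeakRecord:
    handle: str
    email: str
    password: str  # cracked plaintext, as in the released rootkit.com list
    ip: str


# Constructed leaked records; handle-a reuses a contact address as a password, as the article describes.
SAMPLE_LEAK = [
    LeakRecord("handle-a", "other@example.org", "handle-a@example.net", "198.51.100.77"),
    LeakRecord("handle-b", "handle-b@example.net", "hunter2", "192.0.2.5"),
    LeakRecord("handle-c", "handle-a@example.net", "pw", "203.0.113.9"),
]


def in_egress_ranges(ip: str) -> bool:
    """True if the address falls inside any known egress range (invalid strings count as no match)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EGRESS_RANGES)


def pivots(record: LeakRecord) -> List[str]:
    """Names of the indicators this record overlaps with, in a fixed order."""
    hits = []
    if in_egress_ranges(record.ip):
        hits.append("ip_in_known_range")
    if record.email.strip().lower() in KNOWN_REGISTRATION_STRINGS:
        hits.append("email_seen_in_prior_registration")
    if record.password.strip().lower() in KNOWN_REGISTRATION_STRINGS:
        hits.append("password_is_prior_registration_string")
    return hits


def correlate(records: List[LeakRecord]) -> Dict[str, List[str]]:
    """Map each handle with at least one pivot to its list of pivots; silent records are dropped."""
    result = {}
    for r in records:
        hits = pivots(r)
        if hits:
            result[r.handle] = hits
    return result


if __name__ == "__main__":
    for handle, hits in correlate(SAMPLE_LEAK).items():
        print(handle, "->", ", ".join(hits))
```

A single pivot is weak evidence on its own (shared hosting, reused throwaway addresses); the report's confidence comes from several independent pivots pointing the same way, which is why the output keeps the full list per handle rather than a yes/no.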

None of this amounts to proof; at best, these are good educated guesses (and some onlookers remain skeptical). But if true, they're a reminder that even talented hackers slip up all the time in little ways that can eventually give them away. Indeed, this whole story is rife with slip-ups at HBGary Federal, at rootkit.com, and even among Anonymous. A year after the rootkit.com hack, nearly everyone involved had been arrested, with ringleader Sabu turned into a snitch by the FBI.

By leaving traces in their code and on sites like rootkit.com, hackers like UglyGorilla and SuperHard_M may have slipped up as well. Or not—one theory making the rounds among some security researchers contends that the hackers simply work with impunity in China and thus don't actually care that much about obscuring their identities.