Written by Jeff Stone

Intrusion Truth is back.

The anonymous group known in the cybersecurity world for publishing detailed blog posts about suspected nation-state hackers released new information Thursday alleging that Chinese technology companies are recruiting attackers working on Beijing’s behalf.

By identifying job postings seeking offensive cybersecurity skills, the group wrote, they found a number of companies in Hainan, a province in South China, all using the same language in their advertisements. Some of those companies have only a small web presence outside the job ads seeking offensive-minded computer specialists, suggesting to Intrusion Truth that employers actually are trying to recruit hackers for advanced persistent threat groups.

“We know that these companies are a front for APT activity,” states the blog post published Thursday.

This blog post is the first from Intrusion Truth since July 2019, when the group reported that a Chinese APT had offered to sell stolen data. Intrusion Truth emerged in April 2017 and, since then, intermittently has gone public with information purportedly exposing Chinese state-sponsored hacking efforts.

Two years ago, the group identified two employees of the Chinese company Boyusec who U.S. prosecutors later indicted for alleged involvement in breaches at Siemens and Moody’s Analytics.

If anyone knows who is behind the effort, though, no one is saying: the identities of the Intrusion Truth members have been the subject of ongoing speculation in the security community.

In the post published Thursday, the group argues “it is possible to take a [Chinese] province and identify front companies, from those companies identify individuals who work there, and the connect those companies and individuals to an APT and the State.”

The group explains further by highlighting advertisements for jobs at five Chinese companies.

The ads typically are seeking personnel capable of carrying out penetration tests or network security development engineering. In one case, the Hainan Xiandun Technology Development Company, a “fast-growing high-tech information security company,” according to Intrusion Truth’s translation, posted a bulletin seeking female English translators, preferably members of the Communist Party.

Job postings alone don’t prove that the companies are involved in nation-state hacking activity, as Intrusion Truth notes. Companies in the U.S. and abroad frequently hire penetration testers in order to test their own defenses. Bringing on penetration testers can help companies like Bloomberg and Amazon, both of which have active listings for pen-testers in New York.

Yet one posting from Hainan Tengyuan, the group noticed, seeks professionals “with a track record of sharing hacking exploits as well as specific experience with Windows Trojan shell code development and PE encryption.”

“The question we should be asking is: who develops their own encrypted executable files?, ” the blog post notes.

Neither Xiandun Technology Development nor Tengyuan could immediately be reached for comment.

Meanwhile, the phone numbers and addresses in many of the advertisements overlap, according to the anonymous blog post. From there, Intrusion Truth extrapolated their findings to larger internet searches, finding eight more companies (for a total of 13) that seemed to be connected in a kind of web.

“Hainan Xinhuaheng Technology Company shares a telephone number (19808984**) with Hainan Tengyuan, Hainan Dingwei, Haikou Fengshang, Hainan Hualian Anshi, and Hainan Jiaxi and and is co-located in the same building,” the blog post states, including the typo.

Security researchers suggested on Thursday that the data Intrusion Truth dumped was associated with APT40, a Chinese espionage group that FireEye says stole information from the U.S. Navy, among other targets. The group’s hacking victims are consistent with China’s geopolitical interests and “there are multiple technical artifacts” indicating its based in China FireEye noted in a March 2019 report. For instance, researchers uncovered a file that included an IP address based in Hainan, China that “had been used to administer the command and control node that was communicating with malware on victim machines.”

FireEye also observed APT40 using the archival tool rar.exe to compress and encrypt data it intended to steal.

APT40, also known as Leviathan, TEMP.Periscope and TEMP.Jumper, is the main suspect in attacks aimed at Cambodia’s elections and the U.S. maritime industry.

The Chinese government consistently has denied any involvement in hacking activity.

Update, Jan. 9, 2:20pm ET: This story has been updated to include mention of APT40.