On May 18, various cyber news sources began reporting that a data set containing 200 million rows of personally identifiable information (PII) had been made available on an underground Chinese marketplace. Articles surfaced on Security Week and Dark Reading, amongst others. All reported that the information about the exposed data came directly from cybersecurity firm FireEye's iSight Intelligence division. What is considered PII varies widely from country to country and depends on the region's privacy and information security laws; in general, PII can be seen as information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. FireEye has stated that the leaked data in this case does not contain incredibly sensitive information, but that it can be used to facilitate identity theft, spam, malware propagation, and fraud.
Details Surrounding the Data Leak
FireEye has yet to publish an official statement or report concerning the matter, and all the public has to go on is the information the firm has provided to the press. To that end, the firm has stated that it first noticed the hacker advertising the data set in December 2017. This actor has sold site databases on Chinese underground forums since at least 2013 and is likely connected to someone living in China's Zhejiang province. This information was gathered by tracking the hacker's QQ social network ID, which is also linked to another actor's online persona.
From the online persona, researchers were able to determine that the hacker in question seems to have been active since 2013 and has been linked to selling data on multiple Chinese hacking forums: data belonging to companies in many countries, including China, Taiwan, Hong Kong, European countries, Australia, New Zealand, and North American countries. In this instance, the hacker is selling the entire data set for roughly 150 USD. FireEye has further stated that it believes the information to be authentic, as it contains data on users whose personal info had been leaked in other breaches as well as the data of newer users. The source of the stolen data is a matter of contention but is believed to be a variety of Japanese websites. The data set seems to contain real names, email addresses, dates of birth, phone numbers, and home addresses.
Not as Advertised
In FireEye's analysis, the researchers took a sample of 200,000 leaked email addresses, a large percentage of which seemed to come from previous leaks. Since most of the leaked data did not come from one specific leak or public website, the researchers do not think the actor scraped the info from other data leaks and resold it as a new product. It also meant that the number of real and unique credentials is lower than the hacker claims. Furthermore, in an analyzed sample of 190,000 credentials, researchers found that more than 36% were duplicate values and that a significant number of the email addresses were fake.
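The kind of sanity check described above, as an added illustration rather than FireEye's own code or method: normalise the addresses, measure the duplicate rate, flag syntactically implausible addresses, and count how many plausible addresses already appear in a set assumed to represent earlier breaches. The rows and the prior-leak set are constructed for the example, not taken from the leaked data.

```python
import re
from collections import Counter

# Constructed sample rows (name, email); not data from the leak.
SAMPLE_ROWS = [
    ("Sato Taro", "taro.sato@example.jp"),
    ("Sato Taro", "TARO.SATO@example.jp"),      # duplicate differing only in case
    ("Suzuki Hanako", "hanako@example.co.jp"),
    ("Suzuki Hanako", "hanako@example.co.jp"),  # exact duplicate row
    ("Tanaka Ichiro", "ichiro@@example.jp"),    # malformed address
    ("Test User", "test@test"),                 # no domain suffix, fake
    ("Yamada Jiro", "jiro.yamada@example.jp"),
    ("Kato Yuki", "yuki@example.ne.jp"),
]

# Constructed set of normalised addresses assumed to be known from earlier breaches.
KNOWN_PRIOR_LEAK = {"taro.sato@example.jp", "jiro.yamada@example.jp"}

# Deliberately simple syntactic check: local part, one "@", dotted domain.
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")


def normalise(email):
    """Lower-case and trim so that case-only variants collapse to one value."""
    return email.strip().lower()


def is_plausible(email):
    """True if the (normalised) address is at least syntactically plausible."""
    return EMAIL_RE.match(email) is not None


def triage(rows, prior=KNOWN_PRIOR_LEAK):
    """Summarise how much of a claimed dump is duplicated, fake, or already known."""
    emails = [normalise(e) for _, e in rows]
    if not emails:
        return {"rows": 0, "unique": 0, "duplicate_rate": 0.0,
                "implausible": [], "seen_before": 0, "new_plausible": 0}
    unique = set(emails)
    duplicate_rows = len(emails) - len(unique)
    implausible = {e for e in unique if not is_plausible(e)}
    plausible = unique - implausible
    seen_before = plausible & prior
    return {
        "rows": len(emails),
        "unique": len(unique),
        "duplicate_rate": round(duplicate_rows / len(emails), 3),
        "implausible": sorted(implausible),
        "seen_before": len(seen_before),
        "new_plausible": len(plausible - seen_before),
    }
```

On the constructed rows this reports a 25% duplicate rate, two implausible addresses, and only two plausible addresses not already in the prior set; the same metrics applied to a real sample are what separate a genuinely new dump from a repackaged one.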
It was not only the researchers who noticed this, but also those looking to buy the data set from the underground forum. Several individuals looking to use the data for nefarious purposes commented on the ad to express interest in buying it. However, the same individuals later posted negative feedback, claiming they did not receive the product advertised, with some even bemoaning the fact that they had paid for the data set and not received it. Funnily enough, a quick search for the population of Japan would have shown that it currently sits at just over 127 million people, meaning that there would surely be duplicates and fakes within the 200 million rows of data. You would think that the discerning hacker would have picked up on that fact before buying the set.
Growth in the Chinese Underground
Media attention regarding Chinese hackers often centers on those groups with alleged links to the government. These groups are suspected of conducting cyber espionage campaigns, as well as numerous other tasks, for the benefit of the Chinese government. While much attention has been given to finding and identifying those behind such campaigns, the Chinese criminal underground has seen massive growth in activity. In 2014, Trend Micro published a report stating that cybercrime activity within the Chinese underground doubled between 2012 and 2013. The report went further to state:
“The barriers to launching cybercrime have decreased. Toolkits are becoming more available and cheaper; some are even offered free of charge. Prices are lower and features are richer. Underground forums are thriving worldwide, particularly in Russia, China, and Brazil. These have become popular means to sell products and services to cybercriminals in the said countries. Cybercriminals are also making use of the Deep Web to sell products and services outside the indexed or searchable World Wide Web, making their online “shops” harder for law enforcement to find and take down.”
It was also concluded that while Chinese authorities are focused on high-profile cyber operations against foreign governments and are increasing their cyber capabilities to protect national infrastructure from attack by foreign states, the internal underground is growing as never before, motivated only by money and by the fact that cybercrime is difficult to prosecute. Nor is it only foreign companies who are a target: Chinese capitalists are a favorite target of Chinese hackers. Given that the barrier to entry into cybercrime keeps falling, one can expect more current statistics to be far higher. Unfortunately, the Chinese government does not publish such statistics, so it is very difficult to gauge where the problem currently stands.