The truth about the Chinese Dark web: dark activity on Github

Jun 26, 2018

The truth about the Chinese Dark web is a series uncovering the findings we have made in the course of monitoring Chinese dark activity. There are lots of preconceptions surrounding Chinese threat actors, often involving industrial espionage, cyber-warfare and the so-called cyber-dragon. However, we have built up a slightly different picture. 

In our first post, we spoke about the Chinese threat actors seeking to hide in the crowd on the Clear web. Today we are talking about the Chinese threat actors who are leveraging American code-sharing sites like Github in order to carry out malevolent acts. 


If there’s one thing we have learned while following Chinese threat actors, it’s that their movements are by no means restricted to the Dark net. Apparently Chinese threat actors are not above turning to the Clear web to trade and distribute illicit material, and they are certainly not above using code-sharing sites like Github to promote dark activity. 

At first glance, it is perhaps surprising that Chinese hackers would turn to an American site in order to weaponize their attacks, no less so after the platform was recently acquired by the American technology giant Microsoft. Yet Chinese threat actors are clearly undeterred. 

Chinese threat actors on Github 

Throughout the course of our research, we found evidence of a good dozen Chinese threat actors using Github to develop hacking tools and malware. We found one user in particular who has created 44 repositories as of March 2015. This included a tutorial and all the files needed to develop malware for bypassing software protection, generating backdoors and carrying out attacks following exploitation. 

[Screenshot: Black hole]

Through this user, we found another of their associates who had developed a scraping script to detect vulnerable URLs. 

[Screenshot: Hackadou]

Yet another hacker we detected was posing as an American, although obviously Chinese. Their repositories - all in Mandarin - included such titles as “PenTestKit”, “SimpleBackdoor”, “Hackig-Database” and “Richkware”. This last one is dedicated to the development of a Windows malware framework. 

[Screenshot: Programmer and hacker]

Hiding in the crowd: a signature characteristic of Chinese dark 

Just like the examples we saw in our post on dark activity on the Clear web, Chinese threat actors operating on Github are using the same principle of hiding in a crowd. Github is an open tool accessible through Google. 

We even found a Google-indexed website describing the various uses that Github is being put to by Chinese developers. It contains some statistics, as well as a star list to reference the most active Chinese developers on GitHub. A search option is also available to find Github requests and explicitly bypass Baidu. 

[Screenshot: githuber]

Why does it matter? 

We have already learned from the first post in the series that when it comes to Chinese dark activities, you need to think further afield than the Dark net. The evidence that we have gathered on Github only serves to support this claim. Businesses that limit the focus of their threat intelligence to the Dark net will miss threat actors weaponizing their attacks on platforms like Github. 

When it comes to dark activity, we need to face the fact that the threat landscape is growing more complex and more diverse, well beyond the traditional cybercrime setting of the Dark net. We need to adapt our monitoring strategies accordingly to remain one step ahead of threat actors. 

What are the other surprises we have found about Chinese dark? We will continue to post on The truth about the Chinese Dark web over the next few weeks. Follow the rest of our series to find out more.