Chinese security researchers claim to have identified ‘Against The West’ hackers - The Record from Recorded Future News
Researchers from the Chinese cybersecurity company Qi An Pangu Lab believe they have identified six members of the “Against The West” hacking group, according to a report published Sunday by state-controlled media.
The report implicitly alleges without evidence that the hackers are connected to or sponsored by Western nation-states. The six display “a clear pro-US and pro-West slant,” the Global Times tabloid newspaper wrote. Members of Against The West (ATW) indeed have described themselves as pro-Western and claim to have targeted organizations that are “against the West.”
Of the six individuals Pangu Lab purportedly identified, the Global Times reported that three are from France and one is from Canada. Only one is named: Tillie Kottmann, a Swiss national who now goes by maia arson crimew and was charged in March 2021 by the U.S. Department of Justice for hacking into more than 100 companies and leaking proprietary data online through a personal website.
The tabloid newspaper said crimew’s case was “abruptly suspended at the end of March,” and that “since then, China has been one of Kottmann’s main targets, according to the lab report.”
The Global Times report did not contain any evidence supporting Pangu Lab’s identification of crimew. Crimew did not immediately respond to The Record’s request for a response sent via a direct message on Twitter.
The Pangu Lab analysis showed that ATW’s “active members … are mainly engaged in programming and network engineer-related occupations and they are mainly located in Switzerland, France, Poland, Canada and other countries,” the tabloid said.
In an interview with DataBreaches.net in April 2022, ATW claimed to be “ex-intelligence.”
Members have published “several statements claiming that the organization’s targets are Russia, Belarus, China, Iran and North Korea and it is willing to share files with the US and the EU or hired [sic] by their related agencies,” the Global Times reported.
The group emerged in October 2021, first releasing data it said was taken from the People’s Bank of China. Another dataset from the Chinese Ministry of Public Security was released later that month, and the group has become best known for releasing source code belonging to Chinese organizations.
Pangu’s research describes ATW’s activities as mainly involving “large-scale scanning and attacks against technical vulnerabilities on SonarQube, Gogs, Gitblit and other open-source network systems. They would then steal related source code and data, which can be used to further exploit and penetrate the network information system.”
Dubious claims
As described by the Global Times, the identification of ATW members is “the second time that the lab revealed the true face of a hacker organization that has been carrying out data theft and network attacks on China, following the exposure of the complete technical details of Equation, an elite hacking group affiliated with the NSA, in February 2022.”
Chinese cybersecurity companies have raised eyebrows in recent years for claims — often published by the Global Times under the auspices of the Chinese Communist Party — regarding Western hacking activities.
Last September, China denounced the U.S. Embassy in Beijing following a joint report from two of the country’s most prominent cyber authorities accusing the National Security Agency of stealing “sensitive information” from Chinese institutions.
But the substance of the joint report from China’s National Computer Virus Emergency Response Center (CVERC) alongside the company 360 — which claimed the U.S. accessed the networks of Northwestern Polytechnical University — was questioned by Western experts, who noted it made extensive reference to malware that had previously been publicly linked to the NSA, most notably through the Shadow Brokers leaks in 2016.
Additionally, Northwestern Polytechnical University is “a Chinese military university that is heavily involved in military research,” according to the U.S. Department of Justice — and thus is likely to be seen as a legitimate target for espionage under international law.
The attempt to criticize the United States on the basis of this targeting was seen by geopolitics and cybersecurity experts as China’s latest diplomatic response to long-running accusations from the U.S. and allies about Beijing’s own alleged aggressive cyber espionage activity.
China was roundly criticized by dozens of Western states in July 2021 for failing to adhere to international cyber norms regarding the Microsoft Exchange attacks of that year, which exposed hundreds of thousands of companies around the world to attacks from cybercriminals. The country’s diplomatic response to that attribution and criticism — which included detailed indictments unsealed by the U.S. Department of Justice — was vituperative. A day after, Zhao Lijian, one of the most outspoken spokespeople of China’s Ministry of Foreign Affairs (MFA), accused the U.S. of being “the world’s largest source of cyber attacks” alongside a litany of other misdeeds.