Craig Jones
We found this trial license and they were also recited to a 163 address and a moniker that we called GBigMau.
We found that he actually started to experiment with this database or SQL injection like our mother SoCo.
And we kind of found then looking at his IP address, again, we had phenomenal telemetry here.
He was looking at different knowledge base articles around our kind of previous CVEs issues.
He was looking through our forum system to look at maybe other potential issues or places that he could maybe pivot and work on.
And we find that he was an actual firewall researcher.
And he published a number of different vulnerabilities.
We could see him on Linux boards everywhere, publishing various different router vulnerabilities up until about 2018, and then he went silent.
He'd been really, really busy up until like 2018.
Now, we kind of found out that he was working for a company called Sichuan Silence Information Security Technology.
Mostly because doing some extra OSINT, we found that his username appeared in many Chinese hacking groups and lots of CTFs, so like capture the flag type events, where he'd been registered towards this company as well.
So we found corroborating evidence from a couple of different places that this was the same guy in the same company, you know?
Again, located in Chengdu in China.
So we found a really clear picture of who this person was.
Now, his external OPSEC was pretty good.
You would not have been able to find him that easily, but because we could see the internal telemetry and get the license information, kind of connect the dots, we could actually pin these devices to him and his usage.