Chinese hackers who entered Singapore on fraudulent work permits were found with data of foreign governments

SINGAPORE: Three men from Henan, China, came to Singapore for a job offer posed by a Ni-Vanuatu citizen and were later housed in a bungalow to perform hacking work into gambling websites and obtain illicit access to a Chinese SMS service company.

The men were later paid US$3 million (S$3.9 million) in cryptocurrency for their work.

A police raid of the Mount Sinai bungalow they were living in uncovered malware-related files on their devices, including remote access trojans (RATs) associated with plugX and a known hacking group, Shadow Brokers.

plugX is a sophisticated RAT associated with known advanced persistent threat or state-sponsored hacker groups, while the Shadow Brokers are a hacker group that has stolen and leaked tools and zero-day vulnerabilities from the United States' National Security Agency.

The leaking of one such zero-day vulnerability enabled the subsequent WannaCry ransomware attacks from 2017 onwards.

While the hackers attempted to avoid government sites, one of their laptops contained messages discussing vulnerable domains, including five Australian, Argentine and Vietnamese government domains, while another contained a confidential email between officers of Kazakhstan's Ministry of Foreign Affairs and Ministry of Industry and Infrastructure Development.

The three Chinese criminals are Yan Peijian, 39, Huang Qin Zheng, 36, and Liu Yuqi, 33.

On Wednesday (Nov 5), Yan and Huang were sentenced to 28 months and one week in prison, and Liu got 28 months and four weeks' jail.

When a prison sentence is imposed that combines months with four weeks or more, CNA reports the sentences as spelt out by the court as months vary in length.

THE CASE

Yan had a background in information technology, previously running a business creating websites for companies, while Liu taught himself web design.

In 2022, there were bad economic prospects in China as a result of the COVID-19 pandemic.

The trio, who knew each other, knew a 38-year-old Ni-Vanuatu citizen called Xu Liangbiao.

He made an offer for them to come to Singapore to work for him, and they agreed to it.

Xu arranged for false applications for work permits to be made for the trio through companies that they did not know about. Yan was to be a sales representative, and Huang and Liu were to be construction workers.

They entered Singapore on fraudulently obtained work permits, which they did not know at the time were false, as they assumed Xu would handle their administrative requirements.

In early September 2022, the trio came to Singapore and were taken to the premises of their supposed employers and briefed on the business for the purpose of being able to provide a cover story if they were ever asked about their employment.

They never worked at those companies. Instead, between September 2022 and May 2023, they were put up in accommodation at Xu's expense and did no work.

They returned to China for Chinese New Year in 2023 and returned to Singapore in May 2023.

This time, Xu asked them to work for him. He later tasked his subordinate Chen Yiren to rent a property to house the trio. Chen arranged for a bungalow in the Mount Sinai area to be rented for them, and the trio moved in.

Chen took charge of the logistics, including arranging for rental payments of S$33,000 in cash and getting moonlighting foreign workers to cook and clean at the home.

Through Chen, Xu also gave the trio money for day-to-day expenses, such as a sum of about S$52,000 seized from Yan during his arrest.

The trio were paid about S$2,000 in monthly salaries from early 2024 to maintain their false employment front.

Initially, Xu was interested in obtaining unfair advantages on gambling websites, as well as operating his own gambling sites.

He needed personal data from existing users of such sites so he could advertise to these users and lure them to use his website.

Later, he developed an interest in obtaining illicit access to SMS service companies, with a view to hijacking two-factor authentication systems. He set his eyes on an SMS service company in China, Yi Mei, which was serving two major gambling site operators.

Xu tasked the men to probe sites of interest for system vulnerabilities, conduct penetration attacks and exfiltrate personal information from the exploited systems.

The trio split up their roles, with Yan focusing on Linux-based systems, Huang on web systems and Liu on Windows systems.

They gathered information on domain and sub-domain names associated with target organisations or websites and used open-source tools to scan for vulnerabilities on these domains.

They would next categorise the vulnerabilities found according to their severity, ease of exploitation and usefulness to Xu's objectives.

They would then set about exploiting these vulnerabilities either through direct data extraction or by deploying RATs.

On discovering vulnerabilities, the men reported them to Xu. They would also download compromised data, including information such as names, emails, phone numbers, IP addresses and site account credentials.

In one instance, a document discovered on Huang's computer contained names, addresses, phone numbers and billing information from a Philippine regional power company. They also succeeded in downloading traffic data from Yi Mei that revealed the volume of SMSes it sent out.

To obtain the objectives set out by Xu, the trio also obtained malware off the internet and interacted with other hackers, sourcing from them zero-day vulnerabilities in the network architectures of the websites they targeted.

These are previously unknown vulnerabilities in software so dubbed because they can be exploited or attacked when the vendor has had "zero days" to create a solution.

The men regularly consulted a hacker called Sun Jiao, who was also in Singapore but operated independently of Xu, conducting his own hacking and data broking operations.

The trio also enlisted an unknown developer to create custom, centralised web-based software for their operations, but they were arrested before this was completed.

The trio knew that their actions were wrong and refrained from targeting Singaporean websites as they felt it was "not right" to do so while in Singapore, the prosecutors said.

They also attempted to refrain from targeting the websites of governments, as they did not want to attract undue attention.

However, they had no objections to targeting overseas websites or illegal gambling websites.

Sometime before Sep 5, 2024, the trio asked Xu whether they would be paid for their work. Xu later transferred US$3 million worth of cryptocurrency to Liu, and the trio agreed to split the bulk of it among themselves and give Sun an equal fourth share.

On Sep 9, 2024, the police raided the Mount Sinai bungalow as part of an operation and seized the three men.

Xu left Singapore in August 2023, shortly before the police arrested 10 people involved in the billion-dollar money laundering case on Aug 15, 2023. His current whereabouts are unknown.

The police found malware-related files on the trio's devices, including source codes for RATs; open-source RATs such as Metasploit, Spark and Silver; IP addresses with credentials linked to a server containing plugX malware; and other hacking tools.

While plugX, which is associated with state-sponsored hacker groups, was found on their devices, the trio disclaimed knowledge of or association with such groups. None of them were cybersecurity researchers or legitimately concerned with cybersecurity, the court heard.

The three men later committed further offences by lying to the Ministry of Manpower about their false employment, claiming that they did work their purported jobs.

REPUTATIONAL DAMAGE TO SINGAPORE: DPP

The prosecutors sought 30 to 38 months and one to two weeks' jail for Yan and Huang, and 30 to 38 months and four weeks' jail for Liu.

Deputy Public Prosecutor Hon Yi said that while the organised crime group did not directly target Singapore, there was nonetheless reputational damage to the country from being the hub of the trio's illegal activities.

"This is not just amongst the general global public, but also on a government-to-government basis, given the foreign government-related data found on Yan and Liu's devices. This is despite the fact that the accused persons allegedly tried to avoid targeting government websites," said Mr Hon.

He said that while the three men were "foot soldiers" working for Xu, they possessed key skills and were the main engine of Xu's illicit cyber operations.

Mr Hon also stressed that it was significant that the men's operations were well-funded and that they were well-maintained and well-paid.

He said the sophistication of their operation can be seen in the fact that they were given specific targets to go for and were careful to avoid certain targets that would attract undue or unnecessary attention to them. The government data found on their devices also showed this, he added.

Even if they had a lack of success in their objectives, what they did was not simple and not something a layman can do, said Mr Hon.

He said hacking was an activity in which a lack of success does not mean a lack of effort, and where a negative result is still a result.

"An analogy is a burglar going down the street trying doors. Just because he can't open doors, doesn't mean he was completely unsuccessful," said Mr Hon.

"He now knows which doors he can't open with his level of skill."

"EPIC FAILURES": DEFENCE

Huang and Liu were defended by Mr Lee Teck Leng from Legal Clinic, while Yan was represented by Mr Kelvin Ong.

Mr Lee said his clients did not come to Singapore in 2022 with any intention to commit any crimes. To this, the judge said this might be so with their first entrance in Singapore, but that she was "more concerned" with their second entrance.

Mr Lee said that while Yan had some technology background, Liu and Huang did not, and they were "really not techies in that sense".

He said that hacking was "not for laypersons", and they did not manage to achieve any of their objectives.

"The three main hackers in this organised criminal group basically can't hack," said Mr Lee.

The judge then asked if the very act of hacking was not the very act of probing the sites. She asked the lawyer if any success in terms of obtaining the data they sought would instead be an aggravating factor.

Mr Lee said he had a slightly different view. He used the analogy Mr Hon had used about trying doors and said that if a person tried to "penetrate" one but did not manage to enter, that is not really hacking.

"To me, hacking is when you knock on the door, manage to go in and see what's inside," he said, adding that what the men did in his view was "try to hack" instead.

Mr Ong concurred, saying the three men in this case were "basically epic failures" who did not meet their key performance indicators.