Mei Danowski

@meidanowski.bsky.social

Threat Intelligence Researcher. Co-founder of Natto Thoughts. https://nattothoughts.substack.com

257 Followers  |  41 Following  |  9 Posts  |  Joined: 18.11.2024

Latest posts by meidanowski.bsky.social on Bluesky

Beyond the Aliases: Decoding Chinese Threat Group Attribution and the Human Factor Examining the overlap between APT27, HAFNIUM, and Silk Typhoon through recent U.S. government disclosures, and why understanding the humans behind the keyboard is important for cyber defenders

The Natto Team explores how APT27, HAFNIUM, and Silk Typhoon highlight the complexities of tracking threat actors and their real-world identities and why understanding the humans behind the keyboard matters.

nattothoughts.substack.com/p/beyond-the...

22.10.2025 16:34 — 👍 1    🔁 1    💬 0    📌 0
Salt Typhoon: New Joint Advisory Offers a Beacon Through the Storm but Stirs Up New Questions Analysis of newly identified Salt Typhoon-linked companies casts light on the complex ecosystem of front companies and real businesses supporting Chinese state cyber operations

Our latest analysis digs into newly identified Salt Typhoon-linked companies, revealing the murky ecosystem of front firms and legitimate businesses that prop up Chinese state cyber operations.

A beacon of clarity? Or just more questions in the storm?

nattothoughts.substack.com/p/salt-typho...

10.09.2025 16:33 — 👍 5    🔁 2    💬 0    📌 0
Few and Far Between: During China’s Red Hacker Era, Patriotic Hacktivism Was Widespread—Talent Was Not Inside the small, elite circles that powered China’s massive hacker communities in the late 1990s and 2000s.

@euben.bsky.social Eugenio’s research explains the elite cyber talent paradox in China - “all people are soldiers” vs “extremely lean.”

#Cybersecurity #TalentPipeline #CyberOperations

nattothoughts.substack.com/p/few-and-fa...

13.08.2025 16:49 — 👍 2    🔁 2    💬 0    📌 0
Microsoft is probing whether a MAPP leak let Chinese hackers exploit a SharePoint vuln pre-patch.

In this new piece for Natto,
@dakotaindc.bsky.social, @meidanowski.bsky.social & I dig into:
🏛️ China's vuln reporting rules
📉 Which firms joined/left MAPP since 2018
⚠️ The risks today’s members pose

31.07.2025 16:44 — 👍 11    🔁 4    💬 1    📌 0
HAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China’s Cyber Ecosystem How one man’s career reveals the interconnected web of China’s state security apparatus, cybersecurity firms, and strategic industries

Natto Thoughts examines HAFNIUM-linked hacker Xu Zewei and reveals ties between China’s state security agencies, cybersecurity firm and strategic industries.
nattothoughts.substack.com/p/hafnium-li...

23.07.2025 16:20 — 👍 2    🔁 2    💬 0    📌 0
Butian Vulnerability Platform: Forging China's Next Generation of White Hat Hackers From 'Trouser Belt Project' to 'Patching the Sky': Qi An Xin’s Butian platform serves as cradle for nurturing new talent and smelter for refining seasoned hackers’ skills

What does China’s top vulnerability mining platform’s white hat elite growth system look like? What capabilities are needed to be an expert white hat hacker?

nattothoughts.substack.com/p/butian-vul...

25.06.2025 18:24 — 👍 0    🔁 1    💬 0    📌 0
Defense-Through-Offense Mindset: From a Taiwanese Hacker to the Engine of China’s Cybersecurity Industry The belief that offense enables defense in cyberspace, first rooted in China’s 1990s hacker culture, has since permeated the country’s cyber ecosystem

“To defend, one must first know how to attack” (未知攻,焉知防). This mindset, popularized by the Taiwanese hacker Lin in the 1990s, spread from China's red hackers to CTF teams. Today, it powers China's cyber industry.

New piece for @nattothoughts.bsky.social

nattothoughts.substack.com/p/defense-th...

11.06.2025 16:17 — 👍 6    🔁 3    💬 1    📌 1
From Humble Beginnings: How a Vocational College Became a Vulnerability Powerhouse Qingyuan Polytechnic's focus on vulnerability studies highlights China's continued efforts in gathering vulnerability resources

The Natto Team explores the development of China's vulnerability research and discovery skills, starting from the vocational college level.

Thanks to @euben.bsky.social, @dakotaindc.bsky.social and Kristin Del Rosso for their previous research on the topic

nattothoughts.substack.com/p/when-a-voc...

28.05.2025 16:46 — 👍 11    🔁 7    💬 0    📌 1
From the World of “Hacker X Files” to the Whitewashed Business Sphere Jiang Jintao’s journey from hacker to infosec entrepreneur illustrates the blend of ambition, skill, and changes in China's cybersecurity industry

The Natto Team continues finding stories of Chinese hackers fascinating as they reveal the motivations behind cyber operations and the evolution of China's information security industry.

nattothoughts.substack.com/p/stories-of...

14.05.2025 16:22 — 👍 5    🔁 5    💬 0    📌 2
Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty Recent Western government revelations about EvilCorp flesh out how Russian ransomware actors and the Russian government use each other to navigate a world they perceive as dangerous.

This Natto Thoughts analysis was originally published last October. With new notes and updates added, we think it is still relevant today for understanding Russian ransomware actors and Russian political culture.

nattothoughts.substack.com/p/ransom-war...

02.05.2025 04:54 — 👍 2    🔁 1    💬 0    📌 0
Wars without Gun Smoke: China Plays the Cyber Name-and-Shame Game on Taiwan and the U.S. China’s security services have called out hackers of an alleged “Internet Army of Taiwan Independence” and of the U.S. National Security Agency, signaling an increasingly confrontational approach

In this piece with @nattothoughts.bsky.social's @meidanowski.bsky.social, we dug into China’s two naming-and-shaming campaigns over the past 30 days—targeting alleged Taiwanese and U.S. hackers amid escalating geopolitical tensions.

nattothoughts.substack.com/p/wars-witho...

16.04.2025 16:17 — 👍 8    🔁 5    💬 1    📌 0
Indictments and Leaks: Different but Complementary Sources A case study of the i-SOON indictment and leaks reveals that source information may vary but it is important to compare and evaluate information for unique insights.

A case study of the i-SOON indictment and leaks reveals that source information may vary but it is important to compare and evaluate information for unique insights.

nattothoughts.substack.com/p/indictment...

02.04.2025 17:13 — 👍 5    🔁 4    💬 0    📌 0
Zhou Shuai: A Hacker’s Road to APT27 US-sanctioned, allegedly APT27-associated actor Zhou Shuai represents a group of Chinese elite hackers who have become an important resource for Chinese state cyber operations.

Recent research from Natto Thoughts about the US-sanctioned, allegedly APT27-associated actor. #apt27

nattothoughts.substack.com/p/zhou-shuai...

19.03.2025 16:17 — 👍 5    🔁 2    💬 0    📌 0
Where is i-SOON Now? i-SOON’s business struggles after the leak reflect the cruel reality of China’s hacker-for-hire industry

As the Natto Team was about to publish this piece, the US Department of Justice unsealed an indictment charging eight i-SOON employees, highlighting the importance of companies like i-SOON in China's cyberthreat landscape.

nattothoughts.substack.com/p/where-is-i...

05.03.2025 17:32 — 👍 4    🔁 3    💬 0    📌 0
We appreciate that more and more threat intelligence researchers value the importance of the cultural component in APT research. @techy.detectionengineering.net

28.02.2025 03:05 — 👍 6    🔁 2    💬 0    📌 0
The Pangu Team—iOS Jailbreak and Vulnerability Research Giant: A Member of i-SOON’s Exploit-Sharing Network A year after the i-SOON leaks, a deep dive into the Pangu Team reveals new insight into the relationships between elite vulnerability researchers and government-contracted hackers

One year after the i-SOON leaks, we are still finding things that were not clear to us before. @euben.bsky.social’s Pangu Team analysis gives more insight into China’s cyber operations.

nattothoughts.substack.com/p/the-pangu-...

19.02.2025 17:37 — 👍 2    🔁 1    💬 0    📌 0
Chasing Chengdu404, Sichuan Silence....and NoSugar Technology !? On the ground research on US sanctioned cyber security companies in China.

We are glad to see that some curious minds like us want to find out more about the companies associated with Chinese APTs in reality. They actually paid them a visit.

substack.com/home/post/p-...

18.02.2025 17:58 — 👍 3    🔁 2    💬 0    📌 0
Sichuan Silence Information Technology and Guan Tianfeng: Your Criminal Our Hero Even before DeepSeek's debut sparked pride among Chinese netizens, US sanctions on Sichuan Silence developer Guan Tianfeng triggered online vows to "march forward" in cyberpower competition

Even before DeepSeek's debut sparked pride among Chinese netizens, US sanctions on Sichuan Silence developer Guan Tianfeng triggered online vows to "march forward" in cyberpower competition.

nattothoughts.substack.com/p/sichuan-si...

06.02.2025 00:30 — 👍 4    🔁 2    💬 0    📌 0
Salt Typhoon: the Other Shoe Has Dropped, but Consternation Continues Sichuan Juxinhe, directly involved in the Salt Typhoon cyber operations, resembles a front company of the Chinese Ministry of State Security

The other shoe has finally dropped, but we still need more intrusion details to defend against the threats.
#salttyphoon #apt

nattothoughts.substack.com/p/salt-typho...

22.01.2025 17:45 — 👍 4    🔁 3    💬 0    📌 1

No, it doesn’t look like

17.01.2025 20:16 — 👍 1    🔁 0    💬 0    📌 0

Can I have some rest on the weekend? 😊

17.01.2025 20:15 — 👍 1    🔁 0    💬 1    📌 0
It is Sichuan not Chengdu

17.01.2025 19:47 — 👍 2    🔁 0    💬 1    📌 1
Chengdu: Teahouses, Hotpots, Universities and … Hackers Chengdu’s leisure lifestyle, education and talent resources have contributed to the city becoming a hacking hub

Kick off 2025 with a spicy hotpot - why has Chengdu become a hub for hacking?

nattothoughts.substack.com/p/chengdu-te...

08.01.2025 17:59 — 👍 4    🔁 0    💬 0    📌 1
1000 subscribers. You did it. Natto Thoughts has  its first thousand subscribers. Nattothoughts.substack.com

Thank you for your support. The Natto Team appreciates it.

17.12.2024 15:31 — 👍 7    🔁 2    💬 0    📌 2
Treasury Sanctions Cybersecurity Company Involved in Compromise of Firewall Products and Attempted Ransomware Attacks

WASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is sanctioning cybersecurity company Sichuan Silence Information Technology Company, Limited (Sichuan Silence), and one of its employees, Guan Tianfeng (Guan), both based in the People’s Republic of China (PRC), for their roles in the April 2020 compromise of tens of thousands of firewalls worldwide. Many of the victims were U.S. critical infrastructure companies. Malicious cyber actors, including those operating in China, continue to be one of the greatest and most persistent threats to U.S. national security, as highlighted in the 2024 Annual Threat Assessment released by the Office of the Director of National Intelligence.

“Today’s action underscores our commitment to exposing these malicious cyber activities—many of which pose significant risk to our communities and our citizens—and to holding the actors behind them accountable for their schemes,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. “Treasury, as part of the U.S. government’s coordinated approach to addressing cyber threats, will continue to leverage our tools to disrupt attempts by malicious cyber actors to undermine our critical infrastructure.”

Today, the Department of Justice (DOJ) unsealed an indictment on Guan for the same activity. Additionally, the U.S. Department of State announced a Rewards for Justice reward offer of up to $10 million for information about Sichuan Silence or Guan.

April 2020 Firewall Compromise

Guan Tianfeng discovered a zero-day exploit in a firewall product. A zero-day exploit is a previously unknown vulnerability in a computer software or hardware product that can be used in a cyberattack.

Between April 22 and 25, 2020, Guan Tianfeng used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned by thousands of businesses worldwide. The purpose of the exploit was to use the compromised firewalls to steal data, including usernames and passwords. However, Guan also attempted to infect the victims’ systems with the Ragnarok ransomware variant. This ransomware disables anti-virus software and encrypts the computers on a victim’s network if they attempt to remedy the compromise. More than 23,000 of the compromised firewalls were in the United States. Of these firewalls, 36 were protecting U.S. critical infrastructure companies’ systems. If any of these victims had failed to patch their systems to mitigate the exploit, or cybersecurity measures had not identified and quickly remedied the intrusion, the potential impact of the Ragnarok ransomware attack could have resulted in serious injury or the loss of human life. One victim was a U.S. energy company that was actively involved in drilling operations at the time of the compromise. If this compromise had not been detected, and the ransomware attack not been thwarted, it could have caused oil rigs to malfunction, potentially causing a significant loss in human life.

Guan Tianfeng and Sichuan Silence

Guan is a Chinese national and was a security researcher at Sichuan Silence at the time of the compromise. Guan competed on behalf of Sichuan Silence in cybersecurity tournaments and posted recently discovered zero-day exploits on vulnerability and exploit forums, including under his moniker GbigMao. Guan was responsible for the April 2020 firewall compromise.

Sichuan Silence is a Chengdu-based cybersecurity government contractor whose core clients are PRC intelligence services. Sichuan Silence provides these clients with computer network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression products and services. Additionally, Sichuan Silence provides these clients with equipment designed to probe and exploit target network routers. A pre-positioning device used by Guan in the April 2020 firewall compromise was in fact owned by his employer, Sichuan Silence.

OFAC is designating Sichuan Silence and Guan pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, for being responsible for or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector.

Sanctions Implications

As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or the control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons. In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person.

The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the Specially Designated Nationals and Blocked Persons (SDN) List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information concerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s Frequently Asked Question 897. Further information on the individuals and entities designated today is available from OFAC.

home.treasury.gov/news/press-r...

10.12.2024 17:14 — 👍 0    🔁 0    💬 0    📌 0
Sichuan Silence Information Technology: Great Sounds are Often Inaudible Formerly very public, Sichuan Silence has gone quiet since 2020; but as part of a circle of Chengdu-based jack-of-all-trades infosec companies, it serves the state in cyber-enabled operations

Today the US has sanctioned Chinese company Sichuan Silence for its role in the 2020 compromise of tens of thousands of firewalls, including US critical infrastructure victims. Natto Thoughts published a profile of Sichuan Silence last week.

nattothoughts.substack.com/p/sichuan-si...

10.12.2024 17:13 — 👍 1    🔁 1    💬 1    📌 0

Today the US has sanctioned Chinese company Sichuan Silence for its role in the 2020 compromise of tens of thousands of firewalls, including US critical infrastructure victims. Natto Thoughts published a profile of Sichuan Silence last week.

10.12.2024 17:11 — 👍 0    🔁 0    💬 0    📌 0

This was a fun one to record, based on @nattothoughts.bsky.social's recent article on Chinese cyber range exercises - at nattothoughts.substack.com/p/business-p.... Thanks @euben.bsky.social and @meidanowski.bsky.social

Hopefully we'll get a chance to do more soon! #cybersecurity #china

06.12.2024 15:40 — 👍 4    🔁 2    💬 1    📌 0
Sichuan Silence Information Technology: Great Sounds are Often Inaudible Formerly very public, Sichuan Silence has gone quiet since 2020; but as part of a circle of Chengdu-based jack-of-all-trades infosec companies, it serves the state in cyber-enabled operations

The Natto Team follows up on the findings of Sophos' Pacific Rim reports and provides a deep dive into Sichuan Silence Information Technology company - a Chengdu-based jack-of-all-trades infosec company.

nattothoughts.substack.com/p/sichuan-si...

04.12.2024 18:45 — 👍 6    🔁 4    💬 1    📌 0
Salt Typhoon: Churning Up a Storm of Consternation Public knowledge of the Salt Typhoon intrusions has been driven by the media, while the government and private-sector cybersecurity companies appear to have agreed on keeping mum

As many CTI analysts in the cybersecurity industry looked for Salt Typhoon intrusion details, such as IoCs, after the Wall Street Journal broke the news, they found that no industry reports on the described intrusions could be located. Why is that?

nattothoughts.substack.com/p/salt-typho...

21.11.2024 13:01 — 👍 2    🔁 2    💬 0    📌 0