Josh Murray, iSIGHT Partners
In February 2007, a Chinese hacking group made headlines by compromising the Dolphin Stadium homepage and inserting malicious code that infected visitors in a drive-by attack. The stadium was the venue for the upcoming Super Bowl, and the group compromised numerous other high-profile websites in the same manner during the same timeframe, at one point employing a zero-day ANI exploit as part of the campaign. The attacks were as high-profile as they get, yet they were surprisingly centered on monetizing stolen credentials for online games such as World of Warcraft (WoW).
During the winter of 2007/2008, several more mass website compromises with similar characteristics were reported; these compromises were carried out through SQL injection. Careful analysis of these attacks over time began to reveal a discrete entity behind them. That group has continued to operate to this day, carrying out an ever-evolving and at times high-profile series of attacks. While the group's activity has frequently attracted media attention and at times accounted for some of the most prolific drive-by exploitation observed, little has been said about the group itself. This paper establishes the profile of a single, unified group and documents its methods.