A Wuhan-based school that claims to offer aspiring hackers professional information security training has grown into an apparent headhunting hub for Chinese government hacking groups, according to a new investigation.
The Wuhan Kerui Cracking Academy is likely training hackers and funneling them into Chinese intelligence hacking shops at the Ministry of State Security (MSS), according to a Thursday report from “Intrusion Truth,” a mysterious persona bent on exposing Chinese government hacking groups.
The Daily Beast can reveal that the man at the helm of the Kerui Cracking Academy training operation—identified in the report as Qian Linsong—once lived in St. Petersburg, Florida while working for American tech company Thinking Systems Corporation. The company offers software developments services for medical imaging, including for customers in China, according to its website.
A biography of Qian posted on Wuhan University’s website indicates that he moved to the U.S. in the early 2000s, and photos published in the report show him attending events with the Thinking Systems Corporation logo visible in the backdrop.
Just a few years later, Qian moved back to China and founded the alleged spy school, according to Intrusion Truth.
“Established in 2007, the Kerui Cracking Academy prides itself on providing its students the best information security training in the industry, including the ‘most professional reverse security course’ as part of its curriculum,” the report says. “So confident is the school of its teaching abilities that it tells prospective students not to worry about finding a job—in fact ‘almost 100% of students get a job within one month.’ Impressive!”
The Wuhan Kerui Cracking Academy did not immediately respond to a request for comment from The Daily Beast about the school and its founder. The head of Thinking Systems Corporation did not respond to The Daily Beast by time of publication.
The so-called “Professor X” appears to be leading somewhat of a double life, according to Intrusion Truth. On the one hand, he works as a part-time teacher at the National Cyber Security College of Wuhan University, a tutor at the Huazhong University of Science and Technology, and the Vice Chairman of Quanzhou Artificial Intelligence Society, according to the investigation.
On the other, he also moonlights at an intelligence-linked company, according to Intrusion Truth, running a company called Kerui Reverse Technology Company. The company says on its website that it has been providing “technical services for many projects of the Ministry of Public Security and the Ministry of State Security,” according to Intrusion Truth.
“It is safe to assume that Qian is no stranger to working with Chinese intelligence services,” the Intrusion Truth blog states.“We couldn’t help but wonder whether Qian’s cooperation with the MSS runs a little deeper. Is Qian supplying the MSS with freshly trained hackers? Or even up-skilling hackers the MSS have found?”
“Wuhan Kerui is very famous in the circle and is very professional in reverse engineering.”
The MSS often relies on contractors for its hacking operations, which opens them up to some exposure since those contractors like to boast that they work for the Chinese government, John Hultquist, who has been tracking similar Chinese hacking operations for years, told The Daily Beast.
“One of the interesting things that we see again and again is MSS relying on contractors who oftentimes openly advertise they’re working with them,” said Hultquist, the Vice President of Intelligence Analysis at cybersecurity firm Mandiant.
Kerui Cracking Academy appears to keep track of where its graduates go to work, according to its website, revealing that many of their places of work must be kept secret. Some of their graduates are marked as “confidential,” according to pages reviewed by The Daily Beast.
Reviews posted on the suspected Kerui Cracking Academy website show students are grateful to have attended, and found the work “not as difficult as you think.”
One student said they began studying at Kerui with very little understanding of computers and programming, but now thinks they have lived up to their family’s expectations.
Another student, whose graduation destination is listed as “confidential,” said a “big guy” in Beijing told them that Kerui is well-known, which prompted them to attend.
“A big guy came back from Beijing. His annual salary is one million. I chatted with him about participating in the training,” the student said, according to a student review seen by The Daily Beast. “He said that Wuhan Kerui is very famous in the circle and is very professional in reverse engineering.”
Mystery group
The cheeky investigation is just the latest from the mysterious Intrusion Truth, which has been publishing blogs working to undermine and expose the most prominent Chinese government hacking entities since 2017.
In some cases, it has revealed names, photos, and other details about individuals allegedly hacking at the behest of the Chinese government. One 2020 investigation exposed front companies for Chinese government hacking operations.
Some blog reports have aligned with or appeared to inform U.S. government investigations into the most prolific hacking from China.
Two individuals exposed in one investigation in 2017, including Wu Yingzhuo—who went by the alias “Christ Wu”—and Dong Hao, for instance, were later charged by U.S. authorities for hacks against U.S. businesses in Pennsylvania and in the financial, engineering, and technology industries.
This latest investigation appears to expose hackers working for a Chinese cyber-espionage group known as APT31, which goes after government entities, international financial organizations, and aerospace and defense organizations, according to cybersecurity firm Mandiant. The hackers typically focus on collecting information that can provide Chinese state companies with political, economic, or military advantages.
While Intrusion Truth doesn’t explicitly say it is exposing APT31, the blog tags the post as an APT31 investigation. The U.K. government accused the MSS of supporting APT31 in 2021.
In the report, Intrusion Truth noted that Qian had spent time in the United States working for an American company in his 20s, without mentioning the state he was living in or his employer at the time.
The group did, however, post a photo of Qian allegedly taken when he visited Disney World. It sussed out his interest in starting the apparent MSS hacker feeder school, claiming that at a young age he began downloading hacking software to experiment with at home—just as China-U.S. hacking began surging.
