Leaked internal documents show Knownsec operates as a state-aligned cyber contractor supplying a vertically integrated espionage stack—ZoomEye/TargetDB reconnaissance, o_data_* identity correlation, GhostX/Un‑Mail exploitation and mailbox takeover, and Passive Radar PCAP-based internal mapping—to Chinese public‑security, military, and regulator customers. The corpus includes organizational charts, employee emails, high‑confidence IOCs targeting Taiwanese critical infrastructure, and detailed tradecraft emphasizing persistence, anti‑forensics, and APT‑style operational workflows. #Knownsec #GhostX
Keypoints
- Knownsec’s leak reveals a contractor that integrates reconnaissance (ZoomEye), target prioritization (TargetDB), human‑layer identity datasets (o_data_*), exploitation suites (GhostX), webmail takeover (Un‑Mail), and PCAP analysis (Passive Radar) into a single operational pipeline.
- TargetDB contains 24,241 organizations, 378,942,040 classified IPs, and 3,482,468 domains tagged by sector and geography, enabling state‑grade foreign targeting and prioritization.
- o_data_* is a massive data lake of breach dumps and subscriber records used for deanonymization, credential replay, and highly tailored social‑engineering operations across regions including Taiwan, India, Brazil, and Russia.
- GhostX, Un‑Mail, and Passive Radar provide exploitation, persistent mailbox replication/exfiltration, and passive internal network reconstruction respectively, supporting long‑term, low‑noise operations and lateral movement.
- Organizational materials and WBS sheets tie Knownsec’s products and teams to state customers (MPS/Beijing PSB, MIIT, CNCERT/CC, State Grid) and show formalized funding, procurement, and program governance consistent with defense‑industrial contractors.
- The leak includes explicit IOCs and examples of targeting (e.g., Fortinet and Sophos devices at Taiwanese banks and telecoms), internal employee emails, and 60+ screenshots/PDFs that document tradecraft, supply‑chain hosting, and OPSEC measures such as proxy chains and signatureless execution.
MITRE Techniques
- [T1203] Exploitation for Client Execution – Browser exploitation used to gain initial access and deliver implants. [‘GhostX delivers browser exploitation, routing manipulation, credential theft, and endpoint monitoring.’]
- [T1555.001] Credentials from Web Browsers – Extraction of stored browser passwords to obtain credentials for lateral movement and account takeover. [‘extracting browser-stored passwords’]
- [T1056.001] Keylogging – Capturing typed credentials and other sensitive input for credential access and monitoring. [‘deploying keylogging modules that capture input in real time’]
- [T1539] Steal Web Session Cookie – Siphoning and replaying session tokens/cookies to maintain or regain access without passwords. [‘siphoning cookies and session tokens, and cookie replay’]
- [T1114] Email Collection – IMAP/POP replication and full inbox exfiltration to enable persistent COMINT and historical message harvesting. [‘IMAP/POP mailbox replication, silently downloading the entire mailbox including archived, deleted, or years-old communications’]
- [T1040] Network Sniffing – Passive ingestion and analysis of PCAPs to reconstruct internal network topology and identify critical hosts and flows. [‘Passive Radar relies exclusively on the ingestion and analysis of packet capture (PCAP) data.’]
- [T1090] Proxy – Use of proxy chain deployment to obscure command-and-control origins and frustrate attribution. [‘proxy chain deployment, allowing operators to route traffic through multilayered, frequently shifting intermediaries’]
- [T1027] Obfuscated Files or Information – Code mixing, behavior shaping, and signatureless execution used to evade detection and complicate analysis. [‘code mixing, behavior shaping, and signatureless execution explicitly described in internal product briefs.’]
- [T1136] Create Account – Creation of admin accounts on routers and internal services to establish durable infrastructure-level persistence. [‘ability to create new admin accounts on routers or internal services turns a momentary foothold into a durable position within the victim’s infrastructure’]
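The T1114 behaviour attributed to Un‑Mail above (one session silently replicating a whole mailbox, years-old messages included, from a source the user has never logged in from) is the kind of thing a mail server's fetch logs can surface. The detector below is an added illustration, not code from the leak or from Knownsec's tooling; the log line format, user names and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed per-fetch records in a simplified key=value form (not a real
# server's log format). A normal client fetches recent mail in small batches;
# a replication session pulls everything, spanning years of history.
CONSTRUCTED_LOG = [
    "user=alice src=10.0.0.5 sess=s1 msgdate=2024-05-02",
    "user=alice src=10.0.0.5 sess=s1 msgdate=2024-05-03",
    "user=alice src=10.0.0.5 sess=s2 msgdate=2024-05-04",
    "user=bob src=10.0.0.7 sess=s4 msgdate=2024-05-01",
] + [
    # 40 fetches in one session from an unseen address, dated 2016..2024
    f"user=alice src=203.0.113.9 sess=s3 msgdate={date(2016 + i % 9, 1 + i % 12, 1).isoformat()}"
    for i in range(40)
]
# Source addresses previously associated with each account (constructed).
KNOWN_SOURCES = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.7"}}


def parse_line(line):
    """Turn one constructed 'key=value' record into (user, src, session, msg_date)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return kv["user"], kv["src"], kv["sess"], date.fromisoformat(kv["msgdate"])


def find_replication_sessions(lines, known_sources, min_msgs=30, min_span_years=3):
    """Return (user, src, session, n_msgs, span_years) for sessions that fetch at
    least min_msgs messages covering at least min_span_years of mailbox history
    from a source address not previously associated with that user."""
    sessions = defaultdict(list)  # (user, src, session) -> fetched message dates
    for line in lines:
        user, src, sess, msg_date = parse_line(line)
        sessions[(user, src, sess)].append(msg_date)
    hits = []
    for (user, src, sess), dates in sessions.items():
        if src in known_sources.get(user, set()):
            continue  # familiar client address; not the pattern we are after
        span_years = (max(dates) - min(dates)).days / 365.25
        if len(dates) >= min_msgs and span_years >= min_span_years:
            hits.append((user, src, sess, len(dates), round(span_years, 1)))
    return hits


if __name__ == "__main__":
    for hit in find_replication_sessions(CONSTRUCTED_LOG, KNOWN_SOURCES):
        print("possible mailbox replication:", hit)
```

Thresholds are deliberately conservative; a first-time sync of a legitimate new mail client looks similar, so the "unseen source" condition is what keeps this from paging on every phone enrolment.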
Indicators of Compromise
- [IP Address] Taiwan critical-infrastructure targets – 210.242.194.198 (Nan Shan Life Insurance), 219.80.43.14 (Hua Nan Commercial Bank)
- [IP Address] Telecom and energy devices – 220.130.186.202 (Chunghwa Telecom, Sophos XG), 61.65.236.240 (Taipower, Check Point service)
- [Email Address] Internal employee accounts recovered from leak – [email protected], [email protected]
- [Dataset name] Data‑lake HDFS entries and credential dumps – o_data_taiwanahooemailpwd_tw, o_data_telecom_info_india, and 15+ additional o_data_* datasets
- [File names / screenshots] Leak artifacts and master file list – 1.png, 64.png, and numerous PDFs/spreadsheets such as 关基目标库说明文档_V202309.pdf and 无源雷达–产品文档
- [Service / Device Banner] Identified device/service fingerprints used for targeting – Fortinet FortiGate (firewall), Sophos XG (telecom gateway), Check Point SVN (energy sector firewall)