For some time now the Cyberint Research Team has been witnessing attacks targeting China. While most campaigns related to OpChina are focusing on infrastructure and government data breaches, over the past weekend, a major breach of the popular social network TikTok occurred, revealing 1.7 billion records and relations to another popular Chinese app – WeChat.
The group taking full responsibility for this breach is none other than the notorious BlueHornet, aka AgainstTheWest, aka APT49.
Given that these types of ‘big names’ hunting campaigns are typical to this group, and after observing campaigns they’ve conducted in the past, evidence suggests that this incident might be real despite some claims by members of the cyber security community to the contrary.
The BlueHornet team is one of the most skilled groups we have witnessed since the start of the Russia-Ukraine war. The group has compromised several government entities in China, Iran, Russia, North Korea and Belarus, and is leaking highly sensitive data.
A short while after these major leaks, BlueHornet went off grid claiming they are being sponsored by a particular country. The original group was comprised of five individuals.
Just as BlueHornet left a mark, so does their rebrand, Aggressive Griffin. The group emerged over the past several months, claiming they have relations with the original group that ended up working for a government.
It seems that the new group continued with the agenda of the old group and is looking to be the vigilante APT that strikes fear in the heart of any country that is an enemy of the west, i.e., USA and NATO.
In conversations Cyberint’s Research Team had with the team’s leader, among other things, the agenda of the group was officially revealed and is pretty clear (Figure 1): establishing a clear threat to the countries like China and Russia, while money is not the main issue.
As BlueHornet seeks to harm and compromise as many Chinese assets as possible, what better target can there be than one of the most popular Chinese apps in the world?
On September 3, it came to our attention that the group was able to compromise several TikTok servers. The group claims the servers were poorly secured, which enabled them to infiltrate and gain access to a massive amount of TikTok data such as user information, architecture, source code, and much more (Figure 2, 3).
As expected, the breach incident has drawn the attention of many security researchers worldwide given the popularity of TikTok and the controversy around the application in the cyber security community.
A Question of Authenticity
Given the scale of this incident, many security researchers looked to authenticate the information and see if the data that has been leaked by the BlueHornet was real.
The opinion of many popular security figures and researchers are divided when it comes to the authenticity of the data. While some claim they have been able to recreate the breach on TikTok’s servers and found the same data, others are convinced that the whole story is fake.
The divided opinions also come due to the mixed messages from TikTok regarding this issue. First, the social media giant claimed they had never been breached and that there are no signs of intrusion, but then, another public announcement was made claiming that the stolen information was nothing but testing modules, leaving people wondering which one is it.
BlueHornet Went Missing
The story gets even more interesting when we look at BlueHornet after the breach.
Twitter, in an odd move, disabled BlueHornet’s account following the publication of the data, and most peculiarly, wiped out and deleted all private messages containing data regarding this issue.
The Cyberint Research Team reached BlueHornet after the leak and the short conversation that we had with the group was deleted by Twitter.
The harsh reaction by Twitter seems a bit odd, given the fact that BlueHornet has published breaches far more alarming than TikTok in the past. Furthermore, currently, there are Twitter accounts belonging to far more lethal threat groups that remain untouched by Twitter, even though they are more popular and have much more impact.
Mainstream social media isn’t the only place from which BlueHornet was banned and disappeared.
The underground popular leak site, BreachForums, which was the home of the group for publishing their leaks, banned the group and removed their account. This was done by Pompompurin, the founder of BreachForums (Figure 4).
Given the long-lasting relationship between BlueHornet and BreachForums over the past year, this move was also pretty peculiar, but might shed some light on Pompompurin’s position on the authenticity of the breach.
There is no doubt that the TikTok leak made an impact. The question is if it’s real or not. The issue raised many questions about the Chinese social network such as: What links do they have to other applications, what information do they share with other entities, why is American user information stored on Chinese cloud services, etc.
BlueHornet has been leading the crusade against Russia and China for some time now and is responsible for several major breaches, which give some credibility to the group and its actions.
The answer as to whether the breach was real or not will be revealed in time, as will the question regarding the disappearance of BlueHornet and if we are ever going to see them again.