Chinese hackers. Spying from behind the Great Wall. How Chinese hacker teams operate. Operation Clandestine Fox
Today, whoever controls the Internet controls the world. And, apparently, the world is now ruled by the Chinese.
It took only a few years for them to become a real danger to Internet users around the world. They break into mail, manipulate global traffic, and even steal military secrets from other developed countries. The latter, by the way, are constantly on edge, because the Chinese attack not ordinary citizens but defense enterprises that produce equipment and weapons. At the same time, the local authorities are quite resolute: they claim they are even ready to protect their hackers by physical force. Information is so important to them that they will actively defend their right to own it.
Chinese hackers have been active since 2006. They began to attack various large servers. At different times, such countries as France, India, South Korea, etc. were subjected to attacks. The United States showed the most outrage in response to attempts to invade personal space. The Americans began to be actively attacked in 2009. At that time, ordinary residents of the United States of America and high-ranking officials were exposed to virus attacks and other effects of cyber spies. Also, quite actively hackers attacked Japan. Perhaps the point is that this is a competitor country that really has something to “borrow”, or perhaps the point is the eternal competition and struggle with this country.
Now Chinese hackers have grown significantly in professional terms. They have mastered new technologies and are able to extract almost any information and cope with hacking even the most complex and secure devices.
By the way, here's another interesting fact about China: you can work as a hacker here absolutely officially. Some talented young people who are well versed in modern technologies, can go to the service of the local government. In this case, they will do their favorite thing, without fear that they will be punished for it. As a rule, these people are engaged in hacking serious corporations.
Biggest scandals
Quite a lot of international conflicts are connected with Chinese hackers, which have been repeatedly voiced in the media. To make sure that they are really cool, it is enough to mention their most striking achievements from those recent years.
One of the biggest scandals of 2017 is the theft of Siemens data by Chinese hackers. Three Chinese hackers stole over 400 gigabytes of data, all of it marked "trade secret".
In 2018, the Chinese managed to gain access to Moody's Analytics' service. Although gaining access to the company's internal mail service proved difficult and lengthy, it was not in vain, because they obtained the company's best practices. For a while, all the information sent by mail to Moody's Analytics went to the Chinese. This helped Trimble create the same product without spending as much time and money on it as its competitors did.
Another big scandal concerned smartphones on which malware was installed to spy on users. A wave of indignation rose when a Kryptowire employee noticed during his vacation that his new Chinese phone generated traffic even in idle mode. As it turned out later, the same seems to apply to other Android-based smartphones produced in the People's Republic of China. The phones collected personal data about their owners on their own and sent it to third-party servers, all without the owners' permission: none of them had consented to their personal information ending up in the public domain. Smartphones that leak information about their owners could be bought in almost all major online stores. Major American media have claimed that more than seven hundred million dollars' worth of such smartphones were made in China.
All this led to the "cloud war". American and Chinese manufacturers began to clash. Companies involved in this scandal were banned from buying American processors. The ban is to last seven years. American companies, on the contrary, benefit from this, because in this way they actually removed their competitors. Therefore, many netizens tend to believe that American companies do not really care if someone collects personal data. Everyone thinks only about their own profit and how to destroy competitors as successfully as possible.
Another rather large scandal concerns the theft of a missile project by Chinese hackers. This year they succeeded in hacking into the US Navy's network and, in a short time, managed to steal a complex anti-ship missile project. By 2020, such missiles were supposed to equip most American submarines and make them more reliable and better prepared for an enemy attack. Now the project, tentatively named "Sea Dragon", is under threat. So far, no one knows how much the work of the Chinese hackers will change the balance of power.
Before the summit of Trump and Kim Jong-un, Chinese hackers also stepped up. It is difficult to determine their exact purpose. Presumably, the cyber spies just wanted to get more secret data from Korea while everyone is focused on the political hype.
Household espionage
However, not all hackers are interested in political games and stealing some secret information. At the same time, even the simplest household hackers in China work at a very high level.
So, for example, they managed to learn how to quickly bypass the lock of iPhones, which seemed invulnerable to many. They even posted a tutorial video on YouTube. In addition, hackers have even started selling special devices that help in a matter of seconds to hack three iPhones at once. The advantage is that they immediately offered a protection scheme. To prevent your iPhone from being hacked by Chinese craftsmen, it is enough just to set a security password of six, not four digits. In addition, it is important that there are not only numbers, but also letters of the Latin alphabet.
There are also some smaller scandals related to the fact that cyber spies hack into local providers and get information about their successful compatriots.
As for military technology, a review of how vulnerable the entire system is has been launched.
Washington. Chinese hackers have been attacking the systems of US Navy contractors to steal everything from ship maintenance data to information about the missiles installed on them, officials and experts said, prompting a thorough review of cyber vulnerabilities in the systems of these companies.
A series of cyberattacks over the past year and a half have highlighted weaknesses in these systems, becoming what some officials say is one of the most damaging cyber campaigns linked to Beijing.
These cyberattacks affected all branches of the US military, but Navy and US Air Force contractors apparently caused special interest from hackers seeking advanced military technology.
According to one US official, last year US Navy contractors were the hardest hit.
Data allegedly stolen from contractors and subcontractors of the US Navy is often extremely valuable classified information regarding modern military technology. The victims of hackers were not only large, but also small companies that simply do not have enough resources to invest in protecting their computer systems.
In one of the biggest hacks, which came to light in June, secret plans were stolen for a supersonic anti-ship missile that US officials said was planned to be installed on US submarines. Hackers attacked an unnamed company that worked under a contract for the US Navy's Naval Undersea Warfare Center in Newport.
Hackers have also attacked those universities that have special laboratories for the development of new technologies that can be used by the Navy and other troops. This is evidenced by data from audits conducted by firms specializing in cybersecurity issues.
U.S. Secretary of the Navy Richard Spencer has ordered an audit of weaknesses in his branch's systems that could help adversaries gain access to critical information. Officials said the secret results of the initial assessment of the issue, which were given to Mr. Spencer a few days ago, confirm the validity of the alarm and set the stage for a US Navy response.
Navy officials declined to say exactly how many attacks were carried out in the past year and a half, but they did say there were "quite a few" attacks, adding that the attacks were unacceptable.
“Attacks on our systems are not new, but attempts to steal sensitive information are getting more active and sophisticated,” Mr. Spencer wrote in a memo that fell into the hands of reporters from the Wall Street Journal in October. "We must act decisively to fully understand the nature of these attacks and how further loss of key information can be prevented."
Mr. Spencer's memo does not mention China. But according to officials, the victims of hacker attacks were those companies that China is interested in. In addition, the hackers left traces that point to Beijing's involvement.
On Friday, Dec. 14, U.S. Navy officials said that Mr. Spencer's memo "reflects [the Navy's] seriousness in prioritizing cybersecurity in an era of renewed power struggles so that our fleets and Marines can maintain and increase our military advantage over any adversary."
Chinese officials did not respond to our request for comment, but they deny any involvement in the cyberattacks.
While hackers attempted to steal sensitive data in most of the attacks, Navy officials say China also wants to show that it could pose a different kind of threat, despite the fact that the Chinese navy and air force are inferior to the US.
“They targeted our weak underbelly,” said one defense official. "This is an asymmetric way to strike at the US without having to open fire."
Signs pointing to Chinese hackers include remote control of malware from a computer address located on Hainan Island, as well as the documented use of a number of tools that are typical of Chinese hacker groups.
Tom Bossert, who until April was President Trump's homeland security adviser, said the Chinese are hacking the systems of the US military and other organizations for a variety of reasons - sometimes to sabotage American systems, sometimes to steal information, sometimes to get competitive advantage through intellectual property theft. U.S. officials say they have secret sources and methods to determine for sure that China is responsible for the hacks.
"It's extremely difficult for the Department of Defense to protect its own systems," Mr. Bossert said. "It's a matter of trust and hope - protecting the systems of its contractors and subcontractors."
Mr. Spencer's analysis comes just as the Department of Defense is trying to turn its gigantic bureaucracy toward more responsible cybersecurity practices and convince subcontractors to protect their systems.
Subcontractors working for different branches of the military often lag far behind in cybersecurity issues and are often the victims of hacker attacks that affect other branches, one official said.
Senior Pentagon officials believe that the process of securing projects carried out in the interests of the military does not allow contractors and subcontractors to be responsible for cybersecurity.
Mr. Spencer's analysis coincided with the Trump administration's push to hold China accountable for its relentless attempts to steal information from US companies through cyberattacks and recruit employees of those companies for economic profit and military development.
Chinese hackers have been accused of stealing billions of dollars worth of intellectual property from American companies a year, and over the past few weeks the US Department of Justice has launched a string of allegations blaming Beijing. More charges were expected to be filed against the Chinese hackers this week, but they had to be postponed due to the fact that classified data could be released as a result. In addition, investigators are convinced that the hacker attack, which was recently reported by Marriott International Corporation, is the work of the Chinese.
Cybersecurity experts have determined that the hacking attacks on US Navy contractors and subcontractors were carried out by members of an alleged Chinese government hacking squad called Temp.Periscope or Leviathan, which often uses phishing scams to hack into computer networks.
This group has been active since at least 2013, and its activities are primarily directed against American and European companies.
Temp.Periscope activity dropped markedly in 2015, around the same time that then-US President Barack Obama and Chinese leader Xi Jinping signed a bilateral agreement in which they promised to refrain from economic espionage, and also against the backdrop of the Chinese military's reorganization, according to the American firm FireEye, which closely monitors the activities of this group of hackers. In mid-2017, Temp.Periscope got back to work.
In the past few weeks, US officials have said that China has stopped honoring the terms of that agreement.
Ben Read, senior analyst at FireEye, noted that Temp.Periscope was one of the most active Chinese hacking groups his company has monitored over the past year. The group's activities were primarily aimed at companies associated with the Navy, but it also carried out attacks against other organizations that could be related to China's strategic interests in the South China Sea, including some political organizations in Cambodia.
“While they have focused primarily on companies that do business with the Navy, they are in a certain sense a full-fledged intelligence service,” Mr. Read said.
The traces of most targeted attacks in recent years lead to Asia, where Shanghai servers stand out as a bright spot. In the process of investigations, experts note such markers as Chinese IP addresses, timestamps, language settings and software specific to China. In this article, we will try to figure out who is organizing these hacker attacks and which hacker groups are behind this.
The investigation of large-scale targeted attacks sometimes takes many years, so the details of their implementation are not immediately known. As a rule, by the time they are published, all exploited vulnerabilities have been patched, malicious components have been added to anti-virus databases, and C&C servers have been blocked. However, in such reports, methods are interesting, which, with minor changes, continue to be used in new attacks.
Chinese hacker group APT1 (aka Comment Crew)
This hacker group received identifier number one and largely contributed to popularizing the term APT attack (Advanced Persistent Threat). It set a kind of record for the amount of data stolen from one organization: in ten months, APT1 downloaded 6.5 TB of documents from hacked servers.
There is a lot of evidence that APT1 was created by the PRC Ministry of Defense on the basis of Unit 61398 of the People's Liberation Army of China (PLA). According to FireEye experts, it has been operating since 2006 as a separate structure of the Third Directorate of the PLA General Staff. During this time, APT1 performed at least 141 targeted attacks. It is difficult to name the exact number, since some information security incidents are hushed up, and for known attacks it is not always possible to prove their belonging to a specific group.
APT1 activity by region, image: fireeye.com
In line with the doctrine of the country's political leadership to "win the information wars", APT1 was reformed and strengthened in 2016.
Start of construction of the new APT1 base in 2013, photo: DigitalGlobe
Now it has several thousand people on its staff, mainly graduates of Zhejiang University and Harbin Polytechnic University with a good command of English.
Geographically, APT1 is headquartered in Pudong (Shanghai New Area), where it owns a large complex of buildings. The entrances to them are guarded, and there is a checkpoint regime on the entire perimeter, like at a military base.
Checkpoint at the APT1 base, photo: city8.com
To speed up the active phase of an attack and cover their tracks, APT1 used intermediate "jump" hosts: infected computers controlled via RDP, and FTP servers that hosted the payload. All of them were geographically located in the same region as the targets.
Over a two-year observation period, FireEye detected 1,905 instances of such intermediate nodes being used from 832 different IP addresses, with 817 of them leading to the Shanghai networks of China Unicom and China Telecom, and Whois records pointing directly to Pudong, where, apart from the APT1 headquarters, there are no organizations of comparable scale.
These intermediate nodes were usually controlled by HTRAN proxy (HUC Packet Transmit Tool) from 937 different servers controlled by APT1.
In its attacks, APT1 used 42 backdoors from different families. Some of them were written a long time ago, distributed on the darknet or modified to order (Poison Ivy, Gh0st RAT and others), but Backdoor.Wualess and its later modifications stand out among this set. It appears to be APT1's own development.
As in other targeted attacks, in the APT1 scenarios, the payload was delivered to the computers of the victims using social engineering methods (in particular, spear phishing). The main functionality of the Wualess backdoor was contained in the wuauclt.dll library, which the Trojan-dropper from the infected email placed on the target computers running Windows in the system directory (%SYSTEMROOT%\wuauclt.dll).
Then the backdoor performed a check for a previous infection and, if necessary, registered itself in the registry as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    "Start"="2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
    "ServiceDll"="%SystemRoot%\wuauclt.dll"
It then connected to one of its C&C servers:
- NameLess.3322.org, TCP port 5202;
- sb.hugesoft.org, TCP port 443.
The latter port is used by browsers for HTTPS connections by default, so it is usually not blocked by firewalls.
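The persistence scheme described above (the wuauserv service pointed at a ServiceDll outside System32, with automatic start) is something a defender can check for directly. The following Python is an added example written for this page, not code from the article or from any vendor it cites. It runs over a constructed in-memory snapshot of service keys rather than the live registry, so it works offline; the one outside fact it relies on is that the genuine Windows Update service is implemented by wuaueng.dll in System32, and it assumes C:\Windows as the system root when expanding %SystemRoot%.

```python
import ntpath

# Constructed sample snapshot of HKLM\SYSTEM\CurrentControlSet\Services entries:
# (service name, "Start" value, "ServiceDll" value). Not real registry data.
SAMPLE_SERVICES = [
    ("wuauserv", "2", r"%SystemRoot%\wuauclt.dll"),            # the pattern from the article
    ("BITS", "2", r"%SystemRoot%\system32\qmgr.dll"),
    ("Spooler", "2", r"C:\Users\Public\spool.dll"),            # constructed: user-writable path
    ("Schedule", "2", r"%SystemRoot%\System32\schedsvc.dll"),
]

# Known Windows default: the Windows Update service lives in wuaueng.dll under System32.
# wuauclt is a client executable; Windows ships no wuauclt.dll.
EXPECTED_SERVICE_DLL = {"wuauserv": "wuaueng.dll"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"  # assumption: C:\Windows is the system root


def _normalise(path: str) -> str:
    """Lower-case and expand %SystemRoot% so paths can be compared textually."""
    return path.lower().replace("%systemroot%", "c:\\windows")


def analyse_service(name: str, start: str, service_dll: str) -> list:
    """Return a list of human-readable findings for one service entry (empty if clean)."""
    findings = []
    norm = _normalise(service_dll)
    base = ntpath.basename(norm)
    if not norm.startswith(SYSTEM32_PREFIX):
        findings.append("ServiceDll outside System32: " + service_dll)
    expected = EXPECTED_SERVICE_DLL.get(name.lower())
    if expected and base != expected:
        findings.append(f"{name} ServiceDll should be {expected}, found {base}")
    if base == "wuauclt.dll":
        findings.append("ServiceDll masquerades as the Windows Update client (wuauclt.dll is not a Windows DLL)")
    if findings and start == "2":
        findings.append("Start=2 (automatic): the DLL loads at boot without user interaction")
    return findings


def scan(services) -> dict:
    """Map each service name to its findings."""
    return {name: analyse_service(name, start, dll) for name, start, dll in services}


if __name__ == "__main__":
    for svc, hits in scan(SAMPLE_SERVICES).items():
        print(svc, "->", hits or "clean")
```

On a real host the same checks apply to the output of `reg query` or a Sysmon registry-event feed; the point is that a hijacked ServiceDll value stands out on path alone, before any file hash is known.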
Upon receiving the command, the backdoor would do one of the following:
- checked the connection speed;
- collected and sent data about the system and users;
- took a screenshot and sent it;
- cleared the DNS cache and changed entries in it;
- downloaded and launched yet another malware;
- ended the specified processes in memory;
- searched for and sent files matching the specified criteria (mainly office format documents and archives);
- updated its version;
- saved a copy to a restore point (System Volume Information).
The latter feature made it difficult to completely remove the backdoor, since the OS usually blocked access to the \System Volume Information\ directory.
Later modifications (e.g. Wualess.D) used random file names, a large set of port numbers for connecting to C&C servers, and ran as a hidden copy of the iexplore.exe process.
Another characteristic feature of APT1 was the use of WEBC2 backdoors. They have a minimal set of functions (used mainly to collect information) and connect to the control servers the way a browser would. The backdoor receives a web page from the server whose tags contain control commands. Such traffic looks like a user's normal network activity and usually does not arouse suspicion from the behavioral analyzers of security systems.
Among other traffic obfuscation techniques used by APT1, the backdoors MaCroMaIL (simulates the operation of MSN Messenger), GLooxMaIL (simulates the Jabber/XMPP client) and CaLenDar (its data exchange is similar to Google calendar synchronization) stand out.
To collect information about infected computers, APT1 used built-in Windows tools that were called through a batch file (.bat) created by the backdoor on command. Let me remind you that the > sign indicates that the output is redirected to a file instead of being displayed on the screen, and the extension of the file with the log does not matter, since inside it is a plain-text format encoded in ASCII / DOS.
@echo off
rem Turn off command echo
ipconfig /all > %TEMP%\ipconfig.log
rem Full IP configuration: all network adapters and their MAC addresses
netstat -ano > %TEMP%\netstat.log
rem All network connections and open ports, with the owning process ID and addresses in numeric form
net start > %TEMP%\services.log
rem All running Windows services
tasklist /v > %TEMP%\tasks.lst
rem All running processes and the computing resources they consume
net user > %TEMP%\users.lst
rem Windows accounts from the local database
net localgroup administrators > %TEMP%\admins.lst
rem Accounts included in the local "Administrators" group
net use > %TEMP%\shares.net
rem Current connections to network shares
net view > %TEMP%\hosts.dmn
rem Hosts in the current domain or network
Also, using the appropriate commands like net group
It was precisely its primitiveness that made this information-gathering method work flawlessly. Built-in diagnostic tools are available on any computer with any version of Windows. The %TEMP% variable removes the need to look for a folder to save the logs: any user (and a backdoor running with that user's rights) can write to the temporary-files directory. No antivirus objects to plain-text files (least of all standard-looking logs), and to the user they look completely harmless, something like Microsoft telemetry collection or a routine admin check.
The only difference was that the collected logs were then packed into a .rar archive and sent to the APT1 servers to select further targets. To complicate analysis of the data leak, the .rar archive containing the logs was created with the -hp switch, which encrypts not only the contents but also the file names themselves.
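The two passages above point to a detection opportunity: the individual commands are innocuous, but a burst of them from one parent process, followed by an archiver run with -hp, is not how administrators usually work. The Python below is an added example written for this page, not code from the article or from FireEye; it runs over a constructed list of process-creation events shaped like Sysmon Event ID 1 fields (timestamp, parent PID, command line), and the window and threshold values are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands whose clustered appearance matches the host-survey batch file above.
RECON_COMMANDS = {
    "ipconfig /all", "netstat -ano", "net start", "tasklist /v",
    "net user", "net localgroup administrators", "net use", "net view",
}

# Constructed process-creation events: (ISO timestamp, parent PID, command line).
# Parent 4120 is a cmd.exe spawned by a backdoor; 988 and 2210 are ordinary users.
EVENTS = [
    ("2024-01-10T09:00:01", 4120, "ipconfig  /all"),
    ("2024-01-10T09:00:02", 4120, "netstat -ano"),
    ("2024-01-10T09:00:02", 4120, "net start"),
    ("2024-01-10T09:00:03", 4120, "tasklist /v"),
    ("2024-01-10T09:00:03", 4120, "net user"),
    ("2024-01-10T09:00:04", 4120, "net localgroup administrators"),
    ("2024-01-10T09:00:04", 4120, "net view"),
    ("2024-01-10T09:00:09", 4120, r"rar.exe a -hpSecret %TEMP%\rep.rar %TEMP%\*.log %TEMP%\*.lst"),
    ("2024-01-10T09:15:00", 988, "ipconfig /all"),   # an admin checking one thing
    ("2024-01-10T11:30:00", 988, "net view"),        # hours later, not a burst
    ("2024-01-10T12:00:00", 2210, r"rar.exe a backup.rar C:\Users\alice\Documents"),
]


def normalise(cmdline: str) -> str:
    """Lower-case, collapse whitespace and drop output redirection, so that
    'ipconfig  /all > %TEMP%\\ipconfig.log' and 'ipconfig /all' compare equal."""
    return " ".join(cmdline.split(">")[0].lower().split())


def recon_bursts(events, min_distinct=4, window=timedelta(minutes=2)) -> list:
    """Return one finding per parent PID that runs at least `min_distinct`
    different survey commands inside `window`."""
    per_parent = defaultdict(list)
    for ts, ppid, cmdline in events:
        cmd = normalise(cmdline)
        if cmd in RECON_COMMANDS:
            per_parent[ppid].append((datetime.fromisoformat(ts), cmd))
    findings = []
    for ppid, hits in per_parent.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {cmd for ts, cmd in hits[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                findings.append({"ppid": ppid, "first_seen": start.isoformat(),
                                 "commands": sorted(seen)})
                break  # one alert per parent is enough
    return findings


def encrypted_archives(events) -> list:
    """Return command lines where rar is invoked with -hp, i.e. file names are
    encrypted too, which hides what was staged before it leaves the host."""
    pattern = re.compile(r"\brar(?:\.exe)?\b.*\s-hp", re.IGNORECASE)
    return [cmdline for _, _, cmdline in events if pattern.search(cmdline)]


if __name__ == "__main__":
    for hit in recon_bursts(EVENTS):
        print("survey burst:", hit)
    for cmd in encrypted_archives(EVENTS):
        print("encrypted archive:", cmd)
```

The burst rule deliberately keys on the parent PID rather than the user, because in the scenario described the commands run under a legitimate user's rights; what is abnormal is the scripted cadence.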
After collecting reports about the system, the next stage of the attack began to obtain user passwords. Basically, this step also used public utilities that the backdoor launched at the command of the C&C server:
- the Windows NTLM hash collection tool fgdump;
- the password hash dumper pwdump7;
- gsecdump and other utilities from TrueSec;
- pass-the-hash toolkit and other tools from .
All of them are recognized as not-a-virus or hacktool and do not trigger antiviruses with the appropriate settings (ignore password audit utilities).
Having matched a hash to a password (most often with the simplest dictionary attacks), APT1 gained the ability to remotely perform any action on behalf of a real company employee, including sending new phishing emails from his address and through his account on the corporate network (as well as through his VPN account) to attack the computers of management and partner organizations. It was these, and the data stored on them, that were the ultimate goal. In total, APT1 is responsible for stealing information about high-tech developments from more than a hundred large international companies and their associated universities. Many targets were successfully attacked several times.
Chinese hacker group APT3 (UPS Team)
Allegedly associated with MSS - the Ministry of State Security of the People's Republic of China. Operates through the China Information Technology Assessment Center (CNITSEC) and the ITSEC Security Center in Guangdong.
It is in the business center of Guangdong - Huapu Square West Tower that traces of several large targeted attacks lead at once. It houses the headquarters of Boyusec, which, along with Huawei and ZTE, cooperates with Shanghai Adups Technology, a key partner of CNITSEC.
In any case, APT3 is the most technically advanced of the groups. It uses 0day vulnerabilities in its attacks and custom backdoors, and constantly changes its set of C&C servers, tools and methods. Its approach is well illustrated by three major targeted attacks, discussed in more detail below.
Operation Clandestine Fox
The campaign, called Operation Clandestine Fox, began in the spring of 2014. It affected IE versions six through eleven, which according to NetMarketShare made up about a third of all browsers at that time.
Clandestine Fox exploited the CVE-2014-1776 vulnerability leading to a Use-after-free heap attack.
Dynamic memory, or the heap, is designed in such a way that it is constantly overwritten in large blocks. Usually, when requesting the next free block, the heap manager gives the address of the one that was just freed by some object (especially if it is of the same size).
The essence of a use-after-free attack is that after an object has freed its memory, the pointer ptr still refers to the address of that block for some time when the object's methods are called. If we first request an allocation of dynamic memory and then try to call a method of the just-freed object, the heap manager will most likely return the old address to us. If a pointer to malicious code is placed in the virtual method table (VMT) and the VMT itself is written at the beginning of the new memory block, the malicious code will run when a method of the object formerly stored there is called.
To prevent such an attack scenario, the randomized memory allocation mechanism, ASLR, is called upon. However, the Clandestine Fox operation used simple methods to bypass it.
The simplest of them is to use modules that do not support ASLR. For example, the old libraries MSVCR71.DLL and HXDS.DLL that were compiled without the new /DYNAMICBASE option. They are loaded at the same addresses in memory and were present on most computers at the time of the attack. MSVCR71.DLL is loaded by IE on Windows 7 (particularly when trying to open a help page starting with ms-help://), and HXDS.DLL is loaded when running MS Office 2007 and 2010 applications.
Additionally, Clandestine Fox used a technique to bypass the Data Execution Prevention (DEP) system, the details of which became known only when analyzing the next attack of the APT3 group.
Operation Clandestine Wolf
The Clandestine Wolf phishing campaign was a continuation of Clandestine Fox and was carried out by APT3 in 2015. It became one of the most effective because it exploited a buffer overflow bug in Adobe Flash Player for which there was no patch at that time. Vulnerability CVE-2015-3113 affected all current versions of the player for Windows, OS X and Linux. It allowed arbitrary code to be executed with little to no user interaction, bypassing security systems.
In the phishing mailing, APT3 lured victims with an offer to buy refurbished iMacs at a discounted price. The link in the email led to a web page containing the .flv file that launched the exploit. Interestingly, the exploit bypassed the built-in DEP (Data Execution Prevention) protection by hijacking the call stack and performing a return-oriented programming (ROP) attack. During this attack, the VirtualAlloc function from Kernel32.dll was called, pointers to the injected shellcode were created, and its memory was marked as executable.
The exploit also overcame the second layer of protection by exploiting known flaws in address space randomization (ASLR) and injecting executable code into other processes (mainly the browser thread).
To hide the ROP attack, the exploit on the web page was encrypted (RC4), and the key to decrypt it was extracted by a script from an adjacent picture. Therefore, the anti-virus scan of the infected web page did not detect anything suspicious either.
As a result, the user only had to click on the link to install a backdoor on his computer. Neither the built-in protection methods in the OS and browser, nor individual antiviruses could protect against the 0day exploit.
Operation Double Tap
The Double Tap phishing campaign was carried out in the fall of 2014 using two then-recent vulnerabilities:
- CVE-2014-6332, which allows the size of an array managed by the VBScript engine to be changed, due to an error in the SafeArrayRedim function of the OleAut32.dll library;
- CVE-2014-4113, in the win32k.sys system driver, which results in privilege escalation at the Windows kernel level.
The exploits were launched using the iframe element embedded in the pages of hacked sites and HTML emails. The bait this time around was the offer of a free monthly subscription to the Playboy Club, giving unlimited access to high resolution photos and Full HD clips. The link led to the fake playboysplus.com domain.
After clicking on it, a 46 KB install.exe file was downloaded to the computer. This is a dropper trojan that does not contain any malicious functions and was not detected by antiviruses either by signature or heuristic analysis at the time of the attack. It created two files: doc.exe and test.exe in the public user directory C:\Users\Public\ . This hard-coded path was missing on some computers, which saved them from infection. It was enough to use a variable instead (for example, %USERPROFILE% or %TEMP%) so that such a complex attack would not stall at the very beginning due to a misunderstanding with absolute paths.
The doc.exe file supported the 64-bit architecture and contained an exploit for the CVE-2014-4113 vulnerability. It was needed to try to run the test.exe backdoor with system rights. Success was checked with the whoami console command.
In turn, test.exe contained code for exploiting the CVE-2014-6332 vulnerability, which was a modification of another popular exploit that is part of Metasploit.
If successful, the backdoor set up a SOCKS5 proxy and sent a short request (05 01 00) to the first-level C&C server at 192.157.198.103, TCP port 1913. If it responded with 05 00, the backdoor connected to the second-level C&C server at 192.184.60.229, TCP port 81. It then listened for its three-byte commands and executed them.
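The bytes quoted above are the standard SOCKS5 method negotiation (client: version 5, one method, no authentication; server: version 5, method 0), so the handshake itself is legitimate protocol and can be matched without any malware signature. The Python below is an added example written for this page, not code from the article or from any vendor; it classifies constructed flow records (first payload bytes in each direction) and flags the negotiation when it goes to an external host or a port other than the registered SOCKS port 1080, and additionally when the endpoint matches the two C&C addresses quoted in the article.

```python
import ipaddress

# Constructed flow records: (src, dst, dst_port, first client bytes, first server bytes).
# Addresses and payloads are made up for this example, except the two C&C endpoints
# quoted in the article, which are used here as indicators.
FLOWS = [
    ("10.0.0.15", "192.157.198.103", 1913, b"\x05\x01\x00", b"\x05\x00"),
    ("10.0.0.15", "192.184.60.229", 81, b"\x05\x01\x00", b"\x05\x00"),
    ("10.0.0.22", "10.0.0.5", 1080, b"\x05\x01\x00", b"\x05\x00"),            # internal proxy, expected
    ("10.0.0.22", "203.0.113.9", 443, b"\x16\x03\x01\x02\x00", b"\x16\x03\x03"),  # TLS, not SOCKS
    ("10.0.0.31", "198.51.100.7", 81, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200"),
]

# Indicators quoted in the article for the Double Tap backdoor.
ARTICLE_C2 = {("192.157.198.103", 1913), ("192.184.60.229", 81)}
SOCKS_PORT = 1080  # IANA-registered port for SOCKS


def is_socks5_noauth_handshake(client_bytes: bytes, server_bytes: bytes) -> bool:
    """Client greeting 05 01 00 (version 5, one method, NO AUTH) answered by 05 00."""
    return client_bytes[:3] == b"\x05\x01\x00" and server_bytes[:2] == b"\x05\x00"


def classify_flow(src, dst, dport, client_bytes, server_bytes) -> list:
    """Return findings for one flow; an empty list means nothing to report."""
    findings = []
    if not is_socks5_noauth_handshake(client_bytes, server_bytes):
        return findings
    if ipaddress.ip_address(dst).is_global:       # private/reserved ranges are not global
        findings.append("SOCKS5 no-auth negotiation with an external host")
    if dport != SOCKS_PORT:
        findings.append(f"SOCKS5 on non-standard port {dport}")
    if (dst, dport) in ARTICLE_C2:
        findings.append("matches a C&C address/port quoted in the article")
    return findings


def scan(flows) -> dict:
    """Map (src, dst, port) to findings for every flow."""
    return {(s, d, p): classify_flow(s, d, p, c, r) for s, d, p, c, r in flows}


if __name__ == "__main__":
    for key, hits in scan(FLOWS).items():
        if hits:
            print(key, "->", hits)
```

The internal flow to port 1080 produces no finding: the rule is not "SOCKS is bad" but "a workstation negotiating SOCKS5 with an arbitrary Internet host on an odd port is worth a ticket", which is exactly the shape of the exchange the article describes.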
As the attack developed, the backdoor received an upgrade, and antiviruses later began to detect it as Backdoor.APT.CookieCutter, aka Pirpi. It was launched via Rundll32:
rundll32.exe "%USERPROFILE%\Application Data\mt.dat" UpdvaMt
Rundll32 is a console utility that allows explicitly named functions exported from dynamic libraries (DLLs) to be called. It was originally created for internal use at Microsoft but then became part of Windows (starting with Windows 95). Whereas other loading methods require a library to have the correct extension, Rundll32 ignores the file extension.
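Because Rundll32 ignores the extension, the launch command above is itself a detection signal: the "library" is a .dat file in the user's profile. The Python below is an added example written for this page, not code from the article, that parses a rundll32 command line and reports a module that is not a .dll or that lives in a user-writable location. The list of user-writable markers is an assumption for illustration, and the command lines checked are the one from the article plus constructed benign ones.

```python
import ntpath
import re

# Path fragments that an unprivileged user can write to (assumed list for this example).
USER_WRITABLE_MARKERS = (
    "%userprofile%", "%temp%", "%appdata%", "\\users\\public\\", "\\application data\\",
)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list:
    """Tokenise a Windows command line, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def check_rundll32(cmdline: str) -> list:
    """Return findings for a rundll32 invocation; [] for benign or non-rundll32 commands."""
    tokens = split_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("rundll32", "rundll32.exe"):
        return []
    if len(tokens) < 2:
        return ["rundll32 without a module argument"]
    # Classic form is "module,EntryPoint"; a space before the entry point also works.
    module = tokens[1].split(",")[0]
    findings = []
    ext = ntpath.splitext(module)[1].lower()
    if ext != ".dll":
        findings.append(f"module extension is {ext or 'none'}, not .dll: {module}")
    if any(marker in module.lower() for marker in USER_WRITABLE_MARKERS):
        findings.append("module loaded from a user-writable location: " + module)
    return findings


# The command line from the article, plus constructed benign invocations for comparison.
SAMPLE_COMMANDS = [
    r'rundll32.exe "%USERPROFILE%\Application Data\mt.dat" UpdvaMt',
    "rundll32.exe shell32.dll,Control_RunDLL",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL",
    "notepad.exe notes.dat",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(cmd, "->", check_rundll32(cmd) or "ok")
```

The same check is worth running over Sysmon or EDR process-creation logs: rundll32 loading anything without a .dll extension, or anything from a user profile or %TEMP%, is rare on a managed workstation and cheap to review.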
Conclusions
Judging by the facts that have emerged, large teams of professional hackers work for the Chinese government in the field of cybersecurity. Some of them are officially considered army units: they are given access to state secrets and are guarded on a par with headquarters signals staff. Others operate through commercial firms and carry out attacks directly from a business center. Still others are civilian groups that change frequently. It seems that the last are assigned the dirtiest jobs, after which some are handed over to law enforcement to whitewash the ruling party's reputation. If they slip up, they are simply blamed and the next ones are hired.
Chinese hackers cooperating with the PRC's state intelligence have become more active and have again become frequent protagonists of large-scale threats in the American media. They spy on the militaries of other countries and steal their strategic developments, spy on large businesses and take over Internet networks. They have already been caught stealing American weapons technology and hacking into space satellite systems. This material looks at how cybercriminals from China terrorize large countries.
Over the past year, Internet spies from China have been implicated in attacks on several US infrastructures at once. The space and telecommunications industries, as well as the computer networks of the naval forces, were hit. All evidence points to the attacks being carried out not by ordinary criminals but by full-time military intelligence officers, whose existence the Chinese government continues to deny.
A bug in the hardware
In early October 2018, Bloomberg sources reported that Chinese military intelligence had been monitoring almost 30 American organizations for several years. Among the victims were the commercial IT giant Apple, major financial institutions and government military contractors. Microchips that were not part of the original design were built into the companies' equipment. The report indicated that foreign devices the size of a grain of rice could be inserted into boards during production, able to communicate with external sources and prepare the device for reprogramming. The technology companies themselves denied this information.
It turned out that spyware was allegedly embedded in Supermicro's servers. The company is the main supplier of boards in the market. A former US intelligence official who wished to remain anonymous called the company "in the software world." "It's like an attack on the whole world," he concluded. Prior to this, anonymous sources reported on the plans of the PRC to infiltrate the hardware intended for American companies. Among the risky partners were Chinese giants Huawei and ZTE, who allegedly work closely with the Chinese military. However, in the absence of precedents, they could not bring any charges against anyone. The Chinese government responded by stating that it is a strong advocate for computer security.
Cybersecurity experts have noticed that they have already seen similar "bugs" in the hardware of other manufacturers. All this equipment was made in China. Such chips can quietly monitor the activities of the company for years and are invisible to virtual security systems. Later it turned out that corporate secrets were not the only interest of hackers: sensitive government networks were also attacked.
This revelation has complicated the already tense relationship between the US and China. On October 10, the US Department of Justice arrested a senior Chinese Ministry of State Security official, Xu Yanjun. He is accused of economic espionage. The man was detained in Belgium on April 1 and extradited at the request of the US authorities. China called the accusations against Xu trumped up.