Beijing adopting supply chain tactics and greater sharing of resources between spying groups, experts warn
ANALYSIS China’s long-established cyber-threat groups have been building up a huge arsenal of resources, comprising both publicly available and customized tools, and diversifying their repertoire amid the coronavirus pandemic.
Threat intelligence experts quizzed by The Daily Swig said that Chinese state-sponsored attackers are at the forefront of developing new or novel hacking techniques.
For example, supply chain attacks have long been a method of compromise by China-linked advanced persistent threat (APT) groups on different targets, predating the now-infamous SolarWinds attacks supposedly pulled off by Russian threat actors last year.
The latest annual threat assessment (PDF) from the US intelligence community, presented to Congress this week, warns that “China presents a prolific and effective cyber-espionage threat, possesses substantial cyber-attack capabilities, and presents a growing influence threat”.
“China’s cyber-espionage operations have included compromising telecommunications firms, providers of managed services and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations,” the intel agencies warn.
What kind of organizations are being targeted?
Chinese government-backed threat groups are said to be among some of the most prolific and well-resourced in the world.
The country’s cyber-espionage operations historically had a reputation for “preferring smash-and-grab over sophistication”, but this has changed over recent years, according to Marc Burnard, senior information security researcher at Secureworks.
Paul Prudhomme, head of threat intelligence advisory at IntSights, agreed that China had become a top-tier cyber adversary for Western businesses and governments.
“Chinese cyber-espionage groups are among the most sophisticated in the world, but are not as sophisticated as their Russian counterparts,” Prudhomme told The Daily Swig.
“Advanced features of Chinese cyber-espionage attacks have included the exploitation of zero-day vulnerabilities, the execution of supply chain and third-party attacks, and the use of proprietary or custom malware and other tools.”
“Chinese cyber-attacks have nonetheless often had weaknesses in their operational security that have enabled security researchers to attribute them to Chinese actors,” Prudhomme added.
Morgan Wright, chief security advisor at SentinelOne, and a former US State Department special advisor, told The Daily Swig that China is far more deliberate than Russia in its execution of cyber-attacks.
“Russia has moved from being more covert to more overt in the last few years,” Wright explained. “China, on the other hand, takes time to evaluate progress, identify follow-up tasks, and even develop specific modules depending on the type of machine being attacked.”
Beijing goes beyond technical measures, for example by using social networks and other OSINT channels for early-stage reconnaissance.
“[Chinese] intelligence services routinely use LinkedIn and conferences as means to establish relationships that are later exploited in spear-phishing attacks used to gain an initial foothold inside targeted entities,” Wright said.
Chinese APT groups are employing the gamut of tactics, techniques, and procedures against their targets
Why is China involved in cyber-espionage?
Chinese-associated threat actors typically conduct cyber-espionage operations to gather information in support of wider economic goals such as the Belt and Road Initiative and the ‘Made in China 2025’ program. Part of this involves spying on foreign governments.
They also seek competitive intelligence on the foreign business rivals of Chinese companies in many different industries, according to threat intel experts quizzed by The Daily Swig.
Other geopolitical developments also influence China-linked cyber-espionage operations. These include China’s trade war with the US, its dispute in the South China Sea with other ASEAN countries, and most recently the coronavirus pandemic.
For initial infiltration, spear-phishing is the current favored tactic amongst these groups.
Chinese threat actors employ the gamut of tactics, techniques, and procedures (TTPs), but the most common campaigns include spear-phishing, carrying out watering hole attacks and strategic web compromise operations, compromising shared services (such as managed service providers and telecommunications networks), and using supply chain compromises.
Chinese attacks have become more focused and targeted over recent years, moving away from the high volume, unfocused pattern of older attacks.
“Ten years ago, Chinese espionage operators were not as specific about their desired targets and would compromise the websites of major news sites and high-profile industry-focused organizations in an attempt to distribute malware to all visitors to these pages,” according to Frederick Plan, senior analyst of cyber-espionage at Mandiant Intelligence.
“More recently, however, Chinese groups are generally more nuanced and more choosey with their targets so they will rely on whitelisting or spear-phishing of specific individuals in a targeted organization.”
The use of software security vulnerabilities is also popular with Chinese APTs.
Natalie Page, threat intelligence analyst at Talion, said: “In October 2020, the National Security Agency published a report detailing 25 publicly known high severity vulnerabilities being utilised by Chinese state-sponsored hackers, way after patches had been made publicly available.”
“For initial infiltration, highly targeted spear-phishing is seemingly the current favoured tactic amongst these groups,” Page added.
The Chinese government has been linked to some of the most infamous cyber-threat groups
What attacks have been linked to Chinese spying groups?
Chinese APT groups have been blamed for some of the most infamous cybercrime campaigns ever witnessed.
Prolific threat groups with alleged links to Beijing include Axiom (APT72), Deep Panda (APT19), Elderwood (APT17), Ke3chang (APT15), Mustang Panda, menuPass (APT10), PalmerWorm, and Winnti (APT41).
The overriding motivation of these group is heavily tied to the Chinese government and espionage activities, though some have also been linked to financial crimes.
How are Chinese APT groups organized?
Historically, the People’s Liberation Army (PLA) spearheaded Chinese cyber-espionage, but over more recent years the Ministry of State Security (MSS) has become more important than the country’s armed forces.
Charity Wright, a former NSA Chinese espionage expert turned threat researcher at Recorded Future, told The Daily Swig: “I would say post-2015, MSS is dominating the cyber-espionage game.
“PLA reformed in 2015 to focus on warfighting. 2016, MSS split into two agencies with more defined objectives.”
A growing body of evidence points to greater knowledge sharing between Chinese groups.
Mandiant Intelligence’s Plan explained: “Shifts in their TTPs include an increasing reliance on publicly available tools (such as CobaltStrike BEACON) and more frequent use of malware that is shared among multiple groups.”
“We believe that increased sharing between groups is indicative of a kind of standardization of operations across distinct actors,” Plan concluded.
Threat intel firm Talion agreed with this assessment, adding that custom malware strains such as Poison Ivy, Cobalt Strike, and PlugX are often shared amongst Chinese groups.
The number of Chinese threat groups “concurrently exploiting the recent Exchange Server vulnerabilities prior to Microsoft releasing patches appears to be evidence of this greater knowledge sharing”, according to Secureworks’ Burnard.
Burnard added. “We’ve observed increased crossover in malware and TTPs used by Chinese threat groups.
“This likely reflects organisational restructuring in China’s military and security apparatus, increased knowledge sharing among threat groups, and attempts to minimize the risk of public attribution back to China.”
How has the Covid-19 pandemic changed the threat posed by China?
Industrial espionage remains one of the biggest threats posed by Chinese threat groups.
Chinese cyber-attacks have targeted all industries and verticals, but areas of special interest have included government and defense, and technology and telecommunications.
Chinese threat actors engaging in industrial espionage often target the intellectual property of foreign competitors in many different industries in order to produce lower-cost imitations of their products.
The acquisition of the Covid-19 vaccine’s intellectual property has become a high priority for cyber espionage groups around the world, including those in China, in response to the ongoing Covid-19 pandemic.
IntSights’ Prudhomme commented: “Chinese cyber-espionage groups previously targeted foreign healthcare and pharmaceutical companies for their intellectual property.
“The pandemic merely made this industry a higher priority and narrowed the focus of their attacks to Covid-19 vaccine research.”