Whether this is due to their naivety, thinking the state will cover their activities, or their inability to understand that the Great Firewall does not actually prevent others connecting to Chinese infrastructure and seeing their mistakes – only they know. Perhaps they have started believing their own propaganda: ‘We are world-leading, stealthy, and advanced threat actors’. Or perhaps they simply do not care? What is evident though is their sloppiness, which is something we are more than willing to highlight, evidence and make public.
State-sponsored theft - intrustion-truth
Chinese IP theft represents one of the largest transfers of wealth in human history. And their targeting is indiscriminate – from innovation and R&D (rice and corn seeds, software for wind turbines, naval engineering and medical research), to personally identifiable information (PII) and sensitive government documents. Ultimately, anything that provides China an edge is fair game. The methods China uses rely less on physically stealing data, and more on MSS contract hackers being tasked to steal it from within China’s borders.
There is a distinction made between a hacker and a criminal. Some might say one man’s hacker is another’s freedom fighter. Yet there are ethical and moral boundaries which the Chinese continue to violate. Utilising criminals to hack for the state’s bidding, and to do so to steal IP from hard-working companies provides an unfair advantage to prop up Chinese businesses. They can’t be pioneering or forerunners in their own right and seem to have concluded that they need to steal to gain a competitive advantage. And this is theft condoned and actively encouraged by the Chinese state. A state which is rapidly emerging into a global superpower. It is a powerful message to be sending the world.
Home-grown hēikè
The Wooyun.org shutdown appears to be one of the first events which highlights the CCP’s direction of travel to essentially hoard offensive cyber capabilities by restricting the publication of 0-day vulnerabilities. In a statement on Sina, founder of Qihoo 360 Zhou Hongyi (周鸿祎) stated that it was only ‘imaginary success’ when competing in overseas competitions. Rather, Chinese hackers and their knowledge should ‘stay within China’ so they could recognize the true importance and “strategic value” of the software vulnerabilities. Following this, China restricted travel for Chinese hackers, instead inviting them to compete in the home-grown Tianfu competition. The very same event where the winning vulnerability (Chaos) has been aggressively used to target Uyghurs.
The APT side hustle
An increasing number of reports highlight activity from Chinese APTs deploying ransomware on their victims and hacking for-profit, using the same tactics, tools and occasionally time as their MSS campaigns to conduct this side business. This has included the repurposing of state-sponsored malware in the gaming industry, stealing virtual currencies and selling malicious apps.
A really interesting article on China’s Sina Games portal details an interview with a Chinese hacker. He comments that online games are the most valuable part of the Chinese hacking industry. His reasoning? That China’s internet’s security consciousness is weak. Granted this article is old. But what is interesting is the openness to which a Chinese hacker talks of hacking Chinese netizens for profit. Yet it seems this focus might have changed over the years, with China’s hackers now focusing outside of the Firewall.
The Chinese government is permitting cyber criminals to conduct this activity within its borders. We have evidenced direct involvement of criminal hackers with the MSS, whilst others in the InfoSec community have proven clear Chinese state links to APT intrusion activity.
So, is it tactical toleration on behalf of the MSS to allow these hackers to conduct cybercrime outside of its borders for self-profit? Do the MSS pay their hackers so poorly that they have to let them make money on the side to keep them sweet? Or have the MSS lost control of the criminals it employs to do its dirty work?
We are also seeing greater sharing of tools, techniques and knowledge across Chinese APT groups. This is most evident with Hafnium, where a large number of Chinese APT groups were concurrently and recklessly using the MES vulnerability. Increased crossover in malware and TTPs points to greater knowledge sharing and a higher level of organisation than what China would have us believe.
Chain of command
As we know, Chinese APTs take direction from the Chinese state. This is a pattern starting with front companies, leading back to MSS contract hackers and ultimately to local and regional MSS bureaus. It is becoming increasingly obvious that there is something more at play here. A cyber campaign of sorts; coordinated, run and tasked by seniors within the MSS?
We have evidenced multiple Chinese APTs which have relationships with MSS officers and are behind global campaigns of cyber hacking. Yet China keeps denying responsibility, crying that claims of their APT activity is ‘baseless with no evidence’… we would recommend our blog as some light reading in this regard.
So, who is leading the Chinese Cyber Programme?
Let’s look upwards. Someone is leading the coordination of China’s cyber campaign. The multiple APTs, appearing across various provinces within China, are all linked by the MSS bureaus sitting behind these groups. And there is one person in charge of the MSS.
One person giving the direction.
One person overseeing the Chinese cyber programme.
That person?
Chen Wenqing (陈文清).
Cyber karma
Beijing come across as powerful within the offensive cyber space. After all, their state is actively, aggressively and successfully sponsoring malign cyber activity against fellow states, private companies, industry and individual people. Yet Beijing also see themselves as vulnerable.
The Cyberspace Administration of China (CAC) is the country’s internet regulator and official body for enacting censorship. Recently, it stepped into the controversy around Didi (the ride-hailing app), ordering it to undergo a cybersecurity review ahead of its IPO in New York. The CAC later released a security-review revision in which it said companies holding personal data on at least one million users must apply for a cybersecurity review before any foreign listings.
Are China’s actions causing reactions? It’s almost as if the Chinese government know that their bulk collection of data on Chinese citizens is contentious. They lead the way in stealing PII from foreign governments and organisations – and the CAC know how powerful this data can be. Did they read our article outing APT10 using Uber receipts and are understandably worried about the vast data personal data holdings Didi might reveal on some of their senior officials?
Cyber karma – It is the guilty party that assumes everyone else is doing the same thing as them.
Conclusion
There has been 100 years of the CCP but only 38 years of the MSS. Yet there are a number of questions which remain unanswered (ie, we’d like more evidence to help answer, might we say):
- Does Xi know what the MSS are doing in cyber space?
- Do the CCP understand how their actions undermine the positive narrative China would like the world to believe?
- Does the benefit of the Chinese cyber programme outweigh the costs to the Chinese leadership?
Happy Birthday CCP
生日快乐. As our present to you for reaching this auspicious milestone, we promise to stick with you and keep a close eye on what the MSS cyber programme is up to. We will continue to pen more attribution pieces as long as you support your APTs and deny they are working for you.
Psst. Chinese cyber hackers: If you are reading this, please do enjoy our fun quiz we put together. We feel the flowchart neatly leads to the right outcome.
