Short History of the CCP Cyber

  Whether this is due to their naivety, thinking the state will cover their activities, or their inability to understand that the Great Firewall does not actually prevent others connecting to Chinese infrastructure and seeing their mistakes – only they know. Perhaps they have started believing their own propaganda: ‘We are world-leading, stealthy, and advanced threat actors’. Or perhaps they simply do not care? What is evident though is their sloppiness, which is something we are more than willing to highlight, evidence and make public.

State-sponsored theft - intrustion-truth

Chinese IP theft represents one of the largest transfers of wealth in human history. And their targeting is indiscriminate – from innovation and R&D (rice and corn seeds, software for wind turbines, naval engineering and medical research), to personally identifiable information (PII) and sensitive government documents. Ultimately, anything that provides China an edge is fair game. The methods China uses rely less on physically stealing data, and more on MSS contract hackers being tasked to steal it from within China’s borders.

There is a distinction made between a hacker and a criminal. Some might say one man’s hacker is another’s freedom fighter. Yet there are ethical and moral boundaries which the Chinese continue to violate. Utilising criminals to hack for the state’s bidding, and to do so to steal IP from hard-working companies provides an unfair advantage to prop up Chinese businesses. They can’t be pioneering or forerunners in their own right and seem to have concluded that they need to steal to gain a competitive advantage.  And this is theft condoned and actively encouraged by the Chinese state. A state which is rapidly emerging into a global superpower. It is a powerful message to be sending the world.

Home-grown hēikè

The Wooyun.org shutdown appears to be one of the first events which highlights the CCP’s direction of travel to essentially hoard offensive cyber capabilities by restricting the publication of 0-day vulnerabilities. In a statement on Sina, founder of Qihoo 360 Zhou Hongyi (周鸿祎) stated that it was only ‘imaginary success’ when competing in overseas competitions. Rather, Chinese hackers and their knowledge should ‘stay within China’ so they could recognize the true importance and “strategic value” of the software vulnerabilities. Following this, China restricted travel for Chinese hackers, instead inviting them to compete in the home-grown Tianfu competition. The very same event where the winning vulnerability (Chaos) has been aggressively used to target Uyghurs.

The APT side hustle

An increasing number of reports highlight activity from Chinese APTs deploying ransomware on their victims and hacking for-profit, using the same tactics, tools and occasionally time as their MSS campaigns to conduct this side business. This has included the repurposing of state-sponsored malware in the gaming industry, stealing virtual currencies and selling malicious apps.

A really interesting article on China’s Sina Games portal details an interview with a Chinese hacker. He comments that online games are the most valuable part of the Chinese hacking industry. His reasoning? That China’s internet’s security consciousness is weak. Granted this article is old. But what is interesting is the openness to which a Chinese hacker talks of hacking Chinese netizens for profit. Yet it seems this focus might have changed over the years, with China’s hackers now focusing outside of the Firewall.

The Chinese government is permitting cyber criminals to conduct this activity within its borders. We have evidenced direct involvement of criminal hackers with the MSS, whilst others in the InfoSec community have proven clear Chinese state links to APT intrusion activity.

So, is it tactical toleration on behalf of the MSS to allow these hackers to conduct cybercrime outside of its borders for self-profit? Do the MSS pay their hackers so poorly that they have to let them make money on the side to keep them sweet? Or have the MSS lost control of the criminals it employs to do its dirty work?

We are also seeing greater sharing of tools, techniques and knowledge across Chinese APT groups. This is most evident with Hafnium, where a large number of Chinese APT groups were concurrently and recklessly using the MES vulnerability. Increased crossover in malware and TTPs points to greater knowledge sharing and a higher level of organisation than what China would have us believe.

Chain of command

As we know, Chinese APTs take direction from the Chinese state. This is a pattern starting with front companies, leading back to MSS contract hackers and ultimately to local and regional MSS bureaus. It is becoming increasingly obvious that there is something more at play here. A cyber campaign of sorts; coordinated, run and tasked by seniors within the MSS?

We have evidenced multiple Chinese APTs which have relationships with MSS officers and are behind global campaigns of cyber hacking. Yet China keeps denying responsibility, crying that claims of their APT activity is ‘baseless with no evidence’… we would recommend our blog as some light reading in this regard.

So, who is leading the Chinese Cyber Programme?

Let’s look upwards. Someone is leading the coordination of China’s cyber campaign. The multiple APTs, appearing across various provinces within China, are all linked by the MSS bureaus sitting behind these groups. And there is one person in charge of the MSS.

One person giving the direction.

One person overseeing the Chinese cyber programme.

That person?

Chen Wenqing (陈文清).

Cyber karma

Beijing come across as powerful within the offensive cyber space. After all, their state is actively, aggressively and successfully sponsoring malign cyber activity against fellow states, private companies, industry and individual people. Yet Beijing also see themselves as vulnerable.

The Cyberspace Administration of China (CAC) is the country’s internet regulator and official body for enacting censorship. Recently, it stepped into the controversy around Didi (the ride-hailing app), ordering it to undergo a cybersecurity review ahead of its IPO in New York. The CAC later released a security-review revision in which it said companies holding personal data on at least one million users must apply for a cybersecurity review before any foreign listings.

Are China’s actions causing reactions? It’s almost as if the Chinese government know that their bulk collection of data on Chinese citizens is contentious. They lead the way in stealing PII from foreign governments and organisations – and the CAC know how powerful this data can be. Did they read our article outing APT10 using Uber receipts and are understandably worried about the vast data personal data holdings Didi might reveal on some of their senior officials?

Cyber karma – It is the guilty party that assumes everyone else is doing the same thing as them.

Conclusion

There has been 100 years of the CCP but only 38 years of the MSS. Yet there are a number of questions which remain unanswered (ie, we’d like more evidence to help answer, might we say):

1. Does Xi know what the MSS are doing in cyber space?
2. Do the CCP understand how their actions undermine the positive narrative China would like the world to believe?
3. Does the benefit of the Chinese cyber programme outweigh the costs to the Chinese leadership?

Happy Birthday CCP

生日快乐. As our present to you for reaching this auspicious milestone, we promise to stick with you and keep a close eye on what the MSS cyber programme is up to. We will continue to pen more attribution pieces as long as you support your APTs and deny they are working for you.

Psst. Chinese cyber hackers: If you are reading this, please do enjoy our fun quiz we put together. We feel the flowchart neatly leads to the right outcome.

Russia & CCP No Limits Relationship

 Russian invasion of Ukraine - intrusion-truth

For a while we have been researching and reporting on Chinese state cyber activity around the globe. Their malcontent for the rules-based order is evident as is their disregard for intellectual property with all the hard work that goes into this.

24 February 2022 is a date that will forever be etched in the minds of the Ukrainian people and the world as the day the Russians decided to invade Ukraine. The images of the atrocities carried out in Bucha by the Russian army is just one example of the horror show being conducted by the Russian military. The world in unison condemned this activity, but the Chinese Community Party (CCP) was somewhat absent coming just weeks after President Vladimir Putin and President Xi Jinping declared their “no-limits” partnership. Which makes us question: Did the CCP know? Actions speak louder than words.

The Chinese state’s reaction was initially one of neutrality before rolling back as the relationship became an embarrassment to China. Most evident of all was President Xi Jinping signing the final declaration at the G20 summit in Bali, condemning the Russian invasion of Ukraine. Was the partnership ever anything more than a ruse by the CCP?

Now, as we have all seen through the year, it’s not going well. So is the public image of the “no-limits” relationship the full story?

“wait, you are going to invade where?”

Chinese state hackers get involved

In March 2022 the Ukrainian ‘computer emergency response team (CERT-UA)’ issued a warning about cyberattacks on the countries police agencies. The activity was via phishing emails with HeaderTip malware included inside weaponized documents. The message when translated stated “on the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar” which also included an executable with the same name. All of this could easily point back to Russian state hackers. They are invading Ukraine and as such would want to know what is going on in the country. However, an investigation by SentinelOne identified the link between the HeaderTip malware and “scarab” which has links to the Chinese government. This is a fantastic bit of work by SentinelOne exposing a clear link to the Chinese state. This activity is reported within a couple of weeks of the Russian invasion of Ukraine, with Check Point Research (CPR) also flagging that the “frequency of cyberattacks from Chinese IP addresses around the world jumped 72% in the week from March 14 to March 20, compared with the seven-day period before the Russian invasion of Ukraine began”. Why such an interest from Chinese state hackers in Ukraine? Our next stop is to what was happening before the Russian invasion.

On Friday April 1st, 2022, The Times UK released an exclusive outlining the Chinese state’s hacking activity. According to this article, this activity had occurred during the Beijing winter Olympics up to 23 February 2022 (the day before the Russian invasion of Ukraine). What is interesting is that the source stated the hack was widespread, across “600 websites belonging to the Ukrainian defense ministry” but also “Ukrainian government, medical and education networks”.

Chinese state relationship with Russia

So, are we seeing the “no-limits” relationship at work behind the scenes? Having reviewed other avenues there is a mixed picture. Where we see hacking in Ukraine by Chinese state hackers, we also see reporting of Chinese state hackers targeting Russia itself. Of note, SentinelOne state that the Chinese hacker group Scarab mentioned above has previously targeted Russia in a quest to hack, interpreting the “no-limits” relationship tagline in a different way to the Xi Jinping of early February 2022…

As outlined in the National Interest, the CCP is vying to become a “cyber superpower”. It has the numbers, not necessarily the talent, but is a highly capable thief (just ask all the companies who have lost intellectual property over the years). Is this just the Chinese state stealing all the data for themselves? As Tim Starks and AJ Vincens wrote in July 2022 “the Ukraine war could provide a cyberwarfare manual for Chinese generals eying Taiwan” but you could argue it is more than that. China is surpassing its Russian ‘comrade’ and will take advantage of any opportunity to acquire all the information it can get.

@remonwangxt

Not so much a relationship….

On this note, we move to the Chinese state’s targeting of Russia. We start with a piece by CPR in May 2022. Another phishing attempt, another set of emails, another Chinese state cyber hack but this time the target was Russian military research and development institutes (with Belarus thrown in for good measure). What is that saying, ‘all is fair in love and war’? Well, we have love between Xi and Putin, but when Putin’s eyes are on Ukraine, Xi is stabbing his comrade in the back. CPR also flagged that this targeting had overlaps with Stone Panda and Mustang Panda. This seems like a homerun to us.

In a friendship of equals some are more equal than others…and the Russians seemed to know the Chinese state are hacking them to their hearts content. Kaspersky identified Chinese state sponsored hacking activity as early as January 2022. Reported in August by Spiceworks, “Kaspersky blamed Chinese state sponsored hacking group TA428 for a number of phishing attacks targeting industrial plants, research institutes, government agencies and ministries across Russia, Belarus, Ukraine and Afghanistan”. The use of a 17-year-old memory corruption (CVE-2017-11882) was ‘in’ before utilising TTP’s distinct to TA428 with sensitive searches being conducted. Now I don’t know about you but does the above look like an ally you want in a “no-limits” relationship? What were these Chinese state hackers looking for? If you ask us, the Russians clearly are aware of the Chinese state’s hacking campaign against them. They aren’t exactly covering their tracks. The Russian government is desperate, along and weaker than ever.

Dragonbridge and fighting back

Yet all hope is not lost. We are aware we are swimming against the tide here; it appears the CCP is relentless and cannot be stopped. But during a Wikipedia edit war which the hacktivist collective Anonymous state is part of a Chinese influence operation to remove information from Wikipedia, Anonymous hacked the Chinese Ministry of Emergency Management among other websites. It highlights that China’s ‘Great Firewall’ is prone to attacks and exploitation.

The message was on a number of Chinese sites, including on government sites

And on something we haven’t commented on but wanted to wind up with. It would be rude not to mention the botnet menace from Dragonbridge. First flagged by Mandiant in September 2021, not only are the Chinese state hackers stealing intellectual property but they are shifting to the influence game. We see Dragonbridge target events in the US and clearly, we are hitting them where it hurts as they turned their attention to us recently in an attempt to shadowban our content. Now – don’t get us wrong. It is nice to be noticed by the Chinese state hackers. I means we are getting under their skin. But it’s a global redline when they are targeting the Ukrainians with disinformation. Now Dragonbridge hasn’t really been that effective. In our case, having the community identify and flag these accounts has ensured it didn’t really make much of a splash. Thank you to everyone who contributed to spotting Brandi, Monique and the rest of the botnet bandits!

Now both examples demonstrate that although the CCP want to be seen as a “cyber superpower”; they really aren’t. As a community we can continue to expose Chinese state hacking activity, the actors behind the keys and the hypocrisy of the Chinese state. All it takes is that continued vision from the community to flag this hostile activity, keep running down those leads and continue to help us in our quest for the truth.

And finally…..

So alas, the Chinese state hackers are not sunning themselves on a beach, enjoying some time away from the keys and considering a more productive and fulfilling life away from their CCP puppet masters. Instead, they continue to look for any opportunity to target people, companies or countries. Even when those countries are simply fighting for their independent survival….

We hope that these Chinese state hackers walk away from their keyboards in 2023. However, our New Year’s prediction is that they will continue and as such this community needs to stay the course in exposing malign cyber activity: for our loved ones, for our brothers and sisters in Ukraine and for the hard-working people across the globe whom the CCP steal and hack at will.

As always, you know how to get in touch.

Wherever you may be, we wish all our readers a happy holiday. We will be back in 2023. See you for the fireworks.