Chinese Cyber Espionage Evolves to Support Higher Level Missions

Share

Summary

This video discusses changes in Chinese cyber espionage activities, from a high volume of IP theft to a more refined and stealthy approach, focusing on specific strategic goals aligned with China's economic and military policies. The presentation covers domestic context, military reforms, and the evolving tactics, targets, and tools used by Chinese cyber espionage groups.

Highlights

Introduction to Evolving Chinese Cyber Espionage
00:00:06

The presentation introduces Kelly Vanderley and Elani Fraser, discussing how conventional wisdom on Chinese cyber espionage, characterized by high volume and IP theft, has changed. Research from FireEye in 2016 documented a significant decline in activity from 2014 to 2015, leading to an investigation into new prevailing trends in 2019. The speakers emphasize the importance of tracking these changes to effectively counter the evolving threat.

Domestic Context: Economic and Military Reforms
00:01:40

In 2015, China adopted an innovation-focused agenda, exemplified by 'Made in China 2025,' aiming for higher-value goods and reduced foreign components. The 'Belt and Road Initiative' (BRI) supports this by connecting China to global trade networks through extensive infrastructure projects, including telecommunications and 5G. These policies inform the geographic and sector distribution of observed Chinese espionage. Additionally, Chinese military reforms since 2012, including the establishment of the Strategic Support Force (SSF) in 2015, have centralized operations and integrated space, cyberspace, and electromagnetic capabilities, affecting the structure and operations of cyber units.

Impact of Military Reorganization on Cyber Groups
00:06:00

The Central Military Commission, including the SSF's network systems department, is believed to house former PLA units like the Third Department, which had 12 operational bureaus with distinct missions. Groups like APT81 and APT61486, previously associated with the PLA, have shown no confirmed activity since the reorganization. However, Technical Reconnaissance Bureaus (TRBs) seem to have been transferred to the new structure, with groups like Nikon Team and Tanto Team continuing similar targeting patterns in Asia, South Korea, Russia, and Japan, suggesting ongoing missions. The Ministry of State Security (MSS), responsible for counterintelligence and non-military intelligence, is perceived to have taken on a more robust role post-reorganization, with groups like APT3, APT10, and APT26 publicly associated with it, though their activity has paused since US DOJ indictments.

Evolving Tactics and Notable Threat Groups
00:11:01

Post-reorganization, Chinese cyber espionage operations are characterized by lower volume but increased efficiency and stealthiness. Key groups include APT41, known for both cyber espionage and financial gain in the video game sector; APT40, targeting naval interests; and APT19, targeting international law firms with topical lures. Unnamed groups are also using malware previously associated with Chinese espionage, like Toy Snake and Warp, raising questions about re-emergence or shared toolsets within the new SSF structure.

Geographic and Industry Targeting Shifts
00:13:49

Asia has become the primary target for Chinese cyber espionage, making up the majority of post-transitional activity. While the US remains the single most targeted country, its share has significantly decreased from nearly 70% to about 20%. Telecommunications now tops the industry spread list, with long-lasting compromises enabling extensive network mapping and potential traffic interception. The media sector, particularly in East Asia (especially Hong Kong), is targeted to monitor public reactions to events and for economic programs. In Europe and the Americas, common trends include targeting governments for security and diplomatic information, military IP theft, and setting up third-party compromises. PII collection is a unique focus in the Americas.

Changes in Malware and Infection Vectors
00:23:34

Chinese cyber espionage actors have shifted from common Chinese-specific malware and Poison Ivy to more broadly used, publicly available malware like Warer Rat, both B, and Empire, to blend into network traffic. There's also an increased use of Linux and Mac OS malware, with some developed in-house. Modular malware, particularly favored by APT41, allows for extended functionality and reduced initial footprint. In-memory execution (fileless persistence) is also increasingly used, making detection harder. While spear-phishing remains common, the use of zero-days has decreased significantly. A notable trend is the combination of supply chain operations with execution guardrails, as seen in the ASUS utility compromise, which limited payload execution to specific targets and made attribution more difficult.

Types of Data Stolen and Economic Implications
00:30:06

The most commonly observed data stolen is PII, affecting government, healthcare, and travel sectors. IT data is also stolen for network mapping and credential harvesting. Military IP theft continues, focusing on aviation, maritime technologies, semiconductors, and satellites, targeting innovation centers globally. Importantly, there's no direct evidence of commercial application IP theft via cyber espionage, suggesting that while the capability exists, the cost-benefit analysis has changed, possibly due to bilateral agreements or the use of easier, non-cyber means (e.g., M&A, talent recruitment, forced technology transfer). Chinese cyber espionage still supports economic goals by monitoring investments and collecting information for negotiations, but the approach has shifted from direct IP acquisition to a more traditional intelligence-gathering role.

Summary and Future Outlook
00:35:38

Chinese cyber espionage has reached a 'new normal' with a shifted focus to Asia and telecommunications, employing more efficient, stealthy, and sophisticated tactics. Their missions align with traditional intelligence organizations, supporting state security, political, and economic priorities. Looking ahead, China's vast PII repository and advancements in quantum computing, data science, machine learning, and 5G could facilitate global surveillance tactics similar to those used domestically (e.g., social credit system). The presentation concludes with a question about private contractors, confirming that some groups believed to be contractors for the MSS conduct operations, though definitive attribution remains challenging.

Recently Summarized Articles

Loading...