16 May 2023

APT Networks: A Force Multiplier in China’s Push for Global Power

OSCAR ROSENGREN

Chinese Advanced Persistent Threat (APT) actors constitute a substantial threat to private and governmental entities from local to global levels. As contemporary geopolitical tensions in the Asia-Pacific region and beyond intensify, so do the incentives for Chinese operations in cyberspace.

China’s APT network is a large web of intertwined actors capable of conducting sophisticated cyber operations against its opponents. While not every APT group is attributed to the Chinese government, Beijing is known to use APT actors to pursue its national interests. The United States (US) Office of the Director of National Intelligence 2021 Annual Threat Assessment states that China possesses substantial cyber capabilities and presents a considerable cyber threat towards digitised societies [source].

With target sectors primarily focusing on critical infrastructure objectives, hostile operations range from mere espionage activities to disruptions of highly developed systems, with potential spillover to other actors in the supply chain. Hence, Chinese APT actors constitute a considerable threat to the ever-evolving digital attack surface.

While not an exhaustive list (at times, accessible information is very brief), this article aims to give a broad and, wherever possible, detailed description of known Chinese APT groups and how they correlate with China’s geostrategic aspirations.

1.1. Disclaimer

Attribution is a very complex issue. Groups often change their toolsets or exchange them with other groups. Therefore, be aware that information published here may quickly need to be updated or altered based on evolving information. Moreover, cyber security companies and antivirus vendors use different names for the same threat actors and often refer to each other’s reports and group names. It is difficult to keep track of the different terms and naming schemes, but below are additional lists of known alternative names for each group.

1.2. Terminology

APT: “An APT uses continuous, clandestine, and sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period, with potentially destructive consequences” [source].

Phishing: Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers [source].

Spear phishing: Spear phishing is an email or electronic communications scam targeting a specific individual, organisation or business [source].

Zero-day: A zero-day vulnerability is an unknown exploit that exposes a vulnerability in software or hardware and can create complicated problems before anyone realises something is wrong [source].

Supply chain: A digital supply chain is a set of processes that use advanced technologies and better insights into the functions of each stakeholder along the chain to let each participant make better decisions about the sources of materials they need, the demand for their products and all of the relationships in between [source].

Trojan: A Trojan is a malicious program downloaded and installed on a computer that appears harmless [source].

1.3. The Expanding Digital Attack Surface

The digital attack surface refers to “the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment” [source].

Increasing interconnectedness enhances potential entry points and vulnerabilities towards unauthorised access to protected systems. Developed countries depend on broad domestic and foreign networks of digital solutions that offer efficiency and comfort. But with comfort comes vulnerability; as critical infrastructure is more and more interconnected, the entry of a malicious actor in one system may have spillover effects to a wide range of sectors nationally and globally.

The digital attack surface is expanding at unprecedented levels, making preventive efforts extremely difficult. Today, any internet user is a potential entry point and target for access to systems along complex supply chains. The gap between development and security is being utilised by hostile actors in cyberspace, ranging from lone actors to nations. China’s cyber groups are using this gap, continuously conducting complex malicious cyber operations targeting international adversaries [source; source].

2.0. China’s Push for Global Power

China is pursuing a whole-of-government effort to spread its global influence. Through significant innovation and industrial policies, the country is increasingly trying to enable competitive military advances, seek independence from foreign technologies, and sustain economic growth. In its competitive relationship with the US, China is combining military, economic, technological, and diplomatic strategic goals pursuing intentional cooperation and securing what it perceives as a Chinese territory at the expense of US international influence.

China continuously expands its global influence through the Belt and Road Initiative (BRI). It almost explicitly targets Western research, technological, financial, and military sectors, utilising various tools from public investment to espionage and theft [source].

Offensive cyber capabilities constitute a crucial element in China’s push for global power. China’s ecosystem of APT actors, with substantial resources, presents a prolific and influential espionage threat and, increasingly, a potential kinetic cyber threat. China’s APT network is launching cyber-attacks that could disrupt the opponent’s critical infrastructure. In addition, the country is coordinating large-scale cyber intrusions targeting civilian and non-civilian entities. Furthermore, cyber-espionage operations offer valuable opportunities for intelligence collection, attack, or influence operations. The country’s global intelligence footprint is expanding as China is utilising its cyber capabilities to support its growing global political, economic, and security interests.

3.0. China’s Cyber Capabilities: An Introduction

3.1. History

China’s interest in offensive capabilities in the digital environment began shortly after the Gulf War in 1995. The US’s swift victory in Iraq laid the foundation for a revolution in military affairs and the beginning of modern digital warfare capabilities by integrating information technology into its military strategy.

In 2003, Chinese operations in the digital environment became apparent. In a series of incidents code-named “Titan Rain”, US investigators traced several cyber espionage operations to computers in southern China. Researchers soon tracked the actors to the Chinese army. From that point, further incidents followed, all with the same objectives: espionage and theft of intellectual property. In 2013, the American cyber-intelligence firm Mandiant released a report assessing that the China-linked group APT1 had stolen hundreds of terabytes of data from at least 141 organisations since 2006 [source].

China’s APT ecosystem poses a substantial contemporary threat by reorganising its cyber policymaking institutions, developing sophisticated cyber capabilities, and perpetrating industrial-scale cyber espionage. China’s activities in cyberspace are highly stealthy and agile and bring potential kinetic effects to the target systems [source].

3.2. Chinese Cyber Doctrine: Information Operations

Having spent the last few decades integrating offensive cyber capabilities into the broader operational concept of information operations, units within the People’s Liberation Army (PLA) are the primary coordinators and strategists of China’s offensive operations in cyberspace. According to PLA strategy, information operations constitute an element in which information is a domain and the central means to wage war. Hence, cyber operations are a crucial part of the modern battlefield. Together with electronic, space, and psychological warfare, they contribute to the concept of information operations.

In Chinese doctrine, the elements in information operations are coordinated as strategic weapons to disturb and sabotage an opponent’s system of systems. Victory is achieved by superior information advantage. It is centred on defending China’s ability to collect, use, and share such resources and denying its opponents’ abilities. Thus, cyber capabilities are a crucial part of China’s push for global power.

As a part of China’s extensive military reforms, the country established the PLA’s Strategic Support Force (SSF) in December 2015. SSF’s primary responsibility is cyber operations. The entity consists of two divisions: a Space Systems Department (SSD) and a Network Systems Department (NSD). The SSD focuses on space-related communications, computers, intelligence, surveillance, and reconnaissance. The NSD primarily focuses on cyber operations, electronic warfare, and psychological operations. In addition, both divisions are responsible for strategic intelligence and counter-space operations [source].

3.3. Common Motives

China’s main focus in cyberspace is espionage activities and theft. With the US as a primary competitor, China’s cyber operations mainly target sectors assessed to give China a competitive advantage [source]. Furthermore, Chinese APT groups utilise cyberattacks below the threshold of war to coerce rivals, targeting government entities, multinational corporations and even small businesses [source].

4.0. China’s APT Ecosystem

4.1. APT1

First detected in 2006, APT1 has systematically conducted espionage activities, stealing hundreds of terabytes from at least 141 organisations. The group primarily focuses on Western targets and has been attributed to the Chinese military, namely the People’s Liberation Army (PLA) Unit 61398 (formerly of the 2nd Bureau of the PLA General Staff Department’s (GSD) 3rd Department), commonly known as Unit 61398 [source].
