Eagle vs. Dragon: The Escalation of Transpacific Cyber Espionage

-

“Cyber espionage is a form of cyber attack that steals classified, sensitive data or intellectual property to gain an advantage over a competitive company or government entity.” 
- VMWare Carbon Black

Recent news surrounding cyber espionage acts attributed to the US and China have reinvigorated my interest in the state of cyber relations between the two superpowers. 

It all started with APT1’s disclosure by Mandiant back in 2004. Ever since Chinese cyber espionage campaigns have been waged against the US and Western world. It is now well-documented that the Chinese government has state-sponsored hacking groups to infiltrate companies with some of the most valuable intellectual property out there. China may justify this how it chooses, the fact remains the government is still targeting private enterprises to steal sensitive information and industrial secrets.

However, the US has also partaken in its fair share of cyber espionage directly against Chinese government entities and state owned enterprises. The NSA’s Tailored Access Operations (TAO) Unit and the CIA’s malware arsenal exists for a reason. 

Back in 2015, the Chinese Premier Xi Jinping met with then POTUS Barack Obama, in the United States, to discuss many things, with cyber espionage being one of them. Obama was able to win a commitment from his counterpart Xi that China would not conduct commercial cyber espionage - after the US warned against severe sanctions.  

“Let your plans be dark and as impenetrable as night, and when you move, fall like a thunderbolt.” – Sun Tzu

Cut to two years later and we now know China was responsible for one of the largest, most valuable and cunning data breaches in history - the Equifax hack. In 2017, credit reporting giant Equifax came clean: It had been hacked, and the sensitive personal information of around 150 million US citizens had been compromised. The credit rating firm held data on more than 820 million consumers as well as information on 91 million businesses. Names, birth dates, and Social Security numbers all gone in an unprecedented heist the world has never seen before. 

On 11 February 2020, the US Department of Justice (DOJ) indicted four Chinese military officers over the Equifax hack. Upon announcing the indictments, Attorney General William Barr called the hack "one of the largest data breaches in history" and that the evidence shows these attackers spent weeks in the company's system, breaking into security networks and siphoning of Terabytes of personal data. 

“Appear weak when you are strong, and strong when you are weak.” – Sun Tzu

Chinese foreign ministry spokesman Geng Shuang denied the allegations the next day and said China's government, military and their personnel "never engage in cyber theft of trade secrets". He said China was itself a victim of cyber-crime, surveillance and monitoring by the US.


On 3 March 2020, a Chinese antivirus vendor Qihoo 360 (also known as 360 Total Security) published its report into a group of CIA hackers which spent 11 years breaking into several Chinese industry sectors including aviation organizations, scientific research institutions, petroleum industry, Internet companies, and government agencies. This group of CIA hackers, dubbed APT-C-39, was publicly disclosed initially via Joshua Adam Schulte, a whistleblower who was responsible for the research, development and production of cyber weapons. Schulte is currently being tried after he gave 8716 classified documents to WikiLeaks, now known as the Vault 7 leak (also known as zero-year due to the vast amount of 0day vulnerabilities).

Qihoo 360’s Advanced Intelligence Center analysed these hacking tools and found that indicators of compromise from prior attacks - dating back years - were all attributed to Vault 7 and the CIA. These leaks cemented the fact that the US was behind this decade-long campaign of cyber espionage against China. 

Analysis:
The United States - like China and other world powers - rarely comments when accused of cyber espionage. Former NSA contractor Edward Snowden, helped the world learn more about secret US campaigns abroad. Whilst US prosecutors and private cybersecurity firms have uncovered what China does. Both countries hack their opponents.

The Equifax hack was not the first nor last state-sponsored data breach, but what is concerning for the US and its allies is that its main competitor has stolen one of the largest databases of personal information ever. What some security experts have suggested is that China could create “targeting packages” whereby its intelligence agency, the Ministry of State Security (MSS), could calculate which sets of individuals are members of which sectors, industries, organisations, enterprises or departments. This dataset will likely be used as the first reference point before any of China’s next cyber espionage campaigns. It has a potential foothold in nearly every organisation in America and many others across the world.

References

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more