24 November 2023

Charting China’s Climb as a Leading Global Cyber Power


Executive Summary 

Over the past half-decade, Chinese state-sponsored cyber operations have transformed, emerging as a more mature, stealthy, and coordinated threat than in previous years. This new paradigm is exemplified by the widespread exploitation of zero-day and known vulnerabilities in public-facing security and network appliances. It is coupled with a heightened emphasis on operational security, minimizing evidence of intrusion activity, and impeding adversary tracking tradecraft, including through the use of extensive anonymization networks and "living-off-the-land" techniques. 

These observed shifts have likely been influenced by both internal factors, such as major restructuring within China's military and changes in domestic vulnerability regulations, and external factors, including public reporting and exposures by Western governments and the cyber threat intelligence community. This evolution of Chinese state-sponsored cyber operations toward greater stealth and operational security has created a more complex and challenging landscape for target organizations, governments, and the cybersecurity community. 

Chinese cyber-enabled economic espionage activity has evolved from earlier practices characterized by the theft of a very broad range of commercial intellectual property (IP) to a focused strategy geared toward supporting more specific strategic, economic, and geopolitical goals, including those associated with foreign investment projects under the Belt and Road Initiative (BRI) and critical technologies. Consequently, in the context of both cooperative foreign investment and economic competition, governments and corporations may face compromised negotiating positions and unfair competition enabled through cyber espionage. Such targets of persistent Chinese state-sponsored cyber activity must reevaluate risk assessments, recognizing that cyber risk extends beyond data breaches to encompass potential implications for negotiations, competitiveness, and strategic positioning. 

Due to the focus on developing novel exploits for public-facing devices, a vulnerability-centric approach to network defense is insufficient for organizations likely to be persistently targeted by Chinese state-sponsored activity. This emphasizes the importance of improving defense-in-depth measures focusing on detecting post-exploitation persistence, discovery, and lateral movement activity. A large proportion of the targeted public-facing appliances have limited visibility, logging capabilities, and support for traditional security solutions; organizations should consider these factors when initially procuring network appliances in order to enhance the ability to detect and respond to threats. 

Key Findings 

● Chinese state-sponsored cyber operations focus on targets that align with China's military, political, economic, and domestic security priorities. In particular, Chinese state-sponsored groups have regularly demonstrated an adaptability often influenced by geopolitical developments, including the Russia-Ukraine conflict or regional geopolitical flashpoints within the Asia-Pacific region. 

● As China continues to assert its influence and pursue objectives in the Asia-Pacific region, particularly in Taiwan and the South China Sea, public and private sector entities operating in this region are likely to face an elevated risk of both traditional espionage activities by Chinese cyber threat actors and more subversive cyber and information operations. 

● Chinese threat activity groups have shifted heavily toward the exploitation of public-facing appliances since at least 2021. Over 85% of known zero-day vulnerabilities exploited by Chinese state-sponsored groups during this subsequent period were in public-facing appliances such as firewalls, enterprise VPN products, hypervisors, load balancers, and email security products. 

● This focus on exploiting zero-days in public-facing appliances and the rapid weaponization of known vulnerabilities in these products has proved an effective tactic in scaling initial access against a wide range of global targets. With organizations continuing to move to the cloud, a similar heightened emphasis on the targeting of these environments is likely in the near future. 

● The observed sharing of malware and exploit capabilities across Chinese state-sponsored actors is likely enabled by both upstream capability developers and wider domestic policy around software vulnerability discovery and weaponization. 

China’s Evolution into a Leading Global Cyber Power 

In the late 2010s, a new wave of Chinese state-sponsored activity began to emerge that placed a much greater emphasis on hindering detection, attribution, and tracking efforts from governments, security companies, and targeted organizations than in previous years. This evolved approach to cyber operations began to emerge in the aftermath of a period of transition following the Obama-Xi cyber agreement and internal restructuring within China’s military, including the formation of the People’s Liberation Army Strategic Support Force (SSF). This evolution is characterized by multiple overarching factors, including: 

● More purposeful, strategic targeting at a comparatively lower volume than that seen throughout the 2000s to mid-2010s. Despite this, it is not uncommon to identify multiple Chinese state-sponsored groups active within the same network, particularly in high-value intelligence targets within the Asia-Pacific and Central Asia regions. 

● A shift away from traditional initial access vectors toward exploitation of zero-day and known vulnerabilities in public-facing appliances such as firewalls, enterprise virtual private networks (VPN), and mail server software. Many of these devices have limited visibility and logging capabilities and often do not support traditional endpoint security solutions. 

● Mass adoption of large-scale anonymization networks for reconnaissance, exploitation, and command-and-control (C2) infrastructure. These networks have often used compromised internet-exposed internet of things (IoT) and network devices such as small office/home office (SOHO) routers, as well as virtual private server (VPS) infrastructure. 

● Adoption of open-source malware families and exploits, which allow for the rapid weaponization of recently disclosed vulnerabilities, preservation of higher-end custom capabilities, and hindering of attribution efforts. 

● Continued use of shared-capability supply chains through custom malware and exploit developers that supply multiple Chinese state-sponsored groups associated with both the People’s Liberation Army (PLA) and the Ministry of State Security (MSS). 

These changes have likely been driven by several factors, including overall improvements in defensive cybersecurity posture coupled with threat intelligence reporting detailing adversary tactics, techniques, and procedures (TTPs). Western governments and third parties, such as Intrusion Truth, have also increasingly engaged in a policy of publicly disclosing the identities of MSS contractor organizations and personnel. This increased scrutiny has likely led to a greater emphasis on operational security measures from these entities. Finally, internal developments such as the aforementioned intelligence agency restructuring and major developments in China’s efforts to co-opt domestic software vulnerability research for use in offensive operations have likely been additional drivers in the observed changes to Chinese cyber-espionage activity in recent years. Insikt Group has also identified PLA procurement of open-source intelligence (OSINT) services analyzing foreign cyber defenses, cyberattack and defense training systems, and foreign anti-virus products in recent years, all in a likely effort to bolster People’s Liberation Army Strategic Support Force (PLASSF; 人民解放军战略支援部队) and wider PLA offensive cyber operations.
