Tag: #cyberthreat

No-limits relationship? China’s state hackers scoop up intelligence on Ukraine… and Russia

No-limits relationship? China’s state hackers scoop up intelligence on Ukraine… and Russia
#2023lifegoals

As we near the end of 2022 we wanted to finish with our opinion related to the Chinese hacker paradise. Not the beaches on Hainan island, but the networks of Ukraine and Russia…

This is something we have taken an interest in since we Tweeted on 15 March 2022 so wanted to pull together some fantastic work that is out there for our community as a little ‘night cap’ before we get back to shining a light on the Chinese cyber machine, exposing their villainous activity and to enable them to ditch their state sponsored computer and escape to Hainan island in 2023.

So pull up a chair, grab a drink and snack of your choice and let’s dive in together.

Russian invasion of Ukraine

For a while we have been researching and reporting on Chinese state cyber activity around the globe. Their malcontent for the rules-based order is evident as is their disregard for intellectual property with all the hard work that goes into this.

24 February 2022 is a date that will forever be etched in the minds of the Ukrainian people and the world as the day the Russians decided to invade Ukraine. The images of the atrocities carried out in Bucha by the Russian army is just one example of the horror show being conducted by the Russian military. The world in unison condemned this activity, but the Chinese Community Party (CCP) was somewhat absent coming just weeks after President Vladimir Putin and President Xi Jinping declared their “no-limits” partnership. Which makes us question: Did the CCP know? Actions speak louder than words.

The Chinese state’s reaction was initially one of neutrality before rolling back as the relationship became an embarrassment to China. Most evident of all was President Xi Jinping signing the final declaration at the G20 summit in Bali, condemning the Russian invasion of Ukraine. Was the partnership ever anything more than a ruse by the CCP?

Now, as we have all seen through the year, it’s not going well. So is the public image of the “no-limits” relationship the full story?

“wait, you are going to invade where?”

Chinese state hackers get involved

In March 2022 the Ukrainian ‘computer emergency response team (CERT-UA)’ issued a warning about cyberattacks on the countries police agencies. The activity was via phishing emails with HeaderTip malware included inside weaponized documents. The message when translated stated “on the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar” which also included an executable with the same name. All of this could easily point back to Russian state hackers. They are invading Ukraine and as such would want to know what is going on in the country. However, an investigation by SentinelOne identified the link between the HeaderTip malware and “scarab” which has links to the Chinese government. This is a fantastic bit of work by SentinelOne exposing a clear link to the Chinese state. This activity is reported within a couple of weeks of the Russian invasion of Ukraine, with Check Point Research (CPR) also flagging that the “frequency of cyberattacks from Chinese IP addresses around the world jumped 72% in the week from March 14 to March 20, compared with the seven-day period before the Russian invasion of Ukraine began”. Why such an interest from Chinese state hackers in Ukraine? Our next stop is to what was happening before the Russian invasion.

On Friday April 1st, 2022, The Times UK released an exclusive outlining the Chinese state’s hacking activity. According to this article, this activity had occurred during the Beijing winter Olympics up to 23 February 2022 (the day before the Russian invasion of Ukraine). What is interesting is that the source stated the hack was widespread, across “600 websites belonging to the Ukrainian defense ministry” but also “Ukrainian government, medical and education networks”.

Chinese state relationship with Russia

So, are we seeing the “no-limits” relationship at work behind the scenes? Having reviewed other avenues there is a mixed picture. Where we see hacking in Ukraine by Chinese state hackers, we also see reporting of Chinese state hackers targeting Russia itself. Of note, SentinelOne state that the Chinese hacker group Scarab mentioned above has previously targeted Russia in a quest to hack, interpreting the “no-limits” relationship tagline in a different way to the Xi Jinping of early February 2022…

As outlined in the National Interest, the CCP is vying to become a “cyber superpower”. It has the numbers, not necessarily the talent, but is a highly capable thief (just ask all the companies who have lost intellectual property over the years). Is this just the Chinese state stealing all the data for themselves? As Tim Starks and AJ Vincens wrote in July 2022 “the Ukraine war could provide a cyberwarfare manual for Chinese generals eying Taiwan” but you could argue it is more than that. China is surpassing its Russian ‘comrade’ and will take advantage of any opportunity to acquire all the information it can get.

@remonwangxt

Not so much a relationship….

On this note, we move to the Chinese state’s targeting of Russia. We start with a piece by CPR in May 2022. Another phishing attempt, another set of emails, another Chinese state cyber hack but this time the target was Russian military research and development institutes (with Belarus thrown in for good measure). What is that saying, ‘all is fair in love and war’? Well, we have love between Xi and Putin, but when Putin’s eyes are on Ukraine, Xi is stabbing his comrade in the back. CPR also flagged that this targeting had overlaps with Stone Panda and Mustang Panda. This seems like a homerun to us.

In a friendship of equals some are more equal than others…and the Russians seemed to know the Chinese state are hacking them to their hearts content. Kaspersky identified Chinese state sponsored hacking activity as early as January 2022. Reported in August by Spiceworks, “Kaspersky blamed Chinese state sponsored hacking group TA428 for a number of phishing attacks targeting industrial plants, research institutes, government agencies and ministries across Russia, Belarus, Ukraine and Afghanistan”. The use of a 17-year-old memory corruption (CVE-2017-11882) was ‘in’ before utilising TTP’s distinct to TA428 with sensitive searches being conducted. Now I don’t know about you but does the above look like an ally you want in a “no-limits” relationship? What were these Chinese state hackers looking for? If you ask us, the Russians clearly are aware of the Chinese state’s hacking campaign against them. They aren’t exactly covering their tracks. The Russian government is desperate, along and weaker than ever.

Dragonbridge and fighting back

Yet all hope is not lost. We are aware we are swimming against the tide here; it appears the CCP is relentless and cannot be stopped. But during a Wikipedia edit war which the hacktivist collective Anonymous state is part of a Chinese influence operation to remove information from Wikipedia, Anonymous hacked the Chinese Ministry of Emergency Management among other websites. It highlights that China’s ‘Great Firewall’ is prone to attacks and exploitation.

The message was on a number of Chinese sites, including on government sites

And on something we haven’t commented on but wanted to wind up with. It would be rude not to mention the botnet menace from Dragonbridge. First flagged by Mandiant in September 2021, not only are the Chinese state hackers stealing intellectual property but they are shifting to the influence game. We see Dragonbridge target events in the US and clearly, we are hitting them where it hurts as they turned their attention to us recently in an attempt to shadowban our content. Now – don’t get us wrong. It is nice to be noticed by the Chinese state hackers. I means we are getting under their skin. But it’s a global redline when they are targeting the Ukrainians with disinformation. Now Dragonbridge hasn’t really been that effective. In our case, having the community identify and flag these accounts has ensured it didn’t really make much of a splash. Thank you to everyone who contributed to spotting Brandi, Monique and the rest of the botnet bandits!

Now both examples demonstrate that although the CCP want to be seen as a “cyber superpower”; they really aren’t. As a community we can continue to expose Chinese state hacking activity, the actors behind the keys and the hypocrisy of the Chinese state. All it takes is that continued vision from the community to flag this hostile activity, keep running down those leads and continue to help us in our quest for the truth.

And finally…..

So alas, the Chinese state hackers are not sunning themselves on a beach, enjoying some time away from the keys and considering a more productive and fulfilling life away from their CCP puppet masters. Instead, they continue to look for any opportunity to target people, companies or countries. Even when those countries are simply fighting for their independent survival….

We hope that these Chinese state hackers walk away from their keyboards in 2023. However, our New Year’s prediction is that they will continue and as such this community needs to stay the course in exposing malign cyber activity: for our loved ones, for our brothers and sisters in Ukraine and for the hard-working people across the globe whom the CCP steal and hack at will.

As always, you know how to get in touch.

Wherever you may be, we wish all our readers a happy holiday. We will be back in 2023. See you for the fireworks.

An (in)Competent Cyber Program – A brief cyber history of the ‘CCP’

FeaturedAn (in)Competent Cyber Program – A brief cyber history of the ‘CCP’

Every so often, we like to take the opportunity to step back from our regular OSINT sleuthing and take stock about why we spend our time doing what we do.

So, we thought we would honour the 100-year anniversary of the Chinese Communist Party (CCP) by pulling together a brief history of how the Chinese cyber programme developed into what it is today and our musings on this trajectory.

Our take on the history of the Chinese Cyber Programme

The First World Hacker War

Cyber is entwined with the real-world. Not a particularly ground-breaking statement. But an important one to make. Real world tensions can spill into the cyber realm, and vice versa. Remember the 2001 China-US tension? To refresh your memory, a US EP-3 aircraft collided with the Chinese F-8 fighter jet and the Chinese pilot was killed. What followed was a sustained DDoS attack against US servers including defacement of the White House and military from Chinese hacktivists. US hacktivists retaliated and it became a cyber graffiti war of sorts. What we found interesting is that it wasn’t until the Chinese called out this behaviour as ‘web terrorism’ that the attacks stopped. 

China: No longer hiding its strength

Former leader Deng Xiaoping touted the mantra of ‘hide your strength and bide your time’ (韬光隐晦). Well, it seems that time has passed, and with Xi Jinping now at the helm, China is certainly showing its strength on the world stage. China is no longer hiding from the world. 

China has aggressively and consistently built its national cyber program, prioritising education in computer science and technology and creating a recruitment pipeline of graduates from within its universities. Its focus seemingly being on offensive capabilities rather than security or intelligence analysis.  

As evidenced in our bottom-heavy timeline (seen above), the CCP have increased their scope for hacking and stealing. What is obvious to any observer is that they hack indiscriminately – friends and enemies are fair game. China’s BRI initiative is even considered a driver of cyber activity, which this graphic from Security Affairs neatly highlights.

Tsinghua university IP traffic aligning with BRI initiatives

And their activity is at an industrial scale. This uptick reflects the CCP’s priorities targeting intellectual property (IP) that have coincided with China’s Five-Year Plans. It is now so common that barely a day goes by without another article reporting Chinese cyber theft. Provides us with lots of rich content though!

Disgruntled Hackers and ties to Academia

Back in 2013, a disgruntled hacker from the PLA (given the name Wang) wrote about his time in the PLA hacking for his country. “My only mistake was that I sold myself out to the country for some minor benefits and put myself in this embarrassing situation,” he wrote on his blog. Few incentives and minimal benefits can lead some to defect and leave. Who knew. We wonder if conditions have changed in China since.

What hasn’t changed however are the links between Chinese hackers and academia. Wang himself co-authored two academic papers whilst at the PLA university. And interestingly, it was this same year that Cyb3rSleuth outed Zhang Changhe. His 9-5 job was as an assistant professor at the PLA Engineering University. Cyb3rSleuth was one of the first public uses of OSINT to attribute Chinese cyber-attacks to named individuals within the Chinese system (having named 10 Chinese hackers in total). Kudos – an inspiration to our platform.

Cyb3rSleuth identifying Zhang Changhe from Chinese social media as a PLA hacker

Further, it was a Tsinghua university (清华大学) IP (self-proclaimed state-owned technological institution) that engaged in network reconnaissance targeting a number of countries actively working with China on their Belt and Road Initiative (BRI) – see image above.

The PLA led the way with cyber hacking back in the 90’s and early 00’s. However, in 2015 there appeared to be a shift within the Chinese government, with the PLA transferring the bulk of cyber operations over to the MSS. After all, when the PLA hack – it’s very clear the direction of activity is coming from within the Party itself. This transfer (at least in the mind of the CCP) enabled plausible deniability following the public indictments of PLA unit 61398 a year earlier. After all, signing cyber agreements with a number for Western countries meant the Chinese military needed to ‘hide their strength’ and fade into the shadows.

Enter the MSS

As dedicated readers will know by now, it is the MSS that we at Intrusion Truth have focussed on for some time. And we do so given their continued support and engagement with criminal hackers. The MSS get something out of this relationship: deniability on the world stage (supposedly). But what do the criminal hackers get out of this? I’m sure some would say ‘security’. After all, the relationship between citizen and the state is deliberately murky. In recent years, there is evidence that China will not prosecute hackers within its borders unless they attack China. However, as indictments have shown, the Chinese state cannot, and do not, protect their own.

China is a vast surveillance state. They monitor everything and everyone. Thus, one could say that their continued denial of Chinese APTs, or cries of rouge actors… is laughable. Chinese APTs leave traces of their activity on the internet. Whether this is due to their naivety, thinking the state will cover their activities, or their inability to understand that the Great Firewall does not actually prevent others connecting to Chinese infrastructure and seeing their mistakes – only they know. Perhaps they have started believing their own propaganda: ‘We are world-leading, stealthy, and advanced threat actors’. Or perhaps they simply do not care? What is evident though is their sloppiness, which is something we are more than willing to highlight, evidence and make public.

State-sponsored theft

Chinese IP theft represents one of the largest transfers of wealth in human history. And their targeting is indiscriminate – from innovation and R&D (rice and corn seeds, software for wind turbines, naval engineering and medical research), to personally identifiable information (PII) and sensitive government documents. Ultimately, anything that provides China an edge is fair game. The methods China uses rely less on physically stealing data, and more on MSS contract hackers being tasked to steal it from within China’s borders.

There is a distinction made between a hacker and a criminal. Some might say one man’s hacker is another’s freedom fighter. Yet there are ethical and moral boundaries which the Chinese continue to violate. Utilising criminals to hack for the state’s bidding, and to do so to steal IP from hard-working companies provides an unfair advantage to prop up Chinese businesses. They can’t be pioneering or forerunners in their own right and seem to have concluded that they need to steal to gain a competitive advantage.  And this is theft condoned and actively encouraged by the Chinese state. A state which is rapidly emerging into a global superpower. It is a powerful message to be sending the world.

Home-grown hēikè

The Wooyun.org shutdown appears to be one of the first events which highlights the CCP’s direction of travel to essentially hoard offensive cyber capabilities by restricting the publication of 0-day vulnerabilities. In a statement on Sina, founder of Qihoo 360 Zhou Hongyi (周鸿祎) stated that it was only ‘imaginary success’ when competing in overseas competitions. Rather, Chinese hackers and their knowledge should ‘stay within China’ so they could recognize the true importance and “strategic value” of the software vulnerabilities. Following this, China restricted travel for Chinese hackers, instead inviting them to compete in the home-grown Tianfu competition. The very same event where the winning vulnerability (Chaos) has been aggressively used to target Uyghurs.

The APT side hustle

An increasing number of reports highlight activity from Chinese APTs deploying ransomware on their victims and hacking for-profit, using the same tactics, tools and occasionally time as their MSS campaigns to conduct this side business. This has included the repurposing of state-sponsored malware in the gaming industry, stealing virtual currencies and selling malicious apps.

A really interesting article on China’s Sina Games portal details an interview with a Chinese hacker. He comments that online games are the most valuable part of the Chinese hacking industry. His reasoning? That China’s internet’s security consciousness is weak. Granted this article is old. But what is interesting is the openness to which a Chinese hacker talks of hacking Chinese netizens for profit. Yet it seems this focus might have changed over the years, with China’s hackers now focusing outside of the Firewall.

The Chinese government is permitting cyber criminals to conduct this activity within its borders. We have evidenced direct involvement of criminal hackers with the MSS, whilst others in the InfoSec community have proven clear Chinese state links to APT intrusion activity.

So, is it tactical toleration on behalf of the MSS to allow these hackers to conduct cybercrime outside of its borders for self-profit? Do the MSS pay their hackers so poorly that they have to let them make money on the side to keep them sweet? Or have the MSS lost control of the criminals it employs to do its dirty work?

We are also seeing greater sharing of tools, techniques and knowledge across Chinese APT groups. This is most evident with Hafnium, where a large number of Chinese APT groups were concurrently and recklessly using the MES vulnerability. Increased crossover in malware and TTPs points to greater knowledge sharing and a higher level of organisation than what China would have us believe.

Chain of command

As we know, Chinese APTs take direction from the Chinese state. This is a pattern starting with front companies, leading back to MSS contract hackers and ultimately to local and regional MSS bureaus. It is becoming increasingly obvious that there is something more at play here. A cyber campaign of sorts; coordinated, run and tasked by seniors within the MSS?

We have evidenced multiple Chinese APTs which have relationships with MSS officers and are behind global campaigns of cyber hacking. Yet China keeps denying responsibility, crying that claims of their APT activity is ‘baseless with no evidence’… we would recommend our blog as some light reading in this regard.

So, who is leading the Chinese Cyber Programme?

Let’s look upwards. Someone is leading the coordination of China’s cyber campaign. The multiple APTs, appearing across various provinces within China, are all linked by the MSS bureaus sitting behind these groups. And there is one person in charge of the MSS.

One person giving the direction.

One person overseeing the Chinese cyber programme.

That person?

Chen Wenqing (陈文清).

Cyber karma

Beijing come across as powerful within the offensive cyber space. After all, their state is actively, aggressively and successfully sponsoring malign cyber activity against fellow states, private companies, industry and individual people. Yet Beijing also see themselves as vulnerable.

The Cyberspace Administration of China (CAC) is the country’s internet regulator and official body for enacting censorship. Recently, it stepped into the controversy around Didi (the ride-hailing app), ordering it to undergo a cybersecurity review ahead of its IPO in New York. The CAC later released a security-review revision in which it said companies holding personal data on at least one million users must apply for a cybersecurity review before any foreign listings.

Are China’s actions causing reactions? It’s almost as if the Chinese government know that their bulk collection of data on Chinese citizens is contentious. They lead the way in stealing PII from foreign governments and organisations – and the CAC know how powerful this data can be. Did they read our article outing APT10 using Uber receipts and are understandably worried about the vast data personal data holdings Didi might reveal on some of their senior officials?

Cyber karma – It is the guilty party that assumes everyone else is doing the same thing as them.

Conclusion

There has been 100 years of the CCP but only 38 years of the MSS. Yet there are a number of questions which remain unanswered (ie, we’d like more evidence to help answer, might we say):

  1. Does Xi know what the MSS are doing in cyber space?
  2. Do the CCP understand how their actions undermine the positive narrative China would like the world to believe?
  3. Does the benefit of the Chinese cyber programme outweigh the costs to the Chinese leadership?

Happy Birthday CCP

生日快乐. As our present to you for reaching this auspicious milestone, we promise to stick with you and keep a close eye on what the MSS cyber programme is up to. We will continue to pen more attribution pieces as long as you support your APTs and deny they are working for you.

Psst. Chinese cyber hackers: If you are reading this, please do enjoy our fun quiz we put together. We feel the flowchart neatly leads to the right outcome.

Is there a pattern?

Is there a pattern?

Readers of this blog will know that our investigations into APT3 and APT10 started with well-known intrusions and ended with the identities of the perpetrators and the identification of a front company connected to the Chinese Ministry of State Security (MSS).

As we pointed out on Twitter in December, there seems to be a pattern developing – a regional office of the MSS creates a company, hires a team of hackers and attacks Western targets. Why the MSS insists on using sloppy contracted hackers is beyond us here at Intrusion Truth, but the pattern is undeniable.

Continue reading “Is there a pattern?”

APT3 is Boyusec, a Chinese Intelligence Contractor

APT3 is Boyusec, a Chinese Intelligence Contractor

In our last three posts we introduced you to APT3 and identified two individuals responsible for purchasing their domain names – Wu Yingzhuo and Dong Hao. An IP addresses in Guangdong, China was associated with some of the domains.

Both individuals have a long history of purchasing APT3 infrastructure. Who do they work for and where do their orders come from?

Continue reading “APT3 is Boyusec, a Chinese Intelligence Contractor”

Who is Mr Dong?

Who is Mr Dong?

In our last post we showed how, through WHOIS data, it is possible to identify Wu Yingzhuo, an APT3 operator who registered domain names for the group and advertised online offering help with Trojan development.

The story finished with http[.]net, a domain name that we showed was connected to APT3, and that was registered to Yingzhuo Wu. In this post we will show how the trail continues and allows us to identify a second APT3 member, Mr Dong.

Continue reading “Who is Mr Dong?”

Who is behind this Chinese espionage group stealing our intellectual property?

Who is behind this Chinese espionage group stealing our intellectual property?

APT3 – also known as Gothic Panda, Buckeye, UPS Team and TG-0110 – was first reported in 2010 by FireEye in their report Hupigon Joins The Party. It is blamed for using a Remote Access Trojan named Pirpi in attacks against the US and UK. The Trojan is usually delivered through malicious attachments or links in spear-phishing e-mails and the group have a history of innovating new browser-based zero-day exploits. FireEye claim that it is one of the most sophisticated threat groups tracked by their Threat Intelligence arm.

Continue reading “Who is behind this Chinese espionage group stealing our intellectual property?”

Coming Soon…

Coming Soon…

In the month that APT10 rocked the world, we believe it is finally time to get to the truth behind “Advanced Persistent Threats” – large-scale Cyber attacks stealing intellectual property from Western companies.

apt10
APT10 targets Managed Service Provider (MSP) networks

We are busy investigating the largest APTs and will soon reveal the truth behind some of these intrusions. Meanwhile, you can read about APT10’s recent activity in PwC’s report, and their historical tools and techniques in FireEye’s report.

Continue reading “Coming Soon…”