China Slapped for Hacking Campaign, but This Time It Isn’t IP Theft
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Sublime Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
On Monday this week, the US and UK denounced PRC cyber espionage activity that focused on interfering with democracies and their institutions, and announced sanctions and indictments.
The US Department of Justice (DoJ) indicted seven Chinese nationals it said were linked to the APT31 hacking group. The DoJ's indictment said the named individuals had been involved in cyber espionage campaigns on behalf of the Hubei province arm of the PRC's Ministry of State Security (MSS) since 2010.
The US and the UK also imposed sanctions on two of these individuals and the Wuhan Xiaoruizhi Science and Technology Company (Wuhan XRZ), which they said was a front company set up by the Hubei MSS office.
In addition to the 'standard' allegations of prolific IP theft, the indictment also contains a lot of information about the targeting of government and political officials. This is new — previous US indictments of Chinese state-sponsored hackers have (mostly) focused on the theft of IP from private enterprise, while cyber espionage focused on US government targets didn't usually result in indictments as this was, to some degree, considered 'fair game'.
In a public statement issued with the indictments, US Attorney General Merrick Garland also called out the PRC's use of cyber operations to pressure officials and activists. He said "the Justice Department will not tolerate efforts by the Chinese government to intimidate Americans who serve the public, [or] silence the dissidents who are protected by American laws.
"This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyber operations aimed at threatening the national security of the United States and our allies."
UK officials also highlighted attempted foreign interference and the targeting of politicians and democratic institutions.
The UK's National Cyber Security Centre (NCSC) said it was "almost certain" that APT31 was responsible for the targeting of parliamentarians. This targeting is best described in the US DoJ's press release:
The defendants and others in the APT31 Group also sent malicious tracking-link emails to government officials across the world who expressed criticism of the PRC government. For example, in or about 2021, the conspirators targeted the email accounts of various foreign government individuals who were part of the Inter-Parliamentary Alliance on China (IPAC), a group founded in 2020 on the anniversary of the 1989 Tiananmen Square protests whose stated purpose was to counter the threats posed by the Chinese Communist Party to the international order and democratic principles. The targets included every European Union member of IPAC, and 43 United Kingdom parliamentary accounts, most of whom were members of IPAC or had been outspoken on topics relating to the PRC government.
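The "tracking-link emails" the DoJ describes work by embedding a link or remote image whose URL carries a unique per-recipient token, so that a click (or merely rendering the message) tells the sender who opened it and from what IP address. The script below is an added example of the kind of triage check a mail-security team could run for this pattern; it is not code from the newsletter, the DoJ or the NCSC. The sample message and every domain in it (example-tracking.test, example-journal.test, parliament.test) are constructed placeholders, not APT31 infrastructure.

```python
"""Flag per-recipient tracking links and tracking pixels in an email.

Added example: not code from the newsletter, the DoJ or the NCSC. The
message below is constructed for illustration and its domains are
placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: one link carrying an opaque per-recipient id, one 1x1
# remote image, and one ordinary link back to the sender's own domain.
SAMPLE_EMAIL = b"""From: newsdesk@example-journal.test
To: member@parliament.test
Subject: Background on the upcoming hearing
Content-Type: text/html; charset=utf-8

<html><body>
<p>See the <a href="https://cdn.example-tracking.test/r/?id=a1b2c3d4e5f6a7b8&amp;u=member">briefing</a>.</p>
<img src="https://cdn.example-tracking.test/px/a1b2c3d4e5f6a7b8.gif" width="1" height="1">
<p>Our public site: <a href="https://example-journal.test/about">example-journal.test</a></p>
</body></html>
"""

# A long run of hex is the usual shape of a unique recipient identifier.
OPAQUE_TOKEN = re.compile(r"^[0-9a-f]{16,}$", re.I)


class _Collector(HTMLParser):
    """Gather <a href> and <img src> targets from the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))


def registered_domain(host):
    """Last two labels of a host name. Simplification: production code
    should consult the public-suffix list so that e.g. gov.uk is not
    treated as a single site."""
    labels = host.lower().split(":")[0].split(".")
    return ".".join(labels[-2:])


def has_opaque_token(url):
    """True if a query value or path segment looks like a unique tracking id."""
    u = urlparse(url)
    candidates = [v for vals in parse_qs(u.query).values() for v in vals]
    candidates += [seg.rsplit(".", 1)[0] for seg in u.path.split("/") if seg]
    return any(OPAQUE_TOKEN.match(c) for c in candidates)


def analyze_email(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].split("@")[-1]
    sender_domain = registered_domain(sender)
    collector = _Collector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())

    findings = []
    for href in collector.links:
        reasons = []
        if registered_domain(urlparse(href).netloc) != sender_domain:
            reasons.append("link points off the sender's domain")
        if has_opaque_token(href):
            reasons.append("opaque per-recipient token in URL")
        if reasons:
            findings.append({"kind": "link", "url": href, "reasons": reasons})
    for src, width, height in collector.images:
        reasons = []
        if registered_domain(urlparse(src).netloc) != sender_domain:
            reasons.append("remote image off the sender's domain")
        if width in ("0", "1") and height in ("0", "1"):
            reasons.append("1x1 image, classic tracking pixel")
        if has_opaque_token(src):
            reasons.append("opaque per-recipient token in URL")
        if reasons:
            findings.append({"kind": "image", "url": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_email(SAMPLE_EMAIL):
        print(f["kind"], f["url"], "->", "; ".join(f["reasons"]))
```

Run against the constructed message, the first link and the image are flagged while the link back to the sender's own domain is not. The obvious caveat is that legitimate newsletters and marketing mail use exactly the same mechanics, so a hit is a reason to block remote content and look closer, not an attribution on its own.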
The UK also thinks the late-2021 hack of the UK's Electoral Commission systems was "highly likely" caused by a Chinese state-affiliated entity.
The UK's Foreign Secretary called these incidents "attempts to interfere with UK democracy" and described them as "completely unacceptable".
The public statements don't spell out the role these Chinese government cyber operations had in foreign interference, although the indictment mentions "subsequent related malign influence operations".
The indictment says, however, that APT31 was responsible for wide ranging campaigns over 14 years that targeted "thousands of U.S. and foreign politicians, foreign policy experts, academics, journalists and democracy activists, as well as persons and companies operating in areas of national importance, including the defence, information technology, telecommunications, manufacturing and trade, finance, consulting, legal and research industries".
That's much the same as previous PRC hacking indictments, but there are some interesting new details here.
The indictment describes incidents in which APT31 responded to geopolitical events within hours or days, suggesting the group was being tasked directly by the Chinese government.
In March 2018, for example, the US announced new tariffs on imported steel. The following day, the PRC Ministry of Commerce said the PRC would "immediately fight back with a major response". Within hours, APT31 registered malicious domains that were used to impersonate and hence target the US steel industry.
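Impersonation domains registered this quickly are also the kind of thing a defender can watch for: compare each day's new registrations (from a zone file or a certificate-transparency feed) against the domains you actually own. The script below is an added example of that triage, not code from the newsletter or the indictment; the watchlist and the "new registrations" feed are constructed placeholders, not the domains APT31 used against the steel industry.

```python
"""Triage newly registered domains against a watchlist of domains you own.

Added example: not from the newsletter or the indictment. The watchlist and
the registrations feed below are constructed placeholders.
"""
import unicodedata

# Constructed: domains the (hypothetical) organisation legitimately owns.
WATCHLIST = ["acmesteel.com", "steelworks-usa.com"]

# Constructed: a day's worth of new registrations, annotated with what we
# expect the classifier to say about each.
NEW_REGISTRATIONS = [
    "acmesteel.com",        # our own domain, no action
    "acmestee1.com",        # digit 1 for letter l
    "acmesteeI.com",        # capital I for l
    "acmestel.com",         # one letter dropped
    "acmesteel.co",         # same name, different TLD
    "acme-steel-hr.com",    # brand plus a lure keyword
    "steelworks-usa.net",   # same name, different TLD
    "unrelatedbakery.com",  # nothing to do with us
]

# Character pairs that look alike in common UI fonts. Folding i to l is a
# deliberate trade-off: it catches capital-I lookalikes at the cost of a few
# false positives between genuinely different names.
CONFUSABLES = [("0", "o"), ("1", "l"), ("i", "l"), ("|", "l"), ("5", "s"),
               ("3", "e"), ("@", "a"), ("rn", "m"), ("vv", "w")]


def normalize(label):
    """Fold case, Unicode compatibility forms and confusable characters."""
    s = unicodedata.normalize("NFKC", label).lower()
    for a, b in CONFUSABLES:
        s = s.replace(a, b)
    return s


def levenshtein(a, b):
    """Classic edit distance; small enough not to need a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (name, tld). Simplification: treats the last label as the TLD."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def classify(candidate, watchlist=WATCHLIST):
    """Return (verdict, matched watchlist domain) for one candidate."""
    name, tld = split_domain(candidate)
    for legit in watchlist:
        lname, ltld = split_domain(legit)
        if (name, tld) == (lname, ltld):
            return "legitimate", legit
        if name == lname:
            return "tld-swap", legit
        if normalize(name) == normalize(lname):
            return "homoglyph", legit
        if levenshtein(normalize(name), normalize(lname)) <= 1:
            return "typo", legit
        if lname.replace("-", "") in name.replace("-", ""):
            return "brand-in-name", legit
    return "unrelated", None


def triage(registrations, watchlist=WATCHLIST):
    """Return only the registrations worth a human look, with their verdict."""
    hits = []
    for domain in registrations:
        verdict, legit = classify(domain, watchlist)
        if verdict not in ("legitimate", "unrelated"):
            hits.append((domain, verdict, legit))
    return hits


if __name__ == "__main__":
    for domain, verdict, legit in triage(NEW_REGISTRATIONS):
        print(f"{domain:22} {verdict:14} impersonates {legit}")
```

On the constructed feed, six of the eight registrations come back flagged and the two that should be ignored are. The checks are ordered from cheapest and most certain (exact TLD swap) to fuzziest (brand string anywhere in the name), so the verdict tells an analyst how much confidence to attach before they spend time on it.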
Similarly, in July 2020 the US Secretary of State described the PRC's territorial claims in the South China Sea as "completely unlawful". The indictment alleged that, in response, APT31 targeted "a variety of victims in the US and Asia, including the U.S. Naval Academy, the U.S. Naval War College’s China Maritime Studies Institute and an American think tank focused on U.S. national security issues".
This rapid turnaround from geopolitical event to hacking action contrasts with the looser approach to tasking seen at some other Chinese espionage outfits. This leak from Chinese cyber espionage contractor i-SOON, for example, indicated the company was at times hacking first, then trying to sell stolen information to PRC intelligence services.
Compared to i-SOON, this implies a more direct link between the indicted APT31 hackers and Chinese intelligence services. This is consistent with the DoJ's description of Wuhan XRZ, the sanctioned company, as a "front company" for the Hubei MSS office, rather than as a private company doing cyber espionage work.
The indictment also says that from 2017 to 2019 APT31 gained access to seven Managed Service Providers (companies that provide IT or network services to other companies) to target their customers. Access to one California MSP enabled the hackers to access seven customer networks, including "a financial company, a nuclear power engineering company, an enterprise-resources planning company and three additional IT managed service providers".
Another Chinese group, APT10, compromised MSPs to get to targets in what is known as the Cloud Hopper campaign. This campaign was the subject of a joint international attribution and condemnation in December 2018.
Did the international pushback over Cloud Hopper change APT31's behaviour? It's not clear whether the group stopped targeting MSPs after 2019 or whether later MSP intrusions simply aren't mentioned in the indictment.
Regardless of the impact of the Cloud Hopper denunciation, gathering international support is now standard practice.
In this particular case, New Zealand attributed a 2021 compromise of its parliamentary network to a PRC state-sponsored group known as APT40, and Australia issued a supporting statement. Curiously, there was no formal statement from the Canadian government, but the gap was filled by the Finnish police, who announced that APT31 was responsible for a 2020 hack of Finland's parliament.
Will these indictments have any impact? Chinese state-sponsored hacking of intellectual property hasn't stopped despite previous indictments.
James Lewis, Senior Vice President at the Center for Strategic and International Studies, told Seriously Risky Business the indictments were "symbolic actions" intended to warn the Chinese that they were going too far.
Despite that, Lewis thought indictments "are generally a good idea if only because the Russian[s] and Chinese complain about them".
These sorts of public attributions and indictments also have what we call 'educational value'. They inform politicians and the public about how cyber operations are used by authoritarian governments and they also encourage stakeholders to improve security.
This is seen, for example, in public discussion of the threat posed by Volt Typhoon, a PRC group that appears to be preparing to disrupt US critical infrastructure. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly recently told Politico that publicising Volt Typhoon's activities hadn't caused the group to back off, saying that she'd not seen any significant changes and describing the group as "very aggressive… very intent".
However, Easterly also said that CISA had received "pretty extraordinary" engagement from the private sector when it came to tackling Volt Typhoon.
If we can't stop PRC cyber actors, the next best thing is to warn everyone about the risks.
I Feel the Need, The Need For a... Cyber Force?
A new report published this week by the Foundation for Defense of Democracies outlines the case for a US Cyber Force. It makes some compelling arguments.
From the first paragraph of the report:
In the U.S. military, an officer who had never fired a rifle would never command an infantry unit. Yet officers with no experience behind a keyboard are commanding cyber warfare units. This mismatch stems from the U.S. military’s failure to recruit, train, promote, and retain talented cyber warriors.
The crux of the authors' argument is that US Cyber Command is not as effective as it should be because it draws its workforce from the Army, Navy, Air Force and Marines. Cyber capabilities are not a top priority for any of these services and this ultimately results in a shortage of qualified personnel in Cyber Command.
The report includes an array of anecdotal data from 75 interviews with both active duty and retired military officers, which make it clear that Cyber Command is struggling with personnel and skill shortages.
One paragraph describes how cyber skills are not valued within various services:
Many officers have described how service culture denigrates cyber talent, damaging the morale of cyber personnel and eroding retention. "Retention rates of cyber personnel are abysmal," one retired Navy captain remarked. "The biggest reason the services haemorrhage talent is that cyber personnel do not feel valued by their service’s culture." Similarly, a retired Army colonel shared, "I've seen senior warfighting leaders dismissively call cyber research 'book reports,' cyber operators 'nerds,' and cyber capability development 'science projects.'" Only the creation of a new service dedicated to cyberspace can address these kinds of entrenched cultural challenges.
If you want a top-notch cyber workforce, you probably need to develop them in an organisation that actually cares about cyber capabilities.
Traditionally the services — the Army, Navy, Air Force, Marine Corps and Space Force — are responsible for recruiting, training and equipping people for their respective jobs. Given that historical division of effort, a Cyber Force makes sense.
Three Reasons to Be Cheerful This Week:
- Auf Wiedersehen Nemesis: The German federal police announced they had seized Nemesis darknet market server infrastructure and shut it down. Nemesis had more than 150,000 registered users and 1,100 seller accounts, almost 20% of which were from Germany.
- Six more countries sign up to counter spyware: Finland, Germany, Ireland, Japan, Poland, and South Korea have signed up to a US-led anti-spyware coalition, which now includes 17 countries.
- US House passes data broker foreign sale bill: The US House of Representatives has passed a bill that would bar data brokers from selling Americans' sensitive data to foreign adversaries. The intent mirrors a recent executive order that we discussed earlier this month.
Sponsor Section
In this Risky Business News sponsor interview, Catalin Cimpanu talks with Josh Kamdjou, co-founder and CEO of Sublime Security. Josh describes how Sublime applied the concept of attack surface reduction to email security last year, how it works, and what customers are saying about it.
Shorts
Shining A Spotlight On The People Search Industry
Krebs on Security has been on a tear turning over rocks in the US people-search industry. People-search services enable users to find a scary amount of information about individuals, starting with just a name, physical address, or email address, for example.
One investigation resulted in Mozilla ending its partnership with Onerep, an identity protection service bundled with Firefox. Krebs found that Onerep's CEO had "founded dozens of people-search networks over the years".
Another investigation found a China-based US-focused people-search service whose owners appear to be fabricated personas.
US Announces Water Sector Cybersecurity Task Force
The US Environmental Protection Agency (EPA) is convening a task force and trying to work with the states to safeguard water sector infrastructure.
The administration announced the task force in a letter to state governors asking for cooperation. Threats to water infrastructure have been on the rise, but the federal government doesn't have much regulatory clout over the sector.
Previous efforts to shoehorn cyber security standards into EPA regulations were challenged in court, so asking nicely is probably the best that can be expected right now.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at Russia's recent leak of an intercepted German military discussion. From an intelligence point of view, the content of the discussion is only moderately interesting, but Russia decided to leak it in an attempt to influence European attitudes towards providing military aid to Ukraine.
From Risky Biz News:
EU bans anonymous crypto payments: The EU Parliament has passed new anti-money laundering legislation that bans anonymous cryptocurrency payments.
The legislation applies to payments made through online service providers, also known as hosted wallets. It also applies to platforms that exchange virtual currency for regular fiat currency. It does not apply to owners of hardware and self-hosted wallets.
The new rules come to complement the EU's MiCA (Markets in Crypto-Assets) framework, which passed last year and is scheduled to go into effect on December 30, 2024.
[more on Risky Business News]
US sanctions Russian disinfo peddlers in LATAM: The US government has sanctioned two Russian nationals and their respective companies for running years-long Russian disinformation campaigns across Latin America.
The US Treasury Department has levied sanctions against Ilya Andreevich Gambashidze, the founder of the Moscow-based company Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin, the CEO of Russian company Structura.
The sanctions come six months after a State Department report identified the two and their companies as the central pieces in Russia's disinformation effort across Latin America.
The two—together with a third company that was not yet sanctioned—managed a sprawling network of websites and operatives across Latin America.
[more on Risky Business News]
MFA bombing on Apple devices: Brian Krebs looks at a recent trend where threat actors are combining MFA bombing and social engineering to target and lock Apple users out of their accounts and devices.