China's MSS Doxxes and Threatens Taiwanese APT Operators

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Tines.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

China ramped up its name and shame cyber rhetoric this week when it identified and threatened four Taiwanese individuals it alleges are involved in cyber operations targeting the mainland.
The four were named in a Chinese Ministry of State Security (MSS) Weixin post that published the names, passport-style photographs, birthdates, ID numbers and job titles within Taiwan's Information Communication Electronic Force Command (ICEFCOM). The unit was set up in 2017 and brings together the Ministry of National Defense's communication, cyber and electronic warfare units.
This is the second time that the MSS has doxxed Taiwanese military hackers. In September of last year it published the identities of three other alleged cyber operators, but without some of the more granular identifying details.
This latest post also contains a direct threat, per ChatGPT translation:
China's national security agencies warn that "Taiwan independence" is a dead-end road. The government will take all necessary legal measures to hold separatists accountable under the legal framework for punishing Taiwan independence-related crimes, enforcing lifelong prosecution for key figures. Cyber operatives aiding Taiwan's separatist agenda are urged to abandon their illusions and cease their criminal activities.
Nathan Attrill, a China analyst at the Australian Strategic Policy Institute, told Seriously Risky Business that being publicly identified by Beijing could have "serious and immediate consequences".
Attrill said the named individuals may face "tangible risks" particularly if they travel to Hong Kong or countries with strong ties to China. Then there's the implied threat that these operators would face punishment if China were to one day invade and annex Taiwan.
"The recent case of Uyghurs being extradited to China from Thailand serves as a stark reminder of how China can exert influence over foreign governments to pursue individuals it targets," he said.
When compared to US indictments of PRC-based hackers, the MSS's posts are nowhere near as 'good' from our cyber security nerd perspective. Department of Justice indictments provide enough detail to tell the story of PRC hacking campaigns in a way that reassures readers the US authorities know what they're on about. MSS Weixin posts provide none of that and are instead filled with propaganda and invective.
The MSS post this week was also bolstered by three PRC-based cyber security firms releasing related articles within a day. Qi'anxin, Antiy and Anheng Information published their own reports on Taiwanese groups targeting mainland Chinese organisations. The reports don't draw explicit links to the individuals named by the MSS, but the timing suggests coordination between the MSS and the cyber security community.
Dakota Cary, a China-focused consultant at SentinelOne, who has published extensively on Chinese cyber actors, told Seriously Risky Business this was a continuation of a strategy to "match what it sees as US attacks in the public opinion space".
For nearly a decade, the US has employed a "name and shame" approach to expose PRC hacking, publicly detailing cyber campaigns through criminal charges and indictments. Cary said the PRC government chose to respond in kind after a joint 2021 statement from allies, including the UK, EU and NATO, criticised its "malicious cyber activity and irresponsible state behavior". Its initial attempts to out US cyber operations involved the recycling of material from old intelligence community leaks. Lame!
Cary described this week's efforts as "arguably" an improvement over using recycled US leaks.
Even so, in our view, most of the recent MSS publication is just propaganda. For example:
Under the guise of developing "asymmetric warfare capabilities," the DPP [Taiwan's ruling Democratic Progressive Party] has recklessly spent taxpayer money to build a cyber force aimed at attacking and infiltrating the mainland. However, this effort is futile, akin to an ant trying to shake a tree. Internally, the cyber army is plagued by mismanagement, corruption, and dysfunction.
The point of both the propaganda and the doxxing is to intimidate. When the MSS names Taiwanese hackers, that has some bite. By contrast, the US identifying PRC hackers in indictments feels like a symbolic gesture, albeit one that bolsters credibility.
It doesn't have to be this way for Taiwan's cyber operators.
The PRC is an enduring US intelligence target, and various Chinese authorities have published multiple reports about NSA hacking. But they have never outed an American cyber operator because of the agency's robust OPSEC.
It's time for Taiwan's ICEFCOM to take a leaf out of NSA's book and really up its OPSEC standards.
Russia Throws Bombs, but Europe Will Throw Packets
Russia is waging a sabotage campaign against Western interests in Europe. Destructive cyber operations have only played a minor role in these attacks, but retaliation in the cyber domain from Western countries is definitely on the cards.
A new report from the Center for Strategic and International Studies (CSIS) describes Russia's "shadow war against the west". Per the report:
Russia is engaged in an aggressive campaign of subversion and sabotage against European and US targets, which complement Russia's brutal conventional war in Ukraine… Russia's military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (or GRU), was likely responsible for many of these attacks, either directly by their own officers or indirectly through recruited agents. The GRU and other Russian intelligence agencies frequently recruited local assets to plan and execute sabotage and subversion missions. Other operations relied on Russia's "shadow fleet," commercial ships used to circumvent Western sanctions, for undersea attacks.
The report was based on a database of activity. This included "Russian attacks and plots that had (or were intended to have) physical effects, such as weapons and tactics using explosives, other incendiaries, firearms, and anchors for cutting undersea fiber-optic cables".
From a cyber perspective the database captured destructive or disruptive cyber operations, but excluded intelligence-gathering, election interference or disinformation operations.
Cyber operations are often touted as the tool of choice for modern-day sabotage. But electronic attack and cyber operations made up just 15% of attacks, and only a single paragraph is dedicated to them in the report:
Russian agencies utilized electronic attack and cyber operations with physical effects against transportation targets. Estonia, Finland, Lithuania, Norway, and Poland all reported specific incidents of deliberate GPS signal jamming from Russia, which led to navigation errors, flight deviations, and communication breakdowns—endangering the lives of those on board. Several countries, such as Poland, also reported cyberattacks against transportation targets, such as rail lines. More broadly, Russian-linked actors conducted hundreds of cyberattacks against targets in Europe, the United States, and other regions to collect intelligence, deface websites, orchestrate a denial of service, and occasionally conduct sabotage, according to a broader CSIS database of cyber incidents between 2006 and 2025 where losses were greater than a million dollars.
By contrast, other examples cited in the report include fires and explosions at manufacturing facilities that supply weapons or communications equipment to Ukraine, cutting submarine cables, and even assassination attempts.
Several were assassination plots that failed: one in Poland targeting Ukrainian President Volodymyr Zelensky; one in Austria against Bulgarian investigative journalist and director of the Bellingcat investigative reporting group Christo Grozev; and one in Germany targeting Armin Papperger, the chief executive officer of Rheinmetall, a large producer of artillery and tanks that had sent shells to Ukraine. The assassination plot against Papperger was one of the first instances in which Russia attempted to take lethal action against a Western citizen who had no previous connection to Moscow.
There were several other attacks against individuals. One was the assassination in Spain of Maksim Kuzminov, a Russian helicopter pilot who defected from Russia in August 2023. Another was the 2024 assault in Lithuania on Leonid Volkov, a Russian citizen and former close aide of now-deceased Russian opposition leader Alexei Navalny. The assailants, who Lithuanian intelligence assessed were likely "Russian organized," broke Volkov's arm but failed to kill him.
Several GRU entities including its sabotage and assassination group, Unit 29155, conduct cyber operations. But when it comes to killing people, guns and poison are easier options than keyboards.
The report calls for an active and aggressive campaign in response, with one element being "conducting targeted offensive cyber operations against important Russian military and commercial targets, including the networks of Russia's energy sector that are vital to Russia's economy".
This is wrapped up in a larger question of whether Western governments should respond with their own destructive sabotage campaign. The report addresses this directly:
Unlike authoritarian countries such as Russia, this logic [not responding in kind] assumes that democratic countries cannot—or should not—conduct forceful actions against Russia because they are not involved in a declared war. Yet these concerns are largely fallacious, and they reflect a mindset of self-deterrence. Russia, not Europe or the United States, chose to escalate a shadow war in Europe. In fact, a failure to respond will likely increase the likelihood of a protracted Russian campaign.
If you agree, the question for us is: why respond with cyber? Why not hire some local bomb throwers like Russia does? It gets amazing bang for its ruble by recruiting local criminals to carry out destructive acts. The West could do the same.
We don't think it will, though. If Western governments run a counter-campaign, we suspect they'll prioritise stealth and deniability. In that case, destructive cyber operations fit the bill. Slower, more expensive and lower impact, but more deniable and less on the nose.
Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Cyber security layoff reprieve: The White House has told federal agencies that cyber security jobs are national security-related and should therefore be exempt from layoffs. CISA is also reaching out to reinstate probationary employees who had been fired, after a judge issued a temporary restraining order against the terminations.
- A responsible cryptocurrency exchange: The OKX cryptocurrency exchange took steps to prevent abuse after detecting North Korean hackers trying to misuse its services. OKX temporarily suspended its decentralised exchange (DEX) aggregator services so it could implement measures including detecting and blocking the hackers' latest addresses in real time. We are still cynical about OKX's motivations and cryptocurrency in general, but this is a hell of a lot better than the typical crypto theft story.
- End-to-end encryption for RCS: The GSM Association has announced specifications for Rich Communication Services (RCS) that include end-to-end encryption (E2EE). That may one day mean that people will be able to send E2EE text messages directly between iOS and Android phones.
Sponsor Section
In this Risky Business News sponsor interview, Tom Uren talks to Matt Muller, field CISO at Tines. He explains how governments are using carrots and sticks to improve the security of enterprise software. Matt discusses CISA's 'Secure by Design' pledge and the UK NCSC's effort to quantify 'unforgivable bugs'.
In this product demo CEO Eoin Hinchy shows how Tines' Workbench can integrate an LLM into security workflows to gather, analyze, and act on data from both inside and outside your company. This demo includes grabbing IOCs from an external webpage, comparing them to your company's own incidents, and taking actions like resetting passwords.
Shorts
Don't Panic Everyone, the FCC Has a Plan
US Federal Communications Commission (FCC) chair Brendan Carr has announced the formation of a National Security Council within the agency.
The Council's goals are to:
- Reduce the American technology and telecommunications sectors' trade and supply chain dependencies on foreign adversaries;
- Mitigate America's vulnerabilities to cyberattacks, espionage, and surveillance by foreign adversaries;
- Ensure the U.S. wins the strategic competition with China over critical technologies, such as 5G and 6G, AI, satellites and space, quantum computing, robotics and autonomous systems and the Internet of Things.
These are worthy goals.
The day before Carr's press release last week, the FCC announced a "massive deregulation initiative", and published a "Delete, Delete, Delete" public notice that requested input on "every rule, regulation, or guidance document that the FCC should eliminate for the purposes of alleviating unnecessary regulatory burdens".
We imagine improving security will require regulation, so it'll be interesting to see how these conflicting imperatives play out. It will certainly be a win if the FCC can replace unnecessary regulations with ones that meaningfully improve security.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how offensive cyber operations could do so much more than just 'deny, disrupt, degrade and destroy'. Grugq thinks this mindset is rooted in military culture, and he wonders why cyber operations are always so mean.
Or watch it on YouTube!
From Risky Biz News:
GitHub supply chain attack prints everyone's secrets in build logs: A threat actor compromised a popular GitHub Action and added malicious code that prints out secret tokens in project build logs.
The incident took place on Friday and impacted tj-actions/changed-files (hereinafter Changed-Files), an automated action used by over 23,000 GitHub projects.
The action works by analyzing pull requests and detecting which files have changed. It is used in complex CI/CD pipelines to trigger other actions based on what files are changed. It is a basic but very important automation script, which is why it became one of GitHub's most popular actions.
It's still unclear how the attacker compromised Changed-Files, but once they were inside, they added malicious code to every action version—meaning that repos using old versions were also impacted.
[more on Risky Bulletin]
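The detail that matters for defenders in the story above is that the attacker rewrote every version of the action, so any workflow that referenced it by a version tag picked up the malicious code on its next run. A tag is a mutable pointer; a full 40-character commit SHA is not. The script below is an added example (not code from Risky Business, GitHub or the tj-actions project) that scans a workflow file for `uses:` lines and flags references that are not pinned to a commit SHA. The sample workflow is constructed for the example, and the watchlist contains only the action named in the story.

```python
import re

# Constructed sample workflow for this example; not from any real repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""

# Matches a `uses:` step and captures the reference up to whitespace or a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)', re.MULTILINE)
# A full commit SHA is 40 lowercase hex characters; anything else is a mutable ref.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Actions named in the incident described in the newsletter.
WATCHLIST = {"tj-actions/changed-files"}


def is_pinned(ref):
    """True when a `owner/repo[/path]@ref` reference is pinned to a full commit SHA."""
    if "@" not in ref:
        return False
    _, version = ref.rsplit("@", 1)
    return SHA_RE.match(version) is not None


def audit_uses(workflow_text, watchlist=WATCHLIST):
    """Return [(ref, [reasons])] for every `uses:` reference that needs attention."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        reasons = []
        if ref.startswith("./"):
            continue  # local action in the same repository: already under your control
        if ref.startswith("docker://"):
            reasons.append("container image referenced by tag; pin by digest instead")
        else:
            action = ref.split("@", 1)[0]
            if not is_pinned(ref):
                reasons.append("mutable ref (tag or branch); pin to a full commit SHA")
            if action in watchlist:
                reasons.append("action named in a published compromise report; review before use")
        if reasons:
            findings.append((ref, reasons))
    return findings


if __name__ == "__main__":
    for ref, reasons in audit_uses(SAMPLE_WORKFLOW):
        print(ref)
        for reason in reasons:
            print("   -", reason)
```

Run it against `.github/workflows/*.yml` in a repository to get a list of references to fix. Pinning to a SHA means a retagged release cannot silently change what runs in your CI, though it does not remove the need to review the code at that SHA before bumping the pin.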
FBI warns of online file converters that distribute malware: The FBI says that cybercriminals are using free file format and document conversion tools to scrape personal data and deploy malware, and even ransomware.
The warning applies to online websites that convert files between different formats, but also apps that users download on their devices.
[more on Risky Bulletin]