The PLA's Cyber Operations Go Dark

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. 

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

A new report describes the evolution of China's cyber capabilities over the past 30 years, including the incorporation of independent hacktivists into state-linked groups and the rise of the Ministry of State Security (MSS) as a hacking force. Most interestingly, the report examines the reorganisation of the People's Liberation Army (PLA) and the decline in reports of operations linked to the country's military hackers since 2017. 

The report, from security firm Sekoia, describes three primary state actors that carry out cyber operations for the Chinese Communist Party (CCP): the MSS, the PLA and the Ministry of Public Security (MPS).

Several years ago, the PLA was China's major cyber espionage actor. Mandiant's groundbreaking 2013 report, for example, linked the operations of a prolific actor it dubbed APT1 to a specific element in the PLA's General Staff Department, Unit 61398. Mandiant said the unit was responsible for stealing hundreds of terabytes of data from nearly 150 organisations spanning 20 major industries, and tied the organisation to a specific 12-storey building in Shanghai. 

PLA operations appear to have declined in number since then, for reasons that are not clear. 

Factors that might have contributed include the APT1 report itself, the US government strategy to publicly denounce unacceptable behaviour, including indicting hackers associated with Unit 61398, and a 2015 President Xi Jinping (China)-President Barack Obama (US) cyber security agreement to not 'knowingly support cyber-enabled theft of intellectual property… with the intent of providing competitive advantages to companies or commercial sectors'. 

The PLA also underwent significant reform over that time. In 2015 its cyber units were brought alongside space and electronic warfare elements under a 'Strategic Support Force' command (SSF). In April of this year the SSF was dissolved and its cyber elements elevated to a 'Cyberspace Force'. 

Nowadays, the MSS is the big kahuna and, since 2021, has been linked to the majority of cyber operations attributed to the PRC.

Sekoia floats a number of hypotheses to explain the apparent decline of the PLA's hacking relative to the MSS. One is that the MSS stepped up and assumed more responsibility for the worldwide strategic 'steal all the IP'-style campaigns that the PLA had been carrying out. 

Of course, what would that leave all the PLA's hackers doing? Sekoia's conclusion here is that the PLA has been retasked to directly support military operations. 

Military and government organisations are typically security-conscious hard(er) targets and long-term access is highly desirable, so these types of operations place a premium on stealth. Additionally, victims are also less likely to publicly disclose incidents in which they have been successfully targeted. 

Although the report doesn't mention Volt Typhoon, the behaviour of this group is entirely consistent with Sekoia's hypothesis. Volt Typhoon is the Chinese group that appears to be developing the capability to disrupt US critical infrastructure in the event of military conflict and uses difficult to detect 'living off the land' techniques. As an aside, this Washington Post report cites US and industry security officials linking Volt Typhoon to the PLA, although there are no publicly available official reports that confirm this. 

Mandiant reckoned in 2013 that APT1 (aka the PLA's Unit 61398) was a large organisation with "at least dozens, but potentially hundreds of human operators". These hands on keyboard operators would need to be supported by "linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors". 

In retrospect, it may be significant that in 2014, Xi Jinping called for China  to become a 'cyber power'. Unit 61398 is just one of the PLA's cyber units and has essentially disappeared from open source reporting. How much critical infrastructure disruption does hundreds of APT operators buy you? 

While there are operational drivers that encourage the PLA to hack quietly, there is a different dynamic at play when it comes to the MPS cyber operations. The MPS is China's national police force and Sekoia hypothesises that the Ministry's focus on internal security threats such as dissidents and the CCP's 'five poisons' (advocates for democracy, Taiwan and Hong Kong independence, Uyghurs and the Falun Gong) doesn't overlap all that much with the interests of Western cyber security firms. Another confounding factor is that both the MPS and MSS outsource operations to China's cyber contracting companies, so that public security operations could end up being linked by cyber security firms to the MSS because they both used the same cyber contractor, for example. 

The report provides a high-level overview of the Chinese hacking ecosystem, but of course the threat actor to be most worried about is the one you hear the least about. 

Malicious Actors Quick to Jump on 0days

Rapid exploitation of 0day vulnerabilities is the new normal, warns a joint advisory issued by Five Eyes cyber security authorities. 

The advisory says that in 2023 "the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day". This is a shift from previous years when the most exploited vulnerabilities tended to be unpatched older ones.

Risky Business News notes: 

CISA's list complements another recent report from Google's Mandiant division that found that of the 138 vulnerabilities disclosed last year, 70% were first exploited as zero-days—before patches were available.

A conclusion that can be drawn from both reports is that threat actors are investing in exploit development more than they have in the past, hoping to go on massive hacking sprees before patches are available.

This doesn't look like a trend that is going to go away any time soon. Last Friday 0-day vulnerabilities were reported in Palo Alto networks firewall appliances and Fortinet's Windows VPN client. (Note: Risky Business News described the Fortinet vulnerability as a design flaw rather than an 0day.) 

The joint cyber security advisory contains the usual advice to end-user organisations to 'be prepared to patch quickly'. This recent Palo Alto bug is a case study in the difficulty of this approach. It is a pre-authorisation remote code execution bug on the firewall's web management interface—so it is bad—but despite being aware of its possible existence, Palo Alto Networks wasn't able to do anything about it. Per Risky Business News:

The Palo Alto zero-day is believed to be related to an alleged exploit sold on the Exploit hacking forum earlier this month.

Source: @phantmradar on X

…

Until last week, Palo Alto engineers couldn't prepare a patch due to the limited information about the "supposed" exploit or if it existed. With confirmed attacks, we expect the company to have something out throughout the week.

Once a patch is issued, end-users must then spring into action, so there is obviously a window of opportunity for cyber crooks here. Given the inherent delays in patching, it simply isn't possible to patch our way out of widespread 0day exploitation. 

Another part of the advisory recommends that vendors implement practices that will result in more secure products. What a grand idea!  We are struck by how often the same vendors of enterprise products appear on these most exploited lists. If only there were some way to introduce financial incentives that would encourage vendors to improve their products…

With that framing in mind, we can't help wondering if Palo Alto Networks should have just bought the exploit in the first place. If you squint (a lot), it would be the exact same as a bug bounty program, except the reward would be set by (black) market forces. So capitalist!

Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

1. AI scam-buster I: Google is rolling out scam detection technology to some Android devices. Google says this feature is "powerful on-device AI to notify you of a potential scam call happening in real-time by detecting conversation patterns commonly associated with scams. The device can then warn its user that the call is potentially a scam. 
2. AI scam-buster II: British telco Virgin media O2 has announced it has developed an AI granny persona it calls Daisy to waste scammers’ time by keeping them talking on the phone for as long as possible with "human-like rambling chat". O2 says it "has put Daisy to work around the clock answering dodgy calls" and that she has "successfully kept numerous fraudsters on calls for 40 minutes at a time". Here is a video about Daisy. 
3. Making software repositories safer: The Python Package repository PyPI now supports 'digital attestations'. These improve on traditional PGP signatures because they are more automated (so user error is less likely), provide stronger provenance assurances and are signed with identities and not private keys (so private keys can't be lost or stolen). More detail here. 

Shorts

Changing of the Guard at CISA

Both Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and Deputy Director Nitin Natarajan are expected to leave their posts when President-elect Donald Trump is sworn into office next year. Their replacements could have a significant impact on CISA's direction. 

Writing for Wired, Eric Geller polls experts who say Trump's second term will mean less regulation, abandoning human rights concerns such as abusive spyware and aggressive responses to cyber adversaries. 

Bitfinex Hack Couple Sentenced

Ilya Lichtenstein has been sentenced to five years in prison for money laundering relating to the 2016 theft of 120,000 Bitcoin from cryptocurrency exchange Bitfinex. Lichtenstein stole the funds and then subsequently involved his wife, Heather Morgan, in laundering the Bitcoin. She was sentenced to 18 months for her involvement in the money laundering. 

We first mentioned Lichtenstein in 2022 after the pair was arrested and USD$3.6bn in cryptocurrency seized. The ability to track cryptocurrency flows as described in the indictment was amazing. The stolen Bitcoins were worth USD$71m at the time of the hack and are now worth over USD$10.5bn. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about what cyber weapons really are and why use of the term is counterproductive. 

From Risky Biz News:

Microsoft announces Quick Machine Recovery, a feature to fix future CrowdStrike disasters: At its Ignite developer conference this week, Microsoft announced a new feature for its Windows 11 operating system that will allow admins to remotely fix PCs with booting issues.

The company developed the feature as a way to tackle future cases like the CrowdStrike incident that crashed over 8.5 million PCs in July this year.

The new feature is named Quick Machine Recovery and will allow a company's IT administrators to tap into the Windows Update system to deliver fixes for boot-related bugs that normally require physical access to a machine.

[more on Risky Business News including more security-centric announcements at Ignite]

The US' Microsoft dependency: A ProPublica investigation looks at how Microsoft offered the US government free cybersecurity upgrades in 2021 and ensnared the US government IT apparatus into its closed ecosystem, making it harder to switch to other solutions due to high migration costs.

"The White House Offer, as it was known inside Microsoft, would dispatch Microsoft consultants across the federal government to install the company's cybersecurity products — which, as a part of the offer, were provided free of charge for a limited time. But once the consultants installed the upgrades, federal customers would be effectively locked in, because shifting to a competitor after the free trial would be cumbersome and costly, according to former Microsoft employees involved in the effort, most of whom spoke on the condition of anonymity because they feared professional repercussions. At that point, the customer would have little choice but to pay for the higher subscription fees."

Source: Chris Bing on X

Pakistan preparing VPN ban: Pakistan's religious advisory board has ruled that the use of VPN apps is against Shariah Law. The announcement from the Council of Islamic Ideology comes weeks after the government announced plans to ban VPNs. VPN use exploded in Pakistan after the government deployed a national firewall in July to block access to unwanted information. [Additional coverage in VOA News]