Should your business worry about Chinese cyber attacks?
State-backed hackers are upping the anti, with businesses on high alert over the potential for falling victim to cyber espionage and IP theft
It’s often overlooked, but the threat from China-based cyber adversaries is great – more so than from Russia, according to many experts. This looming threat was, in fact, the subject of a warning from MI5 and the FBI in July, with the agencies jointly calling on organisations to consolidate security practices, and approach Chinese business relationships with caution.
Concerns about China are not new, but the threat is being taken increasingly seriously by the West. The US has acted to blacklist Chinese firms including Huawei following what it calls a dramatic escalation of espionage over the past decade. In the UK, the government removed Huawei devices from 5G infrastructure, while a group of cross-party MPs have campaigned for two Chinese CCTV companies to be banned from operating.
China and Huawei deny any wrongdoing, but cyber security firms say they have evidence the country is active in the geopolitical cyberspace. In 2013, Mandiant released a report on APT1, a team of hackers it traced to China's People's Liberation Army Unit 61398. The group has compromised 141 companies across industries including financial services and aerospace, as well as many government agencies. Almost ten years on, Chinese state-backed hacking groups are widely understood to be among the most active in the cyber espionage industry. Businesses must, therefore, take all the possible measures and precautions to protect themselves from being the next victim.
What are the most common attack vectors?
China is “probably the biggest threat actor of any across the globe”, says Philip Ingram, MBE, a former colonel in British military intelligence. This is fuelled by the fact that the country is “patient” and “will spend months and years perfecting breaches”, he warns.
China’s primary aim is to gain economic and technical advantage, which is why business intellectual property (IP) is among the country’s main targets. “Stealing already mature research and designs could save Chinese industries billions of dollars,” Ingram explains.
In order to obtain this data, China will levy their attacks through an individual such as a postgraduate student at a university where critical research is being carried out, or by compromising networks and cloud service providers. Indeed, universities often find themselves on the front lines of a cyber war.
Cyber attacks are performed by taking advantage of zero-day vulnerabilities and “potentially exploiting back doors or other compromises in components, devices and apps”, Ingram continues.
Cyber criminals have three primary targets for espionage activity, says Ian Thornton-Trump, CISO at Cyjax. These include Western organisations such as those creating new technology; military for competitive advantage; and government verticals for intelligence purposes. “They use a variety of different techniques ranging from traditional recruitment of agents in positions of trust, and computer network and supply chain exploitation,” he explains.
What are the most prominent Chinese threat groups?
Known Chinese cyber gangs can be separated into state-sponsored adversaries and standalone cyber criminal groups, says Adam Price, cyber intelligence analyst at Cyjax.
Chinese adversaries often share attack tools, while some established groups develop their own malware. Overarching this, there are common tactics that the groups tend to share, Price says. “For example, state-sponsored threat groups in several countries including China have been targeting journalists to spread malware or conduct espionage to gain a competitive edge or spread disinformation.”
As well as cyber espionage, Chinese threat groups are known to perform information theft campaigns. Attacks with a focus on gathering information can have two aims, Price says: “Firstly, a threat actor can use data and credentials in an extortion attack, threatening the victim with leaking the information. Secondly, the collected information may be used as intelligence for a politically motivated campaign, or to gain an advantage over opposing countries and organisations.”
Chinese attackers often use phishing to gain initial access into a network. “An email or SMS may contain a malicious document that deploys malware, or link to a compromised site for credential harvesting and banking fraud,” he adds.
Mustang Panda, a state-linked adversary, is known to use lures such as COVID-19 and more recently, documents related to the Russia-Ukraine war to deliver malware to both the public and private sectors. Meanwhile, others such as Aoquin Dragon and Gallium have targeted government organisations and telecommunications to conduct cyber espionage operations, says Price.
Standalone cyber criminal threat groups include Twisted Panda and Storm Cloud. “These vastly differ in their tactics, techniques and procedures and tend to have their own targets, aims and capabilities,” according to Price.
How is the China threat developing?
Amid the complex global geopolitical environment, the threat from China is evolving. It’s important, therefore, businesses are prepared. Ingram warns of the power quantum computing will give Chinese adversaries, as well as the security risks posed by the metaverse, as well as the rise of digital currencies – such as the digital yuan.
China’s cyber crime enterprise is “large, lucrative and expanding quickly”, says Christiaan Beek, lead scientist and senior principal engineer at cybersecurity company Trellix. He says the Chinese cyber criminal underground has recently undergone “drastic changes”, and that it’s “rapidly growing in scope and sophistication”.
It’s also getting increasingly more difficult to separate cyber crime from cyber espionage, says Beek. “We have observed Chinese cyber criminals offering services to spy on businesses and selling commodities that can be used to target organisations or government officials for economic and political espionage.”
How can organisations safeguard against the China threat?
With this in mind, organisations should ensure they’re aware of their own risk and understand where they sit on a Chinese target list, says Ingram. “Good cyber hygiene will mitigate many of the threats.” he says. He also warns businesses to be wary of any device they take into China. “Firms should automatically assume they, and any data they have access to, is compromised if they visit China.”
According to Thornton-Trump, companies should also ensure security background checks on potential employees, “especially those working in highly sensitive research areas”.
This is in addition to using rigorous data management with multi-factor authentication (MFA) and role-based access control as well as “iron-clad logging of all system activity”.
It’s easy to say “patch your systems” but focusing on critical and high-rated vulnerabilities will help avoid opportunistic attacks, says Ian McShane, VP of strategy at Arctic Wolf. “Monitor your infrastructure and network traffic, email and endpoint behaviour, making use of threat intelligence to proactively block known bad sources, destinations and files.”
If you operate in an industry that could be a potential target for China-based adversaries, it’s important to act as quickly as possible. While the risks posed by Russia are often highlighted, many experts believe firms are underestimating the threat from China-linked attackers.
“We are hugely underestimating the threat from China,” says Ingram. “China, from a cyber exploitation perspective, owns cyberspace in a way no other country really does. That’s why there are real concerns raised over Chinese hardware manufacturers including Huawei.”
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.