Summary:
Keypoints:
- China’s cyber operations are primarily conducted by the PLA, MSS, and MPS.
- Since 2021, MSS has been more prominently linked to cyber operations than PLA.
- Patriotic hackers have transitioned from hacktivism to professional roles in state-sponsored operations.
- Private companies are increasingly involved in providing cyber offensive capabilities to state actors.
- The hack-for-hire ecosystem in China is expanding, with state actors subcontracting cyber services.
MITRE Techniques
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Exploitation of Public-Facing Applications (T1190): Targets vulnerabilities in publicly accessible applications to gain unauthorized access.
- Credential Dumping (T1003): Extracts account login information from operating systems and software.
- Data Encrypted for Impact (T1486): Encrypts data to disrupt access and extort victims.
- Supply Chain Compromise (T1195): Targets third-party software or hardware to gain access to a primary target.
Executive Summary
- The People’s Liberation Army (PLA), the Ministry of State Security (MSS) and the Ministry of Public Security (MPS) are the three main state actors conducting state-sponsored offensive cyber operations for the interests of the Chinese Communist Party (CCP).
- From 2021 onward, Sekoia observed that operations attributed to China were mostly linked to the Ministry of State Security (MSS) rather than the People’s Liberation Army (PLA). More broadly, since the 2015 PLA reform, malicious cyber activity attributed to MSS-sponsored entities has increased, while activity attributed to the PLA has declined.
- Provincial departments of the MSS and the MPS enjoy a large degree of autonomy to conduct cyber operations and rely on private companies to outsource offensive capacities.
- In addition to state actors, civilian actors also took part historically in state-sponsored operations. This is the case of the first communities of patriotic hackers, which conducted hacktivist campaigns in reaction to geopolitical events, and were progressively integrated into state-sponsored operations.
- The role of patriotic hackers in Chinese cyber offensive capacities is highlighted by their participation in the development of malicious payloads used by China-nexus APTs, such as PlugX and ShadowPad. This proximity was encouraged by the policies of Xi Jinping, who made Military-Civil Fusion (MCF) a national strategy in 2015.
- The CCP policy regarding activities of patriotic hackers changed after 2002, leading patriotic hackers to stop hacktivism and professionalise. Today, many of these individuals work for private companies and maintain parallel activities like cybercrime.
- Recent leaks from the Chinese IT company I-SOON revealed important details about the current hack-for-hire ecosystem in China. State actors subcontract cyber offensive services at the provincial and the city levels.
- State actors increasingly outsource cyber offensive capabilities to private entities, a trend fueled by ministries like the MSS collecting vulnerabilities from researchers and companies. These vulnerabilities are then weaponized and used as exploits in state-sponsored operations.
- The companies providing cyber offensive capacities to state actors are long-established tech giants, but also smaller companies offering niche digital services, like I-SOON. China-nexus APTs are likely to be a mix of private and state actors cooperating to conduct operations, rather than being strictly associated with single units.
Introduction
Recent reports about the People’s Republic of China (PRC) cyber capabilities highlighted a substantial arsenal mobilising institutional and military actors, as well as private companies providing hack-for-hire services for governmental operations. These findings pointed out the complexity of attributing attack campaigns to specific clusters of malicious activity and of tracing Chinese state-sponsored units over time.
This report aims to present the Chinese offensive cyber ecosystem, its key actors, their roles and their relationships, based on Sekoia’s analysis of the latest cyber campaigns attributed to China, open source reports, and interviews conducted with prominent researchers on the topic. Thanks to Ivan Kwiatkowski, Dakota Cary and Eugenio Benincasa for their time and insights into this subject.
The cut-off date for this paper is 12 November 2024.
Source: Original Post