China is now the world’s biggest sponsor of cyber-attacks on organisations in the West, ahead of Russia, North Korea and Iran, as state-sponsored hackers increasingly target IT networks to gain access to intellectual property and other trade secrets.
Most of the cyber-attacks sponsored by China are aimed at major technology firms, universities, government departments, think-tanks and NGOs with the goal of obtaining intellectual property, although these groups do not target political organisations as frequently as Russian hackers do.
China-sponsored hackers looking for trade secrets, intellectual property
In its “Observations From the Front Lines of Threat Hunting” report, a mid-year review of the most sophisticated cyber-attacks seen in the first half of 2018, security firm CrowdStrike revealed that while 36 percent of China-sponsored intrusions targeted technology firms, many others targeted research institutions, biotechnology companies, universities, and pharmaceutical, defence, mining and transport companies, all of which hold vast repositories of intellectual property and commercial secrets.
According to CrowdStrike, China recently reorganised the People’s Liberation Army (PLA) and in the process shifted responsibility for hacking operations from the Army to private contractors, giving the state plausible deniability. Because these contractors sit outside the formal state apparatus, they operate with fewer constraints, employ large numbers of computer science experts, and have extensive links to hacker forums where malware samples are easy to find.
After analysing 116 “adversary groups”, CrowdStrike concluded that the bulk of them were state-sponsored Chinese groups, while only ten were Russian, eight Iranian and five North Korean; the remaining few were Pakistani, Indian, Vietnamese or South Korean.
The security firm also noted that hacker groups used different methods against different organisations, government departments and NGOs. For example, one group gained access to a victim network in the technology sector over RDP using valid credentials, then used the legitimate Microsoft certutil.exe and expand.exe tools to decode binaries masquerading as Windows Update log files. Both are signed Windows binaries, so this activity blends in with ordinary administration unless process command lines are recorded and reviewed.
Similarly, another group was found establishing persistence on an infected host belonging to a senior executive at a biotechnology organisation. The group modified the Windows Registry to execute two PowerShell commands that used script blocks to read and execute each line of inf32.dat and imeins32.dat. Analysis of the .dat files revealed them to be a keylogger and a file extraction utility, respectively.
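As an added illustration, not code from CrowdStrike’s report or from this article, the following Python shows how the two tradecraft patterns just described could be flagged from endpoint telemetry: certutil.exe decoding a file that carries a .log name, expand.exe consuming the decoded output, and a Run-key value that launches PowerShell to read and execute lines from a .dat file. The event records, field names, paths and registry value names are constructed for the example and are assumptions, not data from the report.

```python
"""Detections for the CrowdStrike-described TTPs above (added example).

The event records resemble Sysmon-style process-creation (id 1) and
registry-value-set (id 13) events. All paths, value names and command
lines are constructed for illustration and are not from the report.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample telemetry (not real data).
EVENTS: List[Dict] = [
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Windows\Logs\WindowsUpdate\WindowsUpdate.20180405.log C:\Windows\Temp\update.cab"},
    {"id": 1, "image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand.exe C:\Windows\Temp\update.cab -F:* C:\Windows\Temp"},
    # Benign certutil use by an administrator: must not alert.
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify -urlfetch C:\certs\leaf.cer"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ime",
     "details": r'powershell.exe -w hidden -c "gc C:\Users\exec\AppData\Roaming\inf32.dat | % { iex $_ }"'},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\inf",
     "details": r'powershell.exe -w hidden -c "gc C:\Users\exec\AppData\Roaming\imeins32.dat | % { iex $_ }"'},
    # Benign autostart entry: must not alert.
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\exec\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
DECODE_FLAGS = {"-decode", "-decodehex", "/decode", "/decodehex"}
PS_EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
DAT_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+\.dat", re.IGNORECASE)


def certutil_decode_alert(ev: Dict, decoded: Set[str]) -> Optional[Dict]:
    """Flag certutil decode operations; remember the output path for correlation.

    Splitting on whitespace is enough for the constructed data; real telemetry
    needs a proper Windows command-line tokenizer.
    """
    if ev.get("id") != 1 or not ev["image"].lower().endswith("\\certutil.exe"):
        return None
    argv = ev["cmdline"].split()
    if not any(a.lower() in DECODE_FLAGS for a in argv):
        return None
    paths = [a for a in argv[1:] if not a.startswith(("-", "/"))]
    src = paths[0] if paths else ""
    dst = paths[1] if len(paths) > 1 else ""
    if dst:
        decoded.add(dst.lower())
    # A decode source named like a log file is the masquerade described above.
    return {"rule": "certutil_decode", "src": src, "dst": dst,
            "masquerade": src.lower().endswith(".log")}


def expand_decoded_alert(ev: Dict, decoded: Set[str]) -> Optional[Dict]:
    """Flag expand.exe acting on a file that certutil previously decoded."""
    if ev.get("id") != 1 or not ev["image"].lower().endswith("\\expand.exe"):
        return None
    for a in ev["cmdline"].split()[1:]:
        if a.lower() in decoded:
            return {"rule": "expand_certutil_output", "src": a}
    return None


def run_key_powershell_alert(ev: Dict) -> Optional[Dict]:
    """Flag Run/RunOnce values that launch PowerShell to execute a .dat file."""
    if ev.get("id") != 13 or not RUN_KEY_RE.search(ev["target"]):
        return None
    details = ev["details"]
    if "powershell" not in details.lower():
        return None
    files = DAT_PATH_RE.findall(details)
    if not files or not PS_EXEC_RE.search(details):
        return None
    return {"rule": "run_key_powershell_dat", "key": ev["target"], "files": files}


def detect(events: List[Dict]) -> List[Dict]:
    """Run the three rules in event order so the certutil/expand correlation works."""
    alerts: List[Dict] = []
    decoded: Set[str] = set()
    for ev in events:
        for alert in (certutil_decode_alert(ev, decoded),
                      expand_decoded_alert(ev, decoded),
                      run_key_powershell_alert(ev)):
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The certutil rule keys on the decode switch rather than on the binary name alone, because certutil is used legitimately for certificate work (the `-verify -urlfetch` event stays silent); the expand rule fires only when its input is the output of an earlier decode, which is the chain the report describes.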
Role of Chinese hackers in recent times
This isn’t the first time that state-sponsored Chinese hackers have been found to be behind a spate of cyber-attacks on organisations in the West. Between May 2016 and late 2017, a hacker group alleged to be close to the Chinese government hacked into a UK government contractor’s network and stole information related to UK government departments and sensitive communication technology.
The group, known as APT15, used the open-source credential-dumping tool Mimikatz and several backdoors, including BS2005, RoyalCLI and RoyalDNS, to reach sensitive information and exfiltrate it to a remote command-and-control (C&C) server.
In November 2017, a U.S. court indicted three Chinese nationals for sending phishing emails to, and conducting malware attacks on, U.S.-based private companies in order to steal sensitive and valuable information. The Department of Justice said the three were residents of Guangzhou, China, and ran a cyber security firm named Boyusec. It added that between 2011 and May 2017 the hackers ‘conspired to hack into private corporate entities in order to maintain unauthorized access to, and steal sensitive internal documents and communications from such private companies’.
The hackers stole trade secrets and sensitive corporate information from GPS maker Trimble Inc. so that they could use the knowledge in developing a Global Navigation Satellite System technology designed to improve the accuracy of location data on mobile devices. In 2015 they also stole 407 GB of proprietary commercial data about Siemens’s energy, technology and transportation businesses.
Between 2013 and 2014, the hackers also ‘accessed the internal email server of Moody’s Analytics and placed a forwarding rule in the email account of a prominent employee’. As a result they received a copy of every e-mail sent to that employee, including proprietary and confidential economic analyses, findings and opinions. A forwarding rule of this kind survives a password reset and is easy to overlook unless mailbox rules are audited, which is what makes it an attractive form of persistence.