This blog post is the second in a series about APT attacks. To read about APT attacks associated with Russian proxies, click here.
Advanced Persistent Threat (APT) groups worldwide tend to have similar characteristics: they are a group of highly skilled individuals, with substantial financial funding and, usually, a solid ideological affiliation. However, as we shall see, not all APT groups are created equal.
In this blog, we focus on the unique behavioral characteristics of APTs associated with Chinese proxies and compare them with proxy players from Russia, Iran, and North Korea.
CyberProof research methods
The hypotheses presented in this post are based on CyberProof research of APT attacks perpetrated in 2022. Using the MITRE ATT&CK™ framework as our methodology, we developed several hypotheses regarding the behavioral characteristics of APTs. In our research, we explored four hypotheses related to the MITRE tactics and techniques used by these groups. Utilizing the open web for references and verification, we were able to corroborate our theories.
The following sections provide a deep dive into our research:
- Hypothesis 1: Governmental policies can be used to predict which sectors will be targeted by APTs associated with Chinese proxies.
- Hypothesis 2: APTs associated with Chinese proxies do more preparation – using preliminary actions and long-term planning tactics.
- Hypothesis 3: APT attacks related to Chinese proxies are expected to become more disruptive.
- Hypothesis 4: Local cultural behavior has an influence on the activity of APTs associated with Chinese proxies.
Hypothesis 1: Governmental policies can be used to predict which sectors will be targeted by APTs associated with Chinese proxies
Since 1953, the Chinese government has periodically rolled out a “Five-Year Plan” (五年计划) – a series of social and economic development goals for the country. The plan identifies the industries that China believes it should strengthen to best promote Chinese interests domestically and globally. APT attack groups related to Chinese proxies often align with those development goals to help gain an economic and political edge – conducting covert activity designed to obtain intellectual property and sensitive information. This means that, in effect, the “Five-Year Plan” can predict which industries and sectors might become targets of threat actors.
Experience has shown that APT groups see the plan as an indicator of potential hacking targets. In the past, companies in the sought-after industries were attacked, lost intellectual property, and in some cases, even went bankrupt.
The latest plan (2021-2025) focuses on making China more self-reliant by developing independent supply chains and asserting its influence in different industries, such as: biotechnology, semiconductors, renewable energy technologies, quantum information & computing, agriculture, transportation, and health & medicine, among others.
Businesses in these sectors are at greater risk of being targeted and should take the appropriate measures to defend themselves. Any companies that potentially could give China an edge need to assume that their data might be vulnerable.
Security experts should regard the plan as a blueprint – enabling them to anticipate potential targets and proactively defend against APT threats.
Hypothesis 2: APTs associated with Chinese proxies do more preparation – using preliminary actions and long-term planning tactics
Our analysis shows that compared to APTs in other countries, APTs associated with Chinese proxies tend to conduct extensive field work, which is reflected in the following ways:
- Reconnaissance: Surveying the landscape and learning the complexities of their target’s networks before launching cyberattacks.
- Resource Development: Developing various tools and capabilities, including by purchasing or infiltrating existing infrastructure that would aid them in their attacks.
The attackers may spend months conducting preliminary actions on potential targets that will allow them to gain initial access and maintain persistence in infected assets.
The following attacks support this hypothesis:
- Cloud Hopper attack: In December 2018, two members of APT10 (a group associated with Chinese proxies) were indicted for taking part in an operation that infiltrated eight managed IT service providers. APT10, believed to be the group behind the attack, recognized the service providers as entry points to gain access to the Managed Service Providers’ (MSPs’) client networks and steal government and industrial data. The APT group carried out meticulous reconnaissance work, analyzing the supply chain of their targets, finding weak links, and identifying potential vulnerabilities. They also mapped out their network architecture, identifying critical systems and locating valuable data repositories. The in-depth reconnaissance work enabled them to understand the network’s topology and plan their lateral movement within the victims’ environments.
- ASUS supply chain attack: In 2019, threat actors associated with Chinese proxies were suspected of being responsible for a supply chain attack against the software company ASUS. Prior to the attack, the APT group conducted extensive reconnaissance to understand ASUS’ network and systems. They identified vulnerabilities and obtained authentic digital signatures. Moreover, the attackers carefully planned the timing of their attack, leveraging a time window when many users would be expected to download and install software updates. This allowed them to maximize the potential impact of the attack.
Hypothesis 3: APT attacks related to Chinese proxies can be expected to become more disruptive
Traditionally, overtly malicious cyberattacks were often associated with threat actors affiliated with proxy players from Iran, North Korea, and Russia. However, the cyber landscape is ever-changing, and APT groups associated with Chinese proxies have started to deploy similar tactics. While they are typically known to conduct their operations discreetly, in recent years we have observed a shift to more overt behavior by Chinese-related proxy players. It is likely that this more aggressive type of behavior will continue to increase.
There are several factors that contribute to this trend:
- Implementation of the “Five-Year Plan” by the Chinese government and the urgent push to fulfill the objectives outlined in the plan. This push makes it more likely for Chinese proxies to adopt a more overt approach and employ disruptive tactics. This departure from their usual modus operandi is a response to the pressure imposed by the plan, which demands tangible results and strategic achievements. Consequently, these threat actors may utilize more techniques to maximize the impact of their attacks, disrupt their targets, and showcase their capabilities.
- APTs related to Chinese proxies continue to evolve and improve their abilities, and as a result, the quality of their attacks improves. They develop more sophisticated Tactics, Techniques & Procedures (TTPs) to infiltrate and compromise their targets. These include Zero-Day exploits, custom-built malware, and advanced social engineering tactics. Additionally, they look to bypass traditional security measures and remain undetected for long periods. This enhanced proficiency enables them to carry out more effective and disruptive cyber operations, like supply chain, watering hole, and island-hopping attacks, among others – causing considerable damage to the targeted organizations’ networks, systems, and data.
- Boosted confidence as a result of past successful operations may lead APT groups associated with Chinese proxies to engage in more disruptive cyber activities over time. By adopting these types of tactics, they aim to send a clear message to their adversaries and assert their presence and capabilities in the cyber landscape.
Overall, the shift and evolution from covert to overt behavior by APTs associated with Chinese proxies reflect the push to support the “Five-Year Plan” goals and an improvement in the quality of their attacks. By adopting disruptive tactics, these threat actors assert dominance and gain a strategic advantage in the cyber domain.
Hypothesis 4: Local cultural behavior has an influence on the activity of APTs associated with Chinese proxies
Chinese cultural behavior plays a role in the cyber activity and hacking campaigns of APTs associated with Chinese proxies, in several ways:
- The concept of “Guanxi” (关系) – which refers to the importance of interpersonal relationships and networks – can have an impact on cyber activism. The cultural emphasis on trust and loyalty within “Guanxi” can play a role in how employees working at companies in China respond to requests from individuals within their personal networks. In the worst-case scenario, this can increase vulnerabilities, as threat actors associated with Chinese proxies may leverage their personal connections to gain access to valuable information or exploit vulnerabilities within target foreign organizations in China.
- The attackers’ patriotic beliefs in collective identity and national pride can fuel Chinese cyber activities. Attackers may view their actions as serving the national interest. They may feel they are protecting their country’s sovereignty and guarding against perceived threats when carrying out covert or overt cyberattacks against foreign entities. The notion of defending China’s interests in cyberspace can be a motivating factor for those involved in hacking campaigns.
- A focus on perseverance and patience can influence the tactics employed by threat actors associated with Chinese proxies. They may exhibit a high level of persistence in carrying out their operations, investing considerable time and effort to achieve their objectives. This can involve long-term reconnaissance, careful planning, and the use of advanced techniques to evade detection and maintain persistent access to target networks.
- Reverence for education and gaining knowledge contributes to the development of skilled cyber operators. China has an educational system that puts emphasis on the fields of science, technology, engineering, and mathematics. Moreover, in the past few years, the same system has encouraged incorporating programming and AI into the school curriculum, for children as young as primary school age. This focus on technical expertise produces highly capable threat actors who possess the knowledge and skills to carry out sophisticated cyberattacks.
National activity and cultural norms impact the cyber activity of threat actors related to Chinese proxies
Research into cyber activity initiated by APTs related to Chinese proxies indicates that Chinese cultural norms and national activities have a significant impact on the behavior of local threat actors. On a macro scale, analyses of the Chinese government’s “Five-Year Plan” can help identify which sectors may be likely targets of cyberattack. More locally, Chinese cultural behavior influences local cyber activity. In addition, compared to other nation-state sponsored attacks, threat groups associated with Chinese proxies are most likely to invest in extensive preparation before conducting cyberattacks, leveraging preliminary actions and long-term planning tactics. Furthermore, APT attacks related to Chinese proxies are expected to become increasingly disruptive, contributing to the ever-changing global threat landscape.