For years, China seemed to occupy the quieter end of the state-sponsored hacking spectrum. While Russia and North Korea launched massively disruptive cyberattacks and blurred the line between cybercriminals and intelligence agencies, China focused, prolifically but quietly, on more traditional espionage and intellectual property theft. Today a collective statement from dozens of countries calls out a change in China's online behavior, and how the trail of chaos left by its main cyber-espionage agency increasingly rivals that of the Kim regime or the Kremlin.
On Monday, the White House joined the UK government, the EU, NATO and governments from Japan to Norway in announcements highlighting a series of Chinese hacking operations, and the US Department of Justice separately indicted four Chinese hackers, three of whom are believed to be officers of the Chinese Ministry of State Security, or MSS. The White House statement specifically blames the MSS for a mass hacking campaign that used a vulnerability in Microsoft's Exchange Server software to compromise thousands of organizations around the world. It also blames the MSS for partnering with contractor organizations that engage in for-profit cybercrime, turning a blind eye to, or even tolerating, extracurricular activities such as infecting victims with ransomware, using victims' machines for cryptocurrency mining, and financial theft. "The reluctance of the PRC to tackle the criminal activities of contract hackers harms governments, businesses and operators of critical infrastructure through billions of dollars in lost intellectual property, proprietary information, ransom payments and mitigation efforts," the statement said.
This long list of digital sins represents a significant shift in the modus operandi of Chinese hackers, much of which, according to China watchers, can be attributed to the country's reorganization of its cyber operations in 2015. That is when much of the control over hacking operations shifted from the People's Liberation Army to the MSS, a state security service that has over time become more aggressive both in its hacking ambitions and in its willingness to outsource to criminals.
"They're getting bigger. The number of hacks has gone down but the scale has gone up," said Adam Segal, director of the Digital and Cyberspace Policy program at the Council on Foreign Relations, who has long focused on China's hacking activity. In large part, this is because the non-government hackers the MSS works with do not necessarily adhere to the norms of state-sponsored hacking. "There seems to be a kind of greater tolerance for irresponsibility," Segal says.
The MSS has always preferred to use intermediaries, shell companies and contractors for its hands-on operations, says Priscilla Moriuchi, a non-resident fellow at Harvard's Belfer Center for Science and International Affairs. "This model in HUMINT operations and cyber operations allows the MSS to maintain plausible deniability and create networks of recruited individuals and organizations who can bear the brunt of the blame when caught," says Moriuchi, using the term HUMINT to refer to the human, rather than the cyber, side of espionage operations. "These organizations can be quickly destroyed and new ones created if necessary."
While these contractors offer the Chinese government a layer of deniability and efficiency, they also mean less control over operators and less assurance that hackers will not use their access to enrich themselves on the side, or that the MSS officers who hand out the contracts will not do the same. "In light of this model, it is not at all surprising to me that the cyber operations groups assigned to the MSS are also carrying out cybercrime activities," adds Moriuchi.
The White House statement as a whole points to a large, messy, and in some cases unrelated collection of Chinese hacking activity. It was accompanied by a separate indictment of four hackers affiliated with the MSS, three of whom were MSS officers, all accused of a wide range of intrusions targeting industries around the world, from healthcare to aviation.
But more unusual than the data theft described in that indictment was the mass hacking highlighted in Monday's announcement, in which a group known as Hafnium, now linked by the White House to the Chinese MSS, broke into no fewer than 30,000 Exchange servers around the world. The hackers also left behind so-called "web shells", server-side scripts that let them regain access to those servers at will, but that also introduce the risk of other hackers discovering the backdoors and exploiting them for their own ends: a web shell answers to whoever reaches it, not only to whoever planted it. This element of the campaign was "untargeted, reckless and extremely dangerous," wrote former CrowdStrike CTO and Silverado Policy Accelerator founder Dmitri Alperovitch, along with researcher Ian Ward, in a March blog post. At least one ransomware group appeared to be trying to piggyback on Hafnium's campaign shortly after it was revealed.
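For a defender, the practical consequence of the web-shell problem described above is that the backdoor has to be found and removed, whoever planted it. The script below is an added example written for this page, not code from the article or from any of the organizations it names: it walks a web root for ASP.NET pages that evaluate attacker-supplied request data or spawn a shell, and optionally flags files modified after a known-good baseline timestamp. The directory layout, the page contents and the file name `errorFF.aspx` are constructed for the demonstration; the indicator patterns are generic code-execution idioms, not signatures for any particular campaign.

```python
"""Hunt for web-shell-like ASP.NET pages in a web root (added example).

The sample web root and file contents are constructed here; nothing in
this script is taken from a real incident.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Generic code-execution idioms in server-side ASP.NET pages.
INDICATORS = {
    "eval_of_request": re.compile(r"eval\s*\(\s*Request\b", re.IGNORECASE),
    "unsafe_eval": re.compile(r'eval\s*\([^)]*,\s*["\']unsafe["\']\s*\)', re.IGNORECASE),
    "process_start": re.compile(r"\bProcess(StartInfo)?\b|Process\.Start", re.IGNORECASE),
    "shell_binary": re.compile(r"cmd\.exe|powershell(\.exe)?", re.IGNORECASE),
    "request_to_file": re.compile(
        r"Request\.(Form|QueryString|Item)[\s\S]{0,120}(File\.Write|SaveAs|FileStream)",
        re.IGNORECASE),
}
# A lone process_start hit is noisy (legitimate pages may start processes);
# these indicators, or process_start combined with shell_binary, are what
# we treat as shell-like.
STRONG = {"eval_of_request", "unsafe_eval", "request_to_file"}
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx"}


@dataclass
class Finding:
    path: Path
    indicators: List[str]
    mtime: float


def scan_file(path: Path) -> List[str]:
    """Return the indicator names that make this file look like a web shell."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if any(h in STRONG for h in hits):
        return hits
    if "process_start" in hits and "shell_binary" in hits:
        return hits
    return []


def find_web_shells(root: Path, newer_than: Optional[float] = None) -> List[Finding]:
    """Walk root for script pages that look like web shells.

    newer_than: optional epoch timestamp (for example the last known-good
    deployment). Files modified after it are reported as triage leads even
    without content hits, since a dropped shell is usually newer than the
    install it sits in.
    """
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        hits = scan_file(p)
        mtime = p.stat().st_mtime
        if newer_than is not None and mtime > newer_than:
            hits = hits + ["modified_after_baseline"]
        if hits:
            findings.append(Finding(p, hits, mtime))
    return findings


# Constructed sample pages: one benign logon form, one page that evaluates
# a request parameter as code (the classic one-line shell shape).
BENIGN_PAGE = """<%@ Page Language="C#" AutoEventWireup="true" %>
<html><body>
<form id="logonForm" runat="server">
  <asp:TextBox ID="username" runat="server" />
</form></body></html>
"""
SHELL_PAGE = """<%@ Page Language="Jscript" %>
<% eval(Request.Item["pass"], "unsafe"); %>
"""


def build_sample_webroot() -> Path:
    """Create a throwaway web root with one benign page and one shell-like page."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    auth = root / "owa" / "auth"
    auth.mkdir(parents=True)
    (auth / "logon.aspx").write_text(BENIGN_PAGE)
    (auth / "errorFF.aspx").write_text(SHELL_PAGE)  # constructed file name
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for f in find_web_shells(root):
        print(f"{f.path.relative_to(root)}: {', '.join(f.indicators)}")
```

Run it against a real IIS web root by calling `find_web_shells(Path(r"C:\inetpub\wwwroot"), newer_than=<deploy time>)`; treat content hits as findings to pull for analysis and baseline-only hits as a triage list to diff against a known-good install.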
There is no clear evidence that the MSS's Hafnium hackers themselves deployed ransomware or cryptocurrency mining software on any of those tens of thousands of networks, according to Ben Read, director of cyber espionage analysis at the incident response and threat intelligence firm Mandiant. Instead, the White House's criticism of the Chinese government for blurring cybercrime and cyberespionage appears to relate to other multi-year hacking campaigns that have more clearly crossed that line. In September of last year, for example, the DOJ indicted five Chinese men who worked for an MSS contractor known as Chengdu 404 Network Technology, a group known in the cybersecurity industry as Barium before they were identified, all of whom are accused of hacking dozens of companies around the world in a series of operations that appeared to liberally mix espionage with cybercrime for profit.