If you are a Japanese conglomerate, you’ve no doubt been made aware of the threat of cyber espionage and the level of effort that is being expended to compromise the trade secrets and intellectual property of your company.

This multifaceted effort is being launched from within China and is part of a far larger dynamic, which is China’s projection of power within the Indo-Pacific region.

In 2017, the Rand Corporation issued a comprehensive report on China’s efforts to adjust the status quo in the region without firing a shot through the use of “gray zone” coercion focused on three domains: maritime, cyber and space. They asked two hard questions:

How can Washington and Tokyo counteract a determined adversary, such as China, when it is seeking to undermine Japanese control over the Senkakus, intrude into computer networks for the purposes of industrial espionage and national security, and potentially cripple allied space assets in a time of crisis?

How can the allies deter China's gray zone coercion in situations where tit-for-tat strategies are either unavailable or unappealing due to the medium (such as a counterstrike in space)?

The report notes how the difficulty of attribution enables China to operate within the gray zone, which makes deterrence challenging. The Japanese government recognizes that cyber groups within China — acting independently or with the covert support of the Chinese state — are working on an “as needed basis at the behest of the Chinese government” to attack Japanese websites and conglomerates. As long as those efforts do not create a national emergency, they will continue to be treated as criminal activity rather than as acts warranting a national response.

Japanese media note how China, through its long-range planning, is driving toward becoming the global superpower by the year 2050. To achieve that, it must continue to adopt “transformative technologies,” and one way to acquire such knowledge is through espionage, including cyber espionage.

Tracking Chinese cyber espionage

To that end, security researchers at Secureworks have conducted a deep dive into the Bronze Butler threat group, which they assess has been operating out of China since at least 2012. The group’s primary focus has been attacking Japanese companies and stealing their intellectual property and any other confidential data of interest, with an apparent emphasis on companies involved in supporting or supplying critical infrastructure.

How Japanese firms are being infiltrated

The Bronze Butler team uses all the arrows in its quiver to gain access to Japanese intellectual property, not relying on just one avenue of approach. It has been successful in the use of spearphishing, website compromises and exploitation of zero-day vulnerabilities. Interestingly, the group also used steganography to mask malware payload delivery by embedding the payload within animated images.
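A payload hidden inside an animated image is invisible to a signature scan of the image alone, but it often leaves structural traces: bytes appended after the format's end-of-file marker, or oversized comment and application extension blocks that an ordinary encoder would never emit. The script below is an added illustration, not code from Secureworks or from the article, and it does not reproduce any specific Bronze Butler technique; it parses the GIF89a block structure and reports those two anomalies as a triage aid. The `MAX_EXTENSION_PAYLOAD` threshold and the constructed 1x1 sample image are assumptions for the demonstration.

```python
"""Structural triage of GIF files for appended or extension-hidden data.

Added illustration (not Secureworks' or the article's code). Walks the GIF
block structure and reports two defender-relevant anomalies: bytes after the
0x3B trailer, and unusually large comment/application extension payloads.
"""
import struct

GIF_EXTENSION = 0x21
GIF_IMAGE = 0x2C
GIF_TRAILER = 0x3B
COMMENT_EXT = 0xFE
APPLICATION_EXT = 0xFF
MAX_EXTENSION_PAYLOAD = 1024   # assumed triage threshold; tune per environment


def _skip_sub_blocks(data, pos):
    """Walk a chain of GIF data sub-blocks; return (payload bytes, pos after terminator)."""
    total = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return total, pos
        total += size
        pos += size


def inspect_gif(data):
    """Parse a GIF's block structure and return a summary dict with findings."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    _width, _height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))   # 3 bytes * 2^(N+1) entries
    frames = 0
    ext_payload = 0
    findings = []
    while True:
        if pos >= len(data):
            raise ValueError("no trailer: file truncated")
        block = data[pos]
        pos += 1
        if block == GIF_TRAILER:
            break
        if block == GIF_EXTENSION:
            if pos >= len(data):
                raise ValueError("truncated extension")
            label = data[pos]
            pos += 1
            size, pos = _skip_sub_blocks(data, pos)
            if label in (COMMENT_EXT, APPLICATION_EXT):
                ext_payload += size
        elif block == GIF_IMAGE:
            _l, _t, _w, _h, lpacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if lpacked & 0x80:              # local colour table present
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                        # LZW minimum code size
            _size, pos = _skip_sub_blocks(data, pos)
            frames += 1
        else:
            raise ValueError("unknown block introducer 0x%02x at offset %d" % (block, pos - 1))
    trailing = len(data) - pos
    if trailing:
        findings.append("%d bytes appended after GIF trailer" % trailing)
    if ext_payload > MAX_EXTENSION_PAYLOAD:
        findings.append("%d bytes of comment/application extension payload" % ext_payload)
    return {"frames": frames, "extension_payload_bytes": ext_payload,
            "trailing_bytes": trailing, "findings": findings}


def build_sample_gif(comment=b"", appended=b""):
    """Constructed 1x1 GIF89a for the demo, with optional comment block and trailing bytes."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # screen descriptor, 2-entry colour table
    out += b"\x00\x00\x00\xff\xff\xff"               # colour table: black, white
    if comment:
        out += bytes([GIF_EXTENSION, COMMENT_EXT])
        for i in range(0, len(comment), 255):        # sub-blocks hold at most 255 bytes
            chunk = comment[i:i + 255]
            out += bytes([len(chunk)]) + chunk
        out += b"\x00"
    out += bytes([GIF_IMAGE]) + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    out += b"\x02\x02\x44\x01\x00"                   # LZW min code size 2, one sub-block, terminator
    out += bytes([GIF_TRAILER])
    out += appended
    return bytes(out)


if __name__ == "__main__":
    for name, sample in (("clean", build_sample_gif()),
                         ("appended", build_sample_gif(appended=b"\x00" * 102)),
                         ("big-comment", build_sample_gif(comment=b"A" * 5000))):
        print(name, inspect_gif(sample))
```

In practice this would run over email attachments or web-downloaded images in a sandbox or mail gateway; a hit is a reason to detonate or quarantine the file, not proof of compromise, since some legitimate tools also write application extensions (animation loop metadata, for example) and the threshold is deliberately conservative.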

These efforts place the results of Bronze Butler's activity firmly within the gray zone discussed by Rand, as the information being collected and exfiltrated is germane to national infrastructure, policy and planning, and to the sustainability of industry. The group is not directly targeting the national infrastructure itself. One might say the Chinese are collecting this information to build their playbook for the day they do wish to attack Japan’s national infrastructure.

The takeaway for those in industries supporting national infrastructure, in any nation: Protect your intellectual property and your customers' data, because the Chinese and others want to collect that information for their strategic playbook.