2016 saw a significant drop-off in cyber-espionage by China in the wake of a 2015 agreement between US President Barack Obama and Chinese Premier Xi Jingping. But over the course of 2017, espionage-focused breach attempts by Chinese hackers have once again been on the rise, according to researchers at CrowdStrike. Those attempts were capped off by a series of attacks in October and November on organizations involved in research on Chinese economic policy, US-China relations, defense, and international finance. The attackers were likely companies contracted by the Chinese military, according to Adam Meyers, vice president of intelligence at CrowdStrike.

The drop in Chinese cyber-espionage may have been influenced by the 2015 agreement, reached as the US considered imposing sanctions against China. The US did so in the wake of the massive breach at the Office of Personnel Management —an operation attributed to China—and a vast economic espionage campaign in which Chinese hackers were alleged to have breached more than 600 organizations in the US over a five-year period.

But Meyers told Ars that the drop may also have been because of a reorganization of China's People's Liberation Army (PLA), in which "they did a rightsizing and reduced 300,000 positions out of the PLA," Meyers said.

The disruption of the PLA's internal offensive hacking capabilities led to an increased reliance on nongovernmental entities in China to perform digital espionage—much as Russia and Iran have turned to contractors (and, in some cases, cyber-criminals) to bolster the capabilities of their intelligence organizations. The three hackers indicted in November of this year, all from the firm BoYu Information Technology Co., are an example of that trend, Meyers said.

The think tank attacks in October and November had all the hallmarks of a Chinese operation. The attackers worked largely during Beijing business hours, used tried-and-true (and widely available) tools, and were highly focused in their attempts to extract data.

"There were a few different techniques," Meyers told Ars, "but the tools were all known stuff." The attacks largely began with attempts to gain access through Internet-facing websites using the Web shell now widely known as the "China Chopper." Once in, the attacks used credential-stealing tools such as Mimikatz, which focus on Microsoft Active Directory. In one case, Myers said, the attackers used a legitimate administrative software tool to go after usernames and passwords. These tools were retrieved from a staging server using shell commands and used to move deeper into the targeted organization's networks.

Once in, the attackers searched for documents with very specific keywords, as Crowd Strike's Adam Kozy wrote in a blog post on the attacks:

Typically, the adversary also retrieved second-stage tools from an external staging server. Actors often searched for very specific strings, such as "china," "cyber," "japan," "korea," "chinese," and "eager lion"—the latter is likely a reference to a multinational, annual military exercise held in Jordan.

Eager Lion would have been of interest to China because it is a demonstration of how the US military collaborates with foreign military powers in a crisis. Information on the operation could be used to look for weak points in the US military's ability to work with other nations' forces for potential advantages, Meyers suggested—particularly if tensions in the South China Sea or with Taiwan led to the US collaborating with other regional military powers in a confrontation with China.

On at least two occasions, the attackers were observed by CrowdStrike's response team "conducting email directory dumps for a full listing of departments within the victim organizations," Kozy wrote. "Not only does this tactic help refine a list of targeted personnel within the organization, but access to a legitimate email server can provide a platform for conducting future spear-phishing operations."

Because the targeted organizations have frequent communications with Western governments, Kozy noted, harvesting email addresses and credentials for access to their mail servers could have been used for later phishing attacks against government organizations.

In one case, the attack was detected both by CrowdStrike's services team and by CrowdStrike's Falcon OverWatch threat hunting team as it began. The attackers were repeatedly thwarted as they attempted to leverage the China Chopper shell:

The operator attempted to access the server using the China Chopper shell for four days in a row, showing particular dedication to targeting this endpoint. The actor attempted several whoami requests during normal Beijing business hours. On the fourth day, after repeated failures, subsequent access attempts occurred at 11 pm Beijing time. This after-hours attempt was likely conducted by a different operator or possibly someone called in to troubleshoot the Web shell. After a quick series of tests, the activity ceased, and no attempts were made over the weekend. Except for the 11 pm login, the observed activity suggests that the adversary is a professional outfit with normal operating hours and assigned tasks.

But after being thwarted yet again in an attempt with a different shell tool, the attackers' professionalism broke down. "As they were being stopped, we saw frustration," Meyers said. "And they ended up taking it out on the [targeted] organization because of that." The attackers launched a low-grade denial-of-service attack against the Web server they had attempted to compromise as a farewell present.

"I would characterize it as unprofessional," Meyers noted, saying that the DoS attack was probably "off the books" as far as the task given the attacker by their customer. "In the post-agreement post-reorg world, if [the PLA] are relying more on outsourced resources, those outsourcers may have a lack of discipline. They took an aggressive and probably unsanctioned move."

This story has been updated with additional information from CrowdStrike to clarify comments made by Meyers.