China is Conducting a Low and Slow Cyberwar, Attempting to Stay Under the Radar and Maneuver the Global Economy

The potential for cyberwarfare between the United States and Russia is openly discussed, and – if not actually defined – is well understood. The British attitude is clear and defined, and the threat of retaliation – not necessarily cyber retaliation – is explicit.

But few people talk about China and cyberwar. The reason is simple. China is already engaged in its own form of cyberwarfare, but one that does not readily fit into the West’s perception of war and peace. China, the world’s oldest surviving civilization, is taking the long view. It has no interest in winning short-term battles; its focus is on winning the long-term war.

This long view was summarized by Bill Priestap, assistant director, counterintelligence division of the FBI in a statement before the Senate Judiciary Committee this month: “The Chinese government,” he said, “understands a core lesson of the Cold War between the United States and the Soviet Union: economic strength is the foundation of national power. The competition between the United States and China will be greatly influenced, if not ultimately decided, on the strength of our economies.”

The USSR was not defeated by the might of the U.S. military, but by the power of the U.S. economy. In striving to keep up with or surpass the military strength of the West, the USSR was effectively bankrupted into dissolution. China sees a greater likelihood of success against the West by similar means than by open warfare – whether that be kinetic or cyber.

In front of the same Senate Judiciary Committee, assistant attorney general John Demers described the Chinese economic policy as ‘rob, replicate, and replace’. “The playbook is simple,” he said. “Rob the American company of its intellectual property. Replicate the technology. And replace the American company in the Chinese market and one day in the global market.”

It has been alleged that this playbook is visible in the histories of Canadian telecommunications company Nortel and Chinese firm Huawei. Nortel had been a successful global company. But in 2004, senior security adviser Brian Shields discovered Nortel’s systems had been comprehensively hacked. This started in 2000 and continued for ten years.

Shields believes the hacking was undertaken by Chinese government hackers on behalf of Huawei. “This kind of thing is not done by just average hackers. I believe this is nation-state activity,” he later said. On his LinkedIn profile, he notes, “I was the IT lead investigator on the major hacking in 2004 originating from China. I identified the beacon being used and used memory forensics to prove active compromises.”

There is no proof that Huawei was involved in or profited from the Nortel hacks. The fact remains, however, that Huawei rapidly prospered on the world stage while Nortel declined and filed for bankruptcy protection in January 2009. If Shields’ suspicions are correct, this would be a perfect example of ‘rob, replicate, and replace’.

The China version of cyberwar

The battle for economic supremacy is primarily if not entirely being fought in cyber. Given the West’s promise of retaliation for anything that meets its definition of cyberwarfare, China is largely avoiding the sort of destructive activity more usually ascribed to Russia (such as the attacks on France’s TV5Monde and Ukrainian power companies), and North Korea (such as the attack on Sony, and WannaCry).

Since the aim is economic supremacy, and since the state controls everything that is done in China, it would be reasonably accurate to describe Chinese cyber activity as different aspects of a single overall campaign motivated and controlled by China Inc. To defend against this campaign, it is important to understand how China seeks to advance its economy, and how effective Chinese hackers have become.

Understanding China Inc and its cyber priorities is an important first step in defending against Chinese cyberattacks. This requires an understanding of the legal framework underlying China’s approach to cyber operations, the quality of Chinese cyber operators, and the targets and reasons for specific cyber operations.

The legal framework

VerSprite’s geopolitical risk team explains the legal framework. “Several pieces of legislation govern China’s cyber operations,” it told SecurityWeek. “The 2015 National Security Law was an initial comprehensive piece of legislation to articulate China’s overall strategy. The 2017 National Intelligence Law specifically empowered the two parts of the secret police apparatus, the Ministry of National Security (guoan) and Internal Security Bureau of the Ministry of Public Security (guobao).”

Foreign operations largely come under the China Information and Technology Evaluation Center (CNITSEC), which is part of the Ministry of State Security (MSS) spy agency. “The APT3 group,” continued VerSprite, “which is part of CNITSEC, targets foreign entities, and hands over information that it accesses to MSS, to drive broader strategies.”

However, to MSS activities we must add the operations of the People’s Liberation Army (PLA; that is, the Chinese military). It was Mandiant’s 2013 report on APT1 that first awoke the U.S. to the severity of Chinese hacking operations. Mandiant is now part of FireEye. Although the report initially met with both cynicism and criticism, its veracity was later confirmed when the U.S. government indicted five Chinese officers from Unit 61398 of the Third Department of the PLA.

China’s cyber expertise

In 2012, Trend Micro published an opinion piece titled, Peter the Great Versus Sun Tzu. Although it nowhere specifies this refers to Russia versus China, it created an impression that Russian hackers have greater expertise than Chinese hackers. The impression that Chinese hackers are not very clever has lingered – but needs to be revisited.

VerSprite points out that comparisons are odious – or at least onerous – noting that sophistication is not always necessary to achieve a required end. “The low-tech Twitter and Facebook misinformation campaigns, attributed to Russia, which took advantage of both platforms’ glaring vulnerabilities, were enough to achieve basic goals of spreading disinformation and causing confusion.”

But it also points out that China has a stated goal of wanting to close the gap with the U.S. in terms of cyber capabilities. The implication is that China is aware of any shortcomings and has a project to improve its cyber ability.

“The reality,” suggests Priscilla Moriuchi, director of strategic threat development at Recorded Future, “is that Chinese state-sponsored cyber operations have evolved dramatically over the past several years and should be considered as great a threat as Russian operations.”

As with Russia, part of this improvement has been achieved by subcontracting civilian expertise when necessary. “While some of the groups that employ more complex techniques and are effective at maintaining persistence in victims’ networks have been attributed to the PLA, a small but critical number of groups have also been attributed to the MSS, which is China's civilian intelligence agency. These groups include APT3 and APT10, both of which have been attributed to contractors working on behalf of the MSS.”

The accord between China’s President Xi and U.S. President Obama may also have inadvertently led to an increase in Chinese sophistication. “Before the Obama administration started holding them accountable,” comments Paul Kurtz, a former member of the White House National Security Council and now co-founder and CEO of TruSTAR, “China’s attacks were noisier and easier to attribute. Adversaries learn from each other and it should be expected. China took note of Russia, Iran, and North Korea’s tactics. At a minimum, our stated adversaries are becoming more sophisticated, and China is advancing despite the 2015 agreement between Xi and former President Obama.”

Examples of major hacks attributed to China include that of the U.S. Office of Personnel Management (OPM) in 2015, with the loss of detailed information on more than 21 million federal employees and federal employment applicants; and the more recent hack of Marriott hotels leading to the loss of details on 383 million individuals.

While in both cases China Inc is the primary suspect, there is no absolute proof. Accurate attribution in cyber is very difficult, and there are undoubtedly false flags left by hackers to confuse forensic analysis. The tactics and techniques used by the advanced Chinese groups are well known and easily replicated by other advanced groups – and the same can be said for other nation-state actors.

China Inc’s targets

China does not wish to provoke open conflict with the U.S., either cyber or kinetic. But in order to be stronger than the U.S. economically, it must first close the gap in both business technology and military technology. This means that its cyber operations must be sophisticated, targeted and non-destructive.

There are three primary targets: people, military, and critical infrastructure.

People

People are often defined as the weakest link in security. While this has traction at a local level, it is people’s data that is important at an international level. Direct access to credentials that don’t get changed allows easy access to networks. If credentials are not available, then personal details will often be sufficient to frame compelling and potentially irresistible spear-phishing attacks.

Access to large volumes of personal data – especially when those people are high caliber business or government employees – opens the opportunity for future stealthy operations against specific companies or government agencies. The perfect examples are the OPM (government) and Marriott (business) hacks.

This level of information also offers the potential for agent recruitment through coercion (blackmail) or incentive (bribe).

It follows that any business holding the personal details of large numbers of such people is a potential target for elite Chinese government hackers.

Military

Military and associated technology secrets are a traditional target for international espionage of all categories. They are a primary target for China Inc.

A recent example was reported by Symantec. In 2013 Symantec spotted a new group it calls Thrip conducting espionage campaigns from systems located in China. It published a report on Thrip in June 2018.

“This is likely espionage,” said Greg Clark, CEO of Symantec. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies.”

In June 2018 it was reported that Chinese government hackers had stolen 614Gb of data from a U.S. Navy contractor. The data included plans for a new type of submarine-launched anti-ship missile, sensors and submarine cryptographic systems.

In March 2018, it was disclosed that an organization providing services to the UK government had been targeted by the Chinese threat group known as APT15. Researchers believe that the ultimate targets were various U.K. government departments and military technology.

The method is similar to the campaign known as Cloud Hopper. In April 2017, PwC UK and BAE Systems described a widespread campaign by China-based APT10 aimed against managed services providers (MSPs) in at least fourteen different countries. The MSPs are not the ultimate target – rather, it is their customers.

The campaign starts with well-researched spear-phishing to compromise the MSP. From here the attacker obtains legitimate credentials to access the MSPs' client networks that align to APT10's targeting profile – which the researchers claim aligns with China's current five-year plan (FYP) for economic growth.
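As an added example (not code from the original article, nor from PwC or BAE Systems), the following Python shows the client-side check that the Cloud Hopper pattern above calls for: legitimate MSP credentials look valid to any login system, so the constructed logon records are judged against a baseline instead, flagging delegated MSP accounts that arrive from outside the MSP's known source ranges, act outside the agreed maintenance window, or fan out across more client hosts per day than the baseline allows. The account prefix, source range, maintenance window, host baseline and every record value are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed remote-access logon records ("timestamp account source_ip host"), in the form a
# client of an MSP might export them. Every account, address, host and timestamp is made up.
SAMPLE_LOGONS = """\
2018-12-03T02:14:07Z msp-svc-backup 203.0.113.40 db01
2018-12-03T09:30:11Z msp-svc-backup 198.51.100.22 db01
2018-12-03T09:31:45Z msp-svc-backup 198.51.100.22 fileserver01
2018-12-03T09:40:02Z msp-svc-patch 198.51.100.23 ws-0142
2018-12-04T03:05:19Z msp-svc-patch 203.0.113.40 dc01
2018-12-04T03:06:01Z msp-svc-patch 203.0.113.40 hr-share
2018-12-04T03:07:12Z msp-svc-patch 203.0.113.40 ip-vault
2018-12-04T11:12:30Z jsmith 198.51.100.22 ws-0142
"""

MSP_ACCOUNT_PREFIX = "msp-svc-"   # assumed naming convention for accounts delegated to the MSP
MSP_SOURCE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed MSP egress range
MAINTENANCE_HOURS = range(8, 18)  # assumed contractual maintenance window (UTC hours)
MAX_HOSTS_PER_DAY = 2             # assumed baseline: distinct hosts one MSP account touches per day

def parse_logons(text):
    """Parse the space-separated records into (timestamp, account, source_ip, host) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, account, src, host = line.split()
            rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account,
                         ipaddress.ip_address(src), host))
    return rows

def find_suspicious(logons):
    """Flag MSP-delegated logons that break the trust assumptions the MSP relationship rests on.
    Returns (reason, account, host) tuples; non-MSP accounts are ignored."""
    findings = []
    hosts_seen = defaultdict(set)  # (account, day) -> distinct hosts reached that day
    for ts, account, src, host in logons:
        if not account.startswith(MSP_ACCOUNT_PREFIX):
            continue
        if not any(src in net for net in MSP_SOURCE_RANGES):
            findings.append(("msp_account_from_unknown_source", account, host))
        if ts.hour not in MAINTENANCE_HOURS:
            findings.append(("msp_account_outside_window", account, host))
        day_hosts = hosts_seen[(account, ts.date())]
        day_hosts.add(host)
        if len(day_hosts) == MAX_HOSTS_PER_DAY + 1:  # report the fan-out once, when first exceeded
            findings.append(("msp_account_host_fanout", account, host))
    return findings
```

In the sample, the daytime logons from the MSP's own range pass silently, while the night-time session from an unknown address that walks from the domain controller to the IP vault produces every finding type.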

On December 20, 2018, the U.S. Department of Justice (DoJ) announced that two Chinese nationals, members of the APT10 hacking group, had been charged with engaging in computer intrusion campaigns for more than a decade. The announcement names two particular APT10 campaigns: the MSP Theft Campaign, and the Technology Theft Campaign. Although the term ‘Cloud Hopper’ is nowhere used by the DoJ, it is clear that the MSP Theft Campaign and Cloud Hopper are the same campaign.

Critical infrastructure

China Inc is unlikely to do anything too overt or dramatic with U.S. critical infrastructure – that would interfere with its long-term strategy. But it would be naïve to think it is doing nothing. “At a minimum, we must expect that China is seeking to map, model, and understand how to attack U.S. critical infrastructure. Doing so requires some level of reconnaissance,” comments TruSTAR’s Kurtz.

This is likely standard practice for every cyber-advanced nation in the world that accepts it has potential adversaries.

However, there are less dramatic elements to critical infrastructure than nuclear facilities, power grids and water supplies.

Recorded Future’s Moriuchi explains: “The U.S. Department of Homeland Security (DHS) has identified the communications, information technology, healthcare, defense industrial, and food/agriculture sectors as critical infrastructure. If you apply the DHS definition, then yes, Chinese state-sponsored hackers have been successfully targeting and exploiting U.S. critical infrastructure networks for many years.”

Many of these incursions, she continued, “have involved industrial espionage or intellectual property theft, however, many have not. Because China has been labelled for so long as conducting cyber operations to support intellectual property theft, many intrusions are mistakenly categorized as economic espionage when in reality they are much more.”

Summary

While the West worries about the potential for cyberwar with its traditional foe, Russia, it fails to realize that cyberwar with China is already happening. But this is cyberwar conducted on China’s terms – it is not the traditional view of warfare. China Inc is conducting a low and slow cyberwar, attempting to stay under the radar of recognition in the same way that individual hackers use low and slow techniques to remain hidden.

If this analysis of the long-term goal of China Inc is correct, then the threat from Chinese cyber operations is more dangerous and insidious than commonly thought. The policy is not one of direct confrontation but more designed to slowly maneuver the global economy until dominance shifts from the U.S. to China.

It benefits China Inc if the world continues to believe it has only low-level cyber expertise. “It is important for companies, information security professionals, and network defenders,” says Moriuchi, “to move beyond this stereotype of second-rate Chinese state-sponsored cyber operations and realize the scope, capabilities, and true threat in order to successfully defend their networks.”
