This threat intelligence report was generated with a new AI Intel Analyst Agent called the Chairman Meow Intel Analyst, built on ChatGPT4, by Scot Terban.
Recent cyber activities in China have been significant and multifaceted, indicating a broad and active cyber threat landscape. The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment highlighted the People’s Republic of China (PRC) as a major cyber espionage threat to both U.S. government and private-sector networks. This threat encompasses a wide range of activities and is considered to be persistent and sophisticated.
A Pentagon report on Chinese military power further underscored this concern, noting that China’s cyber capabilities pose a greater threat to U.S. interests than ever before. The growing sophistication and reach of these capabilities have been a point of focus, reflecting an escalation in the perceived threat level.
Microsoft Threat Intelligence identified specific areas of focus for China-affiliated cyber threat actors since the beginning of 2023. These areas include the South China Sea, the U.S. defense industrial base, and U.S. critical infrastructure. This indicates a strategic approach to cyber operations, targeting key geopolitical and industrial sectors that are of significance to U.S. national security.
Additionally, Google has observed a substantial increase in Chinese cyberattacks on Taiwan over the past six months. This rise in cyber activities coincides with escalating tensions between China and Taiwan, suggesting a geopolitical motive behind these attacks. The nature and scale of these attacks are indicative of the evolving and expanding scope of China’s cyber operations.
Furthermore, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), along with the Five Eyes partners, issued advisories about a specific “cluster of activity” linked to China. This activity, tracked as Volt Typhoon, has been targeting networks across U.S. critical infrastructure and Guam since at least 2021. This long-term, ongoing operation reflects a consistent pattern of targeted cyber activities aimed at key U.S. assets and interests.
In summary, recent cyber activities in China are characterized by their broad scope, strategic focus, and increasing sophistication. These activities target critical sectors in the U.S. and its allies, indicating an ongoing effort to leverage cyber capabilities for geopolitical gains.
The recent cyber activities in China, particularly by Advanced Persistent Threat (APT) groups, present a complex and evolving landscape that reflects the broader strategic objectives of the Chinese state. These activities showcase a mix of espionage, intellectual property theft, and increasing involvement in geopolitical conflicts.
Key APT Groups and Their Activities:
APT19/26: Known for using phishing techniques and strategic web compromises, this group customizes backdoors to secure its presence within networks.
APT21: Focuses on spear phishing with malicious attachments and strategic web compromises, employing custom backdoors.
APT22: Utilizes strategic web compromises to exploit targets passively, often targeting public-facing web servers to upload web shells for network access.
APT24: Engages in intellectual property theft, primarily targeting data and projects that enhance the competitiveness of organizations. The group uses phishing emails and Microsoft Office products to obtain legitimate credentials.
APT27: Primarily uses spear phishing for initial compromise and has been observed using compromised accounts for this purpose. This group also engages in watering hole attacks, remote code execution, and supply chain attacks.
APT31: Focuses on theft rather than financial gain, exploiting vulnerabilities in applications like Java and Adobe Flash.
APT41: Known for spear-phishing emails and a wide range of malware deployment, including backdoors, credential stealers, keyloggers, and rootkits.
Trends and Hypotheses:
Trend in TTPs (Tactics, Techniques, and Procedures): A consistent feature across these groups is the reliance on spear-phishing and strategic web compromises. There’s a notable focus on customizing tools to maintain a presence in compromised networks, indicating a shift towards more sophisticated, targeted, and stealthy operations.
Geopolitical Drivers: Chinese APT groups are increasingly involved in operations that align with China’s foreign policy goals. These include targeting sectors crucial to national security, such as the government, healthcare, energy, and education sectors in Western countries. The ongoing geopolitical tensions, particularly with the U.S. and its allies, are likely to remain a key driver for these cyber operations.
Hypothesis on Collective Purpose: The collective activities of these APT groups appear to serve multiple objectives:
In summary, the recent cyber activities by Chinese APT groups represent a multifaceted approach combining espionage, intellectual property theft, and increasing involvement in geopolitical conflicts, serving China’s broader strategic objectives. As the geopolitical landscape evolves, these activities are likely to become more sophisticated and targeted, posing a significant challenge to global cybersecurity.
Link Citations:
Office of the Director of National Intelligence’s 2023 Annual Threat Assessment on China’s cyber threat – CISA
ESET APT Activity Report on China-aligned threat actors – ESET
Securelist APT Trends Report Q2 2023 on Chinese-speaking activity – Securelist
Grey Dynamics report on APT Networks and China’s global power push – Grey Dynamics