Pulling the Curtain Back on China’s Cyber Espionage

On March 25, the US and UK accused the People’s Republic of China (PRC) of state-backed hacking activities with political targets. The US Department of Justice (DOJ) unsealed an indictment charging seven individuals involved with the hacking group APT31. The US and UK have responded to the alleged state-backed cyberactivity with sanctions.  

During a press briefing, Chinese foreign ministry spokesperson Lin Jian said, “Previously, China had made technical clarifications and responses to the so-called APT31 information submitted by the British side. It clearly shows that the evidence provided by the British side is insufficient and the relevant conclusions lack professionalism," Reuters reports.  

What do these allegations reveal about the targets of the PRC’s cyber espionage campaigns and the tactics used? How can potential targets respond as the threat of cyber espionage continues in today’s geopolitical landscape?  

APT31 

APT31 has a long history of supporting PRC’s espionage and foreign intelligence aims. The group is also known in the cybersecurity research community as Zirconium, Violet Typhoon, Judgment Panda, and Altaire, according to the indictment.  

“Over 10,000 malicious emails, impacting thousands of victims, across multiple continents. As alleged in today’s indictment, this prolific global hacking operation -- backed by the PRC government -- targeted journalists, political officials, and companies to repress critics of the Chinese regime, compromise government institutions, and steal trade secrets,” said Deputy Attorney General Lisa Monaco in the DOJ press release.  

Related:What CISOs Need to Know About Nation-State Actors

APT31 has used a variety of techniques to compromise their targets. The indictment delves into the group’s use of malicious tracking email messages in its campaign to target government and political officials. These malicious emails appear to be from American journalists. Once opened, they contain excerpts from legitimate news articles.  

“That’s largely the nature of some of this Chinese espionage targeting; it blends into normative email traffic,” explains Michael Raggi, a principal analyst at Mandiant, Google Cloud, which provides cyber defense solutions.  

But opening one of these emails activates a tracking link that gives threat actors information about the target’s location, IP address, and devices.  

The group has used malware, spear phishing, and living off the land techniques, as well as targeting vulnerable edge devices. “Basically, they have the same mission for 14 years while their capabilities are becoming more diverse and more effective as time goes on,” says Raggi.   

Related:Downtime Cost of Cyberattacks and How to Reduce It

Leveraging GenAI capabilities, for example, is making their work more effective. “We've started to see them even use large language models to … help create phishing campaigns a little bit … faster and a little bit more accurately,” Michael Freeman, the head of threat intelligence at cybersecurity company Armis, an asset intelligence cybersecurity company, shares.  

Targets 

The seven individuals charged, as well as other hackers operating in the PRC, have targeted both individuals and companies in the US and other countries, according to the DOJ. The British government accused China of conducting cyberattacks on the Electoral Commission, compromising the personal details of millions of voters, The New York Times reports.  

“There are few organizations that are beyond being targeted or out of scope [for] any of these APT groups,” Adam Marrè, CISO of cybersecurity company Arctic Wolf and a former FBI agent, tells InformationWeek. “It might not even be what that organization does itself. It might be that they have a customer or a connection to a vendor of a different organization that is being targeted.” 

The indictment revealed that the threat actors not only went after specific targets but also their family members and contacts.  

Related:Sign Up for InformationWeek's New Cyber Resilience Newsletter

While this indictment alleges APT31’s targeting of critics of the Chinese government and politicians, the group is also known for intellectual property theft. “It is a political and economic advantage that I believe can be gleaned in the victimology of these attacks,” says Raggi. 

The Response  

On the same day the indictment was unsealed, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned a Chinese company: Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ). The company “served as cover for multiple malicious cyber operations,” according to the press release. OFAC also named two Chinese nationals affiliated with the company: Zhao Guangzong and Ni Gaobin.  

This US government effort was conducted in partnership with the United Kingdom Foreign, Commonwealth & Development Office (FCDO).  

“I think a united approach to the disclosure of cyber activity is a public deterrent indicating the effectiveness on global governments to detect malign cyber activity,” says Raggi.  

With no extradition treaty with China, US authorities are unable to arrest the individuals named by OFAC and in the DOJ indictment. But that does not mean this action has no impact.  

“Naming the individuals behind the scenes helps us, especially on the security research side, in mapping out not just [the] tactics they use to compromise environments but how they actually hide behind the scenes and the type of front companies they're using,” says Freeman.  

The indictment also restricts these individuals’ ability to travel. “If these individuals happen to leave China for any reason and there’s capability of having the ability to arrest them in another country and have them extradited, [that] would be a huge benefit for us,” Freeman adds.  

Ongoing Cyber Espionage 

The allegations from the US and UK are not the only insight into China’s hacking activities to come to light recently. In February, leaked documents from the security firm I-Soon showed that Chinese government is working with private hackers to target governments and other firms, according to The New York Times.  

International collaboration like the coordinated US and UK response is likely to continue as will nation state activity. The Five Eyes countries (the US, UK, Australia, Canada, and New Zealand) regularly share intelligence with one another. “There’s a lot of intelligence sharing that goes on in order for the various nations to understand what's happening, and what these particular groups are doing … sharing things like indicators of compromise,” says Marrè.  

In the face of ongoing cyber espionage, governments do not have the sole role to play in defense. Potential victims can recognize their risk and act accordingly.  

“I think looking at all of the recent revelations from the I-Soon documents, this DOJ indictment, and things people are learning about TikTok … I think all of these things, if you take them together, can paint a very different picture for people who think, ‘I am just an ordinary citizen. I wouldn't be someone who is targeted,’” says Marrè.  

Any companies doing research of interest to the Chinese government, as well as companies that serve as government contractors, and the people who work there are potential targets.  

“Enterprise security leaders should be thinking about the diversity of the attack vectors that Chinese APT threat actors are capable of employing,” Raggi urges. 

Recognizing this threat and potential vulnerabilities can help enterprise security teams reduce their risk of becoming a victim of nation state activity.  

While groups like APT31 deploy a variety of techniques, many of these techniques are known. Taking steps to defend identities, patch vulnerable systems, and educate people about social engineering can go a long way toward preventing successful attacks.  

“Until we really have this kind of good cyber hygiene and security awareness and a culture of security across everything that we do, we’re not going to be able to resist these kinds of attacks,” says Marrè.