For years, China seemed to occupy the quieter end of the state-sponsored hacking spectrum. While Russia and North Korea carried out hack-and-leak operations, launched massive disruptive cyberattacks and blurred the line between cybercriminals and intelligence agencies, China quietly focused on more traditional, albeit fruitful, espionage and intellectual property theft. But the collective message delivered by dozens of countries today calls out a change in China's behavior online: a trail of chaos left by its primary cyber intelligence agency that increasingly rivals that of the Kim or Kremlin regimes.
On Monday, the White House joined the UK government, the EU, NATO and governments from Japan to Norway in announcements calling out a series of Chinese hacking operations, and the US Department of Justice separately charged four Chinese hackers, three of whom are believed to be officers of China's Ministry of State Security, or MSS. The White House statement blames the MSS specifically for the mass hacking campaign that exploited vulnerabilities in Microsoft Exchange Server to compromise thousands of organizations around the world. It also takes the MSS to task for working with contract hackers who engage in for-profit cybercrime, turning a blind eye to, or even condoning, side activities such as infecting victims with ransomware, using victim machines to mine cryptocurrency, and outright financial theft. "The PRC's unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts," the statement said.
That long list of digital sins reflects a significant shift in how Chinese hackers operate, one that most China watchers trace to the 2015 reorganization of the country's cyber operations. That overhaul shifted much of the control from the People's Liberation Army to the MSS, a state security service that has over time grown more aggressive both in its hacking ambitions and in its willingness to work with criminals.
"They're getting bigger. The number of hacks has gone down, but the scale has gone up," says Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, who has long focused on Chinese hacking activity. That is in no small part because the non-governmental hackers the MSS works with are not bound by the norms that constrain state operators. "There seems to be a kind of greater tolerance for irresponsibility," Segal says.
The MSS has long preferred to work through intermediaries, contracting companies and vendors rather than running operations in-house, says Priscilla Moriuchi, a non-resident fellow at Harvard's Belfer Center for Science and International Affairs. "This model, in both HUMINT and cyber operations, allows the MSS to maintain plausible deniability and to create networks of recruited individuals and organizations that can take the blame when caught," says Moriuchi, using HUMINT to refer to human intelligence, the human, non-cyber side of espionage operations. "These organizations can be burned quickly and new ones established as needed."
While these contractors give the Chinese government a layer of deniability and efficiency, they also mean less operational control and less certainty that the hackers will not abuse their access to enrich themselves on the side, or that MSS officers themselves will not freelance outside their official remit. "In light of this model, I am not at all surprised that MSS cyber operations groups are also conducting cybercrime," Moriuchi adds.
Taken as a whole, the White House statement points to a broad, messy and in some cases unrelated collection of Chinese hacking activity. A separate indictment names four hackers linked to the MSS, three of whom were MSS officers, all accused of a wide range of intrusions targeting industries around the world, from healthcare to aviation.
But more unusual than the data theft in the indictment was the mass hacking campaign called out in Monday's announcement, in which the group known as Hafnium, which the White House now links to China's MSS, broke into no fewer than 30,000 Exchange servers worldwide. The hackers left behind so-called web shells, backdoors planted on the compromised web servers that allowed them to regain access at will, but which also introduced the risk that other hackers could find those shells and use them for their own purposes. That element of the campaign was "unfocused, reckless, and extremely dangerous," wrote former CrowdStrike chief technology officer and Silverado Policy Accelerator founder Dmitri Alperovitch, along with researcher Ian Ward, in a blog post in March. At least one ransomware group appeared to be exploiting the aftermath of Hafnium's campaign shortly after it was exposed.
There is no clear evidence that the MSS's Hafnium hackers themselves deployed ransomware or cryptocurrency mining software on any of those tens of thousands of networks, according to Ben Read, director of cyber-espionage analysis at Mandiant Threat Intelligence. Instead, the White House's criticism of the Chinese government for blurring the line between cybercrime and cyber espionage appears to refer to other, multi-year hacking campaigns that have more clearly crossed it. In September of last year, for example, the DOJ charged five Chinese nationals who worked for an MSS contractor known as Chengdu 404 Network Technology. Known in the cybersecurity industry as Barium before they were identified, they were accused of hacking dozens of companies around the world in a collection of operations that appeared to freely mix espionage with for-profit cybercrime.