Just a few days ago, Microsoft reported a cyberattack on its mail server software. Microsoft has since come forward to claim that a Chinese cyber-espionage group was responsible. According to Microsoft’s Threat Intelligence Centre, the group behind the attack is named Hafnium. Hafnium has previously been accused of both being sponsored by China and operating out of the country. Microsoft claims that its conclusion is based upon “observed victimology, tactics and procedures”.
In recent years, China has successfully established itself as one of the world’s foremost forces in terms of cyber power. A 2020 report titled the “National Cyber Power Index 2020”, published by the Belfer Center for Science and International Affairs at Harvard University, ranks China 2nd in the world in terms of cyber power, behind only the United States. This index measures a multitude of factors including government strategies, capabilities for defence and offence, resource allocation, the private sector, workforce, and innovation. Therefore, as far as cyber-attacks go, China is more than capable of facilitating such cyber operations.
China has long been suspected of funding and facilitating malicious cyber groups which engage in cybercrimes. Here are only some of the most notorious cyber groups which are either suspected or confirmed to be Chinese-backed:
APT10 (Advanced Persistent Threat 10)
According to a report by the U.S. Cybersecurity and Infrastructure Security Agency, a federal agency under the U.S. Department of Homeland Security, the Chinese-backed cyber-espionage group APT10 has been active since at least 2006. APT10’s focus is to facilitate economic and commercial espionage against powers like Japan, the U.K., the United States etc. APT10 utilizes a variety of methods on its targets including spear phishing, usage of various Chinese malware, persistent targeting of MSPs (Managed Service Providers) etc.
In December 2018, two Chinese hackers belonging to APT10 were charged by the U.S. Department of Justice (DoJ) with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft. According to the U.S. DoJ, these two Chinese hackers were working in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau, therefore revealing themselves to be working for the Chinese government.
APT10 continues to be active and goes by a number of aliases including MenuPass, Red Apollo, Stone Panda, Cicada etc.
Mustang Panda
Mustang Panda is a China-backed cyber-espionage group with a history of committing cyber attacks against Western NGOs which have a nexus with Chinese minority groups. This cyber group dates back to at least 2017. Mustang Panda utilizes malware like PlugX and Poison Ivy, which are in use by almost all the Chinese-backed cyber groups operating today. Mustang Panda also relies on phishing lures that look like official documents written in the target’s native language, in order to get the target to open an attached file that contains a .zip archive that executes malware like PlugX when opened.
In 2020, it was reported that Mustang Panda was targeting organizations associated with the Catholic Church. At the time of these cyber attacks, the Chinese Government and the Vatican were discussing the renewal of a 2018 accord between China and the Vatican, fueling speculations that the cyber activities of Mustang Panda were meant to provide an insight into the negotiations between China and the Holy See.
Mustang Panda goes by a number of aliases including RedDelta, TA416, BRONZE PRESIDENT etc.
BlackTech
BlackTech is a cyber threat group which primarily operates in East Asian countries like Taiwan and Japan, conducting cyber espionage operations. Known targets of BlackTech include the finance, engineering, technology and government sectors of countries like Taiwan, Japan, Hong Kong and the U.S. with relation to East Asia. BlackTech’s strategy for cyber attacks often includes using compromised legitimate software in order to achieve its goals.
Reports state that BlackTech continues to remain active, utilizing new strains of malware to attack sectors in countries like Japan, Taiwan etc. In August 2020, the Taiwanese Government linked the cyber group BlackTech to the Chinese Communist Party (CCP), saying that BlackTech was working for the CCP in order to target multiple Taiwanese government and commercial entities.
BlackTech is known by several aliases including Palmerworm, CIRCUIT PANDA etc.
APT40 (Advanced Persistent Threat 40)
APT40 is a Chinese-backed cyber group which specifically focuses on countries and issues related to the South China Sea. The South China Sea is a disputed region over which China claims territorial sovereignty. APT40 is documented to digitally target maritime, engineering as well as government entities of countries bordering the South China Sea. A 2018 analysis report on APT40 infrastructure reveals that servers in Hainan, China were utilized by the group, which heavily suggests backing from the Chinese state. It is also important to keep in mind that Hainan is an island province of China located in the South China Sea.
In September 2020, Microsoft revealed that APT40 attempted to maliciously gain control of the cloud server but was identified and disrupted. A month before this, the Taiwanese government accused APT40 of digitally targeting various Taiwanese entities. Earlier in 2020, Malaysia’s Computer Emergency Response Team (MyCERT) issued an advisory naming APT40, linking the Chinese-backed cyber group to an espionage campaign against Malaysian officials.
APT40 goes by a number of aliases including GADOLINIUM, Leviathan, TEMP.Periscope etc.
APT41 (Advanced Persistent Threat 41)
APT41 is one of the most prolific Chinese-backed cyber groups, with targets across various sectors and countries. Sectors like healthcare, media, and video games have been targets for cyber crimes by APT41. These cyber attacks by APT41 hit multiple countries, including the U.S., Japan, South Korea, India, Australia, and the U.K. APT41 utilizes various methods to digitally attack its targets. These methods include using stolen digital certificates to sign malware, exploitation of remote access, using a custom malware Trojan known as Winnti etc.
In September 2020, in an effort to shine a light on the activities of APT41, the U.S. Department of Justice (DoJ) unsealed three indictments against five Chinese hackers and two Malaysian businessmen for a plethora of cyber crimes. The DoJ linked the activities of the Chinese hackers to a Chinese company known as Chengdu 404 Network Technology, which most likely operates at the behest of the Chinese Ministry of State Security, which is a secret police agency in China. The DoJ indictments state that the Chinese hackers associated with APT41 are responsible for cyber attacks against over a hundred different organizations located in multiple countries.
APT41 is known by many other aliases. These include Barium, Winnti, Wicked Panda, Wicked Spider etc.
Chinese cyberthreat is real
As evidenced by the National Cyber Power Index 2020, China is the 2nd most powerful cyber power in the world. What’s even more impressive is the fact that China did not feature in the top 10 of a similar list titled Global Cyber Security Index 2018 provided by the International Telecommunication Union, a specialized U.N. agency. This indicates that China’s rise in cyber power is very recent and that the abovementioned examples of Chinese-backed cyber groups do not fully represent China’s future capabilities, which could also target India.
India was also under analysis for the National Cyber Power Index 2020. Out of the 30 countries assessed, India secured a rank of 21, clearly nowhere close to our neighbour. In terms of cyber offence or defence, India lags behind China in various indicators. This is a potential cause of concern for India, with military tensions at the Line of Actual Control heightening in the past year. Clearly, in order to achieve parity with China, India needs to heavily invest in its cyberinfrastructure and cybersecurity across the board in general.