
The Dark Side of China:

The Evolution of a Global Cyber Power

www.intsights.com

Table of Contents
3 Executive Summary
3 The Growing Chinese Threat
4 China’s Vision for Growth and Global Power
4 The PRC as an Evolving Cyber Threat
4 Emerging Chinese Targets in 2020
5 Target Spotlight: India
5 Target Spotlight: Australia
6 Target Spotlight: Cultural and Religious Organizations
6 Attacks and Surveillance on Uighur Muslims
7 Attacks on the Vatican and Catholic Church
7 Target Spotlight: Hong Kong
8 Evolving Threats:
9 Surveillance and Espionage
9 APT41/Winnti Group
9 Information Warfare
10 Abuse of Technology Exports
11 Recommendations


Executive Summary
The People’s Republic of China (PRC) is perhaps the world’s
greatest cyber power. Current Chinese President Xi Jinping
has demonstrated he is far more aggressive than his
predecessor, Deng Xiaoping. Over the past decade, China
has become increasingly forthright in its intentions, and
this change has been observed in cyber operations as well.
Researchers have observed stark differences in tactics, tone,
and behavior from Chinese state-sponsored cyber, military,
and political parties over the past several years.

New targets and new tactics reveal an evolving Chinese
threat that is more agile than ever and will stop at nothing
to achieve strategic objectives for growth and expansion
of the government’s ideals. China’s cyber arm is evolving
into a dynamic force capable of attacking and disrupting its
economic and military enemies, as well as weaker nations it
seeks to control.

This report explores how China’s cyber operations are evolving to fit the dynamic digital landscape and achieve its strategic
short- and long-term objectives. IntSights researchers have assessed, with high confidence, that China is pursuing economic
growth and global expansion, according to the 13th Five-Year Plan and the “Made in China 2025” initiative. The Chinese
government seeks to gain influence and create a world more accommodating to its values and economic rule. China is
achieving this through:

• Aggressive, targeted cyber espionage campaigns aimed at dozens of public and private sector organizations and
countries in pursuit of intellectual property, trade secrets, and technological advancements in artificial intelligence (AI)
and machine learning (ML) to gain market and military advantages.
• Advanced military-led cyber offensive attacks utilizing newly developed native malware, such as GoldenSpy, Mgbot
malware, and Taidoor.
• Digital suppression of foreign and domestic cultural, political, and religious views that counter the Chinese
Communist Party.

The Growing Chinese Threat


To understand the cyber threat from the People’s Republic
of China, one must first understand its desired outcomes,
culture, and worldview. Simply observing China’s behavior
can offer insight into patterns and trends but reveals
only a narrow and limited view of its words and actions.
Understanding the country’s strategic intelligence collection
priorities will help its targets better understand how to
defend against China’s growing and evolving cyber threats.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not
the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in
every battle.”
–Sun Tzu, The Art of War

The Communist Party of China (CPC or 中国共产党) is the ultimate authority in mainland China. The military and government
in China are subordinate to the CPC, unlike in Western societies, in which political parties vie for representation within
government. The People’s Liberation Army (PLA) reports directly to the CPC’s Central Military Commission (CMC or
中央军事委员会). This political structure is important to understand. The result is that military-sanctioned cyber attacks are ordered
and approved by the CPC. Cybercrime is strictly forbidden outside of what serves the state and the CPC.


China’s Vision for Growth and Global Power


Every five years, the CPC evaluates and updates its plans for growth and development. The 13th Five Year Plan (FYP) was
ratified by the National People’s Congress (NPC) in March 2016 and outlined President Xi Jinping’s vision for an economic
growth rate of 6.5% by 2020, innovation-driven development (创新发展), and a shift to higher value-added manufacturing.
The latter of these objectives is further outlined in a document called Made in China 2025 (中国制造2025), a strategic
roadmap for an upgrade to Chinese industry from low-quality and low-value products to production of high-tech goods in
categories including pharmaceutical, automotive, aerospace, semiconductor, IT, and robotics. These documented plans are
an important indicator for the motivation behind the corporate espionage and theft of intellectual property through cyber
intrusions that have been observed over the past several years.

The CPC is expected to release the 14th FYP in March 2021. Considering rising tensions between China and the United States,
experts predict that the next FYP will focus on autonomous development and reducing reliance on US and allied resources,
such as technology and exports. Furthermore, China is expected to continue solidifying partnerships in the Middle East and
budding nations in Africa, providing crucial funding and investments in foreign infrastructure, such as roads, rails, and ports.
Closely following these developments allows researchers to analyze China’s priorities and motivations, accurately attribute
cyberattacks, and observe which industries, technologies, and governments are being targeted.

The PRC as an Evolving Global Cyber Threat


China’s cyber arm has evolved significantly since the first advanced persistent threat (APT) groups were discovered over
a decade ago. The PRC is now finding success in a forthright, aggressive approach to taking what it needs to achieve
its objectives and defend its economic growth strategy. Chinese state-sponsored threat actors have been attributed to
hundreds of attacks in over 20 countries and countless industries around the world. In the United States alone, over 19
Chinese individuals have been indicted for state-sponsored cyber espionage. Christopher Wray, Director of the US FBI, claims
that Chinese theft of US trade secrets costs the country ‘$300 billion-$600 billion a year’ and named China as the United
States’ top cyber threat. Australia’s political leadership has admitted that China is a major threat to Australian organizations
but refuses to publicly attribute major attacks to the PRC out of fear of further retaliation and degradation of economic
partnerships.

Emerging Chinese Targets in 2020


When analyzing a cyber intrusion, there are several important factors to consider for accurate attribution. One of the most
important factors is the victim. As seen in the Diamond Model of Intrusion Analysis, there is an intersection between the
victim, the adversary, the capabilities of the adversary, and the infrastructure used in the intrusion. By filling in the missing
pieces of the puzzle, Cyber Threat Intelligence (CTI) analysts can work towards attributing the attack to a specific adversary or
threat group. The relationship between the adversary and the victim, also known as the socio-political axis, is an important
key to solving the intrusion puzzle, and often depends on the motivations and objectives of the adversary. Therefore, it is
crucial to understand China’s objectives and state priorities.

Figure 1: The Diamond Model of Intrusion Analysis
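The pivoting the paragraph above describes, as an added example that is not code from the IntSights report: each event carries the four Diamond Model vertices, and events that share an infrastructure node (or a non-commodity capability) with an event whose adversary is already known inherit its label. All events, cluster names and IP addresses are constructed placeholders (RFC 5737 documentation ranges), not real indicators.

```python
"""Diamond Model pivoting over constructed intrusion events.

Added example, not code from the IntSights report. Each event records the
four Diamond Model vertices (adversary, capability, infrastructure, victim);
an unknown adversary is stored as None. Events that share an infrastructure
node, or a non-commodity capability, with an event whose adversary is already
known are clustered together, which is how an analyst fills in the missing
adversary corner. Every event, cluster name and IP address below is a
constructed placeholder, not a real indicator.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: Optional[str]   # None until attribution fills it in
    capability: str            # malware family or tool observed
    infrastructure: str        # C2 address or domain observed
    victim: str                # organization or sector (socio-political axis)


# Widely available tooling is weak pivot evidence: many unrelated groups use it.
COMMODITY_TOOLS = {"CobaltStrike", "Metasploit", "XMRig"}

# Constructed sample events (placeholders only).
SAMPLE_EVENTS: List[DiamondEvent] = [
    DiamondEvent("E1", "CLUSTER-A", "PlugX", "203.0.113.10", "religious organization"),
    DiamondEvent("E2", None, "PlugX", "203.0.113.10", "diplomatic mission"),
    DiamondEvent("E3", None, "Mgbot", "198.51.100.7", "political activist"),
    DiamondEvent("E4", "CLUSTER-B", "Mgbot", "198.51.100.8", "journalist"),
    DiamondEvent("E5", None, "CobaltStrike", "192.0.2.55", "telecom provider"),
    DiamondEvent("E6", "CLUSTER-A", "CobaltStrike", "203.0.113.99", "telecom provider"),
]


def cluster_events(events: List[DiamondEvent],
                   axes: Tuple[str, ...] = ("infrastructure", "capability")) -> List[List[DiamondEvent]]:
    """Union-find: two events join one cluster when they share a node on a pivot axis."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for axis in axes:
        first_seen: Dict[str, str] = {}
        for e in events:
            node = getattr(e, axis)
            if axis == "capability" and node in COMMODITY_TOOLS:
                continue  # do not pivot on shared commodity tooling
            if node in first_seen:
                union(first_seen[node], e.event_id)
            else:
                first_seen[node] = e.event_id

    clusters: Dict[str, List[DiamondEvent]] = {}
    for e in events:
        clusters.setdefault(find(e.event_id), []).append(e)
    return list(clusters.values())


def attribute(events: List[DiamondEvent],
              axes: Tuple[str, ...] = ("infrastructure", "capability")) -> Dict[str, str]:
    """Map each event id to an adversary label, UNATTRIBUTED, or CONFLICT:<labels>."""
    result: Dict[str, str] = {}
    for cluster in cluster_events(events, axes):
        known = {e.adversary for e in cluster if e.adversary}
        if len(known) == 1:
            label = known.pop()
        elif not known:
            label = "UNATTRIBUTED"
        else:  # two named clusters linked by a pivot: an evidence conflict to review
            label = "CONFLICT:" + "+".join(sorted(known))
        for e in cluster:
            result[e.event_id] = label
    return result


if __name__ == "__main__":
    for axes in (("infrastructure", "capability"), ("infrastructure",)):
        print(axes, attribute(SAMPLE_EVENTS, axes))
```

Running with both axes attributes E3 to CLUSTER-B through the shared Mgbot capability; restricting the pivot to infrastructure leaves E3 unattributed, and E5 stays unattributed either way because Cobalt Strike is commodity tooling. The CONFLICT label is deliberate: when a pivot joins two differently named clusters, the right output is a review item, not a silent merge.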



Target Spotlight: India


In June 2020, conflict reignited in the disputed border
territory of Galwan Valley, between India and China, resulting
in the death of 20 Indian soldiers. The nuclear-capable
military superpowers have been arguing for decades over
territory in the largely uninhabited region of Ladakh Valley
(Figure 2).

The conflict could escalate to a point that destabilizes the
region, but India is equally concerned about China retaliating
with cyberattacks. During the five-day period following
the border clash, the Indian police reported over 40,000
cyberattacks originating from Chengdu, China, the capital
city of the Sichuan province, a 300% increase over normal
Chinese attack levels. According to India-based cybersecurity
firm Quick Heal Labs, the attacks included Denial of Service
(DoS) attacks, phishing attempts, and malware attacks
on India’s critical infrastructure. As part of these attacks,
crypto mining and Remote Access Tool (RAT) malware were
discovered on victims’ computers, which enabled remote
admin, keylogging for credential theft, screen capture, privilege escalation, and data exfiltration. Indian cybersecurity firms
and government entities have raised concerns about maintaining defenses and protecting against vulnerable infrastructure in
an all-out cyberwar with China. To counter the Chinese threat, the Indian government banned 59 Chinese mobile applications
in July 2020, including social media platforms such as TikTok, WeChat, and Helo, claiming that user data is being sent back to
servers in China without authorization.

Figure 2: Map of disputed border territory between India and China

Target Spotlight: Australia


Chinese cyberattacks on Australia have been increasing
steadily over the past decade, but in June 2020, Australian
government officials issued warnings to all industries and
government entities of “sophisticated state-sponsored
cyberattacks” that security experts are attributing to
China. A timeline of publicly known Chinese cyberattacks on
Australian organizations reveals a steady pace of activity,
with notable breaches dating back to 2013. However,
IntSights’ analysis of the breach history reveals that in
recent years, Australian leadership has taken a more passive
approach to calling out nation-states and attributing this
activity to any certain group. This policy is likely to affect
the timeline of significant events as the government tries to
maintain secrecy around classified breaches of government
entities. One notable event occurred in June 2020, when the prime minister announced that there was a significant increase in
attacks by a sophisticated adversary on multiple industries nationwide.

Timeline of publicly known Chinese cyberattacks on Australian organizations:
• June 2020: Nationwide attack on multiple industries reported by Prime Minister Scott Morrison
• June 2019: Australian National University breached by Chinese state-sponsored actors, who stole 19 years’ worth of personal data
including bank numbers, tax details, and academic records of students and staff
• Early 2018: “China Chopper” web shell, commonly associated with Chinese Advanced Persistent Threat (APT) groups, used in
cyberattack on eight Australian web hosting providers
• 2015: China conducted a cyberattack on Australia’s Bureau of Meteorology, known to host data that is directly relevant to this
nation’s agriculture and wider economy
• 2013: BlueScope Steel targeted by Chinese hackers; alleged Chinese hackers stole the blueprints of domestic spy agency
ASIO’s new headquarters in Canberra
Source: IntSights Cyber Intelligence

Prime Minister Scott Morrison said that attacks on Australian
organizations by state-sponsored cyber threats have “... been
increasing ‘over many months’” but declined to publicly claim
that the attacker was China-based in an effort to reduce the
chance of retaliatory attacks. However, many senior officials
in the Australian government have admitted, under terms
of anonymity, that the culprit is China. The prime minister
emphasized that the attacks “hadn’t just started,” and that
the “...activity is not new. Frequency has been increasing.”
Federal Labor Leader Anthony Albanese said he received
a full briefing on the ongoing attacks and the work being
done by intelligence agencies. He also stated that there had
“clearly been an increase” in the number of attacks, which,
in turn, prompted the prime minister to issue the warning to
Australian businesses and organizations.

Australia is one of the most targeted countries in the
world. Of the 16 occasions when Australian agencies or
organizations were targeted in the past ten years, around
half of them included references to alleged Chinese actors.

Figure 3: Australia ranks #6 in the world for experiencing the most “significant cyberattacks”

Target Spotlight: Cultural and Religious Organizations

The Communist Party of China (CPC) is officially atheist and
has been scrutinized by outside human rights organizations
for discrimination and mistreatment of minority religious
groups throughout China. Although religious belief is
protected in the Chinese constitution, it does not guarantee
the right to practice religion or worship. Chinese officials
monitor and police religious groups that might “disrupt public
order, impair the health of citizens or interfere with the
educational system of the State.” Under Xi Jinping’s rule, the
CPC has been cracking down on religious activity throughout
the country. Freedom House, a human rights monitoring
organization, claims that China is home to one of the largest
populations of religious prisoners.

Attacks and Surveillance on Uighur Muslims


In recent years, the Chinese government has reportedly
detained more than a million Uighur Muslims in “reeducation
camps.” The Uighur population is a predominantly Turkic-
speaking ethnic group in China’s northwestern region of
Xinjiang. Reports from refugees and survivors claim that the
Chinese government forces the Muslims to renounce their
religion and pledge loyalty to the Communist Party of China.
The United Nations and human rights watchdogs have urged
China to stop the crackdown.

In late 2019, hackers working for the Chinese government
hacked into telecommunication providers in Turkey,
Kazakhstan, India, Thailand, and Malaysia as part of a large-scale espionage campaign to track minority groups and VIPs
traveling between Central and Southeast Asia. China has been increasing its monitoring and oppression of minorities through
the following cyber operations: high-tech digital surveillance, exploitation campaigns via multiple strategically compromised
websites, exploitation of vulnerabilities in Android operating systems commonly used among the minority population, and
tracking and targeting of website visitors through digital profiling and exploitation. The attackers used Google apps to gain
access to the emails and contact lists of Gmail accounts via OAuth, and utilized copycat domains mimicking Google, the Turkistan
Times, and the Uighur Academy as lures.
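Copycat domains of the kind described above are routinely triaged by comparing candidate domains (from mail headers, proxy logs, passive DNS or certificate transparency) against the domains a community actually uses. The scanner below is an added example, not code from the IntSights report: google.com is real, while the other watchlist entries and every candidate domain are constructed placeholders on the reserved .example TLD, and the two-label "registrable domain" rule is a stated simplification.

```python
"""Copycat (lookalike) domain triage against a watchlist of legitimate domains.

Added example, not code from the IntSights report. Candidate domains are
compared with the domains an organization or community actually uses.
google.com is real; the other watchlist entries and all candidate domains are
constructed placeholders on the reserved .example TLD.
"""
from typing import List, Optional, Tuple

WATCHLIST: List[str] = [
    "google.com",
    "turkistan-times.example",   # constructed stand-in for a news outlet's domain
    "uighur-academy.example",    # constructed stand-in for a community site's domain
]

# Letter pairs and digits commonly substituted in lookalike registrations.
_PAIR_SWAPS = (("rn", "m"), ("vv", "w"))
_CHAR_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label: str) -> str:
    """Fold common homoglyphs so 'g00g1e' compares equal to 'google'."""
    label = label.lower()
    for pair, repl in _PAIR_SWAPS:
        label = label.replace(pair, repl)
    return label.translate(_CHAR_SWAPS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels. Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    return ".".join(domain.split(".")[-2:])


def classify(candidate: str, watchlist: List[str] = WATCHLIST,
             max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_watchlist_entry).

    legitimate: the watched domain itself or one of its real subdomains
    lookalike:  registrable name within max_distance edits after homoglyph folding
    embedded:   watched brand appears as a label or substring under another registrable domain
    clean:      no relation found
    """
    cand = candidate.lower().rstrip(".")
    for w in watchlist:
        if cand == w or cand.endswith("." + w):
            return ("legitimate", w)
    cand_labels = normalize(cand).split(".")
    cand_core = normalize(registrable(cand).split(".")[0])
    for w in watchlist:
        w_core = normalize(w.split(".")[0])
        if levenshtein(cand_core, w_core) <= max_distance:
            return ("lookalike", w)
        if w_core in cand_labels or w_core in cand_core:
            return ("embedded", w)
    return ("clean", None)


if __name__ == "__main__":
    for sample in ("mail.google.com", "goog1e.example",
                   "accounts.google.com.verify-login.example",
                   "turkistantimes.example", "example.org"):
        print(sample, classify(sample))
```

The edit-distance threshold should scale with the brand length: a distance of 2 is reasonable for "turkistan-times" but will produce false positives for very short names, so short watchlist entries are better served by the exact "embedded" and "legitimate" checks alone.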

Attacks on the Vatican and Catholic Church


In the Summer of 2020, Chinese state-sponsored hackers
conducted cyber intrusions and attacks on the networks of
the Vatican and the Holy See’s Study Mission in Hong Kong.
The attacks took place ahead of September’s anticipated
talks between Vatican representatives and the Communist
Party of China, and align with China’s stated objective
to “sinicize religion” in China. The talks are expected to
revisit terms of the Catholic Church’s presence in China and
determine the appointment of bishops in the area.

The attacks began with a phishing email purporting to
be a letter of condolence from the Vatican, addressed to
a reverend at the Study Mission in Hong Kong. The email
document was weaponized with the PlugX payload. Command
and control (C2) IPs associated with other malware families,
such as PoisonIvy and CobaltStrike, were also observed
connecting to the victim’s infrastructure.

Figure 4: Image of the weaponized spear-phishing email used to infect the victim with PlugX malware

Target Spotlight: Hong Kong

Democratic movements for independence in Hong Kong have
sparked protests, violent riots, and police brutality across
the region, starting in June 2019 and continuing through
present day. The anti-government protests were prompted
by proposed changes to laws allowing Hong Kong citizens
to be extradited to mainland China to be tried for crimes in
trials that are often unfair and yield violent punishments.
With the global attention on Hong Kong and democratic
nations showing support, the Chinese government saw an
opportunity to target political dissidents through a malware campaign. The lure is a document delivered inside an archive file named
“Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.rar”; the document employs template injection to download a remote
template, which leads to dropping the Mgbot malware payload (Figure 5).

Figure 5: Malwarebytes Sample document from Hong Kong Mgbot malware campaign, 2020
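Template injection leaves a recognizable trace inside the document package: Word records the attached template as a relationship in word/_rels/settings.xml.rels, and a lure points that relationship at an external URL so a remote template is fetched when the file opens. The scanner below is an added example, not code from the IntSights report or from Malwarebytes; it constructs two minimal docx-like zips in memory (the URL and local path inside them are placeholders) and reports every external relationship, flagging those whose target is a network location.

```python
"""Detect remote-template (template injection) relationships in an OOXML document.

Added example, not code from the IntSights report or from Malwarebytes. The
scanner opens any .docx/.dotx-style zip, parses every .rels part and reports
external relationships, marking those whose target is a network location.
The two documents are constructed in memory; the URL and path in them are
placeholders.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
HYPERLINK = OFFICE_REL + "hyperlink"
NETWORK_SCHEMES = {"http", "https", "ftp"}

_SETTINGS_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:attachedTemplate r:id="rId1"/></w:settings>'
)


def build_sample_docx(rels: List[Tuple[str, str, str, str]]) -> bytes:
    """Build a minimal docx-like zip whose settings.xml.rels holds the given
    (Id, Type, Target, TargetMode) entries. Constructed test input only."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>', f'<Relationships xmlns="{REL_NS}">']
    for rid, rtype, target, mode in rels:
        mode_attr = f' TargetMode="{mode}"' if mode else ""
        parts.append(f'<Relationship Id="{rid}" Type="{rtype}" Target="{target}"{mode_attr}/>')
    parts.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", _SETTINGS_XML)
        z.writestr("word/_rels/settings.xml.rels", "".join(parts))
    return buf.getvalue()


def find_external_relationships(docx_bytes: bytes) -> List[Dict[str, object]]:
    """List every External relationship in every .rels part, except plain hyperlinks."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "")
                if rtype == HYPERLINK:
                    continue  # clickable links are external by design
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                # A URL scheme or a UNC path means the template is fetched over the network.
                remote = scheme in NETWORK_SCHEMES or target.startswith("\\\\")
                findings.append({"part": name, "id": rel.get("Id"),
                                 "type": rtype.rsplit("/", 1)[-1],
                                 "target": target, "remote": remote})
    return findings


def has_remote_template(docx_bytes: bytes) -> bool:
    """True when an attachedTemplate relationship points at a network location."""
    return any(f["remote"] and f["type"] == "attachedTemplate"
               for f in find_external_relationships(docx_bytes))


# Constructed samples: a template-injection lure and a benign file with a local Normal.dotm.
LURE_DOC = build_sample_docx([
    ("rId1", ATTACHED_TEMPLATE, "http://203.0.113.5/template.dotm", "External"),
])
BENIGN_DOC = build_sample_docx([
    ("rId1", ATTACHED_TEMPLATE, "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm", "External"),
    ("rId2", HYPERLINK, "https://example.org/", "External"),
])

if __name__ == "__main__":
    for label, doc in (("lure", LURE_DOC), ("benign", BENIGN_DOC)):
        print(label, has_remote_template(doc), find_external_relationships(doc))
```

A locally attached Normal.dotm is ordinary and must not raise an alert on its own, which is why the verdict depends on the target being a network location rather than merely External; the same check also catches UNC targets, which would make the victim host authenticate to an attacker-controlled share when the template is fetched.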

Evolving Threats
Surveillance and Espionage
China is the one of the most advanced surveillance states in the world today. Few nation-states have the technical and
political capabilities to collect data on human beings like China does. Its strategic objectives focus heavily on the research
and development of surveillance and data collection technology, artificial intelligence (AI), and machine learning (ML), and it
has been successful in both developing its own technologies and stealing technological secrets and patents-in-development
from public and private organizations around the world. The CPC uses these technologies for multiple purposes, including the
advancement of manufacturing technology, military technology, and robotics. However, there is a dark side to China’s use of AI
and ML as well.

Domestic Surveillance and the “Social Credit System”


China’s domestic surveillance program is closely tied to its “Social Credit System,” a tool to ensure citizens’ obedience and
compliance with government laws, but also a tool for keeping crime in check, maintaining accountability for the population,
and allowing law enforcement access to vital intelligence. It is, essentially, a reputation-based behavioral scoring method that
assesses China’s population of over 1.4 billion people and millions of businesses. In 2019, there were an estimated 200 million
CCTV cameras included as part of the “Skynet” system in mainland China, four times as many surveillance cameras as in the
United States. By the end of 2020, the number of surveillance cameras in mainland China is expected to reach 626 million.

The state monitors its population for both negative and positive behavior. Xi Jinping’s objective is to identify dissenters in real
time. Some examples of negative infractions include traffic violations, playing loud music, eating in public transit areas, not
sorting rubbish properly, and fraudulently using someone else’s public transit passes. Positive behaviors that can raise one’s
social credit score include donating to charity, volunteering for community service, donating blood, and heroism. The citizen’s
credit score is used to elevate or stigmatize the individual and use social pressure to encourage conformity. This technology
is used invasively against religious minority groups and enemies of the state. In 2019, when Hong Kong citizens took to the
streets to protest new proposed extradition laws, the CPC began large-scale surveillance and facial recognition operations
to identify and apprehend protesters. To counter this effort, protesters began to wear masks and paint their faces in ways
that confused the government’s AI technology. The CPC also uses this technology to monitor and suppress groups in Tibet,
Xinjiang, and Taiwan.

Foreign Surveillance and Espionage


What used to be covert cyber and physical espionage operations are now well known around the world. The Chinese
government sponsors and orders the use of counterintelligence and offensive cyber operations to infiltrate adversary
networks, monitor user behavior, and steal valuable data. Well-known Chinese military-cyber units, identified by
cybersecurity firms as advanced persistent threats (APTs), conduct these operations at the will of the CPC. The cyber
espionage operations are primarily led by the Chinese Ministry of State Security and the People’s Liberation Army (PLA)
General Staff Department’s (GSD) 3rd Department (总参三部二局), also known as Unit 61398 (61398部队). Chinese APTs
include APT1 (Comment Crew), APT3 (UPS Team), APT10 (MenuPass Team), APT12 (Calc Team), APT16, APT17 (Deputy Dog,
Tailgator Team), APT18 (Wekby), APT19 (Codoso Team), APT30, APT40, and APT41 (Winnti Group).

Foreign targets of Chinese espionage include over 29 countries and countless
private industries. Traditionally, these hacking groups are assigned specific
targets, industry verticals, and data to exfiltrate. Instances of financially
motivated attacks are extremely rare because these groups fall under the
budgets of the government and military. However, in 2020, APT41 was
attributed to both espionage and cryptocurrency-mining operations. For this
reason, IntSights has chosen to spotlight APT41 to bring awareness to this
changing tactic and motivations for the new operation.


The Evolution of APT41


APT41, also known as Winnti Group or WickedPanda, is an advanced, state-sponsored hacking group under the direction of the
Chinese government. The group is thought to be stationed in the Xicheng District of Beijing and may fall under the umbrella of
the PLA’s Strategic Support Force (SSF / PLASSF), which is responsible for space, cyber, and electronic warfare missions. This
group is notorious for espionage campaigns but has recently (2020) been observed utilizing cryptocurrency-mining malware
for financial gain, which is a significant shift in tactics. Many researchers speculate that the crypto-mining operations may not
be state sanctioned. Others speculate that this activity could be used to supplement the group’s budget.

APT41 attacks have targeted organizations in at least 15 countries, as well as Taiwan and Hong Kong. Their operations can
be tracked back as far as 2012, with some researchers discovering campaigns going back to 2008. They have been assigned
various target industries including software and video game developers in South Korea and Hong Kong, healthcare, telecoms,
the high-tech sector, higher education, travel services, and news media firms worldwide.

APT41 is a technically capable hacking group that has utilized over 46 different code families and over 150 pieces of unique malware
and hacking tools including, but not limited to, rootkits, credential stealers, keyloggers, and MBR bootkits to hide its
presence and maintain persistence in victims’ networks. Malware and tooling used by this group includes Metasploit, CobaltStrike,
trojanized ASUS updates and CCleaner builds, Winnti, the Pipemon backdoor, ShadowHammer, XMRig (final-stage cryptominer), and more.

Between January and March of 2020, APT41 was observed targeting Citrix, Cisco, and Zoho network appliances with
Speculoos malware through exploitation of a recently disclosed vulnerability, CVE-2019-19781.

Figure 6: Timeline of APT41’s global intrusion campaign exploiting CVE-2019-19781


Source: FireEye

Information Warfare
The Chinese Communist Party (CCP) will go to great lengths to “save face,” protect its reputation, and appear functional and
efficient to its own people, as well as to governments around the world. The CCP has already invested billions of dollars in
protecting its reputation on the global stage to paint a picture of a responsible, mild-mannered global rise to power. Chinese
influence operations are conducted by the United Front Work Department (UFWD), a network of academic, business, and
cultural institutions located domestically and abroad.

In 2019, IntSights published a report called PSYOPS: How States Weaponize Social Media to Disrupt Global Politics that breaks
down the concept of information warfare and disinformation campaigns. The report contrasts how China and Russia use
information warfare for different objectives. However, these two countries have recently found common ground. In 2020,
prompted by the global COVID-19 pandemic and global scrutiny, China has dramatically changed its tactics for disinformation.

From late 2019 into early 2020, COVID-19 broke out in Wuhan, China. Several American leaders, including President Trump,
labeled the virus the “Wuhan virus,” attributing the outbreak to China’s mishandling of biological material at the Wuhan
Institute of Virology and accusing China of having engineered the virus in the lab. This began an information war between
China and the rest of the world, prompting the CPC to aggressively defend itself against rumors. Within a few months, the
Chinese government took to social media with influence campaigns, both inside the country and around the world. The tactics
looked similar to previous disinformation campaigns inside of China: spreading messages to quell concerns and rumors of
the Chinese government creating COVID-19, minimizing the numbers of positive COVID-19 tests, and using propaganda to
influence Chinese citizens to quarantine inside their homes for the good of the public.

Within months, the narrative shifted to pointing fingers at the United States as the creator of the novel coronavirus in a US
state-operated lab. Chinese diplomats and embassies flocked to Twitter, which is banned within China, to amplify conspiracy
theories about the virus’s origin. According to the Brookings Institute, Chinese foreign service officials now have more than
100 accounts on Twitter — a “300% increase since April of last year”. One Chinese Foreign Ministry spokesman tweeted to
300,000 followers that COVID-19 originated in the United States, and included a link to a pro-Kremlin (Russian) media outlet.
The tweet was then shared by over a dozen Chinese officials. It is becoming increasingly clear that China and Russia have a
similar narrative to spread and are working together to amplify each other’s messages in a coordinated manner. The goal
is simple: break down trust in democracies, disrupt election cycles or manipulate democratic election results, and gain
economic advantage over adversaries to advance global position and power.

In June 2020, Twitter reported that it successfully shut down over 173,000 posts that were spreading a “Communist Party
of China geopolitical narrative” that was false and misleading. 23,750 of those accounts were posting original content,
and 150,000 accounts were used to amplify, or share, those same messages across multiple media outlets. In July 2020,
the European Union spoke out, publicly accusing China of mass-scale information warfare. This was an unprecedented
announcement by the European Union, which followed a rash of disinformation attacks on France.

Trojan Technology & Software Supply Chain Attacks


One of the biggest concerns in the world today is the use of technological exports as weaponized trojans in foreign countries.
Much like a modern-day warfare tactic, China is exporting technology around the world that has hidden backdoors, superior
surveillance capability, and covert data collection capabilities that surpass their intended purposes and are being used for
widespread reconnaissance, espionage, and data theft.

Huawei and 5G Tech


Concerns have been raised around the world regarding cell phone networks that allow access to sensitive data and
communications. One of the companies that has played a major role in the development of these networks is Huawei, a China-
based telecom company that has grown to be the world’s largest vendor of telecommunications equipment. This equipment
resides in every step of the internet connectivity process, from the router in your home to the infrastructure company that
hosts all the websites you visit. Huawei designs and manufactures the network switches, gateways, routers, and bridges;
therefore, it has significant control over internet systems around the world. The US and many other nations have expressed
concerns over the relationship between Huawei, its founders and leaders, and the Communist Party of China. The board and
leadership within Huawei are made up of many CPC members and prominent leaders.

Privacy advocates and technology leaders around the world are concerned with the close relationship between the
Communist Party of China and Huawei. Essentially, if a significant conflict were to occur, the theory is that Huawei officials
could commandeer their equipment overseas, shut down systems, and cut off adversaries’ access to communications.
In February 2020, US national security adviser Robert O’Brien said, “We have evidence that Huawei has the capability to
secretly access sensitive and personal information in systems it maintains and sells around the world.” The US intelligence
report was declassified in 2019 to enable sharing with allied countries in an effort to convince them to shut Huawei out of
5G developments in those countries. Huawei has denied all allegations of misuse of its technology, as China does for all
espionage accusations.

TikTok
TikTok is one of the top 10 most downloaded mobile apps in the United States. The popular social media app is owned by
Bytedance, a China-based parent company. In August 2020, US President Donald Trump signed an executive order banning
the mobile application TikTok from the United States, citing intelligence community concerns over excessive personal data
collection. Like the Huawei trust issue, officials are concerned that the CPC could subpoena TikTok user data, which could
reveal valuable intelligence on adversary operational security. According to Chinese law, private sector companies are
obligated to hand over data at the request of the government.


Software Supply Chain Attacks


A software supply chain attack involves hiding malicious code within apps and software updates that users trust. The
malicious code is used to conduct nefarious tasks, such as spying on the user’s behavior, logging keystrokes (used for stealing
credentials), monitoring cameras and microphones, or even taking remote control of the device. Over the past three years,
more than six companies have suffered from software supply chain attacks at the hands of one particular Chinese threat
actor – APT41. Researchers and security teams around the world have observed a common attack pattern with this group.
They inject malicious code into software, push out updates across the world, and then sort through the victim list for intended
targets to exploit further.

In 2017, NetSarang, a Korean enterprise remote administration tool, was breached by APT41, which then implanted malicious
code into the software before cryptographic protections were applied. Months later, Avast revealed that its subsidiary’s
product CCleaner was compromised with a backdoor whose code closely matched the NetSarang code. Over 700,000
machines were compromised as a result, marking one of the largest supply chain attacks to date. In January 2019, Asus, a
Taiwanese computer company, announced that it had discovered a backdoor installed in its software, which was pushed out
to over 600,000 machines over the previous three months. The malicious backdoor shared many similarities to the CCleaner
attack. When research firm Kaspersky searched for similar code among its customers’ devices, it discovered that several
video game development companies were also affected by this same threat actor. To date, these attacks have been used for
espionage campaigns against very targeted victims.
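The two supply chain cases above fail in different places, and a verifier needs a different check for each. When code is altered after the vendor signs a release, the vendor's own signature or manifest catches it; when code is injected before the cryptographic protections are applied, as in the NetSarang case, the vendor's signature is valid and only a comparison against hashes from an independent source (a reproducible rebuild or a second distribution channel) exposes the divergence. The following is an added example, not code from the IntSights report or from any vendor's updater; HMAC-SHA256 with a placeholder key stands in for a real code-signing signature, and all file contents are constructed bytes.

```python
"""Update-bundle verification against a signed manifest plus an independent hash source.

Added example, not code from the IntSights report or any vendor's updater.
Assumption: HMAC-SHA256 with a placeholder key stands in for the vendor's real
code-signing signature; the file contents and hashes below are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

VENDOR_KEY = b"placeholder-vendor-signing-key"   # constructed stand-in for a signing key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Per-file SHA-256 digests: this is what a release signature actually covers."""
    return {name: sha256_hex(blob) for name, blob in sorted(files.items())}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> Tuple[bytes, str]:
    """Serialize the manifest canonically and authenticate it (HMAC stands in for a signature)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_update(files: Dict[str, bytes], manifest_body: bytes, tag: str, key: bytes,
                  independent: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Check signature, then file hashes, then (optionally) an independent hash source."""
    expected = hmac.new(key, manifest_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return {"ok": False, "reason": "manifest signature invalid"}
    manifest = json.loads(manifest_body)
    if set(manifest) != set(files):
        return {"ok": False, "reason": "file set differs from manifest"}
    bad = [n for n, blob in files.items() if sha256_hex(blob) != manifest[n]]
    if bad:
        return {"ok": False, "reason": "hash mismatch", "files": bad}
    if independent is not None:
        # The signed manifest is trusted only as far as the build it describes; compare
        # it with hashes obtained through a channel the build pipeline cannot influence.
        diverged = [n for n, h in manifest.items() if independent.get(n) != h]
        if diverged:
            return {"ok": False, "reason": "signed hash differs from independent source", "files": diverged}
    return {"ok": True, "reason": "verified"}


# Constructed clean release and the hashes an independent rebuild of it would produce.
CLEAN_FILES = {"updater.exe": b"constructed clean updater", "helper.dll": b"constructed clean helper"}
INDEPENDENT_HASHES = build_manifest(CLEAN_FILES)


def scenario_clean() -> Dict[str, object]:
    body, tag = sign_manifest(build_manifest(CLEAN_FILES), VENDOR_KEY)
    return verify_update(CLEAN_FILES, body, tag, VENDOR_KEY, INDEPENDENT_HASHES)


def scenario_post_signing_tamper() -> Dict[str, object]:
    """A file is altered after the vendor signed: the manifest check catches it."""
    body, tag = sign_manifest(build_manifest(CLEAN_FILES), VENDOR_KEY)
    delivered = dict(CLEAN_FILES, **{"helper.dll": b"constructed clean helper + implant"})
    return verify_update(delivered, body, tag, VENDOR_KEY)


def scenario_pre_signing_tamper() -> Dict[str, Dict[str, object]]:
    """Code injected before signing (NetSarang pattern): signature passes, independent hashes do not."""
    tampered = dict(CLEAN_FILES, **{"helper.dll": b"constructed helper with implant"})
    body, tag = sign_manifest(build_manifest(tampered), VENDOR_KEY)
    return {"signature_only": verify_update(tampered, body, tag, VENDOR_KEY),
            "with_independent": verify_update(tampered, body, tag, VENDOR_KEY, INDEPENDENT_HASHES)}


if __name__ == "__main__":
    print("clean:", scenario_clean())
    print("post-signing tamper:", scenario_post_signing_tamper())
    print("pre-signing tamper:", scenario_pre_signing_tamper())
```

The point of the second scenario is that a valid vendor signature proves only that the vendor's pipeline produced the bytes, not that the pipeline was clean; the independent-hash comparison is the control that addresses the attack pattern the text describes, and it is only as good as the independence of the second source.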

Recommendations
1. Threat actor attribution must be reevaluated and checked against evolving tactics and indicators of compromise,
and compared to past campaigns in order to accurately track behavioral changes.
2. Implement strategic cyber threat intelligence briefings into your security program to evaluate third-party risks and
Chinese state-sponsored threats to your industry or technologies in use.
3. Evaluate risks to your third-party supply chain, including deployed software, firmware, and hardware technologies.
4. Stay on top of new cyber threat trends and threat actors based in China to ensure your organization is prepared to
defend against potential attacks.

About IntSights
IntSights is revolutionizing cybersecurity operations with the industry’s only all-in-one external threat protection platform
designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable continuous
monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and
orchestrate proactive response. Tailored threat intelligence that seamlessly integrates with security infrastructure for
dynamic defense has made IntSights one of the fastest-growing cybersecurity companies in the world. IntSights has offices
in Amsterdam, Boston, Dallas, New York, Singapore, Tel Aviv, and Tokyo. To learn more,
visit: intsights.com or connect with us on LinkedIn, Twitter, and Facebook.

To see the IntSights External Threat Protection Suite of solutions in action, schedule a demo today.

Visit: Intsights.com Call: +1 (800) 532-4671 Email: info@intsights.com
