The Dark Side of China
Table of Contents
Executive Summary (p. 3)
The Growing Chinese Threat (p. 3)
China’s Vision for Growth and Global Power (p. 4)
The PRC as an Evolving Cyber Threat (p. 4)
Emerging Chinese Targets in 2020 (p. 4)
Target Spotlight: India (p. 5)
Target Spotlight: Australia (p. 5)
Target Spotlight: Cultural and Religious Organizations (p. 6)
Attacks and Surveillance on Uighur Muslims (p. 6)
Attacks on the Vatican and Catholic Church (p. 7)
Target Spotlight: Hong Kong (p. 7)
Evolving Threats (p. 8)
Surveillance and Espionage (p. 9)
APT41/Winnti Group (p. 9)
Information Warfare (p. 9)
Abuse of Technology Exports (p. 10)
Recommendations (p. 11)
Executive Summary
The People’s Republic of China (PRC) is perhaps the world’s
greatest cyber power. Current Chinese President Xi Jinping
has demonstrated he is far more aggressive than his
predecessor, Deng Xiaoping. Over the past decade, China
has become increasingly forthright in its intentions, and
this change has been observed in cyber operations as well.
Researchers have observed stark differences in tactics, tone,
and behavior from Chinese state-sponsored cyber, military,
and political parties over the past several years.
This report explores how China’s cyber operations are evolving to fit the dynamic digital landscape and achieve its strategic
short- and long-term objectives. IntSights researchers have assessed, with high confidence, that China is pursuing economic
growth and global expansion, according to the 13th Five-Year Plan and the “Made in China 2025” initiative. The Chinese
government seeks to gain influence and create a world more accommodating to its values and economic rule. China is
achieving this through:
• Aggressive, targeted cyber espionage campaigns aimed at dozens of public and private sector organizations and
countries in pursuit of intellectual property, trade secrets, and technological advancements in artificial intelligence (AI)
and machine learning (ML) to gain market and military advantages.
• Advanced military-led cyber offensive attacks utilizing newly developed native malware, such as GoldenSpy, Mgbot
malware, and Taidoor.
• Digital suppression of foreign and domestic cultural, political, and religious views that counter the Chinese
Communist Party.
The Communist Party of China (CPC or 中国共产党) is the ultimate authority in mainland China. The military and government
in China are subordinate to the CPC, unlike in Western societies, in which political parties vie for representation within
government. The People’s Liberation Army (PLA) reports directly to the CPC’s Central Military Commission (CMC or 中国共产党中央军事委员会).
This political structure is important to understand. The result is that military-sanctioned cyber attacks are ordered
and approved by the CPC. Cybercrime is strictly forbidden outside of what serves the state and the CPC.
The CPC is expected to release the 14th FYP in March 2021. Considering rising tensions between China and the United States,
experts predict that the next FYP will focus on autonomous development and reducing reliance on US and allied resources,
such as technology and exports. Furthermore, China is expected to continue solidifying partnerships in the Middle East and
budding nations in Africa, providing crucial funding and investments in foreign infrastructure, such as roads, rails, and ports.
Closely following these developments allows researchers to analyze China’s priorities and motivations, accurately attribute
cyberattacks, and observe which industries, technologies, and governments are being targeted.
websites, exploitation of vulnerabilities in Android operating systems commonly used among the minority population, and
tracking and targeting of website visitors through digital profiling and exploitation. The attackers used Google apps for gaining
access to emails and contact lists of Gmail accounts via OAuth, and utilized copycat domains mimicking Google, the Turkistan
Times, and the Uighur Academy as lures.
Figure 5: Malwarebytes sample document from the Hong Kong Mgbot malware campaign, 2020
Evolving Threats
Surveillance and Espionage
China is one of the most advanced surveillance states in the world today. Few nation-states have the technical and
political capabilities to collect data on human beings like China does. Its strategic objectives focus heavily on the research
and development of surveillance and data collection technology, artificial intelligence (AI), and machine learning (ML), and it
has been successful in both developing its own technologies and stealing technological secrets and patents-in-development
from public and private organizations around the world. The CPC uses these technologies for multiple purposes, including the
advancement of manufacturing technology, military technology, and robotics. However, there is a dark side to China’s use of AI
and ML as well.
The state monitors its population for both negative and positive behavior. Xi Jinping’s objective is to identify dissenters in real
time. Some examples of negative infractions include traffic violations, playing loud music, eating in public transit areas, not
sorting rubbish properly, and fraudulently using someone else’s public transit passes. Positive behaviors that can raise one’s
social credit score include donating to charity, volunteering for community service, donating blood, and heroism. The citizen’s
credit score is used to elevate or stigmatize the individual and use social pressure to encourage conformity. This technology
is used invasively against religious minority groups and enemies of the state. In 2019, when Hong Kong citizens took to the
streets to protest new proposed extradition laws, the CPC began large-scale surveillance and facial recognition operations
to identify and apprehend protesters. To counter this effort, protesters began to wear masks and paint their faces in ways
that confused the government’s AI technology. The CPC also uses this technology to monitor and suppress groups in Tibet,
Xinjiang, and Taiwan.
APT41 attacks have targeted organizations in at least 15 countries, as well as Taiwan and Hong Kong. Their operations can
be tracked back as far as 2012, with some researchers discovering campaigns going back to 2008. Their targeting has spanned
a range of industries, including software and video game developers in South Korea and Hong Kong, healthcare, telecoms,
the high-tech sector, higher education, travel services, and news media firms worldwide.
APT41 is a technically capable hacking group that has utilized over 46 different code families and over 150 pieces of unique
malware and hacking tools, including, but not limited to, rootkits, credential stealers, keyloggers, and MBR bootkits, to hide
its presence and maintain persistence in victims’ networks. Malware and tooling associated with this group include Metasploit,
Cobalt Strike, trojanized ASUS updates, trojanized CCleaner, Winnti, the PipeMon backdoor, ShadowHammer, XMRig (a
final-stage cryptominer), and more.
Between January and March of 2020, APT41 was observed targeting Citrix, Cisco, and Zoho network appliances with
Speculoos malware through exploitation of a recently disclosed vulnerability, CVE-2019-19781.
Information Warfare
The Chinese Communist Party (CCP) will go to great lengths to “save face,” protect its reputation, and appear functional and
efficient to its own people, as well as to governments around the world. The CCP has already invested billions of dollars in
protecting its reputation on the global stage to paint a picture of a responsible, mild-mannered global rise to power. Chinese
influence operations are conducted by the United Front Work Department (UFWD), a network of academic, business, and
cultural institutions located domestically and abroad.
In 2019, IntSights published a report called PSYOPS: How States Weaponize Social Media to Disrupt Global Politics that breaks
down the concept of information warfare and disinformation campaigns. The report contrasts how China and Russia use
information warfare for different objectives. However, these two countries have recently found common ground. In 2020,
prompted by the global COVID-19 pandemic and global scrutiny, China has dramatically changed its tactics for disinformation.
From late 2019 into early 2020, COVID-19 broke out in Wuhan, China. Several American leaders, including President Trump,
labeled the virus the “Wuhan virus,” attributing the outbreak to China’s mishandling of biological material at the Wuhan
Institute of Virology and accusing China of having engineered the virus in the lab. This began an information war between
China and the rest of the world, prompting the CPC to aggressively defend itself against rumors. Within a few months, the
Chinese government took to social media with influence campaigns, both inside the country and around the world. The tactics
looked similar to previous disinformation campaigns inside of China: spreading messages to quell concerns and rumors of
the Chinese government creating COVID-19, minimizing the numbers of positive COVID-19 tests, and using propaganda to
influence Chinese citizens to quarantine inside their homes for the good of the public.
Within months, the narrative shifted to pointing fingers at the United States as the creator of the novel coronavirus in a US
state-operated lab. Chinese diplomats and embassies flocked to Twitter, which is banned within China, to amplify conspiracy
theories about the virus’s origin. According to the Brookings Institute, Chinese foreign service officials now have more than
100 accounts on Twitter — a “300% increase since April of last year”. One Chinese Foreign Ministry spokesman tweeted to
300,000 followers that COVID-19 originated in the United States, and included a link to a pro-Kremlin (Russian) media outlet.
The tweet was then shared by over a dozen Chinese officials. It is becoming increasingly clear that China and Russia have a
similar narrative to spread and are working together to amplify each other’s messages in a coordinated manner. The goal
is simple: break down trust in democracies, disrupt election cycles or manipulate democratic election results, and gain
economic advantage over adversaries to advance global position and power.
In June 2020, Twitter reported that it had shut down over 173,000 accounts that were spreading a false and misleading
“Communist Party of China geopolitical narrative.” 23,750 of those accounts were posting original content,
and 150,000 accounts were used to amplify, or share, those same messages across multiple media outlets. In July 2020,
the European Union spoke out, publicly accusing China of mass-scale information warfare. This was an unprecedented
announcement by the European Union, which followed a rash of disinformation attacks on France.
Privacy advocates and technology leaders around the world are concerned with the close relationship between the
Communist Party of China and Huawei. Essentially, if a significant conflict were to occur, the theory is that Huawei officials
could commandeer their equipment overseas, shut down systems, and cut off adversaries’ access to communications.
In February 2020, US national security adviser Robert O’Brien said, “We have evidence that Huawei has the capability to
secretly access sensitive and personal information in systems it maintains and sells around the world.” The US intelligence
report was declassified in 2019 to enable sharing with allied countries in an effort to convince them to shut Huawei out of
5G developments in those countries. Huawei has denied all allegations of misuse of its technology, as China does for all
espionage accusations.
TikTok
TikTok is one of the top 10 most downloaded mobile apps in the United States. The popular social media app is owned by
Bytedance, a China-based parent company. In August 2020, US President Donald Trump signed an executive order banning
the mobile application TikTok from the United States, citing intelligence community concerns over excessive personal data
collection. Like the Huawei trust issue, officials are concerned that the CPC could subpoena TikTok user data, which could
reveal valuable intelligence on adversary operational security. According to Chinese law, private sector companies are
obligated to hand over data at the request of the government.
In 2017, NetSarang, a Korean enterprise remote administration tool, was breached by APT41, which then implanted malicious
code into the software before cryptographic protections were applied. Months later, Avast revealed that its subsidiary’s
product CCleaner was compromised with a backdoor whose code closely matched the NetSarang code. Over 700,000
machines were compromised as a result, marking one of the largest supply chain attacks to date. In January 2019, Asus, a
Taiwanese computer company, announced that it had discovered a backdoor installed in its software, which was pushed out
to over 600,000 machines over the previous three months. The malicious backdoor shared many similarities to the CCleaner
attack. When research firm Kaspersky searched for similar code among its customers’ devices, it discovered that several
video game development companies were also affected by this same threat actor. To date, these attacks have been used for
espionage campaigns against highly targeted victims.
Recommendations
1. Threat actor attribution must be reevaluated and checked against evolving tactics and indicators of compromise,
and compared to past campaigns in order to accurately track behavioral changes.
2. Implement strategic cyber threat intelligence briefings into your security program to evaluate third-party risks and
Chinese state-sponsored threats to your industry or technologies in use.
3. Evaluate risks to your third-party supply chain, including deployed software, firmware, and hardware technologies.
4. Stay on top of new cyber threat trends and threat actors based in China to ensure your organization is prepared to
defend against potential attacks.
About IntSights
IntSights is revolutionizing cybersecurity operations with the industry’s only all-in-one external threat protection platform
designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable continuous
monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and
orchestrate proactive response. Tailored threat intelligence that seamlessly integrates with security infrastructure for
dynamic defense has made IntSights one of the fastest-growing cybersecurity companies in the world. IntSights has offices
in Amsterdam, Boston, Dallas, New York, Singapore, Tel Aviv, and Tokyo. To learn more,
visit: intsights.com or connect with us on LinkedIn, Twitter, and Facebook.
To see the IntSights External Threat Protection Suite of solutions in action, schedule a demo today.
Visit: Intsights.com Call: +1 (800) 532-4671 Email: info@intsights.com