The South China Sea is an increasingly dangerous place to be in cyberspace. And as China is involved in territorial disputes over the area that bears its name with virtually all of its neighbours, there are no shortages of targets for its army of state-sponsored operatives.
F-Secure is the latest security vendor to confirm what most of us know already – that Chinese hackers, most likely working for the state, have been systematically stealing data from organisations with interests in the region for years now. It’s new report, NanHaiShu: RATing the South China Sea, details a new piece of information-stealing malware used in campaigns targeting government and private sector firms. Why? They were all involved, directly or indirectly, in a recent UN tribunal over ownership of a group of rocks in the South China Sea. Victims included the Department of Justice of the Philippines, the organisers of the Asia-Pacific Economic Cooperation (APEC) Summit and a major international law firm involved in the tribunal
F-Secure cyber security adviser, Erka Koivunen, told me he suspects a nation state was behind the attacks, although definitive attribution is always hard.
“Admittedly the malware itself may not be the most sophisticated piece of code there is. That doesn’t however mean that the operation wasn’t sophisticated,” he said via email. “The lack of zero-days and bleeding edge alien technology may admittedly seem a bit boring, but in fact is a sign of cold calculation and professionalism on the level of execution.”
This report is the latest of a long line of similar intelligence highlighting extensive cyber espionage in the region related to Beijing’s interests in the South China Sea and the rocks, reefs and islands that dot the landscape. Late last year a ThreatConnect report revealed an alleged PLA cyber espionage campaign dating back five years and targeting the Philippines, Singapore, Thailand, Vietnam and many others in the region. US interests have also been attacked.
William Glass, threat intelligence analyst at FireEye, believes this is just the beginning, as China begins to flex its muscles in the region.
“More recently, we have seen the list of targets expand to energy companies, legal firms, and even GitHub, targeted by China’s Great Cannon in March 2015,” he told me. “Beyond simply stealing information, Beijing has found there are benefits to using cyberspace to propagandise and attempt to influence behaviour.”
He claimed that the army’s new Strategic Support Force may see disputes in the area as the perfect opportunity to test its significant capabilities, which could range from range from “typical cyber espionage to learn of plans and intentions of commercial companies to efforts designed to influence companies’ decisions to invest or operate in the South China Sea.”
“Recently, the Chinese media has singled out Australia and Japan for particularly harsh criticism following the tribunal ruling,” Glass explained.
“It’s possible that China-based groups—with or without official government backing—will target Australian and Japanese commercial interests in retaliation for perceived interference or in an attempt to force Canberra and Tokyo to more carefully consider any follow-on action.”
For starters, firms working in the energy, logistics and shipping, and political and legal advocacy sectors in the region would do well to redouble their cyber security efforts. But the truth is that any organisation that deals with China or works in an industry where Chinese companies have interests – which is virtually every organisation – should consider the threat of state-sponsored attacks from the East. Yes, it’s more likely they’ll encounter ransomware than an info-stealing RAT guided by the PLA. But the threat is there, and as UK organisations increasingly look to the Middle Kingdom in this post-Brexit world, it’s one they should all take seriously.
China’s head honcho when it comes to censorship recently stepped down. This being China, no-one seems to know whether he was effectively sacked, or asked to move to a new bigger and better role. But what we do know is that things aren’t going to get any better for those inside the Great Firewall.
Over the past three years, Lu Wei has been a constant thorn in the side of rights groups, diplomats and Silicon Valley bosses. His aggressive defence of China’s sovereign right to do with its internet what it sees fit – most notably at the laughably titled World Internet Conference in Wuzhen – has been jarring at times. The Cyberspace Administration of China (CAC) he headed up also runs root CA and .cn operator the Chinese Internet Network Information Center (CNNIC). As such, it was blamed by Google last year for issuing unauthorized TLS certificates for several of its domains, which were subsequently used in man-in-the-middle (MITM) attacks.
Even more damning, the CAC was accused of launching Man in the Middle attacks on Outlook users last year in response to its migration to HTTPS, which the authorities can’t monitor. And then it was pegged for a DDoS attack on anti-censorship organisation Greatfire.org – a constant thorn in the side of the authorities in Beijing.
I spoke to Greatfire.org co-founder Charlie Smith about the reasons for and implications of Lu’s departure.
“If it ain’t broke, don’t fix it, right? We probably just had the quietest anniversary of Tiananmen [Square massacre] yet, in terms of online dissent and discussion. There is more censorship in general. Less circumvention because of a crackdown on VPNs. And fewer foreign companies are trying to challenge the status quo,” he told me via email.
“We know controlling the medium is pretty near the top of [president] Xi Jinping’s agenda. So why make a change now? The timing likely indicates that this was a planned and not a rash decision. There was no need to unsettle things before the 4 June anniversary and the change happens well before the next ‘World’ Internet Conference in Wuzhen.”
Smith went on to argue that, even though Lu presided over an unprecedented crack down on internet freedom – primarily through a new regulation banning the spread of “rumours” online – he didn’t go far enough.
“Lu was not perfect. As we have shown, it is impossible to completely block all information for those inside China,” Smith continued. “Maybe in this regard, Lu was being blamed and Xi decided he wanted somebody who can get the job done. Maybe Xi was upset about being ‘vilified as a murder suspect’ and could not comprehend why Lu Wei was unable to scrub information from the Chinese internet.”
Lu’s removal, if that is what it was, may also have been an attempt by Xi at curbing his growing influence – after all, propaganda is at the heart of the Party’s power and everyone inside knows it. His replacement, Xu Lin, is a Xi Jinping acolyte and one time deputy secretary of Tibet’s Shigatse Prefecture who will certainly toe the presidential line.
As Smith put it, “if Xu Lin fails to quell ‘rumours and slander’ Xi does not have to second-guess whether or not Xu is doing everything within his power to stop these attacks.”
So what prospects for the future? Pretty grim if you’re inside China and are a fan of human rights and internet freedom.
Beijing was one of a few countries – Russia, India, Indonesia included – that voted against a non-binding resolution at the UN this week stating all individuals must be afforded the same rights online as offline and that the universal right to freedom of expression should be upheld online.
As Smith said, if Xu Lin “handles information control on the Chinese internet the same way the authorities handle information control in Tibet then the situation could even get worse.”
There is some hope for businesses and individuals which need to leap the Great Firewall.
The hope is that it will encourage greater use of VPNs and help developers improve their circumvention products, as well as provide a much needed additional source of revenue for Greatfire.
The concern is that if it gets popular enough, Beijing will do all it can to put it out of action.
First of all, the app market will see an ever-tightening regulatory regime following new regulations passed in October, according to co-founder Percy Alpha.
“I fear that in the future, apps will be like websites, i.e you have to get a license before publishing any,” he told me by email.
Then there’s the current trend for Man in the Middle attacks as a way to monitor and block access to various online services and sites.
The Great Firewall has already tried this tactic on Google, Yahoo and iCloud to name but three. It’s the only way the authorities can see what people are up to once a site switches to HTTPS.
The smart money is apparently on more of these attacks in 2015, but increasingly focused on smaller sites so as to not arouse much media attention.
The Chinese authorities have also been going after Greatfire itself of late, proof the anti-censorship group must be doing something right.
Their mirrored sites, which allow users behind the Great Firewall view blocked content, have been a minor irritant to the authorities until now. But since last week Beijing upped the ante in two astonishing moves against the content delivery networks (CDNs) Greatfire uses.
The first resulted in EdgeCast losing all service in China – which could mean tens of thousands of sites affected. Then another swipe took out an Akamai subdomain also used by HSBC. The result? Its corporate banking services became unavailable. It just shows the lengths the Party is prepared to go to control the flow of information.
The last word goes to co-founder Charlie Smith:
“I think we will continue to see the kinds of crackdown we have seen this past year. I think that for a long time, many optimists have said, give the authorities some time, restrictions will loosen up and information will flow more freely. If anything, the exact opposite is happening – I’m not sure why people seem to make comments otherwise.
If anything, I think the authorities will take censorship too far in 2015. They will push the Chinese over the limit of what they are willing to tolerate.”
It’s based on a Trend Micro report – The Mobile Cybercriminal Underground Market in China – published this week by its Forward Looking Threat Research Team, which reveals once again the sophistication and commercialisation of the underground networks via which cyber criminals trade goods and service.
Although the report itself doesn’t throw up a huge amount of new data it’s interesting to see evidence that such networks exist in China, selling common attack kits like premium service abusers, SMS Forwarder Trojans and spam.
Typically, being broadcast journalism we were kept strictly to 5 minutes of short, sharp soundbursts by the BBC which allowed for little meaningful discussion of the topic besides “what’s the Dark Web”? “How do I get on it?” and Who’s behind these attacks?”. I had a better chat with the researcher the night before.
That said, it’s an important topic to air publically.
Although we didn’t cover this in as much detail as I’d have liked, the real message to listeners of the program – which apparently has among the highest audience numbers on the planet – is to be more vigilant when downloading apps online and make sure they install basic AV on smartphones.
In China, where unregulated third party Android stores are the norm and mobile AV is rare, the cyber criminals have it made.
The only light I can see on the horizon in this part of the world is for the government to follow through with its planned regulation of the mobile app space. This would force industry to self-regulate and clamp down on malicious apps either pre-loaded onto phones or uploaded to web stores.
The only problem is that any new regulations are also likely to restrict content deemed “offensive” to Beijing – in other words censorship by the back door.
I’ve been doing a bit of work researching a piece on the latest Lenovo bombshell to hit the tech world – its $2.9bn bid for Motorola Mobility. Now, in my innocence, I reckoned there might be quite a few hurdles for Lenovo on this one, but the analysts I spoke to were pretty upbeat on the deal.
Remarkably, most were pretty confident this was a good buy and that it’ll help propel the firm to third in the global smartphone stakes in a matter of a couple of year.
It’s easy to see why on paper. Here’s what Canalys APAC MD Rachel Lashford told me were the main benefits for Lenovo:
· Immediate entry to the US market, Motorola’s major market, as well as key markets in Western Europe and Latin America.
· A unique relationship with Google.
· Credibility with operators and consumers worldwide.
· Existing US operator relationships and a handful of global ones.
· Additional experienced phone sales teams.
· Additional and highly rated phone engineers.
· Additional tablet and phone shipments, as it becomes the key manufacturer of Google’s Nexus line.
Hard to argue with that lot. It’s also hard to see how Lenovo could have done better than Motorola – there wasn’t much choice out there, after all (BlackBerry? HTC?). Except that doesn’t mean it’s going to be a success. Although it has high brand recognition in the US, Motorola is a fading star, with neither innovative designs or huge volume sales to its name.
I wonder then if it’s really going to give Lenovo that huge leg-up into the US smartphone space it desperately wants. I’ll be even more surprised if Lenovo merges the two brands, as various analysts told me will happen eventually, unless Plan A has succeeded perfectly.
The thing I imagined would cause the biggest potential roadblock is a US political backlash. Lawmakers can be a pretty obstinate bunch, especially when they feel their country is being invaded by ‘foreign hordes’.
It’s certainly right to say that Lenovo has a better relationship with the US government – where ThinkPads are still used – than most Chinese firms, and that consumer smartphones are hardly a national security matter, unlike telecoms infrastructure (sorry Huawei, ZTE). But I still think there’s the potential for a unwelcome bit of political interference here, especially if some more news comes to light on Chinese spying and state links to tech firms.
Given the stakes, it’s not surprising Lenovo has apparently hired some big name attorneys, some of whom have worked for the CIA and Homeland Security, to help it lobby the deal through.
Lashford even speculated that “announcing two deals in one month will ease its progress, not complicate it”. I suppose we’ll all have to wait and see on that one.
One thing’s for certain: Motorola employees will be a happy bunch. I wonder how may will be queuing up for Lenovo CEO Yang Yuanqing’s annual $3m employee bonus giveaway?