The South China Sea is an increasingly dangerous place to be in cyberspace. And as China is involved in territorial disputes over the area that bears its name with virtually all of its neighbours, there are no shortages of targets for its army of state-sponsored operatives.
F-Secure is the latest security vendor to confirm what most of us know already – that Chinese hackers, most likely working for the state, have been systematically stealing data from organisations with interests in the region for years now. Its new report, NanHaiShu: RATing the South China Sea, details a new piece of information-stealing malware used in campaigns targeting government and private sector firms. Why? They were all involved, directly or indirectly, in a recent UN tribunal over ownership of a group of rocks in the South China Sea. Victims included the Department of Justice of the Philippines, the organisers of the Asia-Pacific Economic Cooperation (APEC) Summit and a major international law firm involved in the tribunal.
F-Secure cyber security adviser, Erka Koivunen, told me he suspects a nation state was behind the attacks, although definitive attribution is always hard.
“Admittedly the malware itself may not be the most sophisticated piece of code there is. That doesn’t however mean that the operation wasn’t sophisticated,” he said via email. “The lack of zero-days and bleeding edge alien technology may admittedly seem a bit boring, but in fact is a sign of cold calculation and professionalism on the level of execution.”
This report is the latest of a long line of similar intelligence highlighting extensive cyber espionage in the region related to Beijing’s interests in the South China Sea and the rocks, reefs and islands that dot the landscape. Late last year a ThreatConnect report revealed an alleged PLA cyber espionage campaign dating back five years and targeting the Philippines, Singapore, Thailand, Vietnam and many others in the region. US interests have also been attacked.
William Glass, threat intelligence analyst at FireEye, believes this is just the beginning, as China begins to flex its muscles in the region.
“More recently, we have seen the list of targets expand to energy companies, legal firms, and even GitHub, targeted by China’s Great Cannon in March 2015,” he told me. “Beyond simply stealing information, Beijing has found there are benefits to using cyberspace to propagandise and attempt to influence behaviour.”
He claimed that the army’s new Strategic Support Force may see disputes in the area as the perfect opportunity to test its significant capabilities, which could range from “typical cyber espionage to learn of plans and intentions of commercial companies to efforts designed to influence companies’ decisions to invest or operate in the South China Sea.”
“Recently, the Chinese media has singled out Australia and Japan for particularly harsh criticism following the tribunal ruling,” Glass explained.
“It’s possible that China-based groups—with or without official government backing—will target Australian and Japanese commercial interests in retaliation for perceived interference or in an attempt to force Canberra and Tokyo to more carefully consider any follow-on action.”
For starters, firms working in the energy, logistics and shipping, and political and legal advocacy sectors in the region would do well to redouble their cyber security efforts. But the truth is that any organisation that deals with China or works in an industry where Chinese companies have interests – which is virtually every organisation – should consider the threat of state-sponsored attacks from the East. Yes, it’s more likely they’ll encounter ransomware than an info-stealing RAT guided by the PLA. But the threat is there, and as UK organisations increasingly look to the Middle Kingdom in this post-Brexit world, it’s one they should all take seriously.
I’ve just been putting together a piece for IDG Connect on tech predictions for China and Hong Kong in 2015. It’s always difficult to fit in all the comment I manage to get on these pieces, so here’s a bit more on the cyber security side of things, from FireEye threat intelligence manager Jen Weedon.
The long and the short of it is “expect more of the same” from China. The US strategy of naming and shaming PLA operatives ain’t really doing much at all.
“In the next six to twelve months, targeted data theft by China-based actors is likely to remain consistent with patterns we have observed in the past,” Weedon told me by email.
“We expect Chinese threat groups to conduct espionage campaigns that are in line with the Chinese central government’s political and development goals.”
So what exactly will these goals be in 2015? Well, according to Weedon we can expect data theft to focus on climate change and the tech sector.
“China’s ongoing pollution challenges provide strong incentive for threat actors to steal data related to technologies that can help China stem the environmental impact of its heavy reliance on coal,” she said. “We also expect cyber espionage activity against governments and policy influencers in the run-up to the 2015 UN Climate Summit as China seeks intelligence to enhance its negotiating position on global climate policy issues.”
As for the tech sector, China is stepping up its efforts to develop homegrown computing and semiconductor policies – ostensibly for reasons of national security, i.e. to close down the risk of NSA backdoors in US kit.
“As the country pursues these goals, we anticipate Chinese actors will leverage data theft to supplement knowledge acquired through legitimate channels such as joint ventures with experienced foreign partners,” Weedon told me.
“We regularly observe China-based threat actors target firms engaged in joint ventures with Chinese enterprises.”
Territorial disputes in the South and East China Seas will also continue to drive cyber espionage activity, she said.
As for beyond that, we’ll just have to wait until after the National Development and Reform Commission (NDRC) outlines development priorities for the 13th Five Year Plan.
“As the central government solidifies its goals for the 2016 to 2020 timeframe, we expect further clues to emerge about which topics are likely to enter threat groups’ cross hairs in 2015 and beyond,” said Weedon.
It’s very much a question, therefore, not of whether China will continue its blatant state-backed cyber espionage campaigns, but where it will focus its considerable resources.
Verizon’s annual Data Breach Investigations Report is out, and several headlines have pointed to it highlighting China once again as the biggest source of global cyber espionage threats. However, we need to be careful drawing such conclusions.
The report revealed that when it comes to cyber espionage, the majority (87%) is state affiliated rather than committed by organised crime (11%) and is targeted at victim organisations outside of the country of origin.
When it comes to “victim countries”, the US (54%) accounts for by far the majority, followed by South Korea (6%) and Japan (3%), although this is more of a reflection of the intelligence sources that inform the report than anything else.
More interestingly, it pegged “external actors” operating from Eastern Asia – mainly China and North Korea – as the most prolific worldwide, accounting for 49%.
Eastern Europe was next (21%), followed by Western Asia (4%), while North America and Europe were way down with just 1% each.
So what does this tell us? Well, those looking to prove that China is once again the arch bogeyman when it comes to global state-sponsored attacks should think twice, according to Verizon.
Report co-author and senior analyst Kevin Thompson told me that the results reflect the fact that large numbers of North American companies participate in the study and relatively few hail from East Asia – with none from China and Japan.
“We have been trying to recruit a partner organisation from China, Japan, or South Korea to increase our visibility into that part of the world,” he added. “Since many of our partners that investigate cyber espionage are based in North America they tend to only see attacks that are aimed at North American companies.”
Also, out of 511 total cyber espionage incidents recorded, more than half (281) were removed because no country could be attributed as the source of an attack.
“East Asia is the most commonly seen espionage actor when our partners are able to identify the country at all, which is not even half of the time,” Thompson explained.
“There tends to be more research around East Asian espionage than other countries, especially among North American partner organisations. Since there is more research in that area, it is easier for a partner to identify espionage from those regions while espionage from North America or Europe might be labelled ‘Unknown’ and would not be included in figure 59 of the report.”
If the NSA revelations have taught us anything it’s that the 1% figure for North America-based attacks is likely to be way smaller than in reality.
Verizon also claimed in the report that “the percentage of incidents attributed to East Asia is much less predominant in this year’s dataset”.
The real growth in activity is actually coming from Eastern European attackers, it said, adding the following:
At a high level, there doesn’t seem to be much difference in the industries targeted by East Asian and Eastern European groups. Chinese actors appeared to target a greater breadth of industries, but that’s because there were more campaigns attributed to them.
Malicious email attachment (78%) and web drive-by (20%) are still the most popular method of gaining access to a victim’s environment.
As for advice on how to lower the risk of a compromise, Verizon reiterated the basics.
These include: patch all systems and software so they’re fully up-to-date; use and keep an updated anti-malware solution; maintain user training and awareness programs; segment your network; log system, network, and application activity; monitor outbound traffic for data exfiltration; and use 2FA to stop lateral movement inside the network.
As a hack whose inbox has been deluged with this kind of dross for weeks now, I’m going to look ahead to 2014 with a more focused question, namely: “how will Western companies fare in China next year, and vice versa?”
Well, first up the signs aren’t looking good for US tech firms. Washington has turned up the anti-China rhetoric fiercely in 2013 and with high profile reports like Mandiant’s finally tying Beijing to cyber espionage, things were already looking tricky for US firms in China.
Then Edward Snowden happened – a gift from heaven for the Chinese government, which can now portray itself as a victim of spying, not a perp, with an even straighter face.
Expect the backlash to come from Beijing, partly because of this, but also because China has some world class companies of its own now, especially when it comes to networking equipment (Huawei and ZTE), PCs (Lenovo) and mobile devices (all of the above plus Xiaomi, Oppo, Meizu, Coolpad, etc etc), so it can afford to be more self-reliant.
IBM and HP have both announced they’re shedding jobs in the PRC, despite the strategic importance of the market.
IBM just announced a new cloud partnership which will see it team up with Azure partner 21 Vianet to provide managed private cloud capabilities to business customers there. However, it admitted in October to a 22 per cent sales slump in China. Ouch.
Cisco has seen a recent 6 per cent sales slump in China with John Chambers admitting on a November earnings call: “China continued to decline as we and our peers worked through the challenging political dynamic in that country.”
Then there’s Qualcomm, which counts China as a $1bn market and has worked with countless local OEMs to support their products, yet now finds itself at the centre of an anti-monopoly investigation which could see it fined in excess of $1bn.
The rule in Beijing seems to be: if you can’t beat ’em (and China still has some way to go before its chip makers are world class), fine ’em.
Expect more of the same next year.
So what of the great Chinese invasion? I spoke recently to Deloitte TMT partner William Chou about this.
In the hardware space historically only the likes of ZTE, Lenovo and Huawei had a chance to grow their offerings abroad, but with VC firms now splashing the cash, more innovative local firms will be able to invest in R&D and expand their footprint internationally, he argued.
Coolpad, Meizu and Xiaomi, to name but three, could be names to watch for 2014.
“There are a lot of these smartphone manufacturers but the ones which will be winners are not really the handset manufacturers but the ones which can combine hardware, software and internet services, like Xiaomi,” Chou told me.
Others he mentioned included a Shenzhen-based handset firm looking at JVs in France and South Africa and an unnamed private company “aggressively” looking to expand in the European market.
On the internet side there are fewer potential breakaway global brands which could make a real impact in 2014.
Tencent’s WeChat is definitely one of them, although Chou argued that Google-beater Baidu will struggle as it seeks to “re-engineer its business model from search to mobile internet”.
There are also a host of little-known software and online firms flying under the radar, ready to pounce, including one of China’s online travel giants which is looking to acquire in Germany, Chou revealed.
In fact, the recently announced Deloitte Fast 500 list of fastest growing APAC start-ups had more companies from the Middle Kingdom than any other country represented, although none made the top ten.
Going into 2014 entrepreneurs who are able to “apply technology to other industries” will stand the best chance of success, Chou said.
“China has an ageing population and a one-child policy so healthcare is a serious problem, so how you apply e-health will be a trend,” he explained. “Another major challenge is pollution, so clean tech will be a major area for entrepreneurs to consider as well.”
Whatever happens, things are never quiet in this part of the world. Let’s see what you’ve got, 2014.