Beware of sleeping dragons

October 2018

David Bird FBCS reminds us that it is not just Russia in the East that we can expect cyber mischief from: China and North Korea are threats too.

There is a cold war frost creeping in after the recent exchanges of rhetoric between the West and Russia. All this has brought a nervous tension into the cyber dominion and a spate of disparaging comments about cyber war and the like. However, from this latest furore we should not forget the outstanding allegations and accumulated evidence of other nefarious cyber activities perpetrated over the past decade - all pointing towards the strengthening powers in the Far East.

It has been a considerable amount of time since the Mandiant Report provided evidence exposing the Advanced Persistent Threat (APT) actor APT1, located in the Shanghai region of China. Unsubstantiated evidence suggests there has been a decade of asymmetric cyber activities pointing to both the Chinese and the North Koreans; between them, their activities amount to cyber-espionage, politically motivated cyber-spying, cyber-crime and outright disruptive hacks.

Agendas afoot

Only this year, mistrust has been exacerbated by supposed Chinese actions to exfiltrate gigabytes of data from a US naval contractor. Furthermore, in 2018 it has been alleged that a UK government service provider was the subject of a malware attack in which backdoors originating from the China-linked APT15 were deployed.

Late last year an Australian defence contractor was hacked using the China Chopper remote web access tool, enabling data to be exfiltrated; it is now feared that restricted data pertaining to the F-35 Lightning has been acquired. Similarly, in 2009, a cyber-attack against one of the largest US defence aerospace companies, which builds stealth fighter jets, was attributed to China.

In 2016 the Chinese-linked APT10 was responsible for undertaking a global cyber-espionage campaign known as Operation Cloud Hopper. This approach consisted of subverting managed service provider infrastructure to fulfil Chinese national security goals. After gaining a foothold, APT10 deployed hallmark backdoors and remote access Trojans to conduct their nefarious activities and exfiltrate customer data.

In June 2016, Chinese APT actors targeted a European consumer electronics company and the US subsidiary of a French energy management company; the former just so happens to specialise in drone technologies and the latter is an infrastructure contractor for the US government and Department of Defense.

China was blamed for the high-profile hack of the US Office of Personnel Management in 2015. Additionally, there is a suspicion that in 2008 the smartphones and laptops used by staff of the US Republican leadership campaigns were undermined by hackers working for the Chinese government. Also, a US think tank that was going to host an event featuring an exiled Chinese entrepreneur detected a Shanghai-based cyber-attack last September.

In 2011, a number of US drone companies received weaponised spear-phishing emails thought to have originated in Shanghai. Other collaborative cyber warfare efforts are suspected with Chinese involvement after US unmanned aerial vehicles (UAV) were captured by the Iranians.

Google’s office in China was hacked in 2009. The cyber-attack was traced back to Taiwan but is thought to have originated from Beijing; the attackers pivoted to Google’s headquarters in the US and the company laid the blame firmly at the Chinese government’s door. It is thought the intent was to gain access to dissident Gmail accounts.

Likewise, recent events such as watering hole attacks (which infect a targeted user’s computer and gain access to the network at the target’s place of employment) against South Korea in 2018, last year’s WannaCry worm attack against the UK National Health Service, the cyber-crime against the Bangladeshi bank in 2016 and the attack in 2014 against Sony Pictures have all been blamed on the North Korean-linked Lazarus Group. Now the US Cyber Emergency Response Team has issued a recent alert regarding two strands of malware attributed to the North Korean government.

Suppositions

It is probably no coincidence that China has developed technologies that appear to be clones of US designs - take, for instance, the similarity between the superior F-22 Raptor, with a pedigree dating back to the 90s, and the Chinese J-20 aircraft, with its origins coincidentally starting from 2009. Of course, this is not unusual. Another controversial airframe is the Chinese CH-4 (circa 2013) and the more recent and larger CH-5, which look almost identical to the US MQ-9 Reaper UAV (from 2005) - the CH-4B combat variant is, however, disadvantaged by China’s inferior engine designs.

Long before cyber-espionage tools, tactics and techniques were developed, spying on an adversary had been practised for millennia. However, espionage at the level probably conducted by the Chinese is unprecedented. Comparatively, during the cold war some Russian aircraft designs did have striking similarities to Western airframes.

These likenesses were attributed to some copying, brinksmanship and also the limitations of aerodynamics. There may have been some espionage activities conducted by the Soviet Union, but nowhere near the same amount as by the Chinese, who have purportedly carbon-copied nigh-on entire US aircraft designs.

Meanwhile Lazarus Group affiliates appear to have undertaken cyber-espionage and sabotage against South Korea and, in 2018, continue to target foreign defence, national infrastructure and financial industries. It might appear that, with trade sanctions in place, there may have been a desire to raise capital through cyber-crime.

Therefore, you might be forgiven for thinking, in a pessimistic and speculative way, that such activities may in some way be associated with the bankrolling of the North Korean nuclear weapons programme. Coincidence?

With hindsight, it appears that Chinese hackers tried to take control of the domain used by the WannaCry payload; the same domain registered by the British computer professional who rendered it useless for that active strain. Was this action undertaken for nefarious purposes or an attempt to deal with the malevolence probably perpetrated by its neighbour after China was also hit? Speculation? Or was this a protest action?

Conclusion

From 2014, there has been a concerted effort for international cooperation against cyber-crime between the UK’s National Crime Agency and China. Over the past few years commercial collaboration has been strengthening between the UK government and a large Chinese corporation on matters of technology provenance. China is also investing in a large UK critical national infrastructure project; hence commerce is driving and encouraging ties between our countries. In a similar vein, an accord was signed three years ago between China and the US; both formally agreed not to conduct or knowingly support economic cyber-espionage.

However, from recent events it would appear that old tricks die hard and there is apparently fresh concern in the US over a separate Chinese manufacturer of mobile phones; so much so that the US Department of Homeland Security and the Federal Bureau of Investigation have issued warnings about unmitigable risks - the UK has followed suit.

Although Chinese cyber-espionage involvement has been flatly denied over the years by its politicians, the state appears to have a multi-faceted approach to achieving economic gain and trade growth. It encompasses both commercial and clandestine methods, combined with surveillance against human rights activists and Taiwan on the outside, whilst using the Great Firewall of China on the inside.

Similarly, the North Korean Lazarus Group affiliates have conducted more pointed state-sponsored style attacks, seemingly against anyone who dares to stand up to the North Korean state.

So, in effect, credible hypotheses can be built upon these facts, surmising that China has used its cyber competencies in the past for cyber-espionage and for manoeuvring by way of cyber-spying. North Korea has allegedly chosen to use cyber capabilities for the pursuance of crime and, certainly, disruption.

Even in the absence of incontrovertible proof, with all these coincidences across the cyber-geopolitical landscape, there can be no denying the shameful pernicious cyber behaviours stemming from these ‘sleeping dragons’.

Image: Getty/Zorazhuang