While most people won’t be surprised to hear that China is investing heavily in cybersecurity, the extent of the country’s cyber power could be more significant than anyone would imagine.
According to Christopher Wray, director of the FBI, China already has a more extensive hacking program than every other major nation combined.
During his talk at the Mandiant mWISE conference on September 18, Wray repeated a figure he had previously presented to the US Congress in April 2023: “The Chinese cyber power is bigger than the rest of the world combined. If each of the FBI's cyber agents and intelligence analysts focused on China exclusively, Chinese hackers would still outnumber the US cyber personnel by at least 50 to 1.”
According to Sandra Joyce, Mandiant head of global intelligence, these figures are not so surprising given how sophisticated some Chinese threat actors have become. Speaking with Infosecurity, she said that “while they started with noisy, easily detectable spear-phishing campaigns that put them in a tier 2 or tier 3 category in the 1990s and 2000s, most Chinese APTs are now top tier without a doubt.
“The rise of China as a cyber superpower is all everyone in cybersecurity has been talking about for the past few years. And the geopolitical tensions around Taiwan make things worse, since geopolitical events nearly always beget cyber events nowadays,” she added.
Targeting Edge Devices Through Zero-Days and Bypassing Security Measures
In another mWISE panel on the same day, Ben Read, Mandiant head of cyber espionage analysis at Google Cloud, shared some of the trends the company is observing with China-backed threat actors.
“Chinese advanced persistent threat (APT) groups have been active for a very long time now, but, over the past two years, the level of sophistication of their attacks has been growing significantly. We see a few tactical advancements, including a heavy focus on targeting edge devices.”
He explained that, recently, instead of trying to compromise endpoint devices, Chinese hackers have been dedicating their efforts to targeting the assets that organizations rely on to access the internet, such as servers, routers or VPN services.
“They’re going after those through a couple of ways. First, they frequently exploit zero-day vulnerabilities – Chinese hackers have been the top state-sponsored threat actors in terms of zero-day usage over the past three years and responsible for the biggest share of the 62 zero-day exploitations we observed in 2023.”
This is the result of a recent reorganization of the People's Liberation Army (PLA) and the Chinese Ministry of State Security (MSS), meaning that “China has put a greater focus on using cyber as an asymmetric capability.”
The second method Chinese APTs typically use is to deploy malware that allows them to compromise a system without any victim interaction via phishing. “This is particularly effective since devices on the edge of the network are usually not architected in a way that allows installing an antivirus or endpoint detection and response (EDR) solution, which makes them easy to compromise,” said Read.
Yes, China Also Conducts Cybercrime and Disinformation Campaigns
Another interesting recent development in Chinese APTs is the emergence of groups that conduct both espionage and financially motivated campaigns.
“APT41, for instance, conducts both espionage and financially motivated campaigns,” Read said.
Joyce added that China likely hosts some access brokers that work with APT groups and cybercriminals.
Additionally, although China-backed financially motivated campaigns are not as blatant as North Korean ones, money is nonetheless a motive for some of them.
“We have seen them conduct espionage targeting organizations that are involved with, or could impact, the Belt & Road Initiative (BRI),” Joyce said.
Similarly, they use misinformation campaigns to protect market share and get a decision advantage around the BRI.
For instance, Mandiant has tracked Dragon Bridge, a threat actor the company has not attributed to China but that is aligned with Chinese interests. Dragon Bridge has operated fake social media accounts posing as citizens living near a Texas rare earth processing factory.
Speaking to Infosecurity, Candice Frost, a former officer at the Cyber Command’s Joint Intelligence Operations Center (JIOC) and an adjunct professor at Georgetown University, said that Meta shut down 7700 fake Facebook accounts and 950 fake Facebook pages that were linked to Chinese disinformation campaigns in August 2023 alone. “Meta warned that the numbers are continuing to grow,” said Frost.
However, this threat could potentially become harder to detect since China is increasingly leveraging emerging technologies like generative AI to deploy such campaigns.
According to Wray, the country “is poised to use the fruits of their widespread hacking to power, with AI, even more powerful hacking efforts.”
Candice Frost plans to launch a research paper on Russian and Chinese threat actors’ use of AI and deepfakes in their cyber offensive toolset within the next few months.