Inside The Chinese-Hacking Underground
Chinese-speaking hacking activity is on the rise. In April, Kaspersky Lab revealed a rising number of APT operations and new threat actors. In June, an ongoing campaign targeting a national data center in Central Asia was attributed to the Chinese-speaking group LuckyMouse, and new research from Symantec recently uncovered a Chinese-linked hacking group targeting US-based satellite companies.
IDG Connect talked to Mark Schaefer, an analyst on Flashpoint’s Asia-Pacific team, about what CSOs need to know about the threat from Chinese-language threat actors.
Can you explain how the Chinese-language cyber-criminal underground differs from other communities?
The most striking difference that we have observed between the Chinese-language underground and other communities is that the former is much more dispersed. Chinese actors are not as reliant on traditional web forums; their places of congregation and methods of communication are fluid and dynamic.
Chinese threat actors often rely on legitimate services offered to them within China (QQ, WeChat, Taobao, Baidu, Tieba, etc.) for communication because these platforms are ubiquitous in China, making communicating with other actors and finding resources convenient. At the same time, Chinese actors pivot across multiple chat rooms and threads among these platforms.
In addition, there appears to be an increasing cadre of Chinese underground actors who are cognisant and wary of being monitored, especially by their own government. These individuals often encourage others to use anonymizing tools and avoid popular Chinese communications applications like QQ and WeChat, since the authorities have access to this chat data.
However, Chinese actors cognisant of anonymity concerns may be in the minority, since a large amount of Chinese threat actor correspondence still takes place on several native Chinese platforms which are known to be monitored.
The push amongst some Chinese threat actors for higher consciousness for anonymity is likely associated with China’s new cyber-security law and regulations, enacted in 2017, that are representative of the Chinese government's efforts to fortify the country's information security architecture and expand its monitoring capabilities into all domestic data flows.
For context, the Chinese government views the Internet and information technologies as a double-edged sword: these technologies are key catalysts to growth and prosperity, but allowing unmonitored and unconstrained access to the Internet can foster numerous significant threats to the regime, including social organisation, the rapid growth of popular movements and “harmful” ideologies, and so on.
Among these legal changes were efforts to tie every online alias to a real identity and increase scrutiny towards any online post that may be dubbed illicit or involved in spreading “rumors” which may destabilise the state.
What topic is most openly discussed on the Chinese-underground forums?
Financial motivations are paramount in the Chinese Deep and Dark Web. The buying and selling of personally identifiable information (PII) that can be used for fraud and/or identity theft is the most frequent topic of discussion. Personal materials, such as copies of passports, government-issued ID cards, and credit and bank card numbers are some of the most highly sought-after items. Aside from the trade in PII, malware development and customization services are also highly prevalent.
What other trends are you seeing in the Chinese-language underground community? What activity is increasing/decreasing?
Chinese threat actors are increasingly making use of anonymised modes of communication, likely to avoid government monitoring. For example, Chinese actors frequently remind other users to utilise proxies, virtual private networks (VPNs), the Tor network, and end-to-end encrypted chat applications, such as Telegram. Actors adopting these measures may still be in the minority, but there has been a noticeable uptick in discussions around online anonymity roughly over the past year.
We have also observed a more explicit commitment to anonymity on newer Chinese-language DDW (Deep and Dark Web) forums compared to previous forums that have for one reason or another disappeared. For example, administrators of these sites forbid users from making public any data that could tie their online alias to their real identity.
Administrators on some Chinese DDW forums also highly encourage the use of their in-house, crypto-currency-enabled payments and escrow services. This not only allows transactions to be made anonymously, but also builds trust within the entire community, since users may believe that their financial interests and identities enjoy some level of protection from exposure.
Similarly, another trend appearing in the recent past is the emphasis on community building. The moderators and administrators of some Chinese DDW sites strongly encourage, and in some cases require, actors to converse with each other and divulge personal information such as technical skills, interests, beliefs and political views, as well as commitments to the values that the forums claim to uphold.
What surprises you about what you’re seeing?
What I find noteworthy about the Chinese DDW community is their fluidity as well as continued contact with other-language DDW communities. Chinese threat actors pivot between multiple places of congregation, which differentiates their community from others, since these other communities rely on forums that are explicitly malicious in nature. The Chinese DDW community also leverages the Russian-language DDW community and procures knowledge, tools, products and services from Russian DDW forums and marketplaces.
How is the threat posed by threat actors from this community changing?
While cyber-crime in China is by no means a new phenomenon, the ongoing evolution of the Chinese DDW landscape and the apparent drive towards greater anonymity and the use of non-Chinese, in some cases end-to-end encrypted communications mediums is likely to frustrate efforts at monitoring communities of interest, as well as inhibit the effectiveness of fraud detection and prevention systems. Moreover, while law enforcement in China has had some notable successes in clamping down on cybercrime actors domestically, the move towards platforms which are not as readily monitored may hamper these efforts.
Are these threat actors being overlooked as a threat?
Traditionally, cyber-crime researchers, for good reason, have focused their efforts on keeping tabs on threats from the Russian underground, as these communities have proven to house the most persistent, organised, and advanced cyber-crime actors.
Nevertheless, there is a large Chinese DDW community, and despite widely being considered behind their Russian compatriots in the domain of cybercrime, the Chinese DDW community is becoming more advanced and learning from, and in many cases using, Russian forums and marketplaces to gain access to malicious tools. As a result, the threat posed by the Chinese cybercriminal ecosystem is very real and likely growing.
How can we disrupt these threats? What do CSOs need to know or do?
Do not undervalue or underestimate the Chinese DDW ecosystem. This community might not currently possess the sophistication of the Russians, but the landscape is constantly evolving. This also does not necessarily mean that there are not threats to their organizations on the Chinese DDW already.
In order to gain insight into and disrupt these threats, CSOs can either develop a cyber intelligence capability in-house, or work with a provider with expertise in the myriad of online ecosystems, including the Chinese space.
Increased cooperation between law enforcement bodies transnationally, as well as with security researchers, will also help mitigate the threat posed by Chinese threat actors.