Inside The Chinese-Hacking Underground

Chinese-speaking hacking activity is on the rise. In April, Kaspersky Lab revealed a rising number of APT operations and new threat actors. In June, an ongoing campaign targeting a national data center in Central Asia was attributed to the Chinese-speaking group LuckyMouse, and new research from Symantec recently uncovered a Chinese-linked hacking group targeting US-based satellite companies.
 
IDG Connect talked to Mark Schaefer, an analyst on Flashpoint’s Asia-Pacific team, about what CSOs need to know about the threat from Chinese-language threat actors.
 
Can you explain how the Chinese-language cyber-criminal underground differs from other communities?
The most striking difference that we have observed between the Chinese-language underground and other communities is that the former is much more dispersed. Chinese actors are not as reliant on traditional web forums; their places of congregation and methods of communication are fluid and dynamic. 
 
Chinese threat actors often rely on legitimate services offered to them within China (QQ, WeChat, Taobao, Baidu, Tieba, etc.) for communication because these platforms are ubiquitous in China, making communicating with other actors and finding resources convenient. At the same time, Chinese actors pivot across multiple chat rooms and threads among these platforms.
In addition, there appears to be an increasing cadre of Chinese underground actors who are cognisant and wary of being monitored, especially by their own government. These individuals often encourage others to use anonymizing tools and avoid popular Chinese communications applications like QQ and WeChat, since the authorities have access to this chat data. 
However, Chinese actors cognisant of anonymity concerns may be in the minority, since a large amount of Chinese threat actor correspondence still takes place on several native Chinese platforms which are known to be monitored.
 
The push amongst some Chinese threat actors for higher consciousness for anonymity is likely associated with China’s new cyber-security law and regulations, enacted in 2017, that are representative of the Chinese government's efforts to fortify the country's information security architecture and expand its monitoring capabilities into all domestic data flows. 
 
For context, the Chinese government views the Internet and information technologies as a double-edged sword: these technologies are key catalysts to growth and prosperity, but allowing unmonitored and unconstrained access to the Internet can foster numerous significant threats to the regime, including social organisation, the rapid growth of popular movements and “harmful” ideologies, and so on. 
 
Among these legal changes were efforts to tie every online alias to a real identity and increase scrutiny towards any online post that may be dubbed illicit or involved in spreading “rumors” which may destabilise the state.
 
What topic is most openly discussed on the Chinese-underground forums? 
Financial motivations are paramount in the Chinese Deep and Dark Web. The buying and selling of personally identifiable information (PII) that can be used for fraud and/or identity theft is the most frequent topic of discussion. Personal materials, such as copies of passports, government-issued ID cards, and credit and bank card numbers are some of the most highly sought-after items. Aside from the trade in PII, malware development and customization services are also highly prevalent.
 
What other trends are you seeing in the Chinese-language underground community? What activity is increasing/decreasing?
Chinese threat actors are increasingly making use of anonymised modes of communication, likely to avoid government monitoring. For example, Chinese actors frequently remind other users to utilise proxies, virtual private networks (VPNs), the Tor network, and end-to-end encrypted chat applications, such as Telegram. Actors adopting these measures may still be in the minority, but there has been a noticeable uptick in discussions around online anonymity roughly over the past year.
 
We have also observed more explicit commitment to anonymity on newer Chinese-language DDW (Deep and Dark Web) forums than on previous forums that have for one reason or another disappeared. For example, administrators of these sites forbid users from making public any data that could tie their online alias to their real identity. 
 
Administrators on some Chinese DDW forums also highly encourage the use of their in-house, crypto-currency-enabled payments and escrow services. This not only allows transactions to be made anonymously, but also builds trust within the entire community, since users may believe that their financial interests and identities enjoy some level of protection from exposure.
 
Similarly, another trend appearing in the recent past is the emphasis on community building. The moderators and administrators of some Chinese DDW sites strongly encourage, and in some cases require, actors to converse with each other and divulge personal information such as technical skills, interests, beliefs and political views, as well as commitments to the values that the forums claim to uphold.
 
What surprises you about what you’re seeing?
What I find noteworthy about the Chinese DDW community is their fluidity as well as continued contact with other-language DDW communities. Chinese threat actors pivot between multiple places of congregation, which differentiates their community from others, since these other communities rely on forums that are explicitly malicious in nature. The Chinese DDW community also leverages the Russian-language DDW community and procures knowledge, tools, products, and services from Russian DDW forums and marketplaces.
 
How is the threat posed by threat actors from this community changing?
While cyber-crime in China is by no means a new phenomenon, the ongoing evolution of the Chinese DDW landscape and the apparent drive towards greater anonymity and the use of non-Chinese, in some cases end-to-end encrypted communications mediums is likely to frustrate efforts at monitoring communities of interest, as well as inhibit the effectiveness of fraud detection and prevention systems. Moreover, while law enforcement in China has had some notable successes in clamping down on cybercrime actors domestically, the move towards platforms which are not as readily monitored may hamper these efforts.
 
Are these threat actors being overlooked as a threat?
Traditionally, cyber-crime researchers, for good reason, have focused their efforts on keeping tabs on threats from the Russian underground, as these communities have proven to house the most persistent, organised, and advanced cyber-crime actors. 
 
Nevertheless, there is a large Chinese DDW community, and despite widely being considered behind their Russian compatriots in the domain of cybercrime, the Chinese DDW community is becoming more advanced and learning from, and in many cases using, Russian forums and marketplaces to gain access to malicious tools. As a result, the threat posed by the Chinese cybercriminal ecosystem is very real and likely growing.
 
How can we disrupt these threats? What do CSOs need to know or do?
Do not undervalue or underestimate the Chinese DDW ecosystem. This community might not currently possess the sophistication of the Russians, but the landscape is constantly evolving. This also does not necessarily mean that there are not threats to their organizations on the Chinese DDW already.
 
In order to gain insight into and disrupt these threats, CSOs can either develop a cyber intelligence capability in-house, or work with a provider with expertise in the myriad of online ecosystems, including the Chinese space.
 
Increased cooperation between law enforcement bodies transnationally, as well as with security researchers, will also help mitigate the threat posed by Chinese threat actors.
 
IDG Connect