Evidence is emerging that the China-U.S. Cyber Agreement may be pushing Chinese hackers to shift to targets in Russia and Belarus.
Proofpoint researchers in a blog pointed to several clues suggesting that Chinese cyber gangs have shifted away from targeting U.S. interests. These include the reuse of specific types of malware these cybergangs have deployed in the past and a general decline in the number of Chinese attacks on American organizations.
“We have high confidence in our attribution to the China-based attack group that we track as TA459. We documented similarities in TTPs (tactics, techniques, and procedures) and shared command and control infrastructure with other documented attacks and known malware used by this group,” Patrick Wheeler, Proofpoint’s director of threat operations, told SC Media.
The blog also stated that Proofpoint had previously published research on related activity in which a particular China-based attack group used PlugX and NetTraveler Trojans for espionage in Europe, Russia, Mongolia, Belarus, and other neighboring countries. This same group has now been observed targeting military and aerospace interests in Russia and Belarus.
The evidence cited by Proofpoint that the U.S.-China Cyber Agreement may have influenced this shift is somewhat circumstantial.
“It isn’t so much a shift to these targets as the absence of US targeting since the agreement went into effect. In particular, we do not have evidence of U.S. targeting by this group,” Wheeler said.
Others have also called the agreement a success, but noted that it has not stopped all attacks.
“As Director of National Intelligence James Clapper mentioned in his testimony on January 5, China has not stopped conducting cyberespionage against the U.S. and our businesses,” Rep. Will Hurd (R-Texas) told SC Media.
Wheeler was not certain of the exact goal the hackers hope to accomplish with these intrusions, but he believes the Chinese are still feeling out the situation.
“At this point, it is not clear precisely what information they are looking to obtain. It appears that these attacks are attempting to establish a beachhead in Russian and Belarusian military and aerospace targets through the installation of the PlugX remote access Trojan that could potentially be used for a variety of espionage activities. As noted above, these attackers do not appear to have targeted US interests in the past,” he said.