Pictured: The Forbidden City, in Beijing. Experts say Chinese APT operations use a mix of proprietary and publicly available tools to spy on institutions around the world. (Frédéric Soltan/Corbis via Getty Images)

Chinese APT operations have an army of coders at their disposal, and an array of advanced malicious tools. But some of their most important hacking tools aren’t even their own proprietary code. Much like other state-sponsored threat groups, they also rely on publicly available or open-source software that they can abuse for their own nefarious purposes – going as far as to monitor hacking forums to see the latest developments in code.

Many of these tools can be used for innocent purposes, but in the wrong hands, a helpful pen testing program can easily become a hacking aid used to spy on businesses, governments and other targets of interest.

Mike McLellan, director at Secureworks, talked to SC Media about the discovery and investigation of one recent Chinese attack campaign that revealed how nation-state actors will leverage any code at their disposal to achieve their goals. McLellan also addressed how monitoring adversaries as they hunt for new tools can help protect against future attacks, whether developers have a moral responsibility to be cautious when releasing their tools and exploits, and where China’s offensive hacking activities are trending.

Leveraging intelligence gained through recent incident response engagements with customers, Secureworks has found evidence of Chinese state-sponsored hackers adopting and abusing tools that were released by outside developers operating on hacking forums. Tell me more about this investigation.

We recently had a bit of success by tracking some of the tools that have been developed in Chinese hacking forums, then seeing them being used by Chinese government-backed threat groups. They’re not all developed in house. Like most threats we track, a lot of these tools now are open-source or publicly available, commercially available, whatever it might be. It’s much easier for threat groups to just repurpose stuff that’s already out there, and the Chinese groups are no different in many respects. So that’s been quite interesting for us to track, specifically things being developed in Chinese language environments and then being deployed against our customers.

We did an incident response engagement with a customer where we saw the actor using a particular exploit against a Microsoft Exchange server using an unpatched vulnerability. And when we looked at the commands that were being run and the exploit that had been used, we looked for evidence of those commands elsewhere. We searched the internet for any of those commands, and the hits we were getting back were coming from Chinese language forums where this exploit was being talked about. And there were hackers or researchers talking about how they could use it – in the same way that researchers do in the West – but most of the conversations of this particular thing appeared to be in Chinese language forums.

It suggested that this actor who we thought was Chinese had potentially gotten a tool from one of these forums, and then used it against one of our customers.

And then in a separate instance, we were looking at some malware we found that used a particularly novel way of loading itself: a PlugX [malware] that used a VBScript to load. And again, when we started to look into that loading technique, we found that they discussed it in a Chinese language forum. And we began to see a common pattern where there were a very small number of researchers who were basically developing tools – in the same way, again, that their Western counterparts do. There were Chinese groups that were picking these tools up and using them, sometimes within a day or two [of them being made] available. So [the threat groups were] very quickly incorporating them into their toolset, and then going out and using them against organizations that they were interested in.

And obviously we have no evidence that those researchers are linked to these operations in any way. Their tools are available to anyone who wants to download them, but clearly the Chinese threat groups are busy monitoring the tools these guys put out, and are then looking to use them quickly.

From our perspective, if you can monitor that tool development and develop protections for it as soon as they become available, we can potentially get there before some of these threat actors do and actually have protections for the customers before we see it being used.

Why is this strategy beneficial for Chinese state-sponsored hacking groups as opposed to relying chiefly on their own proprietary toolsets, which they can develop from scratch and in stealth? Isn’t it an advantage for the security community that they, too, have a window into these hacking forums and know about these tools?

This big “public-private model” I don’t think is particularly new for China. They have always looked to use private individuals and the tools that are developed by some of these individuals for their own benefit.

It’s a trend we’ve seen across the board, really. You look at other publicly available tools like Cobalt Strike, for example: So many threat actors are using that tool successfully against targets. So, there is a tried and tested model for doing this. The reason it succeeds is either because organizations [lack the] instruments to detect it or the developers of those tools are evolving them to make them harder to detect because that’s their model.

The second point is, why not try that? Even if you get caught, you can just try again with a different tool. There’s no cost to the threat group in developing that tool because they haven’t had to spend any time writing code, they don’t need to have developers in house to do that sort of stuff right.

And the third point is, even if you do get caught, it’s really hard for us to work out who it was, because we have to rely on things other than the tools. Whereas back in the good old days when the Chinese were writing their own malware, you could track individual groups based on the toolsets they used, because you knew that tool was only used by a particular group. As soon as they become publicly available, we can’t rely on tools on their own to be a form of attribution, so even if you get caught you just retool, try again, and the victim may never work out who it was who was trying to get in, in the first place.

In addition to developing protections for these tools to defend your clients, do you share these kinds of findings with law enforcement?

We’ll have conversations with law enforcement about what we’ve seen. We also need to be careful, because these [developers] are individuals who have built tools which are, in theory, developed for security testing purposes much like Cobalt Strike and Mimikatz and all that kind of stuff you hear about more commonly. So we have to be really careful that we are not suggesting to anyone, including law enforcement, that these individuals are involved [with APT threat groups].

Clearly, if we see those tools used, we’ll pass that information on, potentially, and it’s up to law enforcement to investigate links there. And they’re quite good at finding those links that exist. So yeah, we do work with law enforcement where we can to help them understand the impact to our customers – and obviously, with the consent of our customers. But we leave the analysis and assessment up to them in terms of how they then pursue that.

Is there a moral obligation on the part of these tools’ developers to take certain precautions so that these tools cannot be so quickly and easily abused by malicious actors? Perhaps in some cases the tools shouldn’t even be available to the public at large?

There is an interesting debate in the industry at the moment about the speed at which some of these tools are developed and the speed at which new exploits appear and are used. They certainly begin being incorporated into some of these tools faster than organizations can patch and can check themselves. It’s an interesting debate, the development of some of those tools. But yeah, they are developed principally for good purposes.

It’s a really tricky one. I don’t think there is much they can do. They develop the tool and if they choose to make it publicly available, then how people choose to use it is kind of down to them. It shouldn’t be gratuitous. Development of these tools should be with the intent that’s stated, which is to help organizations understand their risk and be able to test that their controls are effective. And I think these tools provide a really useful, valuable purpose for that, but there’s almost an indecent haste with which developers sometimes try to upgrade their tools and incorporate the latest and greatest exploit, and it’s always going to be faster than any sensible organization can defend themselves against.

So I think there is a responsibility to potentially think about the speed at which you’re making this stuff available. The ransomware stuff we’ve seen, for example, is a good case in point where the bar to entry has been lowered so much by publicly available tools that it’s not very hard now for someone to go off and start encrypting systems in someone’s network. They’ve got a bunch of tools off the internet and they’ve learned how to use them.

It’s a real balance. I’m obviously on the “blue team” side, I suppose… but I just think the industry needs to have a think about how best to deliver the effect [of the tools], which is to make sure organizations can protect themselves, without handing these sort of things to the bad guys who then go and use them against customers in other organizations.

Last July, U.S. Justice Department officials indicted two Chinese nationals accused of hacking Covid-19 research. Have you been tracking China’s cyber espionage efforts as it relates to the pandemic?

We’ve obviously been monitoring that situation carefully and we’ve been talking to our pharmaceutical customers a lot, and also customers who work in policy development and those kind of areas as well because all that stuff is tied together. Those sectors have always been high-priority targets for the Chinese since at least 2011.

There’s always been an interest in being able to develop and compete with overseas pharmaceutical industries, because China wants to be able to make its own drugs for its own people, and also compete internationally as well.

We haven’t seen a huge amount of that with our own customer base, but we have obviously heard the report of it happening elsewhere… So it’s not a surprise. The point we made to one of our pharmaceutical customers is: You shouldn’t be surprised at the Chinese doing this. Even if we haven’t proved that they’re doing it to you at the moment, you will potentially be a target for them. So it’s an interesting development, one that we’ll keep an eye on.

How would you describe the current nature of the pact between the U.S. and China in which the nations have agreed not to steal intellectual property from private industries?

I think China was prolific in the early 2010s, and was stealing information, left, right and center relating particularly to their five-year plan to [meet] their strategic priorities as a country. With the agreement that the Obama administration brokered, I think it’s fair to say we saw a decrease in activity and it became less prolific. I think that was probably driven primarily by the political damage that they caused by being caught… We had some of the big indictments come out around the APT1 campaign and that kind of stuff which really highlighted the volumes of hacking. And I think the political cost to China maybe changed a little bit through the years… I think it became a little more costly for them. So yeah I think we did see a slight tapering of activity.

We probably still haven’t seen it reach those volumes it was at. I think that was the heyday for China stealing intellectual property in particular. All I would say is, I don’t think we ever saw a complete cessation of hacking intellectual property. So while there was a common narrative that they stopped doing commercial or industrial espionage, I don’t think that was ever entirely the case. I think they were still active in some of those areas… Ultimately they still see espionage as a facet of foreign policy and industrial development. It’s a political tool for them as much as anything else, and an economic one, so it’s not completely stopped.

How things are changing at the current administration, I suppose time will tell a little bit. Certainly we’re still seeing evidence of them trying to compromise our customers.

Describe the nature of Chinese state-sponsored hacking activity in 2020. What are the current trends?

The long-term industrial and economic priorities are still a driving factor for China, and its espionage – not just cyber but blended human-cyber operations – will continue to focus on that. I think that also they have been, and will continue to be, active in more pure intelligence collections and bulk data sets like the OPM hack and Anthem and those kind of things that were designed to gather large amounts of PII about individuals. That has an intelligence value because it allows you to track individuals and be able to monitor targets of interest, so that’s been a second thrust of activity.

A third one we’re seeing is not specifically U.S. focused. We see a lot of interest in their surrounding region, so the South China Sea in particular and East Asia is quite active at the moment. Lots of activity against some of the countries around there. And we also see them continue to react to current affairs – so reaction to the protests in Hong Kong, where the Chinese government sees cyber as a tool of statecraft, a tool of achieving its objectives.

The threat remains not dissimilar to what it was a few years ago. They’ve probably evolved their techniques and tactics a little bit. Certainly we’ve seen evidence of them going after vulnerabilities in a way that maybe they didn’t do quite as much before. So mass scanning for certain vulnerabilities that get publicly released and then trying to use those to gain access. But their strategic intent, I think, broadly follows those kind of lines.