SAN FRANCISCO — Eight years ago, the United States and China reached an historic treaty agreement that was designed, in part, to end a persistent deluge of cyberattacks targeting American businesses to steal their corporate secrets and intellectual property.
At the time, then-President Barack Obama lauded the agreement in a joint press conference with China President Xi Jinping, saying it marked a “common understanding” between the two nations “that neither the U.S. or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.”
Eight years later, that sentiment has aged like warmed-over milk.
Chinese hackers did not stop targeting American businesses, but according to security experts at Google, they have evolved to become significantly more aggressive and innovative in the years since.
“I’ll tell you investigating intrusions that are orchestrated by China threat actors today are very different than investigating intrusions from … before the Obama/Xi treaty agreement in 2015,” said Charles Carmakal, chief technology officer at Google Mandiant, at an April 24 briefing held during the RSA 2023 Conference in San Francisco.
Prior to the agreement, hackers associated with China were broad and unfocused in the businesses they hacked. Today, a range of threat groups operating in China or working directly on behalf of Beijing target valuable actors and specific industries with laser-like precision, including defense contractors, telecommunications firms, government agencies and technology companies. Most of those industries tend to manage, own or operate chunks of IT infrastructure on behalf of hundreds, thousands or millions of clients, meaning they can offer a potential pathway to infecting downstream customers, the way Chinese hackers did in the 2021 Microsoft Exchange attacks.
Chinese threat groups' strategies and tactics change since 2015 agreement
These groups have also altered their strategies and tactics to increasingly target edge devices like virtual private networks (VPNs) and other remote access solutions, firewalls and hypervisors with zero-day vulnerabilities. Because these devices typically don’t support newer security technologies like endpoint detection and response (EDR), many companies simply don’t have the visibility to understand that they’re being compromised.
Carmakal said “every month” Mandiant posts at least one to two pieces of threat intelligence research focused on vulnerabilities or exploitation in edge devices. Researchers will reach out to vendors when they see malicious traffic originating from a network device and request a hard drive image to conduct further analysis. Many times they’re “easily able to quickly identify that there was very novel malware that lived on these devices and nobody else was able to find it because nobody was doing forensics on these devices.”
“What we’re finding is that these actors are deploying more malware on these devices that don’t support EDR solutions — like VMware hypervisors, like Fortinet firewalls — because it’s very hard for a company to identify that there’s actually a problem, that there’s actually malware in these devices,” said Carmakal.
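Because an appliance that cannot run EDR offers no host-level telemetry, the practical compensating control is to watch what the device itself does on the network: a firewall or hypervisor management interface has a small, predictable set of legitimate outbound destinations (updates, NTP, syslog), so connections it initiates outside that set, especially at a regular cadence, are the kind of signal Mandiant describes noticing before requesting a disk image. The script below is an added illustration written for this article, not code from Google, Mandiant or any vendor; the device addresses, allowlist and flow records are all constructed, and the thresholds are assumptions to tune per environment.

```python
"""Network-side checks for edge devices that cannot run EDR.

Added example for this article (not Mandiant's or any vendor's code).
Assumes the management IPs of the appliances and their expected outbound
destinations are known. Every address and flow record below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed: management interfaces of the edge devices we want to watch.
EDGE_DEVICES = {"10.0.0.1": "fw-edge-01", "10.0.0.2": "esxi-host-01"}
# Constructed: (destination, port) pairs the appliances legitimately contact.
ALLOWED_OUTBOUND = {("203.0.113.10", 443), ("10.0.0.50", 514), ("10.0.0.50", 123)}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto bytes".
SAMPLE_FLOWS = """\
2023-04-24T10:00:00 10.0.0.1 51000 203.0.113.10 443 tcp 2100
2023-04-24T10:00:05 10.0.0.1 51001 198.51.100.7 8443 tcp 512
2023-04-24T10:05:05 10.0.0.1 51002 198.51.100.7 8443 tcp 516
2023-04-24T10:10:05 10.0.0.1 51003 198.51.100.7 8443 tcp 508
2023-04-24T10:15:05 10.0.0.1 51004 198.51.100.7 8443 tcp 520
2023-04-24T10:02:00 10.0.0.2 40000 10.0.0.50 514 udp 300
2023-04-24T10:03:00 192.168.1.20 55000 198.51.100.7 8443 tcp 900
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes),
        })
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_unexpected_outbound(flows):
    """Flows where an edge device itself opens a connection to an external
    host that is not on its allowlist. Traffic *through* the device from
    other hosts is ignored; only the appliance acting as client matters."""
    hits = []
    for f in flows:
        if f["src"] not in EDGE_DEVICES:
            continue
        if is_internal(f["dst"]) or (f["dst"], f["dport"]) in ALLOWED_OUTBOUND:
            continue
        hits.append(f)
    return hits


def detect_beaconing(flows, min_count=3, max_jitter=10.0):
    """Return {(device, dst, dport): mean_interval_seconds} for external
    destinations an edge device contacts repeatedly at a near-constant
    interval, which is how implants typically poll their controller.
    min_count and max_jitter are assumed starting values, not vendor defaults."""
    by_key = defaultdict(list)
    for f in flows:
        if f["src"] not in EDGE_DEVICES or is_internal(f["dst"]):
            continue
        if (f["dst"], f["dport"]) in ALLOWED_OUTBOUND:
            continue
        by_key[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            beacons[key] = sum(gaps) / len(gaps)
    return beacons


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in find_unexpected_outbound(flows):
        name = EDGE_DEVICES[f["src"]]
        print(f"{f['ts'].isoformat()} {name} -> {f['dst']}:{f['dport']} not on allowlist")
    for (src, dst, dport), interval in detect_beaconing(flows).items():
        print(f"{EDGE_DEVICES[src]} beacons to {dst}:{dport} every {interval:.0f}s")
```

On the constructed records the firewall's four calls to 198.51.100.7:8443 are flagged both as off-allowlist and as a 300-second beacon, while the hypervisor's syslog traffic and the workstation's own connection are not; in practice the same two checks run over NetFlow or firewall logs from a span port or collector, which is exactly the vantage point that remains when the device has no agent.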
John Hultquist, head of Mandiant Threat Intelligence at Google Cloud, said Chinese hackers have also become far more adept at hiding and diversifying the infrastructure they use to carry out attacks.
Researchers used to be able to trace Chinese attacks back to specific towns where Technical Reconnaissance Bureau offices (support intelligence agencies that conduct hacking, signals intelligence and other activities on behalf of the Chinese government) were located, making attribution a relatively straightforward exercise.
Now, most groups rely on proxy networks or route their activity through small office/home office (SOHO) routers that allow them to better mask their presence and identities.
“That really breaks down your ability to track some of this stuff, because infrastructure is obviously such an important part of your attribution and clustering. It’s a real operational security innovation,” Hultquist said.
Malicious Chinese campaigns less spammy, more focused
In 2015, the United States was already being inundated with online disinformation and influence operations from countries like Russia leading up to the 2016 presidential election. In the years since, countries like China, Iran and others have directed similar campaigns at American consumers.
One of the most notable campaigns targeting the 2022 midterm elections, which Mandiant and Google’s Threat Analysis Group (TAG) call DRAGONBRIDGE, was designed to discredit the U.S. political system and sow division between its allies. While Mandiant assessed with “high confidence” that the goal of DRAGONBRIDGE was to ultimately promote the political interests of the People’s Republic of China, Sandra Joyce, vice president of Google Cloud and Mandiant Intelligence, noted that they have not yet officially attributed the group and its work to the Chinese government.
Kristen Dennesen, reporting analyst at TAG, said that DRAGONBRIDGE’s activity was rather “low volume and spammy,” reflecting the ambiguous aim and impact of many digital influence operations, but it still required the blocking of 50,000 YouTube channels and the deactivation of 100,000 Google accounts used by the group.
And in situations where there was a clear Chinese interest at play, such as when former House Speaker Nancy Pelosi, D-Calif., visited Taiwan last year, a “subset” of DRAGONBRIDGE’s content became much sharper and more focused.
“It’s very much denigrating the U.S., promoting the interests and championing China, and in some cases we’ve seen it be pretty high quality in terms of the content and sometimes very coherent,” said Dennesen.