Cyberwar ‘made in China’ – professional industrial espionage on the rise

Disputes between states are increasingly being accompanied by highly professional cyber attacks – sponsored and supported by the respective secret services.

In addition to networks and data from state institutions and critical infrastructures (KRITIS), the IT infrastructures of private companies, their business, customer and employee data, their product and production details are increasingly becoming the focus of attacks. Chinese state hackers in particular have significantly increased their activities in this area in recent years. Based on the current development, industrial espionage is likely to develop into a brand core of Chinese cyber warfare in the coming years.

The simmering conflict between Russia and Ukraine has been making international headlines for several years. A central theme: the possibility of a ‘cyber war’ breaking out, a major attack by Russian state hackers on the IT systems of Ukraine – and those of its European allies.

It is not without reason that Ukraine is often referred to as the current ‘test bed’ for future Russian cyber warfare. The Russian state hacker attacks on critical infrastructure and state bodies in Ukraine in 2015, 2016 and 2017 are all too well remembered. The attacks at the time suddenly made the public – both inside and outside of Ukraine – aware of the vulnerability of digital infrastructures in the event of a broad-based, professionally managed cyber attack. The fears of numerous western states that, as allies of Ukraine, would also become victims of such an attack and become combatants in a large-scale cyber war, are correspondingly great. European states already felt the foretaste of the first wave of Russian attacks in the middle of last year, when a large number of their banks and politicians became the focus of Russian state hackers.

As much as Russia’s role may determine the current debates about a larger, nationwide cyber war, another power has long been waging it – also and especially from an economic point of view: the People’s Republic of China.

Chinese state hackers on the rise

China has significantly more resources – especially more manpower – available for attacks. As early as 2017, it was estimated that there were 50,000 to 100,000 Chinese state hackers – divided into numerous upper and lower groups that report to the People’s Liberation Army, the Ministry of State Security and the Ministry of Public Security. Russian secret services can’t keep up.

The goals of Chinese cyber warfare are diverse. Nevertheless, it is clear that the economic interests of the People’s Republic – at least for the time being – are a priority. The cyber war ‘made in China’ primarily serves to stabilize and strengthen the Chinese economy in the long term. His ‘war plan’ is based on the 5-year plans of the communist party. His preferred ‘weapon’ is industrial espionage. It is not without reason that FBI Director Christopher Wray recently declared that “no country […] for our ideas, our inventions and our economic security” is currently a greater threat than the People’s Republic of China.

In fact, Chinese state hackers have massively expanded their attacks on US and European private companies in recent years. There is currently no end in sight to this worrying development. The agreement concluded in 2015 between Presidents Obama and Xi Jinping to contain the Chinese cyber war – which was essentially intended to protect intellectual property – was shelved by the Chinese side by 2017 at the latest – as part of the radicalization of US China policy. Experts assume that attack groups will increase and attack teams will become more professional in the coming years. The Chinese Communist Party’s anti-corruption campaign, which has been going on for years, is increasingly undermining non-state Chinese hackers. It can be assumed that as the order situation on the ‘free Chinese market’ decreases, more cybercriminals will join the state hacker groups.

APT41/Double Dragon

The Chinese attackers are organized into numerous upper and lower groups. One supergroup about which some information has now been learned is referred to by cybersecurity experts as APT41, also known internationally as the ‘Double Dragon’. The group has been active since at least 2009 and maintains contacts with the Chinese Ministry of State Security. Its members are both cyber spies and cyber criminals. The espionage activities include stealing source code, code signing certificates, intellectual property and customer data, internal technical documentation and general business information. Their cybercriminal activities include – among others – ransomware attacks, cryptojacking and cryptocurrency spoofing.

Main attack vector machine identities

Their current main attack vector is the abuse of machine identities, which are used to determine whether software can be trusted or not. These attacks, which abuse the code signing process, have grown massively in popularity since their use in the Stuxnet attacks more than a decade ago. The cyber security company Venafi recently highlighted how such an attack works in the white paper APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks.

Many software developers still insufficiently secure their networks. APT41 recognized this fact years ago and took advantage of it. The group penetrates a software vendor’s network and appropriates their code signing certificate. Code signing certificates are machine identities. They enable developers to prove to the users of their software the authenticity – the trustworthiness – of their software code. Once APT41 has gained control of a certificate, the group can create malware and disguise it with the stolen certificate so that a victim’s security solutions will recognize and treat it as good and trustworthy software rather than malware. It then only has to be delivered to potential users and accepted by them.

APT41 has also found an effective solution for this: compromising the development pipelines of the software providers. Many commercial software companies have also poorly secured their internal work processes. Thus, if APT41 has already infiltrated a vendor’s network, it can also compromise the software development process itself, making the vendor an involuntary multiplier of its attack capabilities. Own malicious code is injected into the development pipelines and signed with the correct certificate – unnoticed by the software developers of the attack victim. The provider then delivers the software – including malicious code – to its customers. By compromising a single commercial software company, APT41 can – in one fell swoop – backdoor, infiltrate and compromise all of their customer systems.

Since 2017, APT41 has successfully deployed such an attack, also known as a supply chain attack, countless times against companies in the software, hardware, media, healthcare, high-tech and telecommunications industries. Even with high-quality, well-protected targets, it often took months – sometimes years – before the corresponding gateway could be tracked down and eliminated. An ideal attack vector for effective and efficient industrial espionage. And an effective way to permanently damage the trust of the attacked companies in the security of their networks and security solutions.

The group will certainly not be able to use the signature misuse attack vector for a long time. Software solutions have long been available to providers with which the signature process of software code can be effectively protected against precisely such attacks. APT41 and the constantly growing army of Chinese state hackers will certainly have long since found new, previously unrecognized starting points for attacks suitable for the masses. The cyber war ‘made in China’ has only just begun.