CyberWire Daily - Geopolitical tensions rise with China. [Research Saturday]
Episode Date: May 4, 2024
Adam Marré, CISO at Arctic Wolf, is diving deep into geopolitical tension with China, including APT31, iSoon, and TikTok, with Dave this week. They also discuss some of the history behind Chinese cyber operations. Adam shares information on how different APT groups are able to create spear phishing campaigns, and provides info on how to combat these groups. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life
Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Yeah, so it came to our attention with the indictment from the United States Justice Department really outlining what APT31 has been up to, and just the revelations, really in detail, about their specific operations, who and what they were targeting, and how successful they were at that.
That's Adam Marré, Chief Information Security Officer at Arctic Wolf. Today, we're diving into geopolitical tension with China, including APT31, iSoon, and TikTok.
Can you share some of the details there? I mean, what are the revelations that we had when it comes to this group?
Really, I think it's useful to understand these indictments if we go back a little bit and understand the past indictments that have come out about the Chinese Communist Party and the PRC conducting cyber operations around the world. It wasn't always that the United States Justice Department put out these very detailed indictments and named individuals and organizations for possible prosecution if they're able to get their hands on these people. I think it was back in 2014 when one of the first of these happened, where the U.S. Justice Department indicted five Chinese hackers at that time for stealing information from companies in the energy, metals, and manufacturing areas. And they really outlined in that indictment, this was 10 years ago, the things that they were doing.
And so then you bring it forward a few years. In 2018, that's when we started talking about APT10 and the massive IP theft that was conducted by APT10 around the world. And what was really interesting about that one was it was really a supply chain attack, where they were attacking MSPs and then using that access as a one-to-many to conduct this IP theft of all kinds of organizations.
Then fast forward a few more years, and in 2020, the U.S. DOJ indicted another four Chinese hackers. This time, they put together what had seemed like four disparate, large-scale computer intrusions, including the OPM hack, which, if you remember, that's the organization that conducts background checks for top-secret security clearances for the U.S. government.
Right. That organization was hacked.
All that information was taken. Equifax, Anthem, and Marriott. And this indictment connected all four of those and named four specific Chinese hackers. So I think understanding sort of that history as you come to this one really helps you understand what's going on, the pattern, and how widespread across so many different sectors, across governments, these Chinese cyber operations are.
And so in this case, the indictment specifically talks about an organization that they call Wuhan XRZ and the computer intrusion activities that it conducts at the behest of the PRC government. So it names specific individuals. And it's always interesting to me now that they include images of those individuals in the indictment itself. That wasn't something that the U.S. government did in the past. Now they do. They include those actual photographs, maybe to underscore the level of accuracy that they believe that they have reached in this indictment. And then, you know, specifically outlining APT31, or Zirconium, Judgment Panda, Violet Typhoon, all the different names that we come up with for these groups. And then they begin to outline what they did.
And that's where it becomes, I think in this case, really interesting, where these are network intrusion activities. And one of the things they were doing was targeting work and personal email accounts, cloud storage accounts, and telephone records of millions of Americans. And I think, you know, one thing that I've always taught when I teach security awareness, or I go into organizations and talk to them about what our organization, Arctic Wolf Labs, has found, I like to talk about how we like to think of our own personal attack surface as being just in my organization and then at home. And of course, we've seen this across many different revelations like this, but in this particular indictment, we see that the attackers don't look at it that way. They're going to attack your personal and your work or your government email address, for example, in a phishing campaign, or your personal network. They will do this because any toehold they can find, they will use to try to then pivot and increase their access and do the traditional things that we see in the attack chain. And even in this case, there were some wives and other family members of targeted individuals that they sent their phishing or spear phishing email campaigns to. So it really showed sort of the breadth of that activity.
But it wasn't just, you know, spear phishing campaigns, social engineering campaigns to gain a toehold. The indictment also talks about very, very specifically sophisticated types of custom malware that they created to do things like DLL sideloading, to get remote access, and to conduct other operations using zero-day exploits. So it really goes across the breadth of different types of activities that hackers use to get into networks and computers that they don't have access to. And it outlines this activity over a decade. So it really just underscores how persistent and how large-scale this is, and how much infrastructure and how many resources they bring to bear to conduct these operations.
Can you give us some context as to how this fits in when we look at espionage? You know, it's my understanding that espionage is sort of put in a different category when it comes, you know, nation to nation. The fact that we're issuing indictments here when presumably we assume we're never going to bring these folks to justice, but the indictments themselves are a political message. They're a diplomatic message. Is that fair to say?
Absolutely. A lot of the classified means that are used to try to interdict espionage and criminal investigations, and using their tools along with the U.S. DOJ to bring an indictment like this, because then you can send a clear message and provide evidence through the conduct of such an indictment to say, this is what we see them doing. And to say it in a very specific way, that's difficult to do when you're just talking about espionage, or, you know, it can be seen as throwing accusations around. This is much different when they're outlining this kind of evidence and talking about very specific things in here: the names of malware, specific locations, specific accounts, businesses. And when you get that level of specificity, the information becomes a lot easier to verify and therefore a lot easier to trust for anyone around the world to see this.
Yeah, it's interesting too that our law enforcement folks are showing their cards here, revealing what they know.
Yeah, and I think that signals, first of all, they've got plenty of other tools out there. But also, I think it really signifies the importance of sending this message. You know, the director of CISA and Director Wray of the FBI out there talking with various organizations, the press, and really emphasizing the increase in activities from the PRC and the CCP, conducting hacking operations across all kinds of things, especially infrastructure. And I think when you get that message, you know, being sent, it does hit one level of awareness for people and one level of credibility. But then when you add an indictment like this, that's a whole other level of credibility that's added to it, which really underscores it and hopefully is a motivation to people to really look at what they're doing for their own security and really understand what the threat is.
Right around the time when this batch of revelations about APT31 came out, we also had this leak of information from this iSoon organization, this Chinese organization. Can you give us some of the story when it relates to that and how it all interweaves?
Yeah, it's actually really interesting how similar it is to what we were just talking about with APT31 and those operations. When we have the iSoon leak, what we're really talking about is a glimpse into the world of cyber contractors in China. So, you know, these sort of quasi or semi-private organizations that are set up, and then they're providing services to the Chinese government for pay, and then paying their employees, and they're doing it, you know, conducting operations all over the world. Again, you know, getting remote access, hacking, using social engineering, all the same kinds of things we talked about, but they're doing it as a private company. I mean, it should be noted that countries all over the world, including the United States and many other Western nations, do the same thing, where they outsource some of their cyber activities to contractors, government contractors that conduct that work for them. And so it's interesting in this case to see that China is doing the same thing, as sort of an APT-for-hire situation, where they're using this organization to conduct those activities.
I think one of the more interesting things about it in this case is also that, you know, this was a leak of documents. So unlike an indictment or some other, you know, government reveal of evidence, this was ostensibly an internal employee leaking this information so that people around the world could see it. And it even included, you know, internal messaging where the employees were complaining about their level of pay and how hard they were working. So I think that is really interesting, adds the human element to this, and that governments all over the world deal with this situation when they're using outsourced contractors. So I think that was something that was very interesting.
When you and your colleagues there at Arctic Wolf are looking at something like this, how do you evaluate the motivation of a leak like this?
Yeah, it's really interesting. I think it helps to look at both what was leaked and how it was leaked. And those two things can lead you to understand. And what information is there and is emphasized, I think, can really help you understand what the motivations are here. Again, at the end of the day, though, it's analysts doing their best to understand something if it's not expressly stated by the person who leaked it. But in this case, you know, we're probably looking at an organization, or someone within an organization, that wanted to bring light to some of the things. And possibly there was some sort of struggle for power where they were saying, we want more pay or we want better working conditions. And this just showed the power that they have to be able to leak this information.
And by the way, obviously, this is not just limited to a contracting company in China. This could be any company. So it really underscores the insider threat risk for any company around the world, especially for employees that have a lot of access and access to specialized confidential-type information, that you've got to have an insider threat program and make sure that you have high morale and are addressing things in the proper way so that employees aren't motivated to do something like this.
We'll be right back.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
It's a really interesting point. I mean, I think, you know, as you alluded to earlier, it's so easy for people and organizations to think to themselves, well, there's nothing that a nation state would be interested in when it comes to us. But it seems, certainly with the Chinese, that that's not necessarily
Absolutely. And this is a point that bears repeating again and again and again, is it's very easy to dismiss something like this. If you're, you know, ABC Corporation and you say, there's no way that China, a nation state like that, would be interested in us. And I think there is nothing that is further from the truth. And these recent revelations, including the additional indictments I talked about for the past 10 years, if nothing else, have shown that the breadth and variety of companies that have been targeted include companies from every vertical, every industry, in almost every country around the world. So it really is more likely that you may be targeted than not. And you really should think of it that way, as opposed to trying to say, well, I'm just going to rely on security through obscurity and figure that we're not going to be targeted.
Because it could be something as, you know, something as, I remember, I was involved in an investigation, or at least aware of one, when I was still working for the government myself, where Chinese actors targeted a company that made sprinkler systems, both commercial and residential sprinkler systems, to steal the IP. And that company never thought in a million years they would have been targeted by China. And indeed they were. So there's that. But then also, companies have customers and they have vendors that they do business with. And looking at the way that there's pivoting from one company to another, it could be that you're not the target, but a company that you integrate with is the target. And because you didn't have the proper security, they're going to get into your organization, pivot, and try to get into that next organization.
Right. That sprinkler system company may be providing a third-party contractor who happens to have the contract to install sprinklers at the Pentagon.
100%. Things like that can happen, and they may just be interested in the IP, you know, the intellectual property of that actual company. So I think it really behooves all of us to look at ourselves and say, okay, well, what am I going to do to defend against this? But the good news there is the things to do to defend against it are the same cyber hygiene and things that we need to do to defend against all types of attacks. But just maybe with a little bit more focus, a little more budget, and understanding the seriousness can really help you get over the hump in trying to make sure that you've secured your business or your organization.
You know, the other, I'd say, newsworthy discussion that's going on right now when it comes to China is about TikTok and whether or not we're going to see a ban, whether or not that would really do anything. I'm curious on your insights here. I mean, how much of this do you think is practical? How much do you think is posturing? What's your take?
Much like people in organizations not thinking that they are going to be targeted by a nation state like China, I think we have a similar type of thought process going on when it comes to TikTok, that this fun app that they like to use, or they use for their business, is a potential espionage and influence operation tool of a foreign government. But the fact of the matter is it very much is, or can be, that. And therefore, we need to really understand this application in the context of the history that I outlined earlier, going back over a decade of these very specific indictments showing what the Chinese government is willing to do. Then you add to that some recent revelations that came out in a report by Microsoft that showed that the Chinese government, or at least alleges that the Chinese government, was backing various influence operations in elections that are currently going on in places like India and Taiwan. And in particular, they're using AI to help with those. It just shows that this government is willing to do so many different things, utilize so many different tactics, to try to increase their influence and their power around the world. And why wouldn't you use this application that over 100 million U.S. citizens use every single day? Why would you not use it? I mean, that doesn't make any sense to me.
And then you add to that, this is an application capable, and we've seen reports of people doing research looking at all the different types of information that the application collects on the user, including location information, things copied into the clipboard, everything else in addition to the app's usage data. All of that is very useful. And if you combine it with the understanding that these various APT groups and contractors use information like that to create targeted spear phishing campaigns, other social media or social engineering campaigns, and use it to find good targets to get into organizations that they want to get into and vector and pivot to the real information that they want, it shows that the collection of this kind of information, and I mean, just imagine, add that to the OPM, Equifax, Marriott, and Anthem information that they already have, then you add this information to it. They have probably the biggest collection of information on individual citizens in the United States that has ever been collected by a foreign government.
That is pretty incredible.
Now, we can argue about whether or not they're sharing the information, but the fact of the matter is, it's possible. It is possible for that information to be easily shared. That's all been collected. And there was a recent article in Fortune where some good journalism reporting, talking to former employees of TikTok, talked about other ways that the information was being shared, maybe not directly through the server, but through spreadsheets and things like that. So even if there's the risk that this is happening, the danger to the United States is massive. I do think a lot of users think of the risk to just themselves, and they say, oh, well, I don't care if someone has that information. Who cares if ByteDance knows where I go and drive my kids to soccer practice or whatever it is? But what they don't understand is that isn't necessarily what they're after. They're after who you might be connected to, or your husband or your wife and their high-level executive job, or something like that could be the way that they pivot. And when you're doing this at scale, it just gives the optionality to the attackers to choose from anyone who uses that application.
And none of that is to focus on the influence, the power of influence operations, where we don't even know well how the algorithms work on US-based social media companies, let alone one that's controlled by a company in a foreign country. Could they be using that algorithm to put their thumb on the scale and make all the users feel just a little bit worse about the U.S. and about things that we do, or the West in general? Absolutely, that's possible. I don't know that we have proof that they're doing it, but they could absolutely be doing it. And this is one of the reasons, for many, many decades, we had laws that said, if you're going to own a major broadcasting company, a television broadcasting company, in the United States, you had to be a United States citizen, which is why Rupert Murdoch had to become a US citizen in order to own Fox News Corp. Now, there's been some weakening of that in the United States, and we don't treat social media apps like TikTok the same way we do television broadcasters. But maybe we need to understand it in that same light. The reason that we don't do that, we don't allow that foreign ownership, is because there could be undue foreign influence through those television channels. We thought it was such an issue that we created laws around it. I would argue that we should have those same kind of laws for this kind of application, which is arguably much more influential than a television station. So there's lots of reasons to be concerned about this application, if we're really honest with ourselves and can remove the, you know, the addictive entertainment value, or even if you're running a business through it, to really look at it as, is this something we should be concerned about?
Now, if we pivot to the issue of the ban, is that effective? I think if we were really just trying to do a ban against a specific application, I think that would be really hard to make work and make happen. But because they give the option to ByteDance to just divest and sell, and they stand to make a tremendous amount of money doing that, and they can still have some connection to this new company, I think that makes this much more palatable and possible. Although there are legal hurdles that this would have to pass, especially since ByteDance has said they will challenge it in court. I think it does remain to be seen if the current law as it's written, if it is passed, would be able to pass those legal tests. So there is a question there. But really, I think addressing the question of, should we be concerned about that? Should we be doing something? In my mind, that's an absolute yes. Is the way this ban's happening the best way to do it? It is a way to do it. I don't necessarily think it's bad because of the ability for ByteDance to sell it, but will it be effective is still a question that remains to be seen.
Yeah. Before I let you go, I mean, taking a look at a high level here as an observer of these geopolitical tensions between the U.S. and China, how do you see them trending? Is it getting worse? Are we in a steady state? Are things getting better? Where do we stand?
That's a great question. It's this continued increase in network and computer intrusions, especially into things like infrastructure. As long as that continues, I think this relationship is going to deteriorate, and it shows no sign of stopping. The apparent goals of the Chinese government are to increase their power in the world, but it's specifically around the subjects of Taiwan and the South China Sea. And I think, as Director Wray of the FBI pointed out the other day in an interview, China plans to be ready by 2027 to have a serious deterrent to the U.S. getting involved in a conflict that would happen between those two nations, China and Taiwan. And in addition to that, they want to just continue to erode U.S. and Western influence around the world. And they're doing that through these blows to civilian infrastructure to try to induce panic, to really lower America's willingness to resist, especially among the citizenry. So I think it's not directionally optimistic at this point. I think things will continue to deteriorate. Hopefully, though, you know, the better angels of our nature can ultimately win out here and we can have, you know, a softening, a thawing of relations between the two nations. But especially as China continues to conduct the operations that they are, I don't see that happening in the short term.
Yeah. I mean, it really strikes me that you don't want to risk being breathless in your warnings, but at the same time, vigilance is in order.
Absolutely. I don't think we're at, like, the, you know, 11:59 on the doomsday clock or anything like that. Right. But I do think there is sometimes a misunderstanding or a lack of willingness to really believe that the threat and the risk exist at the level that they do. And I think it really is at that point. We don't want to be ethnocentric or jingoistic or anything like that, but we do want to understand our adversaries and really appreciate the threat and then look for solutions to try to solve these issues. I mean, it also should be said that China is a wonderful nation with a lot of different kinds of people in it. And they have dissidents and problems internally. And they've got some population issues with a lot more single men than women in the country, which is something that, like, not just China, but everyone should be worried about, because that never leads to good things. And so there are other issues to worry about and be concerned about here. But we are hoping that the government can take a turn to a more open society and they can deal with these issues in a way where other nations around the world can help them. So I'm hoping and optimistic for that. You're right. We don't want to be just breathless about the warning, but we do want to be honest with ourselves about the risk that we face today and about what the PRC and CCP are willing to support when it comes to cyber operations around the world.
Our thanks to Adam Marré from Arctic Wolf for joining us. He recently published a blog post on today's content. We'll have a link from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24/7, 365, with Black Cloak. Learn more at blackcloak.io.
And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.