CyberWire Daily - Shining a light on China's cyber underground. [Research Saturday]
Episode Date: February 27, 2021
Guest Maurits Lucas from Intel471 joins us to discuss his team's research into cybercrime in China. Data from Intel 471 show that the Chinese cybercrime underground proliferates through use of common ...methods or platforms, but behaves differently in large part due to the caution that actors take with regard to their identity. While the average citizen must follow the heavy-handed nature of the government's surveillance of cyberspace, Chinese threat actors take special precautions to protect their forums, TTPs and themselves. This leads to the Chinese cybercrime underground being disorderly when compared to others, particularly Russia, which tend to be much more organized. The research can be found here: No pandas, just people: The current state of China's cybercrime underground
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We basically track the cyber underground all across the globe.
Looking at our reporting, we saw that the Russian-speaking underground is sometimes
somewhat over-represented, and there's less information on the Chinese cyber underground.
And so we thought we'd try and shine a light on that.
That's Maurits Lucas.
He's director of intelligence solutions at Intel 471.
The research we're discussing today is titled No Pandas, Just People.
The current state of China's cybercrime underground.
Well, take us through some of the basics here.
I mean, when we're talking about the Chinese underground, can you describe to us what it's made up of?
Yes, of course.
I think what it's made up of is actually very similar to other parts of the globe. Actors seem to be, the actors that are active in the cyber underground seem to have very much the same type of motivations.
There's just a couple of things that kind of set them apart from what we see in other areas of the world, especially if we look at the Russian-speaking cyber underground, if we can compare it with that.
What are some of the differences? Some of the key differences, they all have to do, of course,
with the kind of the unique situation in China, where there is an extremely active and pervasive
surveillance activity going on. And so that has its effects on Chinese underground actors.
They are very acutely aware that the government may take a dim view of what they do.
And so they kind of try and certainly they're very much focused on remaining anonymous.
They definitely do not want you to know their real life identity, as it were.
And at the same time, they may be very cagey about what types of activities they're engaged in
and to what level they're engaged in them.
So if you look at the very top-tier actors, if you look at the Russian-speaking underground,
they're very active, they're very open, they're eager to prove that they're top-tier actors,
whereas in the Chinese one, they're trying to keep a very, very low profile.
I hear people speak often about the Great Firewall of China.
What part does that play in these people's efforts?
It plays a large part.
There's actually the Firewall of China, apparently, from what we can see, is just one part of a larger puzzle.
It's actually a separate entity.
There's actually another project called Golden Shield,
whose aim it is to create, in the words of the Chinese government,
a safe cyberspace for China.
And that's all about surveilling and monitoring what's going on
on the internet within China.
The Great Firewall then shields that from the rest of the world. So from a perspective of the underground actors,
they're trying to evade the surveillance from the Golden Shield project. But at the same time,
if they want to access stuff kind of international, for want of a better word,
things such as tools or techniques that are being discussed in other
parts of the internet, they need to find a way around or through the great firewall of China.
Not all of them are able to do that. Some of them actually also do that because they want to conduct
their activities. So Chinese actors talking to Chinese actors, not within China, they want to
do it on infrastructure hosted somewhere else or Tor services that kind of escape that surveillance.
So they're very much focused on the Great Firewall of China, trying to get around that.
It also serves as some kind of barrier. So one interesting thing that we see is some actors
are able to bypass the firewall. They will then take tools or open source tooling from other parts of the world and then repackage it or start spreading that in China, sometimes modifying it, renaming it, building their own versions based off of it.
But because the firewall makes it difficult for kind of their fellow actors to kind of get their hands on what's out there, they form this gatekeeping function or this conduit. And they're able to
modify them and sell these modified versions.
What level of sophistication does it
take to circumvent something like the Great Firewall?
Are these tools readily available to
average people who
want to use them or does this take a little more technical know-how?
I think it takes a little more technical know-how. However, the internet being the internet,
guides and information are available. I think for a lot of people doing it, the risk that they're
trying to, the balance they're trying to strike is you need to do it right.
So you not only want to bypass the Great Firewall, you don't want them to detect that you're doing it because that could have real life repercussions.
I think if you want to look at one of the things that really sets the Chinese underground apart, it is this acute realization by all of the actors involved that if they're found out, that could have real-life repercussions. On the other hand, so many people are doing it not even for what we would term criminal reasons. Some just want to watch foreign TV or watch foreign media or stream foreign movies, et cetera, that aren't available within China.
And so they're looking to bypass the firewall for those reasons.
Well, let's go through some of the various markets that you all have listed here in your research.
You start out by talking about the DeepMix market. What's going on there?
So I think DeepMix is one of the most well-known Chinese marketplaces.
There's actually, we've done two versions, DeepMix 1 and DeepMix 2.
DeepMix 1 was the original.
But as I said, there are not just Golden Shield, but also regular projects or schemes run by the government kind of where they're cleaning up the internet.
You'll be able to find announcements where they've arrested so many or arrested so many cyber criminals or people selling fraudulent products, et cetera, et cetera. The first
iteration of the DeepMix market went offline after it suffered a sustained distributed
denial of service attack and then resurfaced a little bit later on,
but with some added DDoS protections and also some modifications,
some enhanced protection for its users.
And so we refer to that as kind of DeepMix market,
the second version, or DeepMix market two.
And that's where underground actors can basically,
you can create an account and you can buy and sell things.
It's an underground marketplace.
And again, most of the focus for what we see is trading kind of virtual goods, things that
you can transfer digitally.
There is a, obviously with all the surveillance and actors trying to stay anonymous, anything
that requires them to physically deliver something to the seller or the buyer to get something from the seller is something that they're a little less enthusiastic about, but digital or virtual goods are very much what we see there.
And what are some of the other markets that you all are tracking here? What are the other ones that catch your eye?
Well, there's basically kind of variations of DeepMix, meaning markets that do the same thing. So you have the United Chinese Escrow Market. It was established as one of the other kind of variations of the DeepMix market. We have Tea Horse Road, again, basically similar to United Chinese Escrow Market and DeepMix.
And Free City is another one of the well-known marketplaces that we track.
And then you also mentioned that there are some efforts to have open web forums, but
I suppose the government has its eye on those?
Yes, absolutely.
There are some.
And some, what we see about the open web forums, they exist,
but then they'll get shut down as they run afoul of the authorities.
Quite often what they try and do is position themselves as being kind of research hubs
for people interested in security or interested in hacking. It's just
people who want to learn more about it, but not necessarily want to be engaged in it or want to
learn how to protect themselves from hacking. But of course, all of the tooling and all of the
knowledge you learn there to quote unquote protect yourself against hacking can also be used for what
will be their primary use. But they try and evade the ire of the authorities
by presenting themselves as more research
or only for people who are interested in learning more about it.
But of course, if they overdo it
and they actually do start to look too much like a real cyber underground forum
but in the open web,
then quite often we'll see the authorities react and it gets taken down.
You know, there's a sense with some of these criminal undergrounds
that sometimes governments will turn a blind eye.
I'm thinking specifically of the Russians.
But do we see evidence of that sort of thing with the Chinese as well?
This idea that perhaps folks whose day
jobs are working for the state, they're moonlighting on the side? We see some evidence of it sometimes,
but actually, exactly the point that you raise, we see in China, it's actually mostly the opposite.
Actors, most actors are acutely aware that for the most part, the government will
take, will probably take a very dim view of what they do. So they are very much focused on
guarding their anonymity, keeping their real identity private, etc. Having said that,
there's a group called, they're called Honker Union, which actually comes from the Chinese "hongke",
which means, interestingly enough, red guest, because the Chinese for hacker is actually
black guest, an uninvited guest. So what this means is red hackers, it's basically the red hacker
union. And these have been engaged in mostly in international relations
if one country makes disparaging remarks
about China,
or if companies, for instance,
list either Taiwan or Hong Kong
as separate countries to mainland China,
which is obviously very often
something that will get you
a sternly worded letter
at the very least.
You sometimes see them launching DDoS attacks, defacement attacks, etc.
Within the Honker Union, we have seen some voices say that they want to have closer ties to the state.
You can see that they can be useful as sort of proxy forces in that sense.
And there are some, you do see some similarities sometimes where you see the Chinese government
protest and the Honker Union also trying, launching their kind of attacks.
But I think that's the extent of it.
Can you give us a sense for how a Chinese citizen would go down this path?
I'm thinking about how do you hide your IP address?
How do you go about doing the – if this is something you're interested in,
how do they typically go about it and still maintain their anonymity?
So there's a couple of ways of going about it.
One, obviously, is to find some kind of open Wi-Fi.
So I think the first, again, the first qualifying remark is that if you're engaged in something which is kind of something very,
the Chinese authorities would take a very, very dim view of,
then most of these measures, you'd need to do
much, much more. But for an average Chinese citizen, finding a coffee shop, getting on the
Wi-Fi, or any other open Wi-Fi, using those VPNs, we can also see that some Chinese actors, when they use their home internet
connection, if you power cycle your modem or cable modem or whatever, you may get a fresh new IP
address. So they'll go online, do what they need to do, and then quickly make sure that they get
assigned a new IP address and then engage in their regular activity. None of that is foolproof.
Of course, if someone were to go to their ISP and look at logs and forms, you'd be able to see when they had that IP address.
They do it for activity where no one is going to go to that much trouble to kind of track them down.
Other things that we see is people talking about using kind of satellite internet or satellite services
even, especially when you want to watch foreign movies, if you can get a dish.
But if you get a dish, I think you're supposed to get a license, so many people try and
put some cover over them, disguise them as air conditioning units, for instance, but it's just a
box with a dish in it.
So those are the types of, I think there's actually an Instagram account
where people publish pictures where they've spotted a disguised dish.
So those are the kind of tricks that people get up to.
And is there a specific type of malware, of goods and services that the Chinese folks seem to be focused on?
There's a lot of focus on brute forcing, DDoS tooling, exploitation tooling.
There's a particular focus on anything to do with exploits for vulnerabilities. So think web servers, Apache, Microsoft servers, cryptocurrency mining, and also stealing and brute forcing of cryptocurrency wallets.
You see kind of local variations of well-known remote access Trojans or pen testing tools, things like Cobalt Strike, Anubis, njRAT, Gh0st, things we see.
And then we see these local versions that are being traded.
A lot of focus on illegal gambling and hacking of illegal gambling sites.
Sometimes some other activities around kind of what they call the other vices.
So looking for activities around that. And a major focus on ripping other actors off,
which is kind of logical. If this is kind of a closed-off pool and you're restricted to that section,
sometimes they start scamming each other.
No honor among thieves, I suppose.
No, or very little.
Where do you see this going?
I mean, is there a sense of equilibrium here in terms of what the government does and what these actors do? Is this an ongoing game of whack-a-mole? Where do you think we're headed in the future with this?
Question. I think there's always going to be a certain equilibrium. I mean, the system will find some point of equilibrium around how much effort the
authorities are putting into doing this versus the activity of the actors there. At
the same time, I think it goes in, it ebbs and waves, as it were. You see these, they're almost annual announcements
of these operations to sweep the internet,
and then you get this focus on how many cyber criminals,
for instance, are arrested or people committing fraud.
I think a lot of them are tied around kind of stuff
that is playing in Chinese society at large.
So the last one, for instance, had a particular focus on people
making fraudulent offers around anything to do with COVID-19
or spreading rumors.
And I think from the government perspective,
what we would classify as cybercrime is one of the things
they're trying to stop.
They're also trying to
keep a lid on many other types of things, either discussing politically sensitive subjects,
making disparaging remarks about the government or the Communist Party, which are the same thing
in China. They're one and the same. So they're basically looking to keep a lid on all those
kind of things. Cybercrime is just one aspect of it. At the same time, the Golden Shield,
that project to kind of make sure that Chinese cyberspace is safe, I think will continue and
will become more and more kind of larger and invasive and better. One of the things that
we found in our reporting,
of course, is that looking at the internet is just one part of it. They're also looking at
all kinds of, all aspects of behavior of citizens, and these things are linked. So if you
step out of line, for instance, in public life, do something there. All of that would, all of it goes back into,
I think, what they call their social credit score. And if you lose too many credits, you will be
limited in your activities. There was talk of people not being allowed to travel. You can't
go on holiday. You can't travel internationally, for instance, or even domestically, if your
social credit score is not good enough.
And all of these activities on the internet, if you get caught out doing something there,
will also have negative consequences for that credit score.
It sounds very 1984, very totalitarian.
So this is just one part of that larger, what seems to be a much larger endeavor. And I think they're still very much at work on building that out.
Our thanks to Maurits Lucas from Intel 471 for joining us.
The research is titled No Pandas, Just People.
The Current State of China's Cybercrime Underground.
We'll have a link in the show notes.
Proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki,
Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.