The Emergence of a New Strategy
While espionage has long been a goal for China-nexus APTs, with APT1 being disclosed in 2013 after launching a multi-year, enterprise scale espionage campaign, the groups have evolved based on national-level strategies. China’s national goals early on revolved around asserting itself internationally. Then, between 2014 to 2016, researchers observed an overall decline in activity by China-nexus groups, which they said may have been due to transitions within China’s government.
“The apparent decline in observable incidents may reflect the shift within China’s own bureaucracy, where the centralization of state power and the restructuring of the military apparatus resulted in a move away from prolific amateur cyber-attacks in favor of more focused, professionalized, and sophisticated attacks conducted by a smaller set of actors,” said researchers.
In 2017, researchers observed espionage actors both re-emerge with new malware, or reorganize in completely new groups. Since then, researchers have steadily observed actors’ technical tradecraft steadily evolving to become “stealthier and more agile, while taking measures to complicate attribution.” The actors have been launching supply-chain attacks and relying on zero-day flaws such as the Microsoft Exchange ProxyLogon vulnerabilities or flaws in Pulse Secure VPNs.
In a February testimony before the U.S.-China Economic and Security Review Commission, researchers said they believe Chinese cyber espionage activity has shown a “higher tolerance for risk and is less constrained by norms or diplomatic pressures.” Researchers also observed resources being shared across groups over the past year, with multiple Chinese espionage actors using the same malware, signaling a centralized development and distribution center.
“Chinese cyber espionage operators’ use of vulnerability exploitation, third party compromise, and software supply chain compromise exemplify both the scale of Chinese state-sponsored threat activity and the strategic evolution in use of tactics to maximize efficiency and impact,” said Kelli Vanderlee, senior manager of strategic analysis with Mandiant threat intelligence.
