Security news that informs and inspires

Chinese Cyber Espionage APTs Refocus Strategy


Chinese cyber espionage actors have evolved their operations to closely align with national-level priorities around economic development and national defense, a recent report revealed.

In Mandiant’s M-Trends report released this week, researchers said in 2021 the number of Chinese espionage groups in the landscape dropped from at least 244 separate Chinese actor sets, tracked over the last five years, to 36 active groups, pointing to a “more focused, professionalized, and sophisticated attacks conducted by a smaller set of actors.”

This smaller set of groups, which include existing and known groups like APT10, APT41, and the Conference Crew group, have retooled and pivoted their strategies to better align with China’s overall strategy, which is encapsulated by its most recent Five Year plan, launched in early 2021. This plan focuses on supporting the nation’s Belt and Road Initiative, its long-term policy and investment program that centers on infrastructure and economic development, which aims for national self-reliance through growing domestic markets versus a previous strategy that relied on trade agreements. The plan also focuses on markets like technology, financials, energy, telecommunications and healthcare.

“These national-level priorities signal an upcoming increase in China-nexus actors conducting intrusion attempts against intellectual property or other strategically important economic concerns, as well as defense industry products and other dual-use technologies over the next few years,” said researchers with Mandiant.

The Emergence of a New Strategy

While espionage has long been a goal for China-nexus APTs, with APT1 being disclosed in 2013 after launching a multi-year, enterprise scale espionage campaign, the groups have evolved based on national-level strategies. China’s national goals early on revolved around asserting itself internationally. Then, between 2014 to 2016, researchers observed an overall decline in activity by China-nexus groups, which they said may have been due to transitions within China’s government.

“The apparent decline in observable incidents may reflect the shift within China’s own bureaucracy, where the centralization of state power and the restructuring of the military apparatus resulted in a move away from prolific amateur cyber-attacks in favor of more focused, professionalized, and sophisticated attacks conducted by a smaller set of actors,” said researchers.

In 2017, researchers observed espionage actors both re-emerge with new malware, or reorganize in completely new groups. Since then, researchers have steadily observed actors’ technical tradecraft steadily evolving to become “stealthier and more agile, while taking measures to complicate attribution.” The actors have been launching supply-chain attacks and relying on zero-day flaws such as the Microsoft Exchange ProxyLogon vulnerabilities or flaws in Pulse Secure VPNs.

In a February testimony before the U.S.-China Economic and Security Review Commission, researchers said they believe Chinese cyber espionage activity has shown a “higher tolerance for risk and is less constrained by norms or diplomatic pressures.” Researchers also observed resources being shared across groups over the past year, with multiple Chinese espionage actors using the same malware, signaling a centralized development and distribution center.

“Chinese cyber espionage operators’ use of vulnerability exploitation, third party compromise, and software supply chain compromise exemplify both the scale of Chinese state-sponsored threat activity and the strategic evolution in use of tactics to maximize efficiency and impact,” said Kelli Vanderlee, senior manager of strategic analysis with Mandiant threat intelligence.

The Future of Chinese Cyber Espionage Activity

Researchers also pointed to China acquiring network infrastructure behind devices like the Internet of Things (IoT), which raises concerns that it could “create a pervasive system that can be exploited by China for both internal and external reconnaissance and surveillance campaigns.”

“This strategy has already proven successful as Beijing is able to target hardened, more challenging targets indirectly through various supply chain and third-party victim compromises to extract political, economic, defense and surveillance information,” said researchers.

Asia and the U.S. are the top regions targeted by these Chinese espionage groups, with 15 percent of their victims being U.S. entities. At the same time, seven of the current 36 APTs have collected sensitive data from public entities, showing that governmental organizations continue to be the most targeted sector. This has caused concerns by U.S. governmental organizations: An Annual Threat Intelligence report by the Office of the Director of National Intelligence assessed that China “presents the broadest, most active and persistent cyber espionage threat” to U.S. government and private sector networks.

In March, a report showed that the APT41 group compromised at least six U.S. state government networks between May and February in a “deliberate campaign” that reflects new attack vectors and retooling by the prolific Chinese state-sponsored group. Also in March, the Google Threat Analysis Group (TAG) issued a warning that they detected a phishing campaign by China-linked espionage group APT31 targeting “high-profile Gmail users affiliated with the U.S. government” in February. Researchers said that espionage targets are carefully selected and derived from governmental priorities, including China’s Five-Year plans, policy platforms or national defense strategies.

“Given the more aggressive nature of Beijing’s international diplomacy, along with the broader cyber espionage campaigns conducted by China-nexus threat actors, we anticipate that cyber espionage activity in support of China’s national security and economic interests will continue to accelerate in the coming year,” said Mandiant researchers.