
Date: 26/4/2024
Where:
China, Europe, North America, Asia-Pacific
Who’s involved:
State and non-state Chinese threat actors
Various international governments and businesses
What happened?
Chinese threat actors, both those linked to the government and various criminal entities, have been increasing in activity, with numerous cyber campaigns exposed since the end of 2023.
On April 19th, China formally announced the formation of its Information Support Force, effectively a cyber operations branch of its military.
On April 18th, the director of the US Federal Bureau of Investigation issued a warning that Chinese hackers were a major risk to national security. The emphasis of the warning was on the risk to critical infrastructure, and it was framed as covering both criminal and government threat actors.
On April 20th, German media investigations by Der Spiegel and ZDF announced that sensitive data on various intellectual properties and trade secrets had been stolen from Volkswagen via malicious access to the company’s networks between 2010 and 2015.
On April 11th, BlackBerry Threat Intelligence researchers found evidence of a renewed Chinese deployment of the LightSpy spyware throughout Southern and Southeast Asia, including India and Singapore.
On March 26th, New Zealand’s Government Communications Security Bureau announced that it had found a Chinese Advanced Persistent Threat Actor present in parliamentary networks as far back as August 2021.
Analysis:
The threat to critical infrastructure has escalated, with China positioning its cyber capabilities to potentially disrupt critical systems in geopolitical adversaries, especially the United States. CISA, along with other U.S. and international cybersecurity bodies, has identified and issued warnings about Chinese state-sponsored actors, such as Volt Typhoon, which have compromised systems across multiple critical infrastructure sectors including communications, energy, and water systems.
Many of these revelations have come out in the past several weeks. This correlates with promises of increased cooperation from the Philippines and Japan with the US, as well as a recently decided US aid package to Taiwan.
The LightSpy spyware was prominently used against Hong Kong activists in 2020. The latest version discovered by BlackBerry was shown to be capable of stealing files and data from apps broadly considered safe, such as Telegram and the iCloud Keychain, as well as web browser history from Safari and Google Chrome. This data includes contacts, text messages, location data, and sound recordings.
In February, a massive data leak from the Chinese government and military contractor I-Soon showed that the company had been hired to compromise targets within at least 14 different governments. I-Soon was also contracted to spy on Chinese universities, political organizations in Hong Kong, and offices of NATO.
There is an evident strategic shift in Chinese cyber activities, with a growing focus on positioning for potentially disruptive actions against global targets. This evolution reflects both a response to international cybersecurity defenses and an alignment with China’s broader geopolitical strategies, such as those seen in the South China Sea and Taiwan tensions.
Economic difficulties within China, including impacts from the COVID pandemic and internal financial strains, are likely influencing a ramp-up in cyber espionage activities as a means to quickly gather valuable foreign technologies and intelligence that could bolster domestic industries.
Conclusion:
Chinese cyber operations have intensified. The recent formation of China's Information Support Force marks a significant formalization of its cyber capabilities, reflecting a deep commitment to integrating cyber operations within its national defense strategy.
Concurrently, global incidents—from the infiltration of Volkswagen’s networks to the targeting of Southeast Asian entities with advanced spyware—demonstrate the operational reach and sophistication of Chinese cyber activities.
These developments have not only heightened tensions but have also prompted a stronger international response, with increased cybersecurity cooperation among China's geopolitical rivals and heightened alerts about the threats to critical infrastructure. The revelations from the I-Soon leak further complicate the landscape, exposing the depth and breadth of China's targeting, which includes government, corporate, and even academic spheres.
However, it’s important to recognize that the actions taken by China’s neighbors and economic rivals in response to these revelations may have a spiraling effect. As more campaigns get uncovered, the risk of penalties to China increases, further incentivizing nefarious activities to maintain a competitive edge in the intelligence and economic domains.