China as a Target of Cyberattacks: What China Says About Who Is in Its Systems
Whether you view China as an adversary, a competitor, or a business partner, it is beneficial to understand China’s own perspectives.
Recent reports from the New York Times, Moscow-based multinational cybersecurity firm Kaspersky, and Microsoft have depicted multiple Chinese advanced persistent threat (APT) groups targeting critical military, government and industrial infrastructure to “establish a permanent channel for data exfiltration”, using sophisticated techniques such as forging tokens for authenticating enterprise accounts. While Chinese APT groups - a term that usually refers to nation-state-backed hackers - keep defenders busy, foreign APT groups also target China. Qi An Xin (奇安信) (QAX), a top information security company in China with ties to the Chinese government, published its 2023 Mid-year Global APT Report (全球高级持续性威胁(APT)2023年中报告) in Chinese in July. The QAX report used data from QAX’s own Threat Intelligence Center (TIC) and from 177 publicly available APT reports. The report enumerates the top APT groups QAX observed targeting Chinese organizations during the first six months of 2023, as well as global threat campaign trends. Natto Thoughts suggests reading the report with a grain of salt, because QAX likely had to take into account Chinese government sensitivities and messaging. However, the report provides a government-linked Chinese company’s perspective on cyberspace and on China’s political and security situation. Whether readers of Natto Thoughts consider China an adversary, a competitor, or a business partner, it is beneficial to understand Chinese perspectives.
Natto Thoughts has three major takeaways from QAX’s Global APT report, particularly from the sections about APT groups claimed to be targeting China.
The seven most active and seven most harmful APTs targeting China originate from Taiwan, Vietnam, India, North Korea, Russia, and the US
As reports from Chinese information security firms and the Chinese government constantly claim, “China is the world’s largest victim of cyberattacks.” The QAX report identified two sets of seven top APT groups targeting Chinese entities during the first half of 2023.
One set of groups was rated by the proportion of IP addresses in China suspected of belonging to computers that APT groups have compromised. This serves as an indication of how actively these groups have targeted entities in China. The seven groups and their suspected percentage of controlled IP addresses in China were:
毒云藤 (a.k.a. GreenSpot), 27%
海莲花 (a.k.a. OceanLotus), 15%
APT-Q-29 (a.k.a. Winnti), 14%
蔓灵花 (a.k.a. Bitter), 8%
APT-Q-27 (a.k.a. Dragon Breath), 7%
响尾蛇 (a.k.a. SideWinder), 6%
Lazarus, 6%
Although the report only attributed APT groups to their geographic regions, Natto Team cross-referenced publicly available reports and other Chinese-language sources, such as an APT list from DAS Security (安恒信息), to determine the likely origins of the mentioned APT groups from the perspective of Chinese information security firms. These groups’ likely origins are:
毒云藤 (a.k.a. GreenSpot): likely based in Taiwan
海莲花 (a.k.a. OceanLotus): likely based in Vietnam
APT-Q-29 (a.k.a. Winnti): defined by QAX as “an overseas group”; China-based sources give no information on its origin. See discussion below.
蔓灵花 (a.k.a. Bitter): likely based in India
APT-Q-27 (a.k.a. Dragon Breath): likely a Chinese-speaking group targeting the online video gaming and gambling industries, according to a report from Sophos, a UK-based security company. QAX’s report said the group targeted the gambling industry and conducted fraud activities. Gambling is technically illegal in China, but the QAX authors may be referring to the targeting of illegal gambling or of gambling in Macao or Taiwan.
响尾蛇 (a.k.a. SideWinder): likely based in India
Lazarus: most likely based in North Korea
The report pointed out that GreenSpot from Taiwan and OceanLotus from Vietnam have been targeting China for a long time. During the first six months of 2023, GreenSpot mostly used phishing attacks targeting universities and scientific research entities, while OceanLotus targeted China’s critical infrastructure.
The other set of APT groups drew on data from QAX’s security services team and its RedDrip research team. Based on victimology analysis, monitored equipment, and the APT groups’ tactics, techniques and procedures (TTPs), the report gave a list of the most harmful groups targeting China in the first half of 2023. The list included the following groups and provided a short description of targeting details (note: Natto Team added the likely country attribution based on open source reporting):
APT-Q-31 (a.k.a OceanLotus): likely based in Vietnam. The group targeted IT and software companies and intended to conduct supply chain attacks. The group also targeted subsidiaries of Chinese state-owned entities in Hong Kong.
APT-Q-12 (a.k.a. APT-C-60; 伪猎者): likely based in North Korea. The group targeted foreign trade and education entities.
APT-Q-77 (a.k.a. APT29, CozyBear, Nobelium): likely based in Russia. The group focused on China’s natural gas and military industrial base entities, exploiting Nday vulnerabilities in edge devices and making heavy use of spear-phishing techniques.
APT-Q-78 (a.k.a. Turla): likely based in Russia. The group mainly targeted geology-related fields.
摩诃草 (a.k.a. Patchwork): likely based in India. The group targeted universities, government, meteorology, and science and research entities.
CNC: likely based in India. The group is less sophisticated in its attack methods compared to other Indian groups.
APT-Q-94 (related to actors involved in Operation Triangulation): likely based in the US. Qi An Xin referenced the technical details of Kaspersky’s Operation Triangulation report and confirmed victims in China. The group leveraged a 0-click 0day in the iOS iMessage service in its threat campaigns.
Is listing Winnti Group all about smoke and mirrors?
Natto Team noticed Winnti Group was on the list but could not locate any attribution information in Chinese information security firms’ reporting. Winnti Group is known as a group of Chinese origin that has been active since at least 2010, according to a group description from MITRE ATT&CK Groups. First outlined in reports published by three security firms outside China from 2013 to 2017, the group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. A number of other Chinese groups that conduct cyber espionage, including Axiom, APT17, and Ke3Chang, are closely linked to Winnti Group. Some reporting from Western information security firms also treats Winnti Group as APT41; for example, a 2022 report from Boston-based cybersecurity firm Cybereason attributed Operation Cuckoobees, a cyber espionage and intellectual property theft campaign, to the Winnti Group (APT41). Massachusetts-based firm Recorded Future has reported on a group it calls TAG-22 that used Winnti malware against targets in Taiwan and Hong Kong - activity that QAX may have had in mind when it highlighted Winnti activity affecting China.
QAX’s report identified Winnti Group as an “overseas group” and said it targeted the Internet industry, financial services, and technology industries in China. As QAX did not disclose how it clustered threat campaigns, Natto Team cannot determine the degree of overlap between APT-Q-29 and the China-based Winnti Group activity that global researchers have described. However, Natto Team is certain that QAX is aware of overseas reporting about China-based cyber espionage campaigns that use Winnti. It is possible that this was a smoke-and-mirrors trick by QAX to deny Winnti Group’s possible Chinese origins and its connections as a state-backed APT group.
China’s geopolitical tensions with neighboring countries manifest in cyberspace
In QAX’s report, most of the active APT groups mentioned, except for one group it claims is US-based, originated from China’s neighboring countries. This reflects how geopolitical tensions in the region translate into active cyberthreat activity. During the first six months of 2023, four of the thirteen most active and harmful APT groups were likely from India. These groups targeted Chinese entities in government, military, the military-industrial base, scientific research, and education. The heavy targeting by Indian APT groups aligns with continuing tensions between the two countries, including a border dispute. After a fatal clash in the Galwan Valley erupted in June 2020, the long-standing India-China border dispute escalated to another level. Clashes occurred again in December 2022; forces on both sides reportedly sustained injuries. Experts from the United States Institute of Peace expressed worries that the China-India border dispute could get “harder to manage” and risk strategic instability in Asia. In cyberspace, the fact that four of the most active and harmful APT groups targeting China in QAX’s list were from India likely indicates that the tensions between China and India had not eased during the first six months of 2023.
QAX has been highlighting Vietnamese APT group OceanLotus since 2015 (note: QAX was part of Qihoo 360 at that time) and has traced threat activity from OceanLotus targeting China as early as 2012. OceanLotus’s Chinese targets included ocean affairs agencies; the department in charge of China’s territorial waters; research institutes; and aviation, aeronautics, and shipping companies. These targets have significance related to territorial disputes in the South China Sea.
North Korea-based Lazarus and APT-Q-12 (APT-C-60) have been probing Chinese foreign trade and education entities. Although the Lazarus group may have connections in China, such as two Chinese men who allegedly worked from China and Hong Kong to help Lazarus launder stolen virtual currencies, the group seems to have undertaken cyber espionage against China as well.
The notorious Russia-based APT29 and Turla groups did not refrain from targeting China either, particularly aiming at Chinese energy and military industrial base sectors. Russia and China’s “no limits” friendship seems not to apply in cyberspace. Russian APTs’ cyber espionage activity targeting the Chinese energy sector and military industrial base likely provided an intelligence advantage for Russia in its cooperation and competition with China in these fields.
Lastly, QAX’s Global APT report identified GreenSpot, a Taiwan-based APT group, as the most active group during the first six months of 2023, saying it targeted Chinese military, government, technology and education entities. Naming GreenSpot as the most active group suggests China does not shy away from acknowledging the increasing tension with Taiwan. At the same time, putting an alleged Taiwanese APT group in the top spot could be a deterrence tactic showing “we know who you are, and we are watching you.”
“Overseas APT groups used a large number of 0day and Nday vulnerabilities targeting China”
The last section of QAX’s Global APT report discussed the increasing global exploitation of 0day vulnerabilities in APT attacks. Drawing mostly on secondary sources, this section of the report claimed, “overseas APT groups used a large number of 0day and Nday vulnerabilities targeting China.” However, it gave only one example, a 0-click 0day vulnerability in the iMessage messaging service on iOS, exploited in the campaign dubbed Operation Triangulation, which Kaspersky disclosed. QAX reported that it had “confirmed a large number of domestic victims,” without giving any other details. QAX analyzed the target scope, complexity, techniques and time span of the attacks exploiting the iMessage 0-click 0day vulnerability, which it characterizes as a single campaign and “a top APT attack campaign of the last decade.” The QAX authors may be aware that Russia’s Federal Security Service has accused Apple of leaving a backdoor for the US National Security Agency to exploit its product for surveillance against targets in Russia, an unproven allegation that has nevertheless gained ground in cybersecurity-related social media.
QAX also stated that vulnerabilities in Microsoft, Google and Apple products dominated the list, and said that close to 30 0day vulnerabilities in total were exploited in the wild. This number was higher than in the same period of the previous year. Users within China do not generally use Google products but might fall victim to attacks that exploit some of these vulnerabilities in Microsoft and Apple products.
Further reading
The Japan Cybersecurity Innovation Committee (JCIC), a Tokyo-based independent not-for-profit think tank, published a report titled “China as a Target of Cyber Attacks” (in Japanese) in April 2023. The report studied APT groups and threats, as reported by Chinese information security companies, covering the period from 2016 to 2022. The JCIC said it wrote the report to “understand trends in cyberspace and what problems China is facing” and to show that, whereas many cybersecurity vendors portray China solely as an aggressor, it can be a target as well.