China Joins the Name-and-Shame Game
In a new twist, multiple Chinese government agencies are taking the lead in loudly attributing malicious cyber activity to US cyber-spies.
Among the various high-profile activities at China’s annual Cybersecurity Week this year, the National Computer Virus Emergency Response Center (CVERC), a “national cyber defense agency of China,” and Qihoo 360, one of China’s top cybersecurity companies, claimed to have identified the “true identity” of the US National Security Agency (NSA) personnel responsible for launching a cyberattack against Northwestern Polytechnical University (NPU), a leading Chinese aviation university, which NPU had reported in June 2022, according to Chinese state media outlet Global Times. Global Times cited “relevant sources” who said the real identities of these individuals “will be disclosed through the media in due course.” The CVERC and Qihoo 360 allegedly extracted “multiple samples of the spyware named SecondDate,” which was used in the attack, and described some of the functionality of the SecondDate spyware. The report cited “relevant sources” as stating that the investigation involved “collaborative efforts of partners in various countries,” but it gave no details of which countries were partners.
Already, in a two-part investigative report in September 2022, China’s CVERC had attributed the cyber incident at NPU to the NSA. That report listed SecondDate spyware as one of six “weapons for the persistence control type.” It is notable that, a year later, China picked up the NSA-NPU case again to show “US government-backed cyberattacks.”
Public cyber attribution and a “name-and-shame” strategy are a relatively new foreign policy tool for the Chinese government. Looking into China’s public cyber attribution cases since 2019, Natto Team has seen new patterns in China’s use of public cyber attribution.
Formerly initiated by cybersecurity companies, public cyber attribution is now government-led
China’s practice of publicly calling out alleged US government-backed hacking activities started in 2019 with several major cybersecurity companies producing threat reports. On September 30, 2019, Qi An Xin (QAX), a top Chinese company with ties to the Chinese government and serving mostly Chinese government and military clients, published a Chinese-language report accusing the CIA of hacks against Chinese aviation targets between 2012 and 2017. This was the first time that a Chinese cybersecurity company called out US hacking activities. Since then, Qihoo 360 has published two reports, one in March 2020 and another in March 2022, about alleged hacking activities it attributed to the CIA and the NSA respectively. Qi An Pan Gu lab, a subsidiary of the QAX group, published a February 2022 report discussing technical details of a backdoor the NSA’s Equation Group had allegedly used, and a follow-up technical report on the same backdoor in September 2022.
By September 2022, however, Chinese government agencies had also joined the blame game. For the first time, the CVERC, a Chinese government agency, conducted public attribution against the NSA, cooperating with Qihoo 360 in the aforementioned two-part report about the NPU hack. In fact, Pan Gu lab’s September 2022 report, published a week after the CVERC’s NPU hack report, also stated that it was the result of cooperation with the CVERC, but the CVERC did not claim the lead on it.
Thus, it took exactly three years for the practice to evolve from public attribution centered on cybersecurity companies to explicitly government-led public attribution, with the cooperation of cybersecurity companies, from September 2022 onward. (See figure below. The titles in black type are reports produced by cybersecurity companies, whereas titles in red type are government-led reports.)
From one agency to multiple agencies, particularly Ministry of State Security
The CVERC was the first Chinese government organ to initiate public cyber attribution, though China’s Ministry of Foreign Affairs often echoed and amplified the public attribution messages. Recently, however, the Chinese Ministry of State Security (MSS) has joined in, not only amplifying published cyber attribution reports but also adding new information to them.
Less than a week after the CVERC’s reveal of SecondDate spyware in September 2023, the public Weixin account of China’s Ministry of State Security (MSS) followed up with a post (hxxps://mp.weixin.qq[.]com/s?__biz=Mzk0OTUyOTc1Ng==&mid=2247484470&idx=1&sn=9209e4ac867460263014fb32120b9e76) entitled “uncovering US intelligence agencies’ main despicable means of cyberattacks and secret theft.” (Weixin (微信) is the largest Chinese social media platform. For users outside of China the app’s English version is called WeChat.) The post listed three “tricks” that it said US intelligence agencies used: “building an arsenal of cyberattack weapons; forcing relevant technology companies to open back doors to cooperate, and confusing right and wrong and calling on the thief to catch the thief.” In particular, the post accused the NSA’s Tailored Access Operations (TAO) group of carrying out attacks against the servers of Chinese tech giant Huawei since 2009. It also attributed the NPU attack to TAO but did not provide technical details. This was the first time that the MSS, through its own online platform, openly accused the US of alleged cyberattacks. The allegations are not new; Western media reports, based on the leaks of former NSA contractor Edward Snowden, had said an NSA “covert program against Huawei” had existed since at least 2007 and that TAO had breached Huawei systems by 2010. The MSS post of September 2023 contains few new revelations but appears designed, rather, to denigrate the US in the minds of the global Chinese-speaking audience of WeChat users.
Natto Team noted that the MSS set up its Weixin public account only about two months earlier, on August 1, 2023. Chinese media reported that this was the first time in the 40 years since the establishment of the Ministry of State Security that the MSS had officially opened a public social media account. The first article posted on the account was titled “Counter espionage requires the mobilization of the whole society.”
Increasing intensity and pace
In 2023, China has increased the intensity and pace of public cyber attribution. From the first public cyber attribution report published by QAX in September 2019 to the March 2022 Qihoo 360 report, Chinese cybersecurity firms published a total of four reports with public attribution over two and a half years. However, after the CVERC’s first report on the NPU hack in September 2022, Chinese government agencies working with Chinese cybersecurity firms have called out alleged US hacking activities at least four times in 2023.
On May 4, 2023, the CVERC and Qihoo 360 jointly released “the first part of an investigative report on the US Central Intelligence Agency’s cyberattacks against other countries, including China.”
In July 2023, Wuhan city’s emergency management bureau reported, “The Wuhan Earthquake Monitoring Center has recently suffered a cyberattack launched by an overseas organization.” On August 4, the CVERC and Qihoo 360 attributed the hack to US intelligence agencies, stating that this was “a planned and premeditated cyber military reconnaissance action.”
On September 14, 2023, the previously mentioned report by the CVERC and Qihoo 360 claimed to have determined “the true identity” of US NSA personnel responsible for the cyberattack against the NPU.
On September 19, 2023, the Chinese MSS accused the US NSA of hacking Huawei.
China’s Use of Cyber Attribution: Learning, Mirroring, and Progressing
China changed the tone of its public discourse after the CVERC’s public cyber attribution on the NPU hack in September 2022. True, China has long criticized the US for publicly attributing cyber threat activity to the Chinese government; Chinese sources claim the US is disseminating a so-called “cyberattack threat from China theory (中国网络攻击威胁论)” as a political tool for global influence. A commentary dated September 30, 2022 in the Chinese version of state media Global Times explicitly recognized that state-vs-state cyber attribution has become a weapon in “cyber power competition for all countries and directly reflects their internal and external political demands.” Now the Chinese government has explicitly joined in this competition.
The Global Times commentary also noted, “Safeguarding the security of the global cyberspace requires continuously conducting effective cyber attribution while improving our technical capabilities.” To improve its own cyber attribution capability, China has invested significantly in research and development since at least 2020. One indicator is the increase in published research on cyber attribution. Before 2020, academic research on cyber attribution was rare. A Leiden Asia Centre study on “the Evolution of Chinese Perspectives on Cyber Deterrence and Attribution” examined journal articles on cyber attribution in the China National Knowledge Infrastructure (CNKI), the database of China’s monopoly academic journal publisher, under the academic discipline “computer technology,” and noticed an uptick in 2020. In 2016-2019, the Leiden researchers found around fifty published articles every year that contained the keyword “cyberattack attribution” (网络攻击溯源), whereas 142 articles containing the same keyword were published in 2020, 117 in 2021, and another 109 in 2022.
As to the public cyber attribution reports published by the relevant Chinese government organs and cybersecurity companies, many of them mirror aspects of Western cyber attribution practice. For example, as the Leiden Asia Centre study pointed out, the CVERC’s NPU hack report used analytic techniques such as pointing out that the hacking activity aligned with the American working schedule and public holidays, and citing “American-English” linguistic features, to substantiate the claim that the attack originated from the NSA. Many US cybersecurity companies use linguistic and schedule-related evidence, as well as more technical data, to establish attribution.
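The working-schedule heuristic mentioned above is simple enough to show in code. The following is an added example written for this post; it is not the CVERC’s or Qihoo 360’s analysis and uses no data from the NPU case. It assumes a 09:00-18:00 Monday-to-Friday working window, a handful of candidate timezones, and a constructed set of event timestamps generated inside the script (three events per US Eastern working day in February 2023, none on February 20, plus two Saturday events as noise). Given observed UTC timestamps, it scores each candidate timezone by the share of events that fall inside working hours there, and tallies events per local date so that gaps on a candidate country’s holidays can be checked.

```python
# Added example (not the CVERC/Qihoo 360 analysis): a working-hours and
# holiday heuristic of the kind described in the text, run over constructed
# event timestamps. Timezone names, the 09:00-18:00 window and the sample
# events are assumptions chosen for illustration only.
from collections import Counter
from datetime import date, datetime, timezone
from zoneinfo import ZoneInfo

BUSINESS_START, BUSINESS_END = 9, 18   # assumed local working window, end exclusive


def constructed_sample():
    """Constructed UTC timestamps standing in for observed intrusion events.

    Generated, not captured: three events per weekday during US Eastern
    working hours from 2023-02-06 to 2023-02-24, skipping 2023-02-20
    (a US federal holiday), plus two Saturday events as noise.
    """
    ny = ZoneInfo("America/New_York")
    events = []
    for day in range(6, 25):
        d = date(2023, 2, day)
        if d.weekday() >= 5 or d == date(2023, 2, 20):
            continue
        for hour in (10, 13, 16):
            local = datetime(2023, 2, day, hour, tzinfo=ny)
            events.append(local.astimezone(timezone.utc))
    for hour in (10, 14):                      # Saturday 2023-02-11, noise
        local = datetime(2023, 2, 11, hour, tzinfo=ny)
        events.append(local.astimezone(timezone.utc))
    return events


def business_hours_score(events_utc, tz_name):
    """Fraction of events that fall Mon-Fri inside the working window
    when viewed in the candidate timezone."""
    tz = ZoneInfo(tz_name)
    hits = 0
    for ts in events_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and BUSINESS_START <= local.hour < BUSINESS_END:
            hits += 1
    return hits / len(events_utc)


def rank_timezones(events_utc, candidates):
    """Candidate timezones ordered by how well they explain the activity."""
    scored = [(business_hours_score(events_utc, tz), tz) for tz in candidates]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def activity_by_local_date(events_utc, tz_name):
    """Event count per local calendar date; missing dates count as zero,
    so gaps on a candidate's public holidays can be checked directly."""
    tz = ZoneInfo(tz_name)
    return Counter(ts.astimezone(tz).date() for ts in events_utc)


if __name__ == "__main__":
    events = constructed_sample()
    candidates = ["America/New_York", "Europe/Berlin", "Europe/Moscow", "Asia/Shanghai"]
    for score, tz in rank_timezones(events, candidates):
        print(f"{tz:20s} {score:.2f}")
    per_day = activity_by_local_date(events, "America/New_York")
    print("events on 2023-02-20 (assumed holiday):", per_day[date(2023, 2, 20)])
```

On the constructed sample the US Eastern zone scores far above the others and shows no activity on the assumed holiday, which is the shape of evidence the report relied on. The weakness of the signal is also visible: a single UTC offset covers several countries, operators can shift their hours, and a high score only says that the activity is consistent with a schedule, so analysts treat it as one indicator to be combined with technical and linguistic evidence rather than as proof.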
Another example of the mirroring of Western practice in public cyber attribution is a post on the MSS’s newly established Weixin public account that listed tactics and strategies used by nation-state actors; the list resembles those in Western public attribution reports. The post (hxxps://mp.weixin.qq[.]com/s/XOlhw2TdT19OqvT14GTleA), titled “Where do ‘digital’ spies come from? What are their tactics?”, claimed “China has become a primary victim of Advanced Persistent Threat (APT) attacks.” Chinese state security agencies “have identified dozens of espionage and intelligence agencies from different countries and regions conducting cyberattacks within our borders,” the MSS post said. The tactics these agencies used included “setting up ‘front companies,’” “establishing specialized organizational forces,” or “outsourcing services to instruct professional companies, institutions, and hacker groups to carry out the attacks.”
Lastly, China seems very content with the progress of its public cyber attribution capability, even offering to help other nations to conduct public attribution. Describing “the successful extraction and tracing of the spyware sample of SecondDate,” the Global Times report mentioned at the beginning of this post cited an unnamed source who stated that China’s cyber attribution capability “proves that China has a ‘visible’ foundation in cyber technology, which can effectively assist our country and other nations in perceiving risks, identifying threats, and resisting attacks, thereby exposing state-sponsored hacker attacks to the public.”
Oh, before we end this post, “collaboration needed”: as the “relevant sources” told the Global Times, the SecondDate spyware investigation involved “collaborative efforts of partners in various countries.” Who could those partnered countries be?