While the public discourse around state-backed hacking has focused primarily on Russia, experts warn that China is behind numerous recent attacks.
Dating back to at least 2013, China has targeted countries in Southeast Asia, argues Palo Alto Networks’ threat intelligence team, Unit 42. (Not so) coincidentally, these countries, which include Myanmar, Taiwan, Vietnam, and Indonesia, have strained relationships with China.
The group, commonly known as PKPLUG, is suspected of being behind these ongoing attacks, which have delivered PlugX malware inside ZIP files.
“Researchers have revealed a previously undocumented threat actor of Chinese origin,” says The Next Web’s Ravie Lakshmanan. This group has run at least six different cyberespionage campaigns in the Southeast Asian region, he says.
While the motive behind these continuous attacks is still unclear, the sophistication with which they are carried out is worrisome.
“This group (or groups) has a long history and series of creating custom tools which imply they are persistent, and well-resourced,” Unit 42’s Alex Hinchliffe explains to The Next Web. “For example, the creation and use of a custom Android malware […] may indicate their targets require unique attention based on prevalent operating systems used or that they need that capability generally. This group(s) is patient in what they work toward.”
More recently, CrowdStrike, a cybersecurity provider, reported that “Chinese state-sponsored hackers conducted as many ‘intrusion campaigns’ against vertical industries in the first half of 2019 as Russia, Vietnam, North Korea, and Iran combined.”
Specifically, they found that in the first half of 2019 (1H 2019):
“…Malicious campaigns hit 13 of 19 vertical sectors…including aviation, financial, law enforcement, technology, and telecommunications. Chinese hackers also attacked the technology and telecom verticals. By comparison, activity by Russian bad actors was confined to non-governmental organizations. Threat actors from Vietnam targeted only the automotive industry, while Iranian hackers focused on the aviation, transportation and logistics verticals.”
CrowdStrike’s 2019 OverWatch Mid-Year Report also identified PsExec, ProcDump, and PC Hunter as the non-native tools most commonly used in nation-state attacks.
One specific instance of a suspected nation-state attack on Airbus this past year raised more concerns about “Chinese supply chain risk.”
“…With these seemingly state-sponsored attacks taking place [is it] safe to allow Chinese technologies into core industries, critical infrastructure and even the military itself…” asks Forbes’ Zak Doffman.
This attack brings up “the vulnerability of the aerospace and defense supply chain to attacks from nation-state actors,” he argues. “Supply chain compromise is a major threat right now, and for risks to one introduced in the design and production phase for products that find their way into service causes grave concern.”
While these are serious issues with enormous consequences, there are steps you and your business can take to protect yourselves from such attacks.
CrowdStrike suggests implementing user awareness programs, asset management, and software inventory, as well as multifactor authentication.
More specifically, Unit 42 reiterates how important it is to avoid downloading apps from third-party Android stores. They also emphasize the need to secure your network’s endpoints, which includes evaluating your company’s “bring your own device” policy.
Knowledge is power and we must, as individuals, do what we can to protect ourselves, our businesses, and our country.