Research Saturday 2.27.21
Ep 172 | 2.27.21

Shining a light on China's cyber underground.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Maurits Lucas: We basically track the cyber underground all across the globe. Looking at our reporting, we saw that the Russian-speaking underground is sometimes somewhat overrepresented, and there's less information on the Chinese cyber underground. And so we thought we'd try and shine a light on that.

Dave Bittner: That's Maurits Lucas. He's Director of Intelligence Solutions at Intel 471. The research we're discussing today is titled, "No pandas, just people: The current state of China's cybercrime underground."

Dave Bittner: Well, take us through some of the basics here. I mean, when we're talking about the Chinese underground, can you describe to us what it's made up of?

Maurits Lucas: Yes, of course. I think what it's made up of is actually very similar to other parts of the globe. Actors seem to be – the actors that are active in the cyber underground seem to have very much the same type of motivations. There's just a couple of things that kind of set them apart from what we see in other areas of the world, especially if we look at the Russian-speaking cyber underground, we can compare it with that.

Dave Bittner: What are some of the differences?

Maurits Lucas: Some of the key differences – they all have to do, of course, with the kind of unique situation in China, where there is extremely active and pervasive surveillance activity going on. And so that has its effect on Chinese underground actors. They are very acutely aware that the government may take a dim view of what they do, and so they kind of try and – certainly they're very much focused on remaining anonymous. They definitely do not want you to know their real-life identity, as it were. And at the same time, they may be very cagey about what types of activities they're engaged in and to what level they're engaged. So, if you look at the very, kind of the top-tier actors, if you look at the Russian-speaking underground, they're very active, they're very open, they're eager to prove that they are – that they're kind of top-tier actors, whereas in the Chinese one, they're trying to keep a very, very low profile.

Dave Bittner: Now, I hear people speak often about the Great Firewall of China. What part does that play in these people's efforts?

Maurits Lucas: It plays a large part. There's actually – the firewall of China, apparently, from what we can see, it's just one part of a larger puzzle. It's actually a separate entity. There's a separate – there's actually another project called "Golden Shield," whose aim it is to create a, in the words of the Chinese government, a safe cyberspace for China. And that's all about surveilling and monitoring what's going on on the Internet within China. The Great Firewall then shields that from the rest of the world.

Maurits Lucas: So, from a perspective of the underground actors, they're trying to evade the surveillance from the Golden Shield project, but at the same time, if they want to access stuff kind of international, for want of a better word – things such as tools or techniques that are being discussed in other parts of the Internet – they need to find a way around or through the Great Firewall of China. Not all of them are able to do that. Some of them actually also do that because they want to conduct their activities – so, Chinese actors talking to Chinese actors – not within China, they want to do it on infrastructure hosted somewhere else, or Tor services that kind of escape that surveillance. So, they're very much focused on the Great Firewall of China, trying to get around that.

Maurits Lucas: It also serves as some kind of barrier. So, one interesting thing that we see is some actors are able to bypass the firewall. They will then take tools or open-source tooling from other parts of the world and then repackage it or start spreading that in China, sometimes modifying it, renaming it, building their own versions based off of it. But because the firewall makes it difficult for kind of their fellow actors to kind of get their hands on what's out there, they form this – kind of this gatekeeping function, or this conduit. And they're able to modify them and sell these modified versions.

Dave Bittner: What level of sophistication does it take to circumvent something like the Great Firewall? Are we talking – are these tools readily available to average people who want to use them, or does this take a little more technical know-how?

Maurits Lucas: I think it takes a little more technical know-how. However, the Internet being the Internet, guides and information are available. I think for a lot of people doing it, the risk that they're trying to – the balance they're trying to strike is you need to do it right. So you not only want to bypass the Great Firewall, you don't want them to detect that you are doing it, because that could have real-life repercussions. I think if you want to look at one of the things that really sets the Chinese underground apart, it is this acute realization by all of the actors involved that if they're found out, that could have real-life repercussions.

Maurits Lucas: On the other hand, so many people are doing it, not even for the most, what we would term, "criminal reasons." Some just want to watch foreign TV or watch foreign media or stream foreign movies, et cetera, that aren't available within China. And so they're looking to do it to bypass the firewall for those reasons.

Dave Bittner: Well, let's go through some of the various markets that you all have listed here in your research. You start out by talking about the DeepMix Market. What's going on there?

Maurits Lucas: So, I think DeepMix is one of the most well-known Chinese marketplaces. There's actually – they come in two versions: DeepMix, One and DeepMix Two. DeepMix One was the original, but as I said, there are, not just Golden Shield, but also regular projects or schemes run by the government, kind of where they're cleaning up the Internet. You'll be able to find announcements where they've arrested so many cyber criminals or people selling fraudulent products, et cetera, et cetera. The first iteration of the DeepMix market went offline after it suffered a sustained distributed denial-of-service attack, and then resurfaced a little bit later on, but with some added DDoS protections and also some modifications, some enhanced protection for its users. And so we refer to that as a kind of DeepMix market, the second version, or DeepMix market two.

Maurits Lucas: And that's where underground actors can basically – you can create an account and you can buy and sell – it's an underground marketplace. And again, most of the focus from what we see is trading kind of virtual goods, things that you can transfer digitally. There is a – obviously with all the surveillance, and an actor's trying to stay anonymous, anything that requires them to physically deliver something to the seller or the buyer to get something from the seller is something that they're a little less enthusiastic about. But digital or virtual goods are very much what we see there.

Dave Bittner: And what are some of the other markets that you all are tracking here? What are the other ones that catch your eye?

Maurits Lucas: Well, there's basically kind of variations of DeepMix, meaning markets that do the same thing. So you have the United Chinese Escrow Market. It was established as one of the other kind of variants of DeepMix Market. We have Tea Horse Road, again, basically similar to the United Chinese Escrow Market and DeepMix. And Free City is another one of the well-known marketplaces that we track.

Dave Bittner: Hmm. And then you also mention that there are some efforts to have open web forums, but I suppose the government has its eye on those.

Maurits Lucas: Yes, absolutely. There are some. One of the – and some of what we see about the open web forums, they exist, but then they'll get shut down as they run afoul of the authorities. Quite often, what they try and do is position themselves as being kind of research hubs for people interested in security or interested in hacking. It's just people who want to learn more about it, but not necessarily want to be engaged in it, or want to learn how to protect themselves from hacking. But of course, all of the tools and all of the knowledge you learn there to quote unquote protect yourself against hacking can also be used for what will be their primary use. But they try and evade the ire of the authorities by presenting themselves as more research or only for people who are interested in learning more about it. But of course, if they overdo it and they actually do start to look too much like a real cyber underground forum, but in the open web, then quite often you'll see the authorities react and it gets taken down.

Dave Bittner: Hmm. You know, there's a sense with some of these criminal undergrounds that sometimes governments will turn a blind eye. And I'm thinking specifically of the Russians. Do we see evidence of that sort of thing with the Chinese, as well? This idea that perhaps folks whose day jobs are working for the state, they're moonlighting on the side?

Maurits Lucas: We see some evidence of it sometimes, but actually, exactly the point that you raise, we see in China, it's actually mostly the opposite. Actors – most actors are acutely aware that for the most part, the government will probably take a very dim view of what they do, so they are very much focused on guarding their anonymity, keeping their real identity private, et cetera. Having said that, there's a group called the "Honker Union," which actually comes from the Chinese for hóngkè, which means – interestingly enough, it means "red guest," because the Chinese for "hacker" is actually "black guest," an uninvited guest. So what this means is, is Red Hackers, it is basically the Red Hacker Union. And these have been engaged in – mostly in international relations, if one country makes disparaging remarks about China, or if companies, for instance, list either Taiwan or Hong Kong as separate countries to mainland China – which is obviously very often something that will get you a sternly worded letter, at the very least – you sometimes see them launching DDoS attacks, defacement attacks, et cetera. 

Maurits Lucas: Within the Honker Union group, we have seen some voices say that they want to be – kind of have closer ties to the state. You can see that they can be useful as sort of proxy forces in that sense. And there are some – you do see some similarities sometimes where you see the Chinese government protests, and then the Honker Union also try launching their kind of attacks. But I think that's the extent of it.

Dave Bittner: Can you give us a sense for how a Chinese citizen would go down this path? And I'm thinking about, you know, how do you hide your IP address? How do you go about doing the – if this is something you're interested in, how do they typically go about it and still maintain their anonymity?

Maurits Lucas: So, there's a couple of ways of going about it. One, obviously, is to find some kind of open WiFi. I think the first, again, the first qualifying remark is that if you're engaged in something which is kind of something the Chinese authorities would take a very, very dim view of, then most of these measures, you'd need to do much, much more. But for an average Chinese citizen, finding a coffee shop, getting on the WiFi or any other open WiFi, using those VPNs – we can also see that some Chinese actors, when they use their home Internet connection, if you power cycle your modem or your cable modem or whatever, you may get a fresh new IP address. So they'll go online, do what they need to do, and then quickly make sure that they get assigned a new IP address and then engage in their regular activity.

Maurits Lucas: None of that is foolproof, of course. If someone were to go to their ISP and look at logs and forms, you'd be able to see when they had that IP address. They do it for activity where no one is going to go to that much trouble to kind of track them down. Other things that we see is people talking about using kind of satellite Internet or satellite services even, especially when looking for – when you want to watch foreign movies, if you can get a dish. But if you get a dish, I think you're supposed to get a license, so many people try and put some cover over them, disguise them as air conditioning units, for instance. But it's just a box with a dish in it. So those are the types of – I think there's actually an Instagram account where people publish pictures where they've spotted a disguised dish. So those are the kind of tricks that people get up to.

Dave Bittner: And is there a specific type of malware, of goods and services that the Chinese folks seem to be focused on?

Dave Bittner: There's a lot of focus on brute-forcing, DDoS, exploitation tooling. There's a particular focus on anything to do with exploits for vulnerabilities, so think web servers, Apache, Microsoft servers. Cryptocurrency mining and also stealing and brute-forcing of cryptocurrency wallets, we see a lot of – as I said, you see kind of local variations of well-known remote access Trojans or pentesting tools, things like Cobalt Strike, Anubis, njRat, Ghost, and then we see these local versions that are being traded. A lot of focus on illegal gambling and hacking of illegal gambling sites. Sometimes some other activities around kind of what they call the other vices, so looking for activities around that. And a major focus on ripping other actors off, which is kind of logical. If you're – if this is kind of a closed-off pool and you're restricted to that section, sometimes you start just scamming each other.

Dave Bittner: No honor among thieves, I suppose.

Maurits Lucas: No. Or very little.

Dave Bittner: (Laughs) Where do you see this going? I mean, is there a sense of equilibrium here, in terms of what the government does and what these actors do? Is this an ongoing game of whack-a-mole? Where do you think we're headed in the future with this?

Maurits Lucas: That's a very good question. I think there's always going to be a certain equilibrium. I mean, this system will find some point of equilibrium around how much effort the authorities are putting into doing this versus the activity of the actors there. At the same time, I think it goes – it ebbs and waves, as it were. You see these – they're almost annual announcements of these operations to sweep the Internet, and then you get this focus on how many cybercriminals, for instance, are arrested, or people committing fraud. I think a lot of them are tied around kind of stuff that is playing in Chinese society at large. So, the last one, for instance, had a particular focus on people making fraudulent offers around anything to do with COVID-19, or spreading rumors.

Maurits Lucas: And I think, from the government perspective, this – what we would classify as cybercrime is one of the things they're trying to stop. They're also trying to keep a lid on many other types of things, like discussing politically sensitive subjects, making disparaging remarks about the government or the Communist Party, which are the same thing in China, they're one and the same. So they're basically looking to keep a lid on all those kinds of things. Cybercrime is just one aspect of it.

Maurits Lucas: At the same time, the Golden Shield, that project to kind of make sure that Chinese cyberspace is safe, I think will continue and will become more and more kind of larger and invasive and better. One of the things that we found in our reporting, of course, is that looking at the Internet is just one part of it. They're also looking at all aspects of behavior of citizens. And these things are linked. So, if you step out of line, for instance, in public life, do something there, all of that would – all of it goes back into I think what they call their social credit score, and if you lose too many credits, you will be limited in your activities. There was talk of people not being allowed to travel. You can't go on holiday, you can't travel internationally, for instance, or even domestically if your social credit score is not good enough.

Maurits Lucas: And all of these activities on the Internet, if you get caught out doing something there, will also have negative consequences for that credit score. Sounds very 1984 and very totalitarian. So this is just one part of that larger – what seems to be a much larger endeavor. And I think they're still very much that work on building that out.

Dave Bittner: Our thanks to Maurits Lucas from Intel 471 for joining us. The research is titled, "No pandas, just people: The current state of China's cybercrime underground." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.