Research Saturday 5.4.24
Ep 328 | 5.4.24

Geopolitical tensions rise with China.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Adam Marre: Yeah, so it came to our attention with the indictment from the United States Justice Department really outlining what APT31 has been up to. And just the revelations really in detail about their specific operations, who and what they were targeting, and how successful they were at that.

Dave Bittner: That's Adam Marre, Chief Information Security Officer at Arctic Wolf. Today, we're diving into geopolitical tension with China, including APT31, iSoon, and TikTok. [ Music ] Well, can you share some of the details there? I mean, what are the revelations that we had when it comes to this group?

Adam Marre: Really, I think it's useful to understand these indictments if we go back a little bit and understand the past indictments that have come out about the Chinese Communist Party and the PRC conducting cyber operations around the world. It wasn't always the case that the United States Justice Department put out these very detailed indictments and named individuals and organizations for, you know, possible prosecution if they're able to get their hands on these people. I think it was back in 2014 when one of the first of these happened where the U.S. Justice Department indicted five Chinese hackers, at that time, for stealing information from companies in the energy, metals, manufacturing areas. And they really outlined in that indictment, this was, you know, 10 years ago.

Dave Bittner: Right.

Adam Marre: Of things that they were doing. And so, then, you bring it forward a few years. And in 2018, that's when we started talking about APT10 and the massive IP theft that was conducted by APT10 around the world. And what was really interesting about that one was it was really a supply chain attack where they were attacking MSPs and then using that access as a one to many to conduct this IP theft of all kinds of organizations. Then, fast forward a few more years, and in 2020, the U.S. DOJ indicted another four Chinese hackers. And this time, they put together, what had seemed like four disparate, large-scale computer intrusions, including the OPM hack, which if you remember, was that's the organization that conducts background checks for top secret security clearances for the U.S. government.

Dave Bittner: Right.

Adam Marre: That organization was hacked, all that information was taken. Equifax, Anthem, and Marriott and this indictment connected all four of those and named four specific Chinese hackers. So, I think understanding sort of that history as you come to this one really helps you understand what's going on, the pattern, and how widespread across so many different sectors, across governments, that these Chinese cyber operations are. And so, in this case, the indictment specifically talks about an organization that they call Wuhan XRZ and the computer intrusion activities that it conducts at the behest of the PRC government. So, it names specific individuals and it's always interesting to me now that they include images of those individuals in the indictment itself that wasn't something that the U.S. government did in the past. Now they do. They include those actual photographs maybe to underscore the level of accuracy that they believe that they have reached in this indictment. And then, you know, specifically outlining APT31 or Zirconium, Judgment Panda, Violet Typhoon, all the different names that we come up for these groups. And then, they begin to outline what they did. And that's where it becomes, I think in this case, really interesting. Where these are network intrusion activities and one of the things they were doing was targeting work and personal email accounts, cloud storage accounts, and telephone records of millions of Americans. And I think, you know, one thing that I've always taught when I teach security awareness or I go into organizations and talk to them about what, you know, our organization Arctic Wolf flags, the things that we have found. I like to talk about how we like to think of our own personal attack surface as being just in my organization and then at home. And of course, and we've seen this across many different revelations like this, but in this particular indictment, we see that the attackers don't look at it that way. 
They're going to attack your personal and your work or your government email address, for example, in a phishing campaign or your personal network, they will do this because any toehold they can find, they will use to try to then, you know, pivot and increase their access and do the traditional things that we see in the, you know, attack chain. And even in this case, there were some wives and other family members of targeted individuals that they, you know, sent their phishing or spear phishing email campaigns to. So, it really showed sort of the breadth of that activity, but it wasn't just, you know, spear phishing campaigns, social engineering campaigns to gain a toehold, the indictment also talks about very specifically sophisticated types of custom malware that they created to do things like DLL sideloading to get remote access and to conduct other operations using zero day exploits. So, it really goes across the breadth of different types of activities that hackers use to get into networks and computers that they don't have access to. And so, and it outlines this activity over a decade. So, it really just underscores how persistent, how large and large-scale this is, how many - the infrastructure and the resources that they bring to bear to conduct these operations.

Dave Bittner: Can you give us some context as to how this fits in when we look at espionage? You know, it's my understanding that espionage is sort of put in a different category when it comes, you know, nation to nation. The fact that we're issuing indictments here when presumably we assume we're never going to bring these folks to justice, but the indictments themselves are a political message. They're a diplomatic message. Is that fair to say?

Adam Marre: Absolutely. I think when it comes to espionage and a lot of the classified means that are used to try to interdict espionage and combat it, it becomes difficult to really prove that adversaries are conducting operations and how they're conducting operations. So, one way is to use a law enforcement agency such as the FBI that does both counter espionage operations and, you know, criminal investigations and using their tools along with the U.S. DOJ to bring an indictment like this because then, you can send a clear message and provide evidence through the conduct of such an indictment to say, this is what we see them doing. And to say it in a very specific way. That's difficult to do when you're just talking about espionage or, you know, it can be seen as throwing accusations around. This is much different when they're outlining this kind of evidence and talking about very specific things in there. The names of malware, specific locations, specific accounts, businesses, and when you get that level of specificity, the information becomes a lot easier to verify and, therefore, a lot easier to trust for, you know, anyone around the world to see this.

Dave Bittner: Yeah, it's interesting too that our law enforcement folks are showing their cards here, you know, say revealing what they know.

Adam Marre: Yeah, and I think that signals, first of all, they've got plenty of other tools out there, but also, I think it really signifies the importance of sending this message. We've seen Jen Easterly, you know, the director of CISA and director Wray of the FBI out there talking with various organizations, the press, and really emphasizing the increase in activities from the PRC and the CCP conducting hacking operations across all kinds of things, especially infrastructure. And I think when you get that message, you know, being sent, it does hit one level of awareness for people and one level of credibility. But then, when you add an indictment like this, it's a whole another level of credibility that's added to it which really underscores it. And hopefully, is a motivation to people to really look at what they're doing, you know, for their own security and really understanding what the threat is.

Dave Bittner: You know, right around the time when this batch of revelations about APT31 came out, we also had this leak of information from this iSoon organization, this Chinese organization. Can you give us some of the story when it relates to that and how it all interweaves?

Adam Marre: Yeah, it's actually really interesting how similar it is to what we were just talking about with APT31 and those operations when we have the iSoon leak, what we're really talking about is a glimpse into the world of cyber contractors in China. So, you know, these sort of quasi or semi-private organizations that are set up and then, they're providing services to the Chinese government for pay and then, paying their employees and they're doing it, you know, conducting operations all over the world, again, you know, getting remote access, hacking, using social engineering, all the same kinds of things we talked about. But they're doing it as a private company. I mean, it should be noted that countries all over the world, including the United States, many other western nations do the same thing where they outsource some of their cyber activities to contractors, government contractors that conduct that work for them. And so, it's interesting in this case to see that China is doing the same thing as sort of an APT for hire situation where they're using this organization to conduct those activities. I think one of the more interesting things about it in this case is also that, you know, this was a leak of documents. So, unlike an indictment or some other, you know, government reveal of evidence, this was ostensibly an internal employee leaking this information so that people around the world could see it. And some of it included, you know, internal messaging where the employees were complaining about their level of pay and how hard they were working. So, I think that is really interesting, adds the human element to this. And that, you know, governments all over the world deal with this situation when they're using outsourced contractors. So, I think that was something that was very interesting.

Dave Bittner: When you and your colleagues there at Arctic Wolf are looking at something like this, how do you evaluate the motivation of a leak like this?

Adam Marre: Yeah, it's really interesting. I think it helps to look at both what was leaked and how it was leaked. And those two things can lead you to understand. And what information is there and is emphasized, I think, can really help you understand what the motivations are here. Again, at the end of the day though, it's analysts doing their best to understand something if it's not expressly stated by the person who leaked it. But in this case, you know, we're probably looking at an organization or someone within an organization that wanted to bring light to some of the things, and possibly there was some sort of struggle for power where they were saying we want more pay, or we want better working conditions. And this just showed the power that they have to be able to leak this information. And by the way, obviously, this is not just limited to, you know, a contracting company in China, this could be any company, so it really underscores the insider threat risk for any company around the world, that especially for employees that have a lot of access and access to, you know, specialized confidential type information that you've got to have an insider threat program and make sure that you have, you know, high morale and are addressing things in the proper way so that employees aren't motivated to do something like this. [ Music ]

Dave Bittner: We'll be right back. [ Music ]

Dave Bittner: Yeah, it's a really interesting point, I mean, I think, you know, as you alluded to earlier, it's so easy for people and organizations to think to themselves, well, there's nothing that a nation state would be interested in when it comes to us. But it seems certainly with the Chinese that that's not necessarily true.

Adam Marre: Absolutely. And this is a point that bears repeating again and again and again is it's very easy to dismiss something like this. If you're, you know, ABC corporation and you say there's no way that China, a nation state like that would be interested in us. And I think there is nothing that is further from the truth. And these recent revelations, and including the additional indictments I talked about for the past 10 years, if nothing, have shown that the breadth and variety of companies that have been targeted include companies from every vertical, every industry in almost every country around the world. So, it really is more likely that you may be targeted than not. And you really should think of it that way as opposed to trying to say, well, I'm just going to rely on security through obscurity and figure that we're not going to be targeted. Because it could be, you know, something as I remember I was involved in an investigation or at least aware of one when I was still working for the government myself where Chinese actors targeted a company that made sprinkler systems, both commercial and residential sprinkler systems to steal the IP. And that company never thought in a million years they would have been targeted by China. And, indeed, they were. So, there's that. But then, also companies have customers, and they have vendors that they do business with. And looking at the way that there's pivoting from one company to another, it could be that you're not the target, but a company that you integrate with is the target.

Dave Bittner: Right.

Adam Marre: And because you didn't have the proper security, they're going to get into your organization, pivot, and try to get into that next organization.

Dave Bittner: Right. That sprinkler system company may be providing a third party contractor who happens to have the contract to install sprinklers at the Pentagon.

Adam Marre: One hundred percent. Things like that can happen and they may just be interested in the IP, you know, the intellectual property of that actual company. So, I think it really behooves all of us to look at ourselves and say, okay, well what am I going to do to defend against this? But the good news there is the things to do to defend against it are the same cyber hygiene and things that we need to do to defend against all types of attacks. But just maybe with a little bit more focus, a little more budget, and understanding the seriousness can really help you get over the hump in trying to make sure that you've secured your business or your organization.

Dave Bittner: You know, the other I'd say newsworthy discussion that's going on right now when it comes to China is about TikTok and, you know, whether or not we're going to see a ban, whether or not that would really do anything. You know, I'm curious on your insights here. I mean, how much of this do you think is practical? How much do you think is posturing? What's your take?

Adam Marre: Much like people in organizations not thinking that they are going to be targeted by a nation state like China, I think we have a similar type of thought process going on when it comes to TikTok. It's very difficult for people to imagine that this fun app that they like to use, or they use for their business, is a potential espionage and influence operation tool of a foreign government. But the fact of the matter is it very much is or can be that. And therefore, we need to really understand this application in the context of the history that I outlined earlier, going back over a decade of these very specific indictments showing what the Chinese government is willing to do. Then, you add to that some recent revelations that came out in a report by Microsoft that showed that the Chinese government, or at least alleges, that the Chinese government was backing various influence operations in elections that are currently going on in places like India and Taiwan, in particular, they're using AI to help with those. It just shows that this government is willing to do so many different things, utilize so many different tactics to try to, you know, increase their influence and their power around the world. And why wouldn't you use this application that over a hundred million U.S. citizens use every single day? Why would you not use it?

Dave Bittner: Right.

Adam Marre: I mean, that doesn't make any sense to me. And then, you add to that, this is an application capable and, you know, we've seen reports of people doing research in looking at all the different types of information that the application collects on the user, including location information, things copied into the clipboard, everything else in addition to the app's usage data. All of that is very useful and if you combine it with the understanding that these various APT groups and contractors use information like that to create targeted spear phishing campaigns, other social engineering campaigns, and use it to find good targets to get into organizations that they want to get into and vector and pivot to the real information that they want, show that the collection of this kind of information. And I mean, just imagine, add that to the OPM, Equifax, Marriott, and Anthem information that they already have, then you add this information to it, they have probably the biggest collection of information on individual citizens in the United States that has ever been collected by a foreign government. That is pretty incredible. Now, we can argue about whether or not they're sharing information, but the fact of the matter, it's possible. It is possible for that information to be easily shared that's all been collected. And there was a recent article in "Fortune" where some good journalism reporting talking to former employees of TikTok talking about other ways that the information was being shared, maybe not directly through the server, but through spreadsheets and things like that. So, even if there's the risk that this is happening, the danger to the United States is massive. I do think a lot of users think of the risk to just themselves. And they say, oh well, I don't care if someone has that information. Who cares if ByteDance knows where I go and, you know, drive my kids to soccer practice or whatever it is? 
But what they don't understand is that isn't necessarily what they're after, they're after who you might be connected to or your husband or your wife and their, you know, high level executive job or something like that could be the way that they pivot. And when you're doing this at scale, it just gives the optionality to the attackers to choose from anyone who uses that application. And none of that is to focus on the influence, the power of influence operations where we don't even know well how the algorithms work on U.S. based social media companies, let alone one that's controlled by a company in, you know, a foreign country. Could they be using that algorithm to, you know, put their thumb on the scale and make all the users feel just a little bit worse about the U.S. and about things that we do, or the West, in general? Absolutely, that's possible. I don't know that we have proof that they're doing it, but they could absolutely be doing it. And this is one of the reasons for many, many decades we had laws that said, if you're going to own a major broadcasting company, television broadcasting company in the United States, you had to be a United States citizen which is why Rupert Murdoch had to become a U.S. citizen in order to own Fox News Corp. Now, there's been some weakening of that in the United States and we don't treat, you know, social media apps like TikTok the same way we do as television broadcasters, but maybe we need to understand it in that same light. The reason that we don't do that, we don't allow that foreign ownership is because there could be undue foreign influence through those television channels. We thought it was such an issue that we created laws around it. I would argue that we should have those same kind of laws for this kind of application which is arguably much more influential than a television station. So, there's lots of reasons to be concerned about this application. 
If we're really honest with ourselves and can remove the, you know, the addictive entertainment value or even if you're running a business, to really look at it as, is this something we should be concerned about. Now, if we pivot to the issue of the ban, is that effective? I think if we're really just trying to do a ban against a specific application, I think that would be really hard to make work and make happen. But because they give the option to ByteDance to just divest and sell, and they stand to make a tremendous amount of money doing that, and they can still have some connection to this new company, I think makes this much more palatable and possible. Although, there are, you know, legal hurdles that this would have to pass, especially since ByteDance has said they will challenge it in court, I think it does remain to be seen if the current law as it's written, if it is passed, would be able to pass those legal tests. So, there's a question there. But really, I think addressing the question of should we be concerned about the app and should we be doing something, in my mind, that's an absolute yes. Is the way this ban's happening the best way to do it? It is a way to do it. I don't necessarily think it's bad because of the ability for ByteDance to sell it, but will it be effective is still a question that remains to be seen.

Dave Bittner: Yeah. Before I let you go, I mean, taking a look at a high level here as an observer of these geopolitical tensions between the U.S. and China, how do you see them trending? Is it getting worse? Are we in a steady state? Are things getting better? Where do we stand?

Adam Marre: That is a great question. And I think currently the trend is one where relations between the United States and the PRC government will continue to deteriorate. And I think that's over various issues and is very complicated, but I think, as there is this continued, I mean, it's beyond saber rattling, it's this continued increase in network and computer intrusions, especially, into things like infrastructure. As long as that continues, I think this relationship is going to deteriorate and it shows no sign of stopping. The apparent goals of the Chinese government are to increase their power in the world, but specifically, around the subjects of Taiwan and the South China Sea. And I think as Director Wray of the FBI pointed out the other day in an interview that China plans to be ready by 2027 to have a serious deterrent to the U.S. getting involved in a conflict that would happen between those two nations, China and Taiwan. And in addition to that, they want to just continue to erode U.S. and Western influence around the world. And they're doing that through these, you know, blows to civilian infrastructure to try to induce panic to really lower America's willingness to resist, especially among the citizenry. So, I think it's not directionally optimistic at this point. I think things will continue to deteriorate. Hopefully, though, you know, the better angels of our nature can ultimately win out here and we can have a, you know, a softening, a thawing of relations between the two nations. But especially as China continues to conduct the operations that they are, I don't see that happening in the short term.

Dave Bittner: Yeah. I mean, it really strikes me that you don't want to risk being breathless in your warnings, but at the same time, vigilance is in order.

Adam Marre: Absolutely. I don't think we're at like the, you know, 11:59 of the, you know, doomsday clock or anything like that.

Dave Bittner: Right.

Adam Marre: But I do think there is sometimes a misunderstanding or a lack of willingness to really believe that the threat and the risk exists at the level that it does. And I think it really is at that point. We don't want to be ethnocentric or jingoistic or anything like that, but we do want to understand our adversaries and really appreciate the threat. And then, look for solutions to try to solve these issues. I mean, it also should be said that China is a wonderful nation with a lot of different kinds of people in it. And they have dissidents and problems internally and they've got some population issues with a lot more single men than women in the country, which is something that, like, not just China, but everyone should be worried about because that never leads to good things. And so, there are other issues to worry about and be concerned about here. But we are hoping that the government can take a turn to a more open society, and they can deal with these issues in a way where other nations around the world can help them. So, I'm hoping and optimistic for that. You're right, we don't want to be just breathless about the warning, [Background Music] but we do want to be honest with ourselves about the risk that we face today. And about what the PRC and CCP are willing to support when it comes to cyber operations around the world. [ Music ]

Dave Bittner: Our thanks to Adam Marre from Arctic Wolf for joining us. He recently published a blog post on today's content. We'll have a link in the show notes. [ Music ] And that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cyber security. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben, our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]