## Achievement Unlocked

Nalani Fraser and Kelli Vanderlee

-----

- Decline in Chinese cyber espionage activity beginning in mid 2014
- Observed Chinese cyber threat activity from 2013-2015
  - High volume
  - Majority in US
  - IP theft

-----

## Chinese Cyber Espionage in 2019 is Significantly Different

- Tempo
- Active Groups
- Geographic focus
- Industries targeted most frequently
- TTPs
- Goals

-----

## Chinese Domestic Context

- Urbanizing population
- Slowing economic growth
  - Made in China 2025
  - Belt and Road Initiative (BRI)

-----

PLA reform timeline:

| Early 2014 | September 2015 | December 2015 | February 2016 | April 2017 |
|---|---|---|---|---|
| PLA reform discussions | Official announcement at military parade in Beijing | SSF establishment ceremony | Chinese Military Commission officially replaced the military region system | Even further reorganization; entire PLA was streamlined |

-----

- PLA, General Staff Department's (GSD) 3rd Department
  - 12 operational bureaus, each with distinct mission
- APT1 (2nd Bureau; MUCD Unit 61398)
  - Political, economic, military intelligence
  - Feb 2013: Mandiant report
  - Early 2015: Last known activity
- APT2 (reportedly 12th Bureau; Unit 61486)
  - Satellite communications and space-related surveillance

-----

- Under the former PLA, each service/military region maintained its own TRB
  - Responsible for signals intelligence & cyber espionage
- Unclear how the TRBs have been incorporated into the SSF
  - Indications that they have been transferred into the SSF?

-----

- Naikon Team (suspected Unit 78020)
  - Government and military targeting in ASEAN countries
  - Late 2016: suspected Naikon Team observed with ASEAN lure doc

-----

- Tonto Team (possibly Unit 65017)
  - Shenyang Military Region Technical Reconnaissance Bureau
  - Targeting of South Korea, Russia, and Japan
- Suspected Tonto with same targeting pattern:
  - Early 2016: suspected Tonto targeting South Korea
  - Mid 2017: suspected Tonto targeting Russia
  - (possible pause in activity)
  - Early 2018: suspected Tonto targeting South Korea

-----

- Responsible for domestic counter-intelligence, non-military intelligence, political / diplomatic security
- Reportedly has taken on a more robust role. Possible MSS reorganization in 2018.

-----

- APT3
  - Boyusec, an MSS contractor
  - Stole satellite mobile device technology
  - Nov 2017:
    - US DOJ indicted 3 members
    - De-registered website
    - Last observed activity
- APT10
  - Huaying Haitai Science and Technology Development Company, associated with MSS
  - Oct 2018: last observed activity
  - Dec 2018: US DOJ indicted 2 members
- APT26
  - Associated with the Jiangsu Ministry of State Security (JSSD), foreign intelligence arm of MSS
  - Mid 2017: last observed
  - Oct 2018: US DOJ indicted 2 members
    - Conspiring to steal aviation

-----

Sept 2015: Official announcement of SSF PLA reform discussions

-----

- Observed cyber threat activity focused in Asia Pacific
- Most frequently targeted countries:
  1. United States
  2. South Korea
  3. Hong Kong
  4. Germany
  5. Japan
  6. India
  7. Taiwan

-----

## Industries Most Frequently Targeted

1. Telecommunications
2. Government
3. High Tech
4. Media & Entertainment

-----

- Targeting observed across the telecommunications ecosystem
- SMS and call record data exfiltrated
- Increased operational maturity

-----

- Primary motivation: maintain regional supremacy
- Secondary motivation: Chinese economic ambitions (BRI)
- FireEye anticipates more aggressive efforts to influence public opinion in the future

-----

- Prominent actors, campaigns:
  - APT41
  - Mongolian targeting
  - ASEAN targeting

-----

- Prominent actors:
  - APT10
  - APT41
  - APT40

-----

- 3rd party compromise
- Military and dual use IP
- PII collection
- Prominent actors, campaigns:
  - APT19
  - DOORJAM / WARP phishing campaign
  - APT40
  - APT41

-----

- Use of Poison Ivy declined
- Use of Chinese specific malware declined
- Shift towards more broadly used malware

-----

Multi-platform malware observed, by platform pair and period:

| Windows / Linux 2011-2015 | Windows / Linux 2015-2019 | Windows / Mac OS 2011-2015 | Windows / Mac OS 2015-2019 |
|---|---|---|---|
| ASPXSPY (public webshell) | ASPXSPY (public webshell) | ERA (backdoor) | NETWIRE (public backdoor) |
| MIMIKATZ (public credtheft) | LFGATE (public disruption) | PUPYRAT (public backdoor) | CEFOX.OSX (backdoor, available on forums) |
| NETWIRE (public backdoor) | MDSOCKS (tunneler) | PHOTO (backdoor) | ERA (backdoor) |
| PHOTO (backdoor) | PHPSPY (public webshell) | | |
| AKECLOG (tunneler) | MESSAGETAP (dataminer) | | |
| | UICKFLOOD (disruption) | | |
| | AKECLOG (tunneler) | | |

- Use of malware with multi-platform capabilities increased
- Some of this is due to use of publicly available tools

-----

- Rise in modular malware cases, mostly attributed to APT41
- Other actors consistent:

-----

- "Fileless persistence"
- Malware runs in memory and is not saved to disk
- Evades antivirus

| 2011-2015 | 2015-2019 |
|---|---|
| HIGHNOON | OWTRUCK |
| OCKETSHIP | ABBITPUNCH |
| ELLWOOD | RONTSHELL |
| OWTRUCK | OCUSFJORD |
| AFERSING | EVORA |
| OMBATBOOT | Poison Ivy |
| OSTCAUSE | SCOOKIE |
| UICKBALL | ITRECOLA |

-----

- Continued reliance on spear-phishing

-----

- In June 2018, a utility to update ASUS computers was compromised
  - Kaspersky reported more than 50,000 systems installed the malicious update
- Guardrail #1:
  - Utilized MAC address whitelisting to limit download & execution of 2nd stage malware (APT41 POISONPLUG)
- Guardrail #2:
  - POISONPLUG sample matches C: drive volume serial number to limit execution to 1 system

-----

- PII was the most commonly observed type of data stolen
- IT data was stolen as well
- Military application IP theft continues
- No direct evidence of theft of IP with purely commercial applications

-----

## Chinese Cyber Espionage in 2019

- Tempo: normalizing
- Active Groups: APT41, APT40, APT19, new activity sets
- Geographic focus: Asia, but still globally diverse
- Industries targeted most frequently: Telecommunications
- TTPs: stealthy, more sophisticated
- Goals: aligned with top state political and defense priorities

-----

## Developments Hint at Future Capabilities

-----

# Questions?