Nation of Thieves: Chinese Ministry of State Security Behind APT3

This is the first time researchers have been able to attribute a threat actor group with a high degree of confidence to the Ministry of State Security.
By Insikt Group

Key Takeaways

• APT3 is the first threat actor group that has been attributed with a high degree of confidence directly to the Chinese Ministry of State Security (MSS).
• On May 9, a mysterious group called “intrusiontruth” attributed APT3 to a company, Guangzhou Boyu Information Technology Company, based in Guangzhou, China.
• Recorded Future’s open source research and analysis has corroborated the company, also known as Boyusec, is working on behalf of the Chinese Ministry of State Security.
• Customers should re-examine any intrusion activity known or suspected to be APT3 and all activity from associated malware families as well as re-evaluate security controls and policies.

Introduction
On May 9, a mysterious group calling itself “intrusiontruth” identified a contractor for the Chinese Ministry of State Security (MSS) as the group behind the APT3 cyber intrusions.

Recorded Future timeline of APT3 victims.


Screenshot of a blog post from “intrusiontruth in APT3.”

“Intrusiontruth” documented historic connections between domains used by an APT3 tool called Pirpi and two shareholders in a Chinese information security company named Guangzhou Boyu Information Technology Company, Ltd (also known as Boyusec).

Registration information for a domain linked to the malware Pirpi. The details show the domain was registered to Dong Hao and Boyusec.

APT3 has traditionally targeted a wide-range of companies and technologies, likely to fulfill intelligence collection requirements on behalf of the MSS (see research below).

Recorded Future has been closely following APT3 and has discovered additional information corroborating that the MSS is responsible for the intrusion activity conducted by the group.

Recorded Future Intel Card for APT3.

Background
APT3 (also known as UPS, Gothic Panda, and TG-011) is a sophisticated threat group that has been active since at least 2010. 

APT3 utilizes a broad range of tools and techniques including spearphishing attacks, zero-day exploits, and numerous unique and publicly available remote access tools (RAT). 

Victims of APT3 intrusions include companies in the defense, telecommunications, transportation, and advanced technology sectors — as well as government departments and bureaus in Hong Kong, the U.S., and several other countries.

Analysis
On Boyusec’s website, the company explicitly identifies two organizations that it cooperatively partners with, Huawei Technologies and the Guangdong Information Technology Security Evaluation Center (or Guangdong ITSEC).

Screenshot of Boyusec’s website where Huawei and Guangdong ITSEC are identified as collaborative partners.

In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing. 

According to the Pentagon’s report, the two companies were working together to produce security products containing a backdoor, that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” 

The article quotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that Boyusec appears to be a cover company for the MSS.

Boyusec is located in Room 1103 of the Huapu Square West Tower in Guangzhou, China.

Boyusec’s work with its other “cooperative partner,” Guangdong ITSEC, has been less well-documented. 

As will be laid out below, Recorded Future’s research has concluded that Guangdong ITSEC is subordinate to an MSS-run organization called China Information Technology Evaluation Center (CNITSEC) and that Boyusec has been working with Guangdong ITSEC on a joint active defense lab since 2014.
Guangdong ITSEC is one in a nation-wide network of security evaluation centers certified and administered by CNITSEC. 

According to Chinese state-run media, Guangdong ITSEC became the sixteenth nationwide branch of CNITSEC in May 2011. 

Guangdong ITSEC’s site also lists itself as CNITSEC’s Guangdong Office on its header.
According to academic research published in China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain, CNITSEC is run by the MSS and houses much of the intelligence service’s technical cyber expertise. 

CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments.” Per a 2009 U.S. State Department cable, it is believed China may also use vulnerabilities derived from CNITSEC’s activities in intelligence operations. 

CNITSEC’s Director, Wu Shizhong, even self-identifies as MSS, including for his work as a deputy head of China’s National Information Security Standards Committee as recently as January 2016.
Recorded Future research identified several job advertisements on Chinese-language job sites such as jobs.zhaopin.com, jobui.com, and kanzhun.com since 2015, Boyusec revealed a collaboratively established joint active defense lab (referred to as an ADUL) with Guangdong ITSEC in 2014. Boyusec stated that the mission of the joint lab was to develop risk-based security technology and to provide users with innovative network defense capabilities.


Job posting where Boyusec highlights the joint lab with Guangdong ITSEC. The translated text is, “In 2014, Guangzhou Boyu Information Technology Company and Guangdong ITSEC cooperated closely to establish a joint active defense lab (ADUL).”

Conclusion
The lifecycle of APT3 is emblematic of how the MSS conducts operations in both the human and cyber domains. 

According to scholars of Chinese intelligence, the MSS is composed of national, provincial, and local elements. 

Many of these elements, especially at the provincial and local levels, include organizations with valid public missions to act as a cover for MSS intelligence operations. 

Some of these organizations include think tanks such as CICIR, while others include provincial-level governments and local offices.
In the case of APT3 and Boyusec, this MSS operational concept serves as a model for understanding the cyber activity and lifecycle:

• While Boyusec has a website, an online presence, and a stated “information security services” mission, it cites only two partners, Huawei and Guangdong ITSEC.
• Intrusiontruth and the Washington Free Beacon have linked Boyusec to supporting and engaging in cyber activity on behalf of the Chinese intelligence services.
• Recorded Future’s open source research has revealed that Boyusec’s other partner is a field office for a branch of the MSS. Boyusec and Guangdong ITSEC have been documented working collaboratively together since at least 2014.
• Academic research spanning decades documents an MSS operational model that utilizes organizations, seemingly without an intelligence mission, at all levels of the state to serve as cover for MSS intelligence operations.
• According to its website, Boyusec has only two collaborative partners, one of which (Huawei) it is working with to support Chinese intelligence services, the other, Guangdong ITSEC, which is actually a field site for a branch of the MSS.

Graphic displaying the relationship between the MSS and APT3.

Impact
The implications are clear and expansive. 

Recorded Future’s research leads us to attribute APT3 to the Chinese Ministry of State Security and Boyusec with a high degree of confidence. 

Boyusec has a documented history of producing malicious technology and working with the Chinese intelligence services.
APT3 is the first threat actor group that has been attributed with a high degree of confidence directly to the MSS. 

Companies in sectors that have been victimized by APT3 now must adjust their strategies to defend against the resources and technology of the Chinese government. 

In this real-life David versus Goliath situation, customers need both smart security controls and policy, as well as actionable and strategic threat intelligence.
APT3 is not just another cyber threat group engaging in malicious cyber activity; research indicates that Boyusec is an asset of the MSS and their activities support China’s political, economic, diplomatic, and military goals.
The MSS derives intelligence collection requirements from state and party leadership, many of which are defined broadly every five years in official government directives called Five Year Plans. 

Many APT3 victims have fallen into sectors highlighted by the most recent Five Year Plan, including green/alternative energy, defense-related science and technology, biomedical, and aerospace.

U.S. 3.8 Million Chinese Spies

This Is How Chinese Spying Inside the U.S. Government Really Works
By Peter Mattis

The Department of Justice on March 29 unsealed a criminal complaint against Candace Claiborne, an office-management specialist with the U.S. Department of State, who is now facing charges related to concealing a relationship with Chinese intelligence. 

The extended fifty-nine-page affidavit catalogues Claiborne’s relationship with the Ministry of State Security, or MSS, China’s civilian intelligence service.

The MSS is a sprawling organization centered in Beijing. 

It has provincial departments and municipal bureaus all over the country. 

The central ministry does run intelligence operations, but the subnational departments and bureaus almost certainly include most of the ministry’s personnel. 

The main task of these departments is to protect state security inside their operational jurisdiction. However, some of them also run operations against foreign targets to support national policymakers.
The MSS unit with which Claiborne became involved was the Shanghai State Security Bureau (SSSB). 

Largely unknown outside of the small group of people who look at Chinese intelligence operations, the SSSB has surfaced only a few times in public. 

In 2009, the SSSB raided the China offices of Australian mining firm Rio Tinto. 

The office director, Stern Hu, came under investigation, because his aggressive approach to investment cost the Chinese government and state-owned enterprises several hundred million dollars. A year later, the FBI arrested Glenn Duffie Shriver, who applied to work at the State Department and CIA in exchange for $70,000. 

The SSSB recruited Shriver in Shanghai when he responded to an essay contest on U.S.-China relations and encouraged him to take a position in the U.S. government.
The affidavit reveals that the SSSB can operate all over China and the world, not just in Shanghai. 

In communications with Claiborne, her SSSB contacts—identified only as Co-Conspirator B and Co-Conspirator C—offered to meet her in Beijing as well as any third country if and when she left the United States. 

Co-Conspirator B also made references to business trips in Italy and Africa.
Despite the possibility of meetings anywhere, the case still exhibits the China connection that is distinctive of nearly every espionage case. 

The SSSB’s spotting and assessing work most likely took place in China. 

The affidavit states that Claiborne knew the SSSB officers at least since 2007 if not before. 

In 2007, Claiborne was stationed in Buenos Aires and had been away from China for two years. 

Her second tour in China was at the U.S. Consulate General in Shanghai from 2003–05.
The SSSB also operates with some unusual cover arrangements that suggests in some cases individual officers develop their own cover. 

Some of the normal MSS covers inside the country include unnamed, numbered government offices (e.g. Shanghai Municipal Government Office number seven), think tanks and businesses. 

Co-Conspirator B operated an import-export company, and he also owned a spa and a restaurant. 

In addition to allowing Co-Conspirator B to appear as ordinary businessman, these businesses were used to provide employment to Co-Conspirator A. 

The affidavit does nothing to describe Co-Conspirator C apart from his SSSB affiliation.
A caveat on Co-Conspirator B’s cover arrangements perhaps is in order. 

He may be what the affidavit calls a “cut out” or a “co-optee” of the SSSB. 

The affidavit describes this role in some detail as part of the background but it is mentioned nowhere else. 

The affidavit states “A cut-out or co-optee is a mutually trusted person or mechanism used to create a compartment between members of an operation to enable them to pass material and/or messages securely. A cut-out or co-optee can operate under a variety of covers, posing as diplomats, journalists, academics, or business people both at home and abroad. These individuals are tasked with spotting, assessing, targeting, collecting, and running sources.” 

Co-Conspirator B could easily be a co-optee from the description of him and his business activities. His role in handling Claiborne fits completely within the above definition, and the affidavit contains nothing to clarify his position.

Co-Conspirator A and his relationship with Claiborne illustrates the creative ways in which the MSS will develop emotional leverage over an agent. 

The affidavit does little to describe Co-Conspirator A apart from making it clear that the young man is someone important to Claiborne, probably a relative, because he lived with her in China from 2001–05. 

Her relationship with the SSSB was not simply an exchange of money for information, of dollars for documents. 

Much of the money dispensed by the SSSB went to pay for Co-Conspirator A’s college tuition, provide him with work, a furnished apartment, and pay for his travel rather than Claiborne directly. 

In several different emails, she told Co-Conspirator A to extricate himself of his relationship with the SSSB, because she did not want herself or him to continue to be indebted to Chinese intelligence.
Building a relationship with an agent almost appears to more important than collecting intelligence information. 

The SSSB paid out “tens of thousands of dollars in gifts and benefits” to Claiborne and Co-Conspirator A, but the return appeared minimal. 

For example, in 2011, at least four years into the relationship, the SSSB tasked Claiborne with gathering internal evaluations of the U.S.-China Strategic and Economic Dialogue. 

They specifically wanted to know about Chinese yuan exchange rates and what pressures Washington would be prepared to bring if China’s adjustments were insufficient. 

The SSSB officers complained of one of Claiborne’s responses that “It is useful but it is also on the Internet. What they are looking for is what they cannot find on the Internet,” believing that the publicly available information was not necessarily representative of U.S. government thinking.
There is little exotic in how the SSSB handled Candice Claiborne if the case ultimately holds up in court as described. 

They built psychological leverage through Co-Conspirator A. 

They exploited Claiborne’s greed through small payments and the promise of more—she believed the SSSB could pay as much as $20,000 per year. 

The only thing strange appears to be the callousness with which the SSSB treated her concerns about security and the seeming absence of any plans to end the relationship productively. 

Countering Chinese intelligence, then, is not about a dramatic departure from past practice, but rather a commitment to counterintelligence fundamentals and professionalism.