
Thursday, 7 February 2019

China's global theft of commercial secrets

China hacked Norway's Visma to steal client secrets
By Jack Stubbs

LONDON -- Hackers working on behalf of Chinese intelligence breached the network of Norwegian software firm Visma to steal secrets from its clients, cybersecurity researchers said, in what a company executive described as a potentially catastrophic attack.
The attack was part of what Western countries said in December is a global hacking campaign by China's Ministry of State Security to steal intellectual property and corporate secrets, according to investigators at cybersecurity firm Recorded Future.
China's Ministry of State Security has no publicly available contacts. 
The foreign ministry did not respond to a request for comment.
Visma took the decision to talk publicly about the breach to raise industry awareness about the hacking campaign, which is known as Cloudhopper and targets technology service and software providers in order to reach their clients.
Cybersecurity firms and Western governments have warned about Cloudhopper several times since 2017 but have not disclosed the identities of the companies affected.
Reuters reported in December that Hewlett Packard Enterprise Co and IBM were two of the campaign's victims, and Western officials caution in private that there are many more.
At the time IBM said it had no evidence sensitive corporate data had been compromised, and Hewlett Packard Enterprise said it could not comment on the Cloudhopper campaign.
Visma, which reported global revenues of $1.3 billion last year, provides business software products to more than 900,000 companies across Scandinavia and parts of Europe.
The company's operations and security manager, Espen Johansen, said the attack was detected shortly after the hackers accessed Visma's systems and he was confident no client networks were accessed.

"PARANOIA HAT"
"But if I put on my paranoia hat, this could have been catastrophic," he said. 
"If you are a big intelligence agency somewhere in the world and you want to harvest as much information as possible, you of course go for the convergence points, it's a given fact."
"I'm aware that we do have clients which are very interesting for nation states," he said, declining to name any specific customers.
Paul Chichester, director for operations at Britain's National Cyber Security Centre, said the Visma case highlighted the dangers organisations increasingly face from cyber attacks on their supply chains.
"Because organisations are focused on improving their own cyber security, we are seeing an increase in activity targeting supply chains as actors try to find other ways in," he said.
In a report (https://www.recordedfuture.com/apt10-cyberespionage-campaign) with investigators at cybersecurity firm Rapid7, Recorded Future said the attackers first accessed Visma's network by using a stolen set of login credentials and were operating as part of a hacking group known as APT 10, which Western officials say is behind the Cloudhopper campaign.
The U.S. Department of Justice in December charged two members of APT 10 with hacking U.S. government agencies and dozens of businesses around the world on behalf of China's Ministry of State Security.
Priscilla Moriuchi, director of strategic threat development at Recorded Future and a former intelligence officer at the U.S. National Security Agency, said the hackers' activity inside Visma's network suggested they intended to infiltrate client systems in search of commercially-sensitive information.
"We believe that APT 10 in this case exploited Visma networks to enable secondary operations against Visma's customers, not necessarily to steal Visma's own intellectual property," she said. "Because they caught it so early they were able to discourage and prevent those secondary attacks." 

Saturday, 18 August 2018

Rogue University

Tsinghua University linked to Chinese cyber espionage
Targeting of Daimler, state of Alaska and Tibetan groups traced to college computer 
By Yuan Yang in Beijing

Cyberwar: An IP address at China's Tsinghua University is the origin of numerous recent cyber-attacks on targets around the world.

China’s top engineering university, Tsinghua University, was the origin of multiple recent cyber-espionage campaigns targeting groups such as the Tibetan community in India and the Alaskan state government, new research has found.
Attacks originating from Tsinghua University's infrastructure also targeted the German carmaker Daimler a day after it issued a profit warning blaming the US-China trade war, according to cyber security company Recorded Future.
Chinese cyber espionage against the US is increasing, US security firms say, giving credence to Washington’s fears that Beijing is stealing technology from US companies — fears that have in part pushed both countries into a global trade war.
Although cyber security firms had previously seen a lull in attacks following a 2015 bilateral agreement to end government-sponsored hacking for commercial purposes, attacks are now back at or above the pre-accord level, experts say.
Recorded Future found that from March this year, a series of attacks emanated from an IP address — an identification number given to every computer connecting to the internet — that belongs to Tsinghua University.
Tsinghua is among the world’s best computer science universities, and owns companies and projects tied to Beijing’s industrial policies, which pursue technological upgrading.
Tsinghua was not immediately available for comment due to the university holiday season.
The IP address in question had engaged in “aggressive scanning” of networks including the government of the US state of Alaska and the Kenyan Ports Authority.
It also attempted to attack a server used by the Tibetan community in India, which had previously been the target of Chinese surveillance as a result of Beijing’s attempts to undermine supporters of the Dalai Lama, the Tibetan spiritual leader reviled by the Communist party leadership as “a wolf in monk’s clothing”.
Recorded Future said that the activity was “conducted by Chinese state-sponsored actors in support of China’s economic development goals”.
Scanning the ports on a network is usually the first step in an attempt to penetrate the network by seeing what openings there are.
However Recorded Future did not find evidence the attacker had successfully obtained sensitive information.
“It makes sense that spy activities are more common now, given the tense economic situation,” said one Chinese security professional, who wished to remain anonymous.
However, he questioned why the attackers did not cover their tracks at all.
Public “Whois” records show the IP address in question was first registered in 1993 as part of a block of IP addresses belonging to the domain tsinghua.edu.cn, with a street address belonging to Tsinghua University.

Tuesday, 8 May 2018

Hackers in China are part of massive government group

Hacks that were previously thought to be the work of unrelated groups have actually been coordinated by China since at least 2009
BY ZOEY CHONG

There's a Chinese proverb that roughly translates to "One chopstick is easily broken, but a bundle of chopsticks is unbreakable."
Multiple hacking groups in China previously thought to be individual actors are actually part of a larger, long-running, state-sponsored umbrella group, according to threat research group 401TRG at Denver-based security company ProtectWise.
The larger group, which 401TRG dubbed the Winnti umbrella, is an "advanced and potent threat" with a primary long-term mission that is politically focused, the researchers warn in a report released last week. 
Winnti refers to a "custom backdoor used by groups under the umbrella," 401TRG said in its report.
Hacking activities are not uncharted waters for China. 
According to a report earlier this year from security company Recorded Future, the Chinese government lied about belatedly informing the Chinese public of security flaws in order to hide exploits it was using in attacks.
The state-sponsored campaigns stretch back to 2009, with some reports of potential activity as far back as 2007, 401TRG said. 
These include some highly visible operations uncovered by Kaspersky Lab in 2013 and Trend Micro in 2017, as well as attacks targeting journalists reported by the Citizen Lab.
People working for the umbrella group typically begin by phishing users who may provide a stepping stone to a target network, according to the report. 
Data is then harvested using malware, though "campaign themes have matured" this year with "code signing certificates and software manipulation" becoming more popular.
"Gaming studios and high tech businesses" in China, Japan, South Korea and the US have been the group's initial targets.
While Winnti umbrella attackers usually use their own command-and-control servers to mask their actual location, 401TRG said, they have occasionally made "sloppy" mistakes that provide clues to their Chinese origins. 
In these cases, they "mistakenly" accessed machines using IP addresses linked to a China Unicom network in the Xicheng District of Beijing.
The group continues to function, the report said.

Tuesday, 28 November 2017

Nation of Thieves: Chinese Ministry of State Security Behind APT3

This is the first time researchers have been able to attribute a threat actor group with a high degree of confidence to the Ministry of State Security.
By Insikt Group

Key Takeaways
  • APT3 is the first threat actor group that has been attributed with a high degree of confidence directly to the Chinese Ministry of State Security (MSS).
  • On May 9, a mysterious group called “intrusiontruth” attributed APT3 to a company, Guangzhou Boyu Information Technology Company, based in Guangzhou, China.
  • Recorded Future’s open source research and analysis has corroborated the company, also known as Boyusec, is working on behalf of the Chinese Ministry of State Security.
  • Customers should re-examine any intrusion activity known or suspected to be APT3 and all activity from associated malware families as well as re-evaluate security controls and policies.

Introduction

On May 9, a mysterious group calling itself “intrusiontruth” identified a contractor for the Chinese Ministry of State Security (MSS) as the group behind the APT3 cyber intrusions.

Recorded Future timeline of APT3 victims.


Screenshot of a blog post from “intrusiontruth in APT3.”

“Intrusiontruth” documented historic connections between domains used by an APT3 tool called Pirpi and two shareholders in a Chinese information security company named Guangzhou Boyu Information Technology Company, Ltd (also known as Boyusec).

Registration information for a domain linked to the malware Pirpi. The details show the domain was registered to Dong Hao and Boyusec.

APT3 has traditionally targeted a wide range of companies and technologies, likely to fulfill intelligence collection requirements on behalf of the MSS (see research below).
Recorded Future has been closely following APT3 and has discovered additional information corroborating that the MSS is responsible for the intrusion activity conducted by the group.

Recorded Future Intel Card for APT3.

Background
APT3 (also known as UPS, Gothic Panda, and TG-011) is a sophisticated threat group that has been active since at least 2010.
APT3 utilizes a broad range of tools and techniques including spearphishing attacks, zero-day exploits, and numerous unique and publicly available remote access tools (RATs).
Victims of APT3 intrusions include companies in the defense, telecommunications, transportation, and advanced technology sectors — as well as government departments and bureaus in Hong Kong, the U.S., and several other countries.

Analysis
On Boyusec’s website, the company explicitly identifies two organizations that it cooperatively partners with, Huawei Technologies and the Guangdong Information Technology Security Evaluation Center (or Guangdong ITSEC).

Screenshot of Boyusec’s website where Huawei and Guangdong ITSEC are identified as collaborative partners.

In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing. 
According to the Pentagon’s report, the two companies were working together to produce security products containing a backdoor that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.”
The article quotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that Boyusec appears to be a cover company for the MSS.

Boyusec is located in Room 1103 of the Huapu Square West Tower in Guangzhou, China.

Boyusec’s work with its other “cooperative partner,” Guangdong ITSEC, has been less well-documented. 
As will be laid out below, Recorded Future’s research has concluded that Guangdong ITSEC is subordinate to an MSS-run organization called China Information Technology Evaluation Center (CNITSEC) and that Boyusec has been working with Guangdong ITSEC on a joint active defense lab since 2014.
Guangdong ITSEC is one in a nationwide network of security evaluation centers certified and administered by CNITSEC.
According to Chinese state-run media, Guangdong ITSEC became the sixteenth nationwide branch of CNITSEC in May 2011. 
Guangdong ITSEC’s site also lists itself as CNITSEC’s Guangdong Office on its header.
According to academic research published in China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain, CNITSEC is run by the MSS and houses much of the intelligence service’s technical cyber expertise. 
CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments.” Per a 2009 U.S. State Department cable, it is believed China may also use vulnerabilities derived from CNITSEC’s activities in intelligence operations. 
CNITSEC’s Director, Wu Shizhong, even self-identifies as MSS, including for his work as a deputy head of China’s National Information Security Standards Committee as recently as January 2016.
In several job advertisements posted since 2015 on Chinese-language job sites such as jobs.zhaopin.com, jobui.com, and kanzhun.com, identified by Recorded Future research, Boyusec revealed that it had collaboratively established a joint active defense lab (referred to as an ADUL) with Guangdong ITSEC in 2014. Boyusec stated that the mission of the joint lab was to develop risk-based security technology and to provide users with innovative network defense capabilities.

Job posting where Boyusec highlights the joint lab with Guangdong ITSEC. The translated text is, “In 2014, Guangzhou Boyu Information Technology Company and Guangdong ITSEC cooperated closely to establish a joint active defense lab (ADUL).”

Conclusion

The lifecycle of APT3 is emblematic of how the MSS conducts operations in both the human and cyber domains. 
Many of these elements, especially at the provincial and local levels, include organizations with valid public missions to act as a cover for MSS intelligence operations. 
Some of these organizations include think tanks such as CICIR, while others include provincial-level governments and local offices.
In the case of APT3 and Boyusec, this MSS operational concept serves as a model for understanding the cyber activity and lifecycle:
  • While Boyusec has a website, an online presence, and a stated “information security services” mission, it cites only two partners, Huawei and Guangdong ITSEC.
  • Intrusiontruth and the Washington Free Beacon have linked Boyusec to supporting and engaging in cyber activity on behalf of the Chinese intelligence services.
  • Recorded Future’s open source research has revealed that Boyusec’s other partner is a field office for a branch of the MSS. Boyusec and Guangdong ITSEC have been documented working collaboratively together since at least 2014.
  • Academic research spanning decades documents an MSS operational model that utilizes organizations, seemingly without an intelligence mission, at all levels of the state to serve as cover for MSS intelligence operations.
  • According to its website, Boyusec has only two collaborative partners, one of which (Huawei) it is working with to support Chinese intelligence services, the other, Guangdong ITSEC, which is actually a field site for a branch of the MSS.

Graphic displaying the relationship between the MSS and APT3.

Impact
The implications are clear and expansive. 
Recorded Future’s research leads us to attribute APT3 to the Chinese Ministry of State Security and Boyusec with a high degree of confidence. 
Boyusec has a documented history of producing malicious technology and working with the Chinese intelligence services.
APT3 is the first threat actor group that has been attributed with a high degree of confidence directly to the MSS. 
Companies in sectors that have been victimized by APT3 now must adjust their strategies to defend against the resources and technology of the Chinese government. 
In this real-life David versus Goliath situation, customers need both smart security controls and policy, as well as actionable and strategic threat intelligence.
APT3 is not just another cyber threat group engaging in malicious cyber activity; research indicates that Boyusec is an asset of the MSS and their activities support China’s political, economic, diplomatic, and military goals.
The MSS derives intelligence collection requirements from state and party leadership, many of which are defined broadly every five years in official government directives called Five Year Plans. 
Many APT3 victims have fallen into sectors highlighted by the most recent Five Year Plan, including green/alternative energy, defense-related science and technology, biomedical, and aerospace.