SAN FRANCISCO - Eight years ago, the United States and China reached a historic agreement that was intended, in part, to end a continuing barrage of cyberattacks targeting American companies to steal their trade secrets and intellectual property.

At the time, President Barack Obama touted the agreement during a joint press conference with Chinese President Xi Jinping, saying it marked a common understanding between the two nations that “neither the United States nor the Chinese government will knowingly conduct or support the cyber theft of intellectual property, including trade secrets or other confidential business information, for commercial advantage.”

Eight years later, that sentiment has aged like warmed-over milk.

Chinese hackers have not stopped targeting American companies; according to Google security experts, they have instead become significantly more aggressive and innovative in the years since.

“I’ll tell you, investigations into intrusions orchestrated by Chinese threat actors today are very different from investigations into intrusions before the Obama/Xi agreement in 2015,” said Charles Carmakal, director of technology at Google Mandiant, during an April 24 briefing held at the RSA 2023 Conference in San Francisco.

Prior to the deal, hackers associated with China were broad and indiscriminate in the companies they hacked. Today, a range of threat groups operating in China or working directly on behalf of Beijing target high-value players and specific industries with laser-like precision, including defense contractors, telecommunications companies, government agencies and technology companies. Most of these industries tend to manage, own or operate blocks of IT infrastructure on behalf of hundreds, thousands or millions of customers, which means they can provide a potential route to infect downstream customers, as Chinese hackers did in the 2021 Microsoft Exchange attacks.

Strategies and tactics of Chinese threat groups have changed since the 2015 deal

These groups have also changed their strategies and tactics to increasingly target edge devices such as virtual private networks (VPNs) and other remote access solutions, firewalls and hypervisors, using zero-day vulnerabilities. Since these devices typically don’t support newer security technologies like endpoint detection and response (EDR), many businesses simply don’t have the visibility to realize they’ve been compromised.

Carmakal said that each month, Mandiant publishes at least one or two threat research reports focused on vulnerabilities or exploits affecting edge devices. When researchers see malicious traffic coming from a network device, they contact the vendor and request a disk image of the device for further analysis. Often they quickly identify novel malware living on those devices that nobody else had found, because nobody was investigating those devices.

“What we have found is that these actors deploy more malware on those devices that do not support EDR solutions, like VMware hypervisors, like Fortinet firewalls, because it is very difficult for a company to identify that there really is a problem, that there is in fact malware in these devices,” Carmakal said.

John Hultquist, head of Mandiant Threat Intelligence at Google Cloud, said Chinese hackers have also become much better at hiding and diversifying the infrastructure they use to carry out attacks.

In the past, researchers were able to trace Chinese attacks back to the specific cities where the Office of Technical Reconnaissance (a body that supports intelligence agencies conducting hacking, signals intelligence and other activities on behalf of the Chinese government) kept its offices, which made attribution relatively straightforward.

Today, most groups rely on proxy networks or route their traffic through small office/home office (SOHO) routers, which allow them to better conceal their presence and identity.

“It really reduces your ability to track some of these things, because obviously infrastructure is such an important part of your attribution and your aggregation. It’s a real innovation in operational security,” Hultquist said.

Less Spammy, More Targeted Malicious Chinese Campaigns

In 2015, the United States was already grappling with online disinformation and influence operations from countries like Russia ahead of the 2016 presidential election. In the years that followed, countries like China, Iran and others waged similar campaigns against American consumers.

One of the most notable campaigns targeting the 2022 midterm elections, which Mandiant and Google’s Threat Analysis Group (TAG) call DRAGONBRIDGE, was designed to discredit the American political system and sow division among its allies. While Mandiant assessed with high confidence that DRAGONBRIDGE’s goal was ultimately to advance the political interests of the People’s Republic of China, Sandra Joyce, vice president of Google Cloud and Mandiant Intelligence, noted that they had not yet officially attributed the group and its work to the Chinese government.

Kristen Dennesen, reports analyst at TAG, said DRAGONBRIDGE’s activity was rather low volume and spammy, reflecting the ambiguous purpose and impact of many digital influence operations, but it still required blocking 50,000 YouTube channels and disabling 100,000 Google accounts used by the group.

And in situations where there was a clear Chinese interest at stake, such as when former House Speaker Nancy Pelosi, D-Calif., visited Taiwan last year, a subset of DRAGONBRIDGE’s content became much more specific and focused.

“It’s very disparaging of the United States, promoting interests and defending China, and in some cases we’ve seen it be quite high quality in terms of content and at times very consistent,” Dennesen said.