INFOGRAPHIC: The CCP’s Cyberwar Machine
For many years, the U.S. government, as well as many cybersecurity experts, have considered China to be the greatest cybersecurity threat.
The Chinese Communist Party (CCP) uses an extensive network of hacker groups to collect intelligence and intellectual property as well as compromise critical systems as part of a hybrid warfare strategy meant to defeat the United States without necessarily engaging in kinetic war, experts say.
Cybersecurity companies have identified close to 200 hacker groups linked to China, most of them classified as Advanced Persistent Threats (APTs). Some groups are part of the People’s Liberation Army (PLA), the CCP’s military. Some are part of the Ministry of State Security (MSS), China’s main intelligence agency. Others work from nominally private companies, usually under MSS control. Still others are freelancers, using their skills both for the CCP’s benefit and for personal gain.
“The danger in dealing with these state-sponsored actors is their almost limitless resources and the willingness to play the long game,” said Bob Erdman, an associate vice president for Research and Development at Fortra, a cybersecurity firm.
“They will spend years collecting information and setting the groundwork for their operations. They also have access to the entire intelligence apparatus, which can provide an excellent source of information but also a framework and infrastructure to carry out these operations.”
Access to China’s internet infrastructure allows for “man-in-the-middle” attacks “to exploit users whose internet traffic happens to transit infrastructure owned or built by China,” he told The Epoch Times in a text message.
Their main target is the United States: not just the U.S. government, but also private companies of strategic interest to the CCP. The list of targeted industries is long, from major military contractors to aerospace and aviation, computer software and hardware developers, telecom, electronics, engineering, mining, shipping, pharmaceuticals, energy, and even education.
Some hacker groups have shown keen interest in detecting vulnerabilities in U.S. critical infrastructure including power grids and water supply. And some groups specifically target dissidents and CCP critics overseas.
“To the CCP, cyber is one of many methods of unrestricted war: weakening your enemy from the inside with no rules just short of conventional war,” explained Casey Fleming, a strategic risk and intelligence expert and the CEO of BlackOps Partners.
“The CCP’s cyber war machine is much greater than anyone realizes. They have the manpower, they are extremely focused, minimally fragmented under the totalitarian communist regime, and leverage AI and technology for maximizing their attacks,” he told The Epoch Times via email.
Even APTs that on the surface bear associations with other nations or no associations at all may be influenced by the CCP behind the scenes, he said.
“The CCP is the puppet master. They collaborate with and train other nation states as axis partners against the West. The CCP also hires bad actors with their malware from the darknet.”
The U.S. government has been periodically indicting Chinese hackers implicated in major attacks, but that appears to barely scratch the surface.
As long as the hackers are located in China, they are “shielded from legal repercussions,” Erdman said.
Threat Evolution
As victims of cyberattacks have wised up to hackers’ tactics, hackers have also become more sophisticated, taking advantage of new technologies and developing new attack vectors, Lee told The Epoch Times.
Reports of Chinese APTs exploded in the mid-2000s. Back then, smartphones and social media were in their infancy and most attacks followed a similar pattern. The hacker group would identify individuals who possess credentials to access the targeted computer system. An aeronautics engineer, for example, would likely have access to a computer system storing blueprints. The hackers would send the engineer emails prompting him to open an attachment infected with a malicious program, known as malware.
This method, called phishing, has been evolving, too. In the early days, the text of the email would be generic, likely in broken English. Over time, the tactic advanced into “spear phishing,” in which case the email would be personalized. It might appear to have been sent by a supervisor or the IT or HR department, and the attachment may look like a legitimate work-related document. Then, as companies adopted policies against opening unsolicited attachments, the hackers switched to sending hyperlinks that would take the user to an infected website.
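The spear-phishing pattern described above, in which a message appears to come from a supervisor or the IT or HR department, leaves a trace a mail gateway can check: a familiar display name paired with an address outside the organisation’s domain. The following is an added example, not code from the article or from any of the firms it quotes; the internal domain, the staff display names and the sample messages are all constructed.

```python
"""Flag e-mails whose From: display name matches an internal sender
while the actual address is external (a common spear-phishing pattern).

Added example, not from the article. The internal domain, the staff
directory and the messages below are constructed sample data.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

INTERNAL_DOMAIN = "corp.example"  # constructed placeholder domain

# Constructed directory of display names the organisation's staff use.
STAFF_DISPLAY_NAMES = {"Dana Lee", "IT Helpdesk", "HR Department"}

# Constructed raw messages. Only the From: header matters for this check.
SAMPLE_MESSAGES = [
    "From: Dana Lee <dana.lee@corp.example>\nSubject: Q3 blueprint review\n\nSee attached.\n",
    "From: IT Helpdesk <helpdesk@corp-example.support>\nSubject: Password expiry\n\nClick here.\n",
    "From: HR Department <hr.dept@corp.example.mail-relay.net>\nSubject: Benefits update\n\nUpdate.\n",
    "From: Newsletter <news@vendor.example>\nSubject: Monthly digest\n\nDigest.\n",
]

def sender_domain(addr: str) -> str:
    """Everything after the last '@', lower-cased; '' if there is no '@'."""
    return addr.rpartition("@")[2].lower()

def is_internal(domain: str) -> bool:
    """Exact match or a true subdomain of the internal domain.
    A look-alike such as 'corp.example.mail-relay.net' does not qualify,
    because the internal domain must be the suffix, not a prefix."""
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)

def classify(raw: str) -> Dict[str, str]:
    """Parse the From: header and decide whether the display name is
    borrowed from staff while the address comes from elsewhere."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    if name in STAFF_DISPLAY_NAMES and not is_internal(domain):
        verdict = "display-name spoof"
    else:
        verdict = "ok"
    return {"name": name, "address": addr, "verdict": verdict}

def spoofed(messages: List[str]) -> List[str]:
    """Addresses of every message that fails the check."""
    return [c["address"] for c in map(classify, messages) if c["verdict"] != "ok"]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        c = classify(m)
        print(f"{c['verdict']:20s} {c['name']!r:18s} {c['address']}")
```

The check deliberately treats only a true suffix match as internal, so a domain that merely starts with the organisation’s name is still flagged; in practice it would sit beside SPF/DKIM/DMARC results rather than replace them.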
In contrast to regular online scammers, who may try to trick their target into entering his login details into a fake website, typically an online banking site, state-sponsored hackers take a long-term, methodical approach.
The first malware they try to sneak in only surveils the targeted system. It collects detailed information about the system, such as what apps, versions, and configurations it uses. The most important feature, however, is a keylogger, a function that records everything the user types on the keyboard. Sooner or later, the user types his usernames and passwords for various parts of the system, including the part storing restricted information. The hackers then use the stolen credentials to search for and exfiltrate the targeted data.
Sometimes, hackers take an indirect route. Instead of the company or government agency itself, they go after IT contractors with access to its systems. Some Chinese APTs have managed to compromise Managed Service Providers (MSPs), which are companies that provide computer and network solutions to other companies. Many large corporations outsource their IT to MSPs. Thus, hacking a major MSP can provide access to multiple high-value targets.
While CCP hackers have been highly successful using spear phishing, their effectiveness has eroded as users become more suspicious of links and attachments of any kind.
Hacker groups have started to rely more often on “watering hole” attacks. With this method, they first try to create a psychological profile of their targets to determine their online behavior. The goal is to pinpoint specific websites that the targets are likely to visit. The hackers then search for security weaknesses on those websites and plant malware on them. Then they wait for their targets to visit the website and infect their computers.
In recent years, CCP hackers have successfully exploited yet another tactic, targeting network infrastructure such as routers, switches, and firewalls. Security flaws in the firmware of such devices are routinely patched by their producers, but end users don’t necessarily keep them up to date.
The large-scale attack on telecom companies in America and around the world that was discovered in 2020 was enabled by just such vulnerabilities.
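Because the weakness described above is unpatched firmware rather than a clever exploit, the defender’s first step is an inventory check: which routers, switches and firewalls are running a build older than the vendor’s patched release. The following is an added example, not code from the article; the device inventory, model names and “minimum patched” versions are all constructed placeholders, not real advisory data. It also handles the version-comparison edge case that a plain string compare gets wrong (ranking 16.9.3 above 16.10.0).

```python
"""Flag network devices whose firmware lags the vendor's patched release.

Added example, not from the article. The inventory and the minimum-patched
table are constructed sample data; real values come from vendor advisories.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory: (hostname, model, running firmware version)
INVENTORY: List[Tuple[str, str, str]] = [
    ("edge-fw-01", "ExampleFW-9000", "7.0.12"),
    ("core-sw-02", "ExampleSW-4800", "16.9.3"),
    ("branch-rtr-07", "ExampleRTR-2100", "15.2.1"),
    ("dmz-fw-02", "ExampleFW-9000", "7.2.1"),
    ("lab-ap-03", "ExampleAP-300", "1.0.4"),   # model missing from baseline
]

# Constructed table: oldest firmware build the (hypothetical) vendor
# considers patched for each model.
MIN_PATCHED: Dict[str, str] = {
    "ExampleFW-9000": "7.2.0",
    "ExampleSW-4800": "16.10.0",
    "ExampleRTR-2100": "15.2.1",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '16.10.0' into (16, 10, 0) so comparison is numeric per field.
    A lexical compare would rank '16.9.3' above '16.10.0'."""
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)

def is_stale(running: str, minimum: str) -> bool:
    """True when the running build is older than the minimum patched build.
    Shorter tuples are zero-padded so '7.2' equals '7.2.0'."""
    r, m = parse_version(running), parse_version(minimum)
    width = max(len(r), len(m))
    r += (0,) * (width - len(r))
    m += (0,) * (width - len(m))
    return r < m

def stale_devices(inventory, min_patched) -> List[Tuple[str, str, str, str]]:
    """Return (host, model, running, minimum) for every device below baseline.
    A device whose model has no baseline entry is reported with minimum
    'UNKNOWN' rather than silently treated as patched."""
    out = []
    for host, model, running in inventory:
        minimum = min_patched.get(model)
        if minimum is None:
            out.append((host, model, running, "UNKNOWN"))
        elif is_stale(running, minimum):
            out.append((host, model, running, minimum))
    return out

if __name__ == "__main__":
    for row in stale_devices(INVENTORY, MIN_PATCHED):
        print("STALE  host=%s model=%s running=%s minimum=%s" % row)
```

Reporting unknown models as findings rather than skipping them matters in practice: devices that never made it into the baseline are exactly the ones that tend to go unpatched.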
Spy by Design
The latest trend in hacking attacks, according to Lee, comes from cellphone apps. Smartphone users have become used to giving apps permission to access basic phone functions, such as the camera, keyboard, microphone, and location services. The app’s functionality often depends on such permissions. But the implications are extensive, Lee warned.
Any app with standard permissions can literally see and hear through the phone, as well as record what the user types. It can also monitor the user’s movement through GPS, Bluetooth, Wi-Fi, cell tower connection, and even through the phone’s built-in accelerometer, Lee said.
Many apps go even further, requesting permission to access user photos, emails, and text messages, bundling together all the dream malware features, he pointed out.
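One concrete way to act on the point above is to read an app’s manifest before installing it and list which of those surveillance-grade capabilities it requests. The following is an added example, not code from the article or from any app store’s review tooling; the “flashlight” app and its manifest are constructed, while the permission strings are real Android permission names. The mapping from permission to capability is the editor’s own grouping.

```python
"""Audit an Android manifest for permissions that unlock camera,
microphone, location, messages, photos or typed text.

Added example, not from the article. The manifest below is constructed
for a hypothetical app; the permission names are real Android strings.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, grouped by the capability each unlocks.
SURVEILLANCE_PERMISSIONS: Dict[str, str] = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while app is closed",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "screen content and typed text",
}

# Constructed manifest for a hypothetical "flashlight" app that asks for
# far more than a flashlight needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Torch">
        <service android:name=".KeyWatcher"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""

def requested_permissions(manifest_xml: str) -> List[str]:
    """Collect every permission the manifest declares: <uses-permission>
    entries plus the android:permission attribute on declared services,
    which is how an accessibility service (able to read typed text) is bound."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    perms = [el.get(name_attr) for el in root.iter("uses-permission")]
    perms += [el.get(perm_attr) for el in root.iter("service") if el.get(perm_attr)]
    return [p for p in perms if p]

def surveillance_capabilities(manifest_xml: str) -> Dict[str, str]:
    """Map each flagged permission in the manifest to the capability it grants."""
    return {
        p: SURVEILLANCE_PERMISSIONS[p]
        for p in requested_permissions(manifest_xml)
        if p in SURVEILLANCE_PERMISSIONS
    }

if __name__ == "__main__":
    for perm, cap in surveillance_capabilities(SAMPLE_MANIFEST).items():
        print(f"{perm:55s} -> {cap}")
```

The output for the constructed manifest lists five capabilities for an app whose stated purpose needs none of them except, arguably, the camera flash; that gap between purpose and permissions is the signal a reviewer looks for.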
Cellphone producers necessarily allow apps to collect such data because the entire tech sector draws massive revenues from data collection and data brokering.
“They sell access to you to other app developers,” Lee said. “It’s the surveillance technology that supports the surveillance capitalism business model that’s behind it all.”
While the system is set up to collect personal data in order to produce targeted advertising, it’s easy for malicious actors to exploit the same system.
Regime-backed hackers with substantial resources can create legitimate-looking app developer companies, develop seemingly legitimate apps, and then wait for high-value targets to download them.
On the surface, the app could be almost anything—a game, or even a cybersecurity app, Lee said.
Tech companies have been removing apps used for malicious purposes, but new ones are being pumped out all the time.
The only way to truly secure data, he said, is to store it on a separate system that doesn’t use any of the operating systems that enable data mining. Some companies, including major defense contractors, have already moved down that road, he said.