While much of the cybersecurity world's focus has been on attacks tied to the Russia-Ukraine war, there is an urgent need to raise awareness of the growing threat of a barrage of "digital strikes" by China against the United States, particularly if the conflict over Taiwan deepens, suggests Rep. Mike Gallagher (R-Wis.), chair of the House Select Committee on China. In line with our ongoing tracking of Chinese cyber threats, we agree that it is critical to take note of a Chinese cyber strategy that targets critical infrastructure on U.S. soil, including military and transportation networks as well as the energy, water, financial-market and business sectors, as described in this recent Politico article.
In our April post we underscored the tension between China and the West playing out in the news and posited that this could be the start of a new cold war. This past week the Chinese Ambassador to France, Lu Shaye, made remarks questioning the sovereignty of former Soviet states, possibly revealing China's real views on sovereignty (even though China later in the week disavowed Lu's remarks as "personal comments").
In a potential cyber cold war, what do we expect could be China’s objectives?
1. Avoid a hot war while still achieving its geopolitical ambitions;
2. Minimize impacts on its own economy, especially with respect to sanctions; and
3. Pursue a strategy that maximizes reputational damage to the U.S.
China can pursue these objectives on two fronts: courting support from countries that might otherwise oppose it, and neutralizing, or where necessary harming, those that do.
On the latter point, one opportunity we have highlighted is to inflict reputational harm on the U.S. and its allies through high-profile failures in critical infrastructure (e.g., energy, water, space development), carried out in a way that is difficult to attribute directly to China. The advantages of using cyber operations for this are obvious: they are cheap, deniable, and stop short of a kinetic act that would invite a military response.
A second and more economically defensive opportunity is to create new allies, hoping to minimize the impact from sanctions that would be imposed in the wake of cyber or overt military aggression.
Below is a list of China's top trading partners by export sales (the countries importing the most Chinese goods by dollar value during 2022, with each country's share of total Chinese exports). Together these fifteen countries took nearly two-thirds (63.7%) of China's 2022 exports:
1. United States: US$582.8 billion (16.2% of China’s total exports)
2. Hong Kong: $297.5 billion (8.3%)
3. Japan: $172.9 billion (4.8%)
4. South Korea: $162.6 billion (4.5%)
5. Vietnam: $147 billion (4.1%)
6. India: $118.5 billion (3.3%)
7. Netherlands: $117.7 billion (3.3%)
8. Germany: $116.2 billion (3.2%)
9. Malaysia: $93.7 billion (2.6%)
10. Taiwan: $81.6 billion (2.3%)
11. United Kingdom: $81.5 billion (2.3%)
12. Singapore: $81.2 billion (2.3%)
13. Australia: $78.8 billion (2.2%)
14. Thailand: $78.5 billion (2.2%)
15. Mexico: $77.5 billion (2.2%)
Watching how China pursues these objectives, in trade as well as in cyberspace, is how we intend to gauge the level of risk over the next few months.
In terms of cyber developments this past month, we would highlight:
North Korean cyber activity
3CX Intrusion - A supply chain attack within a supply chain attack
In late March, a supply chain attack was reported against 3CX, a widely used voice and video calling desktop client. Installers for several recent Windows and macOS versions of the software had been compromised and modified by the attackers so that, once installed, they delivered additional info-stealing malware to the user's computer.
Over the past month, more information about the intrusion has been released, revealing one of the first publicly documented instances of a software supply chain attack leading to another software supply chain attack.
Mandiant researchers found that the 3CX intrusion was enabled by a prior supply chain attack in which the threat actors had implanted malicious software on the website of a company called Trading Technologies. The malicious package, disguised as the company's X_Trader software, was downloaded and run by a 3CX employee, giving the threat actors access to 3CX's network and, from there, to the company's downstream customers.
Beyond 3CX, researchers also found that the X_Trader supply chain attack affected several other organizations, leading to intrusions at two critical infrastructure organizations in the energy sector and two financial organizations.
The 3CX intrusion and the related supply chain attacks have been attributed to North Korean threat actors broadly categorized as the Lazarus Group (tracked by Mandiant as UNC4736).
Following the 3CX attack, several of 3CX's cryptocurrency-sector customers were reportedly compromised, indicating a likely financial motivation. These cascading supply chain compromises show North Korean actors becoming more creative and persistent in how they exploit network access and distribute malware, aiming for standby access to a range of target networks that can serve North Korea's strategic goals.
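The practical lesson of the 3CX chain is that a vendor's installer can arrive tampered through an entirely legitimate channel. The following is an added example (not code from 3CX, Mandiant, or the original post) of the reconciliation check a defender can run against an endpoint software inventory: each installed artifact is compared to the vendor's published per-version hash and to a known-bad hash list, and successive copies of the vendor manifest are diffed to catch an installer that was quietly re-published under the same version number. The product name "acmevoip-desktop", the hashes, and the inventory rows are all constructed stand-ins.

```python
"""Reconcile an endpoint software inventory against vendor-published hashes
and a known-bad list. All data below is constructed for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Key = Tuple[str, str]  # (product, version)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed installer contents standing in for real binaries.
GOOD_416 = b"acmevoip-desktop 18.12.416 installer (clean)"
GOOD_422 = b"acmevoip-desktop 18.12.422 installer (clean)"
TROJANED_422 = b"acmevoip-desktop 18.12.422 installer + implant"

# Vendor hash manifest as fetched at two points in time. At T1 the vendor
# has re-published 18.12.422 with different contents and no version bump,
# the pattern of a build-pipeline compromise rather than a new release.
MANIFEST_T0: Dict[Key, str] = {
    ("acmevoip-desktop", "18.12.416"): sha256_hex(GOOD_416),
    ("acmevoip-desktop", "18.12.422"): sha256_hex(GOOD_422),
}
MANIFEST_T1: Dict[Key, str] = {
    ("acmevoip-desktop", "18.12.416"): sha256_hex(GOOD_416),
    ("acmevoip-desktop", "18.12.422"): sha256_hex(TROJANED_422),
}

# Known-bad hashes, e.g. from a threat-intel IOC feed (constructed).
BLOCKLIST: Set[str] = {sha256_hex(TROJANED_422)}


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    verdict: str  # ok | known_bad | hash_mismatch | unknown_version


def classify(host: str, product: str, version: str, digest: str,
             manifest: Dict[Key, str], blocklist: Set[str]) -> Finding:
    # Check the blocklist first: a known-bad hash stays bad even when the
    # vendor's own manifest vouches for it (the source-compromise case).
    if digest in blocklist:
        return Finding(host, product, version, "known_bad")
    expected = manifest.get((product, version))
    if expected is None:
        # Version the vendor never published: sideloaded or pre-release build.
        return Finding(host, product, version, "unknown_version")
    if digest != expected:
        return Finding(host, product, version, "hash_mismatch")
    return Finding(host, product, version, "ok")


def reconcile(inventory: Iterable[Tuple[str, str, str, str]],
              manifest: Dict[Key, str], blocklist: Set[str]) -> List[Finding]:
    """inventory rows are (host, product, version, sha256 of installer on disk)."""
    return [classify(h, p, v, d, manifest, blocklist) for h, p, v, d in inventory]


def manifest_drift(old: Dict[Key, str], new: Dict[Key, str]) -> List[Key]:
    """Versions whose published hash changed between two manifest snapshots."""
    return sorted(k for k in old.keys() & new.keys() if old[k] != new[k])


# Constructed endpoint inventory: one clean host, one carrying the
# trojaned build, one locally modified binary, one unpublished version.
INVENTORY = [
    ("ws-01", "acmevoip-desktop", "18.12.416", sha256_hex(GOOD_416)),
    ("ws-02", "acmevoip-desktop", "18.12.422", sha256_hex(TROJANED_422)),
    ("ws-03", "acmevoip-desktop", "18.12.422", sha256_hex(b"locally patched")),
    ("ws-04", "acmevoip-desktop", "19.0.1", sha256_hex(b"unreleased build")),
]

if __name__ == "__main__":
    for finding in reconcile(INVENTORY, MANIFEST_T0, BLOCKLIST):
        print(finding)
    print("manifest drift:", manifest_drift(MANIFEST_T0, MANIFEST_T1))
```

The caveat is in the ws-02 row: checked against the T1 manifest with no blocklist, the trojaned installer reconciles as "ok", because the vendor published the bad hash itself. Vendor-supplied hashes and signatures only attest that you received what the vendor built; they say nothing about what the vendor's build environment had been made to build. An independent known-bad list and the manifest-drift check are the signals that survive a source-level compromise like the one described above.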
Russian APT activity