China's MSS Doxes and Threatens Taiwanese APT Operators
Published by The Lawfare Institute
in Cooperation With
Editor's Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.
China's MSS Doxes and Threatens Taiwanese APT Operators
China ramped up its name-and-shame cyber rhetoric this week when it identified and threatened four Taiwanese individuals it alleges are involved in cyber operations targeting the mainland.
The four were named in a Chinese Ministry of State Security (MSS) Weixin post that published the names, passport-style photographs, birthdates, ID numbers, and job titles within Taiwan's Information Communication Electronic Force Command (ICEFCOM). The unit was set up in 2017 and brings together the Ministry of National Defense's communication, cyber, and electronic warfare units.
This is the second time that the MSS has doxed Taiwanese military hackers. In September of last year, it published the identities of three other alleged cyber operators, but without some of the more granular identifying details.
This latest post also contains a direct threat, per ChatGPT translation:
China's national security agencies warn that "Taiwan independence" is a dead-end road. The government will take all necessary legal measures to hold separatists accountable under the legal framework for punishing Taiwan independence-related crimes, enforcing lifelong prosecution for key figures. Cyber operatives aiding Taiwan's separatist agenda are urged to abandon their illusions and cease their criminal activities.
Nathan Attrill, a China analyst at the Australian Strategic Policy Institute, told Seriously Risky Business that being publicly identified by Beijing could have "serious and immediate consequences."
Attrill said the named individuals may face "tangible risks" particularly if they travel to Hong Kong or countries with strong ties to China. Then there's the implied threat that these operators would face punishment if China were to one day invade and annex Taiwan.
"The recent case of Uyghurs being extradited to China from Thailand serves as a stark reminder of how China can exert influence over foreign governments to pursue individuals it targets," he said.
When compared to U.S. indictments of PRC-based hackers, the MSS's posts are nowhere near as "good" from our cybersecurity nerd perspective. Department of Justice indictments provide enough detail to tell the story of PRC hacking campaigns in a way that reassures readers the U.S. authorities know what they're on about. MSS Weixin posts provide none of that and are instead filled with propaganda and invective.
The MSS post this week was also bolstered by three PRC-based cybersecurity firms releasing related articles within a day. Qi'anxin, Antiy, and Anheng Information published their own reports on Taiwanese groups targeting mainland Chinese organizations. The reports don't draw explicit links to the individuals named by the MSS, but the timing suggests coordination between the MSS and the cybersecurity community.
Dakota Cary, a China-focused consultant at SentinelOne, who has published extensively on Chinese cyber actors, told Seriously Risky Business this was a continuation of a strategy to "match what it sees as US attacks in the public opinion space."
For nearly a decade, the U.S. has employed a "name-and-shame" approach to expose PRC hacking, publicly detailing cyber campaigns through criminal charges and indictments. Cary said the PRC government chose to respond in kind after a joint 2021 statement from allies, including the U.K., EU, and NATO, criticized its "malicious cyber activity and irresponsible state behavior." Its initial attempts to out U.S. cyber operations involved the recycling of material from old intelligence community leaks. Lame!
Cary described this week's efforts as "arguably" an improvement over using recycled U.S. leaks.
Even so, in our view, most of the recent MSS publication is just propaganda. For example:
Under the guise of developing "asymmetric warfare capabilities," the DPP [Taiwan's ruling Democratic Progressive Party] has recklessly spent taxpayer money to build a cyber force aimed at attacking and infiltrating the mainland. However, this effort is futile, akin to an ant trying to shake a tree. Internally, the cyber army is plagued by mismanagement, corruption, and dysfunction.
The point of both the propaganda and the doxing is to intimidate. When the MSS names Taiwanese hackers, that has some bite. By contrast, the U.S. identifying PRC hackers in indictments feels like a symbolic gesture, albeit one that bolsters credibility.
It doesn't have to be this way for Taiwan's cyber operators.
The PRC is an enduring U.S. intelligence target, and various Chinese authorities have published multiple reports about National Security Agency (NSA) hacking. But they have never outed an American cyber operator because of the agency's robust operations security (OPSEC).
It's time for Taiwan's ICEFCOM to take a leaf out of NSA's book and really up its OPSEC standards.
Russia Throws Bombs, but Europe Will Throw Packets
Russia is waging a sabotage campaign against Western interests in Europe. Destructive cyber operations have played only a minor role in these attacks, but retaliation in the cyber domain from Western countries is definitely in the cards.
A new report from the Center for Strategic and International Studies (CSIS) describes Russia's "shadow war against the west." Per the report:
Russia is engaged in an aggressive campaign of subversion and sabotage against European and US targets, which complement Russia's brutal conventional war in Ukraine …. Russia's military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (or GRU), was likely responsible for many of these attacks, either directly by their own officers or indirectly through recruited agents. The GRU and other Russian intelligence agencies frequently recruited local assets to plan and execute sabotage and subversion missions. Other operations relied on Russia's "shadow fleet," commercial ships used to circumvent Western sanctions, for undersea attacks.
The report was based on a database of activity. This included "Russian attacks and plots that had (or were intended to have) physical effects, such as weapons and tactics using explosives, other incendiaries, firearms, and anchors for cutting undersea fiber-optic cables."
From a cyber perspective, the database captured destructive or disruptive cyber operations, but it excluded intelligence-gathering, election interference, or disinformation operations.
Cyber operations are often touted as the tool of choice for modern-day sabotage. But electronic attack and cyber operations made up just 15 percent of attacks, and only a single paragraph is dedicated to them in the report:
Russian agencies utilized electronic attack and cyber operations with physical effects against transportation targets. Estonia, Finland, Lithuania, Norway, and Poland all reported specific incidents of deliberate GPS signal jamming from Russia, which led to navigation errors, flight deviations, and communication breakdowns—endangering the lives of those on board. Several countries, such as Poland, also reported cyberattacks against transportation targets, such as rail lines. More broadly, Russian-linked actors conducted hundreds of cyberattacks against targets in Europe, the United States, and other regions to collect intelligence, deface websites, orchestrate a denial of service, and occasionally conduct sabotage, according to a broader CSIS database of cyber incidents between 2006 and 2025 where losses were greater than a million dollars.
By contrast, other examples cited in the report include fires and explosions at manufacturing facilities that supply weapons or communications equipment to Ukraine, cutting submarine cables, and even assassination attempts.
Several were assassination plots that failed: one in Poland targeting Ukrainian President Volodymyr Zelensky; one in Austria against Bulgarian investigative journalist and director of the Bellingcat investigative reporting group Christo Grozev; and one in Germany targeting Armin Papperger, the chief executive officer of Rheinmetall, a large producer of artillery and tanks that had sent shells to Ukraine. The assassination plot against Papperger was one of the first instances in which Russia attempted to take lethal action against a Western citizen who had no previous connection to Moscow.
There were several other attacks against individuals. One was the assassination in Spain of Maksim Kuzminov, a Russian helicopter pilot who defected from Russia in August 2023. Another was the 2024 assault in Lithuania on Leonid Volkov, a Russian citizen and former close aide of now-deceased Russian opposition leader Alexei Navalny. The assailants, who Lithuanian intelligence assessed were likely "Russian organized," broke Volkov's arm but failed to kill him.
Several GRU entities, including its sabotage and assassination group, Unit 29155, conduct cyber operations. But when it comes to killing people, guns and poison are easier options than keyboards.
The report calls for an active and aggressive campaign in response, with one element being "conducting targeted offensive cyber operations against important Russian military and commercial targets, including the networks of Russia's energy sector that are vital to Russia's economy."
This is wrapped up in a larger question of whether Western governments should respond with their own destructive sabotage campaign. The report addresses this directly:
Unlike authoritarian countries such as Russia, this logic [not responding in kind] assumes that democratic countries cannot—or should not—conduct forceful actions against Russia because they are not involved in a declared war. Yet these concerns are largely fallacious, and they reflect a mindset of self-deterrence. Russia, not Europe or the United States, chose to escalate a shadow war in Europe. In fact, a failure to respond will likely increase the likelihood of a protracted Russian campaign.
If you agree, the question for us is: Why respond with cyber? Why not hire some local bomb throwers like Russia does? Russia gets amazing bang for its ruble by recruiting local criminals to carry out destructive acts. The West could do the same.
We don't think it will, though. If Western governments run a counter-campaign, we suspect they'll prioritize stealth and deniability. In that case, destructive cyber operations fit the bill. Slower, more expensive, and lower impact, but more deniable and less on the nose.
Three Reasons to Be Cheerful This Week:
Cybersecurity layoff reprieve: The White House has told federal agencies that cybersecurity jobs are national security-related and should therefore be exempt from layoffs. CISA is also reaching out to reinstate probationary employees who had been fired, after a judge issued a temporary restraining order against the terminations.
A responsible cryptocurrency exchange: The OKX cryptocurrency exchange took steps to prevent abuse after detecting North Korean hackers trying to misuse its services. OKX temporarily suspended its decentralized exchange (DEX) aggregator services so that it could implement measures including detecting and blocking hackers' latest addresses in real time. We are still cynical about OKX's motivations and cryptocurrency in general, but this is a hell of a lot better than the typical crypto theft story.
End-to-end encryption for RCS: The GSM Association has announced specifications for Rich Communication Services (RCS) that include end-to-end encryption (E2EE). That may one day mean that people will be able to send E2EE text messages directly between iOS and Android phones.
Shorts
Don't Panic Everyone, the FCC Has a Plan
Federal Communications Commission (FCC) Chair Brendan Carr has announced the formation of a National Security Council within the agency.
The council's goals are to:
Reduce the American technology and telecommunications sectors' trade and supply chain dependencies on foreign adversaries.
Mitigate America's vulnerabilities to cyberattacks, espionage, and surveillance by foreign adversaries.
Ensure the U.S. wins the strategic competition with China over critical technologies, such as 5G and 6G, artificial intelligence, satellites and space, quantum computing, robotics and autonomous systems, and the Internet of Things.
These are worthy goals.
The day before Carr's press release last week, the FCC announced a "massive deregulation initiative" and published a "Delete, Delete, Delete" public notice that requested input on "every rule, regulation, or guidance document that the FCC should eliminate for the purposes of alleviating unnecessary regulatory burdens."
We imagine improving security will require regulation, so it'll be interesting to see how these conflicting imperatives play out. It will certainly be a win if the FCC can replace unnecessary regulations with ones that meaningfully improve security.
Risky Biz Talks
In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq talk about how offensive cyber operations could do so much more than just "deny, disrupt, degrade and destroy." Grugq thinks this thinking is rooted in military culture, and he wonders why cyber operations are always so mean.
From Risky Biz News:
GitHub supply chain attack prints everyone's secrets in build logs: A threat actor compromised a popular GitHub Action and added malicious code that prints out secret tokens in project build logs.
The incident took place on Friday and impacted tj-actions/changed-files (hereinafter Changed-Files), an automated action used by over 23,000 GitHub projects.
The action works by analyzing pull requests and detecting which files were changed in a pull request or commit. It is used in complex CI/CD pipelines to trigger other actions depending on which files changed. It is basic but widely relied upon, which is why it had become one of GitHub's most popular actions.
It's still unclear how the attacker compromised Changed-Files, but once they were inside, they pointed every version tag of the action at the malicious code, meaning that repos pinned to old version tags were also impacted.
[more on Risky Bulletin]
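The practical lesson from the tag retargeting described above is that a version tag such as `@v45` is mutable and can be moved by whoever controls the repository, whereas a full 40-character commit SHA cannot. The following audit script is an added example written for this page, not code from Risky Business, GitHub or the tj-actions project: it scans workflow text for `uses:` references and flags any third-party action that is not pinned to a commit SHA. The workflow it runs against is constructed sample input, and the tag and SHA values in it are illustrative, not claims about real releases.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow (not taken from any real repository). It shows the
# three common ways a third-party action gets referenced, plus two references
# (a local composite action and a Docker image) that the check deliberately skips.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0e58ed8671d6b60d0890c21b07f8835ace038e67 # illustrative SHA
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

# A full commit SHA is 40 lowercase hex characters; anything else (tag, branch,
# short SHA) is a mutable reference that a repository owner can move.
SHA40 = re.compile(r"^[0-9a-f]{40}$")

# Matches "uses:" both as a list item ("- uses: x") and as a step key ("uses: x"),
# tolerating optional quoting and a trailing "# comment".
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


@dataclass
class ActionRef:
    repo: str            # e.g. "tj-actions/changed-files"
    ref: Optional[str]   # text after "@", or None if absent
    line: int            # 1-based line number in the workflow

    @property
    def pinned(self) -> bool:
        """True only when the reference is an immutable full commit SHA."""
        return self.ref is not None and bool(SHA40.match(self.ref))


def find_action_refs(workflow_text: str) -> List[ActionRef]:
    """Extract every third-party action reference from a workflow file's text."""
    refs: List[ActionRef] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local composite actions live in the same repo; Docker images are pinned
        # by digest through a different mechanism. Both are out of scope here.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        repo, _, ref = target.partition("@")
        refs.append(ActionRef(repo=repo, ref=ref or None, line=lineno))
    return refs


def unpinned_actions(workflow_text: str) -> List[ActionRef]:
    """Return the references that would follow a retargeted tag or branch."""
    return [r for r in find_action_refs(workflow_text) if not r.pinned]


if __name__ == "__main__":
    for r in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {r.line}: {r.repo}@{r.ref or '<none>'} is not pinned to a commit SHA")
```

Run against the sample, the script reports the `@v4` and `@v45` references and accepts the SHA-pinned one. Pinning to a SHA only protects against a tag being moved after the fact; it does not vouch for the commit you chose, so the pin should be paired with a review of that commit and a comment noting which release it corresponds to, as in the sample.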
FBI warns of online file converters that distribute malware: The FBI says that cybercriminals are using free file format and document conversion tools to scrape personal data and deploy malware and even ransomware.
The warning applies both to websites that convert files between formats and to conversion apps that users download onto their devices.
[more on Risky Bulletin]