Cybersecurity & Tech

The PLA's Cyber Operations Go Dark

Tom Uren
Friday, November 22, 2024, 8:01 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
An army in the Forbidden City, Stability AI

Published by The Lawfare Institute
in Cooperation With
Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

The PLA’s Cyber Operations Go Dark

A new report describes the evolution of China’s cyber capabilities over the past 30 years, including the incorporation of independent hacktivists into state-linked groups and the rise of the Ministry of State Security (MSS) as a hacking force. Most interestingly, the report examines the reorganization of the People’s Liberation Army (PLA) and the decline in reports of operations linked to the country’s military hackers since 2017.

The report, from security firm Sekoia, describes three primary state actors that carry out cyber operations for the Chinese Communist Party (CCP): the MSS, the PLA, and the Ministry of Public Security (MPS).

Several years ago, the PLA was China’s major cyber espionage actor. Mandiant’s groundbreaking 2013 report, for example, linked the operations of a prolific actor it dubbed APT1 to a specific element in the PLA’s General Staff Department, Unit 61398. Mandiant said the unit was responsible for stealing hundreds of terabytes of data from nearly 150 organizations spanning 20 major industries, and tied the organization to a specific 12-story building in Shanghai.

PLA operations appear to have declined in number since then, for reasons that are not clear.

Factors that might have contributed include the APT1 report itself; the U.S. government strategy to publicly denounce unacceptable behavior, including indicting hackers associated with Unit 61398; and a 2015 cybersecurity agreement between Chinese President Xi Jinping and President Obama to not “knowingly support cyber-enabled theft of intellectual property … with the intent of providing competitive advantages to companies or commercial sectors.”

The PLA also underwent significant reform over that time. In 2015, its cyber units were brought alongside space and electronic warfare elements under a Strategic Support Force command (SSF). In April of this year, the SSF was dissolved and its cyber elements elevated to a Cyberspace Force.

Nowadays, the MSS is the big kahuna and, since 2021, has been linked to the majority of cyber operations attributed to the PRC.

Sekoia floats a number of hypotheses to explain the apparent decline of the PLA’s hacking relative to the MSS. One is that the MSS stepped up and assumed more responsibility for the worldwide strategic “steal all the intellectual property”-style campaigns that the PLA had been carrying out. Of course, what would that leave all the PLA’s hackers doing? Sekoia’s conclusion here is that the PLA has been retasked to directly support military operations.

Military and government organizations are typically security-conscious hard(er) targets and long-term access is highly desirable, so these types of operations place a premium on stealth. Additionally, victims are also less likely to publicly disclose incidents in which they have been successfully targeted.

Although the report doesn’t mention Volt Typhoon, the behavior of this group is entirely consistent with Sekoia’s hypothesis. Volt Typhoon is the Chinese group that appears to be developing the capability to disrupt U.S. critical infrastructure in the event of military conflict and uses difficult-to-detect “living off the land” techniques. As an aside, a Washington Post report cites U.S. and industry security officials linking Volt Typhoon to the PLA, although there are no publicly available official reports that confirm this.

Mandiant reckoned in 2013 that APT1 (aka the PLA’s Unit 61398) was a large organization with “at least dozens, but potentially hundreds of human operators.” These hands-on keyboard operators would need to be supported by “linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors.”

In retrospect, it may be significant that in 2014, Xi called for China to become a “cyber power.” Unit 61398 is just one of the PLA’s cyber units and has essentially disappeared from open-source reporting. How much critical infrastructure disruption does hundreds of APT operators buy you?

While there are operational drivers that encourage the PLA to hack quietly, there is a different dynamic at play when it comes to the MPS cyber operations. The MPS is China’s national police force, and Sekoia hypothesizes that the ministry’s focus on internal security threats such as dissidents and the CCP’s “five poisons” (advocates for democracy, Taiwan and Hong Kong independence, Uyghurs, and Falun Gong) doesn’t overlap all that much with the interests of Western cybersecurity firms. Another confounding factor is that both the MPS and the MSS outsource operations to China’s cyber contracting companies, so that public security operations could end up being linked by cybersecurity firms to the MSS because they both used the same cyber contractor, for example.

The report provides a high-level overview of the Chinese hacking ecosystem, but of course the threat actor to be most worried about is the one you hear the least about.

Malicious Actors Quick to Jump on Zero-Days

Rapid exploitation of zero-day vulnerabilities is the new normal, warns a joint advisory issued by Five Eyes cybersecurity authorities.The advisory says that in 2023 “the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day.” This is a shift from previous years when the most exploited vulnerabilities tended to be unpatched older ones.

Risky Business News notes:

CISA’s list complements another recent report from Google’s Mandiant division that found that of the 138 vulnerabilities disclosed last year, 70% were first exploited as zero-days—before patches were available.
A conclusion that can be drawn from both reports is that threat actors are investing in exploit development more than they have in the past, hoping to go on massive hacking sprees before patches are available.

This doesn’t look like a trend that is going to go away anytime soon. Last week, zero-day vulnerabilities were reported in Palo Alto networks firewall appliances and Fortinet’s Windows VPN client. (Note: Risky Business News described the Fortinet vulnerability as a design flaw rather than a zero-day.)

The joint cybersecurity advisory contains the usual advice to end-user organizations to “be prepared to patch quickly.” This recent Palo Alto bug is a case study in the difficulty of this approach. It is a preauthorization remote code execution bug on the firewall’s web management interface—so it is bad—but despite being aware of its possible existence, Palo Alto Networks wasn’t able to do anything about it. Per Risky Business News:

The Palo Alto zero-day is believed to be related to an alleged exploit sold on the Exploit hacking forum earlier this month.

Source: @phantmradar on X


Until last week, Palo Alto engineers couldn’t prepare a patch due to the limited information about the “supposed” exploit or if it existed. With confirmed attacks, we expect the company to have something out throughout the week.

Once a patch is issued, end users must then spring into action, so there is obviously a window of opportunity for cyber crooks here. Given the inherent delays in patching, it simply isn’t possible to patch our way out of widespread zero-day exploitation. Another part of the advisory recommends that vendors implement practices that will result in more secure products. What a grand idea! We are struck by how often the same vendors of enterprise products appear on these most exploited lists. If only there were some way to introduce financial incentives that would encourage vendors to improve their products…

With that framing in mind, we can’t help wondering if Palo Alto Networks should have just bought the exploit in the first place. If you squint (a lot), it would be the exact same as a bug bounty program, except the reward would be set by (black) market forces. So capitalist!

Three Reasons to Be Cheerful This Week:

  1. AI scam-buster I: Google is rolling out scam detection technology to some Android devices. Google says this feature is “powerful on-device AI to notify you of a potential scam call happening in real-time by detecting conversation patterns commonly associated with scams.” The device can then warn its user that the call is potentially a scam.
  2. AI scam-buster II: British telecommunications company Virgin Media O2 has announced it has developed an AI granny persona it calls Daisy to waste scammers’ time by keeping them talking on the phone for as long as possible with “human-like rambling chat.” O2 says it “has put Daisy to work around the clock answering dodgy calls” and that she has “successfully kept numerous fraudsters on calls for 40 minutes at a time.” Here is a video about Daisy.
  3. Making software repositories safer: The Python Package repository PyPI now supports “digital attestations.” These improve on traditional PGP signatures because they are more automated (so user error is less likely), provide stronger provenance assurances, and are signed with identities and not private keys (so private keys can’t be lost or stolen). Trail of Bits has more detail.

Shorts

Changing of the Guard at CISA

Both Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and Deputy Director Nitin Natarajan are expected to leave their posts when President-elect Trump is sworn into office next year. Their replacements could have a significant impact on CISA’s direction. Writing for Wired, Eric Geller polls experts who say Trump’s second term will mean less regulation, abandoning human rights concerns such as abusive spyware and aggressive responses to cyber adversaries.

Bitfinex Hack Couple Sentenced

Ilya Lichtenstein has been sentenced to five years in prison for money laundering relating to the 2016 theft of 120,000 Bitcoin from cryptocurrency exchange Bitfinex. Lichtenstein stole the funds and then subsequently involved his wife, Heather Morgan, in laundering the Bitcoin. She was sentenced to 18 months for her involvement in the money laundering.

We first mentioned Lichtenstein in 2022, after the pair was arrested and $3.6 billion in cryptocurrency seized. The ability to track cryptocurrency flows as described in the indictment was amazing. The stolen Bitcoins were worth $71 million at the time of the hack and are now worth over $10.5 billion.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk about what cyber weapons really are and why use of the term is counterproductive.

From Risky Biz News

Microsoft announces Quick Machine Recovery, a feature to fix future CrowdStrike disasters: At its Ignite developer conference this week, Microsoft announced a new feature for its Windows 11 operating system that will allow admins to remotely fix PCs with booting issues. The company developed the feature as a way to tackle future cases like the CrowdStrike incident that crashed over 8.5 million PCs in July this year.

The new feature is named Quick Machine Recovery and will allow a company’s IT administrators to tap into the Windows Update system to deliver fixes for boot-related bugs that normally require physical access to a machine.

[more on Risky Business News including more security-centric announcements at Ignite]

The United States’s Microsoft dependency: A ProPublica investigation looks at how Microsoft offered the U.S. government free cybersecurity upgrades in 2021 and ensnared the U.S. government IT apparatus into its closed ecosystem, making it harder to switch to other solutions due to high migration costs:

The White House Offer, as it was known inside Microsoft, would dispatch Microsoft consultants across the federal government to install the company’s cybersecurity products — which, as a part of the offer, were provided free of charge for a limited time. But once the consultants installed the upgrades, federal customers would be effectively locked in, because shifting to a competitor after the free trial would be cumbersome and costly, according to former Microsoft employees involved in the effort, most of whom spoke on the condition of anonymity because they feared professional repercussions. At that point, the customer would have little choice but to pay for the higher subscription fees.

Source: Chris Bing on X

Pakistan preparing VPN ban: Pakistan’s religious advisory board has ruled that the use of VPN apps is against Sharia Law. The announcement from the Council of Islamic Ideology comes weeks after the government announced plans to ban VPNs. VPN use exploded in Pakistan after the government deployed a national firewall in July to block access to unwanted information. [Additional coverage in VOA News]


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.

Subscribe to Lawfare