Red Team analysis is the process of viewing a situation from the perspective of an adversary, thus providing insights beyond those that might otherwise be limited by normative biases. This blog provides an assessment of one company's foray into the popular APT outing trend, set in the context of China's cyber buildup, and what that could mean for future U.S. cyber espionage endeavors.
Outing state-sponsored cyber activities has become commonplace over the last few years since the release of Mandiant's watershed APT1 report. While researchers across a diverse pool of companies have disclosed apparent state-sponsored activities, disclosures of U.S. state-sponsored activity remained scarce until recently.
Prior to last year, the only substantive revelation of possible U.S. cyber activity came when Stuxnet was first discovered in mid-2010, marking a dramatic shift in public knowledge of what state-sponsored threats were actually capable of doing. Fast forward to 2015, however, and Kaspersky published the first full-on overview of "Equation Group" espionage activity presumed to be U.S. state-sponsored. It didn't take long before media outlets and other security companies were combing through Kaspersky Lab's research and the infamous Snowden leaks to find possible links between the two. Kaspersky Lab, along with FireEye, Symantec, Trend Micro and Palo Alto Networks, is among the global leaders when it comes to trendy APT reports.
China Enters the Scene – Establishing a New Cyber Presence
China has long endeavored to keep up with the United States and Russia in most aspects of warfare. In 1993, China began a systematic long-term effort to modernize its military and close the gap with the other world powers. In 2011, laws governing conscription were changed, allowing college graduates to serve more effectively. On the cyber front, China established the Cyberspace Administration of China (CAC) in 2014. The CAC is in charge of all censorship, oversight and general control of the Chinese Internet for the PRC. Keeping in stride with major reform, China completely overhauled its military structure, beginning anew on December 31, 2015. This overhaul saw the creation of a more centralized military cyber engagement element called the Strategic Support Force (SSF).
Finally, continuing its aggressive charge to invigorate its cyber operations and possibly outpace its perceived adversaries, China created the Cybersecurity Association of China (CSAC) in March 2016. This newest element in the cyber arena was established as a non-profit organization under the CAC and designed to be an industry association bridging the gap between government and industry. Additionally, the organization provides China a seemingly non-government face for handling international cybersecurity issues, as seen early this year with GitHub. Its official mandates include:
- “Laws and regulations helping to build out the new information and communications technology (ICT) legal regime,
- Technology support helping to boost the domestic ICT industry,
- Public opinion supervision to help in information control and propaganda,
- Security and stability of information systems, products, and services (conventional cybersecurity),
- Protecting core Chinese interests under globalization, and promoting globally competitive Chinese IT companies.”
The CSAC board consists of thirteen individuals from prominent Chinese organizations. Included in this leadership board are the proverbial 'Father of the Great Firewall of China', Fang Bingxing, and individuals from Antiy Labs, Qihoo 360, Baidu, Alibaba, Xi'an Jiaotong University, Tencent, Huawei, and a few additional faces. The makeup of this leadership implies an inherent focus on information access and defense specialties.
Antiy Labs – A New Mouthpiece?
Until recently, U.S. companies and Russia's Kaspersky Lab have mostly led the charge in exposing APT-related activities, with a few other, predominantly European, companies following suit. A Chinese anti-virus company, Antiy Labs, has now joined the party, recently publishing a report that purports to disclose Equation Group APT activity. Antiy Labs has published a limited number of APT-related research articles over the past three years but has not received the level of international press coverage that its western counterparts have.
In the report, Antiy researchers claim to have found Equation Group-related malware. The research is fairly in-depth, but the researchers provided no hash values, limiting outside analysts' ability to validate the findings. However, using the data that was provided, some of their research initially appears to correlate with prior Equation Group data first disclosed by Symantec, focused on the now infamous Grayfish malware.
Antiy Labs is a very prominent company in China's network defense sector. It has dabbled in APT-related research in the past but, as mentioned previously, that work was limited in quantity and exposure. Even if it had not done so previously, Antiy now has the potential to establish broader information-sharing procedures within the confines of the mandates governing the CSAC. The formation of the CSAC has officially brought together major communications partners and potentially offers large-scale data sharing access to companies looking to discover and disclose state-sponsored activities.
The formation of the CSAC and the evolving involvement of prominent Chinese companies such as Antiy in APT research likely signal an escalation of efforts by China to find and expose state-sponsored cyber operations working within China, especially those from the U.S. or Russia. It is also extremely likely that other Chinese companies will follow suit, bringing additional APT research to light.