Features 21.05.2024

A Hacked MoD and the Growing Threat of China

The (cyber) threat posed by China is well-documented.

China has been accused of hacking the MoD, just months after another two attacks were blamed on the country’s increasingly capable adversaries. Kate O’Flaherty asks what businesses and government entities can do about it

The threat posed by China is already well-documented. So much so that world leaders have been cracking down on Chinese companies over the last few years.

This year, US President Joe Biden passed a law requiring ByteDance, the Chinese owner of social media site TikTok, to sell the app’s US operations or face a ban. It came after countries including the UK, US, and Canada banned TikTok on government-issued devices.

Meanwhile, multiple countries, including the UK, have moved to curb or block Huawei and ZTE equipment from 5G telecoms networks.

There’s no doubt Chinese cyber adversaries are capable and increasingly active. This month, China was accused of hacking the Ministry of Defence (MoD) after defence secretary Grant Shapps disclosed a data breach at a third-party contractor.

The incident impacted the personal data of 270,000 serving personnel, reservists and veterans of the Royal Navy, British Army and Royal Air Force.

Two months earlier, UK deputy prime minister Oliver Dowden blamed Chinese State-sponsored attackers for “malicious cyber campaigns”, including a 2021 hack of the UK’s Electoral Commission that exposed 40 million voters’ personal details.

So, how big is the current threat from China-backed nation-state adversaries, and what can businesses and governments do about it?

A short history of China’s adversarial aims

China is first-billed among the so-called CRINK (China, Russia, Iran and North Korea) adversaries – a term coined by Cyjax CISO Ian Thornton-Trump.

The country has growing capabilities: it is a “worthy competitor” in cyberspace, says Dakota Cary, strategic advisory consultant at security outfit SentinelOne. “The government has rolled out many new policies to improve the quantity and quality of their hackers over the last nine years. We are now seeing the impact of those in cyberspace.”

China is known for stealing military and business secrets to further its technological aims. The Chinese have been setting the conditions to use the cyber environment for intelligence purposes “for many years”, says Philip Ingram, MBE, a former colonel in British military intelligence. He calls Chinese adversaries “data hoovers, sucking up vast volumes of data from as many sources as they can”.


He says that particular areas of interest are high-tech industry and research establishments. “They try to get a development advantage through stealing intellectual property – designs of new kit, drugs and more.”

China is also interested in understanding current political thinking around economics and relationships with other countries. “Hence why there have been numerous cases around individuals with influence in Parliament,” says Ingram.

Defence is another area of focus. China wants to understand the UK’s actual capabilities and strength, which is why it is the likely culprit behind the hack of the defence payroll system, Ingram suggests.

The country is also teaming up with other nation-states to further its aims. China is using its relationship with the other CRINK adversaries “to good effect”, helping them to avoid sanctions, says Thornton-Trump.

He says the Chinese are moving quickly to establish a global financial system outside of US influence, pointing to BRICS, an intergovernmental organisation comprising Brazil, Russia, India, China, South Africa, Iran, Egypt, Ethiopia, and the United Arab Emirates.

“This group has every potential to bypass American scrutiny and rules, allowing a nearly unregulated free flow of investment, currency exchange, banking services and trade among the member nations,” Thornton-Trump warns.

Chinese groups

One of the biggest China-linked groups operating at the moment is Earth Krahang. The group has been seen compromising government agencies, says Andy Swift, technical director of offensive security at Six Degrees. “It abuses relationships between departments, state entities and other governments to launch attacks by exploiting the trust between them and evading detection.”

For example, the group has been observed using government infrastructure to host malicious payloads, route proxy attack traffic, and send spear-phishing emails to state-related targets using compromised government email accounts.


Hannah Baumgaertner, head of research at Silobreaker, names prominent groups to look out for, such as APT27, APT31, and BlackTech. “These groups primarily conduct espionage operations, aimed at government organisations and operational technology, as well as other industries to obtain trade secrets.”

Disinformation campaigns are also common, especially in the run-up to elections. “Chinese adversaries continuously adapt their techniques to evade detection, often targeting so-called ‘edge devices’ – security and network devices accessible to the internet – for initial access,” says Baumgaertner.

Meanwhile, she says that groups have been observed exploiting zero-day vulnerabilities in commonly used software to launch attacks.

Muddling Meerkat is another suspected Chinese state-backed group. “The group exploits short search domains that some companies use, allowing attackers to bypass security apparatus and infiltrate private networks,” says Manfred Kwek, regional security coordinator for Healix.

Another China-linked adversary, Volt Typhoon, has targeted companies and organisations involved in US critical infrastructure since 2021. Kwek says the group is well-known for “living off the land” and using servers and assets to steal confidential information. “They can use routed traffic to steal credentials and compromise a legitimate account, making it challenging to identify and stop the group.”

Vetting third-party suppliers

The threat is certainly significant, especially for firms operating in specific sectors and government entities. State-sponsored attackers have the resources and patience required to identify and attack weaknesses across a target’s entire network, including their third-party suppliers, says Simon Bain, data security expert and CEO of OmniIndex. With this in mind, he says: “All vulnerable and valuable data must be kept secure throughout the chain, from source to third party.”

Companies or governments should have secure onboarding processes for third-party vendors, says Kwek. “These can include thorough checks on a vendor’s cybersecurity practices before onboarding them into a company’s network,” he advises.

Organisations must also be quick to report and disclose breaches to avoid further attacks and receive support, says Kwek. “Reporting such incidents does not harm a company’s reputation; it saves it from further attacks.”

At the same time, employees should be wary of any unexpected communication via email, SMS or social media, says Baumgaertner. “Regular cybersecurity awareness training should be provided to employees. This ensures all staff are confident in identifying potentially malicious behaviour and communication. They’ll also know who to report this activity to, so you can cut off unauthorised access as soon as possible.”

Nation-state adversaries, including China, pose a growing threat, especially to firms operating in impacted sectors. It’s essential to know your risk and take steps to safeguard your data, including robust policies when choosing third-party suppliers.

Mitigating the China threat: Top tips for businesses and government

Vet your third-party suppliers: Secure your data throughout the supply chain and ensure a robust onboarding process for third parties.

Patch your systems: Nation-state adversaries often take advantage of software vulnerabilities, so it’s important to patch systems in a timely manner.

Educate your employees: Make everyone aware of the threat posed by China and ensure staff are trained to spot phishing across email, social media and SMS.

Share threat intelligence: Report breaches as and when they happen and get involved in industry initiatives to share threat intelligence.

Know your risk: China poses more risk to government entities and businesses in specific sectors. Know how an attack could affect you, and put measures in place, including taking out insurance and preparing your incident response, to protect you in the event of an attack.
