Chinese hackers innovate to get round proliferating cybersecurity laws and monetise their activities

  • They are attacking targets at home as well as overseas
  • And are getting creative as government struggles to keep up
  • For cybercriminals, it’s as easy as PII

Where cybercrime is concerned, the Chinese government’s blunderbuss approach to state and cybersecurity means that it sometimes shoots itself in the foot: each new layer of restrictive legislation, introduced to tighten control over an already heavily surveilled population, also reshapes the incentives of the country’s own cybercriminals.

A detailed and very informative report from Insikt Group, the threat research division of Recorded Future, a private cybersecurity company based in Somerville, Massachusetts in the US that specialises in the collection, processing, analysis and dissemination of threat intelligence, shows one result of that layering. Rather than being deterred by new restrictions piled on already deeply repressive legal foundations, Chinese cybercriminals have resorted to imaginative, innovative ways to monetise their activities.

In the west, we are only too well aware that state-sponsored and independent hacker groups from the ‘usual suspect’ nations, such as China, Russia, Iran and North Korea, are constantly probing our network infrastructures in endless attempts to steal what they can, while trying to bring down our systems and disrupt our way of life. What we don’t consider very often is that China and its autocratic ilk are also being targeted, in many cases by home-grown underground cyberattackers.

The report analyses the structure of internet sources used by Chinese-speaking threat actors to facilitate cybercriminal activities, and focuses on advertisements, posts, and interactions on Chinese-language dark web marketplaces and cybercrime-related Telegram channels. It also cites some unique scams distributed around the Chinese cybercrime landscape and how they can be traced back to offerings available on dark web marketplaces.

The Chinese authorities may be keeping quiet about the proliferation of hacking in and on Chinese networks, but a major indication of just how worried they are is the enactment of the Personal Information Protection Law (PIPL) and Data Security Law (DSL). They have also banned cryptocurrency trading and crypto-mining, and have prohibited the advertising of crypto mining. New regulations have also been issued to prohibit money laundering together with new laws to combat telecom and online fraud.

The Insikt report stated: “China’s massive political drive toward a digital economy enabled by big data has opened up the attack surface for hackers and leaves data vulnerable, resulting in several high-profile data breaches leading to exposures of large amounts of PII [personally identifiable information] of Chinese nationals and international entities during the past year. It is highly likely that threat actors have harvested and analysed big sets of data, organising and parsing them into smaller sets of data that contain more specific groups and individuals to monetise them through cybercriminal sources.”

Despite the plethora of new laws and attendant swingeing penalties for those found guilty of breaking them, Chinese-language dark web marketplaces continue to evolve, as new entrants emerge to replace older ones that have gone offline.

Send me a Telegram

Telegram, the globally accessible freemium, cross-platform, cloud-based and centralised instant messaging service, is the communications method of choice for Chinese cybercriminals, who weaponise PII by compromising it and selling it on the dark web. It is worth being precise about what Telegram does and does not protect: ordinary chats and groups are encrypted between client and server and stored on Telegram’s servers, and only the optional one-to-one ‘secret’ chats and calls are end-to-end encrypted. That combination of large, persistent groups and channels with a low barrier to entry is what makes it useful as a marketplace. All Chinese-language dark web markets use cryptocurrency to finance their operations.

China’s 14th Five-Year Plan period (2021-2025) calls for a big data industry to be fostered as the industrial economy of the PRC transmutes into a digital economy. The big data industry had an average compound annual growth rate (CAGR) of more than 30% during the 13th Five-Year Plan period (2016-2020), and the government focused on building the big data industry via a new phase of “integrated innovation, rapid development, in-depth applications and structural optimisation”.

The push for big data increased markedly during the Covid-19 pandemic. However, as the Insikt report shows, “security is unable to catch up with the rapid growth of data collection, as evidenced by some high-profile data breaches reported during the past year”.

These include July’s reluctantly admitted successful cyberattack on the Shanghai National Police database, which is believed to have netted the hackers the complete records of one billion citizens. Then, in August this year, a Chinese database holding records of faces and associated vehicle registration plates was compromised, and an unknown number of records, said to run to many millions, was stolen and put up for sale.

To give some indication of the sophistication and depth of the data stolen, the Insikt report provides details of the product listings available on the dark web. For example, in September last year, the Dark Web Chinese Market site set out its stall thus: “Paid Advertisements; Data: Various stolen data including PII, carding material and more; Tutorials: Hacking techniques, social engineering, fraud schemes and more; Physical Items: Mostly sets of 4 IDs that are standard for bank account access in China; Videos: Mostly adult content; Virtual Items: Carding tutorials, templates for counterfeit documents, and more; and software websites.” Listings were priced in both bitcoin and US dollars.

The report concludes that the researchers expect “the majority of lower-level Chinese threat actors to continue to conduct cyberattacks against China’s domestic industries including healthcare, financial, government, and education entities for financial gain. More resourceful threat actors will move their cyber operations abroad or focus more on foreign data/access to diversify their portfolio, recruiting foreign cybercriminals to participate in cyberattacks against global entities.”

The report comes a matter of weeks after the PRC’s State Council announced that the country is to build and develop a national integrated government big data system. It said: “Data available to the government will also be expanded to include information on electronic licences, medical and healthcare, emergency management, and credit systems, and to incorporate them into the national integrated government affairs big data system.” 

Such a massive and massively integrated database will need the best cybersecurity available – and it will have to be constantly monitored and updated because many hackers will attempt to breach the defences to plunder the online gold mine. They will also target other state agencies that hold sensitive data and will use “data-fusion pools to analyse and break down the datasets into smaller data to weaponise them against individuals.”
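The mechanism the report describes twice, harvesting large breach datasets and then “organising and parsing them into smaller sets” via “data-fusion pools”, is a linkage attack, and the reason a single integrated national database raises the stakes is that it removes the need for the linking step at all. The following is an added illustration, not code from the report or from Recorded Future, of what that fusion looks like in practice. Both “leaks” are constructed for the example: the ID numbers, names, phone numbers and plates are fictional, and the only assumption borrowed from reality is that an 18-digit Chinese national-ID number carries the birth date in digits 7 to 14, so a year can be read from positions 6-10.

```python
"""Linkage of two constructed breach dumps into a 'data-fusion pool'.

Leak A on its own is a list of residents; leak B on its own is a list of
phones and vehicles.  Neither says much.  Joined on the shared phone number
and then sliced by district and age, the result is a targeted list of the
kind the article says criminals sell on.
"""
from collections import defaultdict

# Constructed 'leak A': resident records keyed by national ID (fictional data).
LEAK_RESIDENTS = [
    {"id_no": "310101199001011234", "name": "Zhang Wei", "phone": "13800001111", "district": "Pudong"},
    {"id_no": "310104198505052345", "name": "Li Na",     "phone": "13900002222", "district": "Xuhui"},
    {"id_no": "310115199212123456", "name": "Wang Fang", "phone": "13700003333", "district": "Pudong"},
]

# Constructed 'leak B': vehicle/camera records that carry only a phone number.
LEAK_VEHICLES = [
    {"phone": "13800001111", "plate": "沪A12345", "last_seen": "Lujiazui, 2022-08-01"},
    {"phone": "13700003333", "plate": "沪B67890", "last_seen": "Zhangjiang, 2022-08-03"},
    {"phone": "13600009999", "plate": "沪C11111", "last_seen": "Hongqiao, 2022-08-02"},  # no match in leak A
]


def id_birth_year(id_no: str) -> int:
    """Read the birth year embedded at positions 6..9 of an 18-digit ID number."""
    if len(id_no) != 18 or not id_no[:17].isdigit():
        raise ValueError("expected an 18-digit national ID number")
    return int(id_no[6:10])


def fuse(residents, vehicles, key="phone"):
    """Join two dumps on a shared identifier.

    Every output row carries all attributes from both sources, plus a derived
    birth_year.  Rows from either side with no counterpart are dropped, which
    is exactly the 'parsing into smaller sets' the report describes.
    """
    by_key = defaultdict(list)
    for row in vehicles:
        by_key[row[key]].append(row)
    fused = []
    for person in residents:
        for vehicle in by_key.get(person[key], []):
            merged = dict(person)
            merged.update({k: v for k, v in vehicle.items() if k != key})
            merged["birth_year"] = id_birth_year(person["id_no"])
            fused.append(merged)
    return fused


def slice_targets(fused, district=None, born_before=None):
    """Carve the fused pool into a narrower target list by district and/or age."""
    rows = list(fused)
    if district is not None:
        rows = [r for r in rows if r["district"] == district]
    if born_before is not None:
        rows = [r for r in rows if r["birth_year"] < born_before]
    return rows


def enrichment_ratio(residents, fused) -> float:
    """Share of residents whose record gained attributes from the second leak."""
    enriched = {r["id_no"] for r in fused}
    return len(enriched) / len(residents) if residents else 0.0


if __name__ == "__main__":
    pool = fuse(LEAK_RESIDENTS, LEAK_VEHICLES)
    for row in slice_targets(pool, district="Pudong"):
        print(row["name"], row["plate"], row["last_seen"], row["birth_year"])
    print(f"{enrichment_ratio(LEAK_RESIDENTS, pool):.0%} of residents enriched")
```

The join key here is a phone number, but in practice any stable identifier shared across dumps (ID number, email, plate) will do, and the defensive lesson is the mirror image: a dataset that cannot be joined to anything else is worth far less to a buyer, which is an argument for tokenising identifiers per system rather than carrying the raw national ID or phone number everywhere.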

In closing, the report stated: “The Chinese government’s push for an integrated system for their political and economic objectives will likely come with negative consequences, allowing the cybercriminal landscape to evolve and thrive with more threat actors devising new and innovative methods to weaponise and even manipulate PII to serve the needs of other criminal gangs and organisations in the event of future data breaches.” 

What’s more, the authorities will not be quick to acknowledge a successful attack when, as seems all but inevitable, one happens. If the first and continuing reaction of functionaries at every level of a Chinese organisation to any problem that threatens loss of face or invites close scrutiny is to deny that anything has happened, and then to construct an elaborate facade to cover up the denials and obfuscations, it could be years before any major mistakes become apparent.
