Cyber Silk Road: Tracing China’s Stealth Turn
For the past two decades, when Chinese government employees hacked foreign networks, the process was often the physical-world equivalent of a “smash and grab” for sensitive data. It was noisy. Usually, “wake up the neighbors” noisy. The digital artifacts were numerous and readily observable by any defender who happened to be watching. The infrastructure and tools were often reused, leaving the same digital fingerprints on every virtual surface.
China rarely, if ever, cared when cyber intrusions were attributed, with high confidence (in public or private), to the People’s Liberation Army (PLA), Ministry of State Security (MSS), or a loosely affiliated contractor. The rehearsed public denials from official channels were always warm and ready for deployment at the next press conference. The narrative usually contained three points (we’re paraphrasing): attribution across the internet is difficult, China is a frequent target of foreign cyber intrusions, and healthy indignation that anyone would dare suggest that the Chinese government sponsored or executed cyber intrusions.
Now, in 2023, does China care when its hand is identified reaching into the foreign proverbial cookie jar? We think they do, and this shift in the Chinese government’s attitude has significant implications for security professionals and risk executives.
The shift began around the mid-2010s. Sensing the opportunity to present an alternative to the US-led rules-based international order, China has been expanding its diplomatic engagement, from the Belt and Road Initiative investments in 150 countries to brokering normalization talks between historic rivals in the Middle East. The growing interest in global affairs means that intelligence is more important than ever - but it also raises the political stakes of getting caught spying.
Timeline courtesy of Recorded Future’s Insikt Group
A recent example of cyber activity potentially derailing geo-political goals is China’s reported cyber targeting of Middle East telecommunication companies shortly before the 2023 BRICS summit. During that time, China had been leading the push for BRICS expansion to multiple Middle Eastern countries. The group voted to include Iran, Saudi Arabia, the United Arab Emirates, and Egypt. China is unlikely to receive direct comments on the activity, but behind closed doors, the move can only fuel mistrust. Public attribution for intrusions is not a good look when building consensus toward an improved economic coalition.
A shifting geo-political mission requires a change in cyber tactics. How does China move from “smash and grab” cyber intrusions to “stealth and undetected”? The short answer is to ensure the tools and tactics are quiet.
In early September 2023, Recorded Future observed a domain - scb.vmpsoft[.]com - communicating with a known Chinese government-controlled command and control (C2) server. Recorded Future tracks this particular threat actor group as TAG-67.
VMPSoft is a Russian software company and, like other software publishers, holds code-signing certificates for its products. These certificates matter because they give digital devices a signal of legitimacy: a program signed with a trusted third-party certificate raises fewer security flags during installation and operation. Certificates of various kinds are a core component of trust in modern computing and internet security.
One benefit of using a Russian software company’s digital certificates is that, in the event of attribution, China can fall back on the first point of its denial narrative, the difficulty of cyber attribution. Presumably, a Russian actor is behind intrusions that involve a Russian software company’s digital certificates.
Recorded Future’s Insikt Group previously reported on TAG-67 using a stolen code signing certificate originally belonging to VMPSoft to sign their malicious code (the malware is called “SysUpdate”). TAG-67 previously compromised multiple networks belonging to numerous Middle Eastern governments. The current targets of TAG-67’s intrusion campaigns remain opaque, but the intrusion at VMPSoft suggests they may be reloading their cache of stolen code signing certificates.
Now, of course, one tactic does not equate to stealth, but TAG-67 is also “trojanizing” (back door insertion) legitimate applications and using communication channels (DNS tunneling) across the internet that are less likely to be discovered by cyber defenders. Other Chinese government-sponsored threat actor groups have gone one step further to rely on living-off-the-land techniques post-breach, meaning they use existing programs on a target system to elevate privileges and exfiltrate data. These techniques leave little to no trace of malicious activity, casting further doubt on any attempts at definitive attribution.
Additionally, recent excellent Insikt Group reporting points out that Chinese government-sponsored groups are exploiting zero-day vulnerabilities in Internet-facing devices (firewalls, SOHO routers, VPNs, email security gateway appliances, etc.) that are often incapable of running EDR (Endpoint Detection and Response) software, which limits defender visibility.
Known zero-day vulnerabilities exploited by Chinese state-sponsored groups from 2015 to 2023; Source: Recorded Future
Insikt Group has also observed these groups compromising third-party software supply chains to further their geopolitical, security, and economic objectives while obfuscating their intrusion activity.
Recorded Future’s intelligence signals a significant shift in Chinese state-sponsored cyber tactics. What does it mean for organizational risk? The answer depends on your business. If you’re a not-for-profit or foreign diplomatic mission with even tangential links to China or China’s global interests (e.g., the Vatican), the risk is that intercepted and stolen communications diminish your future capacity to plan or negotiate with China.
Suppose you’re part of a vendor/supplier ecosystem for broad access (e.g., cloud networks or multi-factor authentication) or monitored industries (e.g., online gambling). In that case, the risk is diminished confidence in the integrity and confidentiality of your services due to Chinese subversion and spying.
Finally, suppose you are a critical infrastructure provider (e.g., Indian electrical power stations). In that case, the risk is that Chinese government-sponsored actors are quietly establishing persistence in your networks so that, in a future kinetic conflict, services to large segments of a population could be disabled.
Timeline of Chinese state-sponsored threat activity in response to geopolitical events from 2019 to 2023; Source: Recorded Future.
These scenarios are where CISOs have an opportunity to tie their technical control adjustments (additional network segmentation, proactive hunting for difficult-to-detect artifacts like web shells, and increased logging in cloud environments) to the larger story of risk impacts. The risk(s) won’t resonate with business executives unless the impacts are well articulated and clearly tied to control gaps, where appropriate.