With China’s economy foundering, it’s likely to carry out more aggressive cyber espionage campaigns, designed to steal foreign intellectual property, over the next year, according to a new report.
According to a white paper from threat intelligence firm Cyjax, the country’s economy is still suffering from the effects of Covid-19, its manufacturing industry is shrinking and its property sector is over-leveraged, thanks to an aggressive borrowing strategy. And as a result, predicts Cyjax, it’s likely to ramp up its existing practice of attempting to steal intellectual property from Western companies, use subsidies and non-tariff barriers to build businesses and then create a protected domestic market to give them a global advantage.
“China is a far more complex and nuanced territory than generally portrayed. Its internal pressures are likely to lead to increased cyber espionage activity, rather than slowing it down,” said Ian Thornton-Trump, CISO at Cyjax.
“The PRC’s approach to cyberspace has always been to use it to advance its business interests, extracting technologies from Western companies and creating a protected domestic market for these industries, giving them an advantage in the global market.”
The report highlights a number of threat groups that Cyjax expects to see increasing their activities over the next year.
The Gallium group, active since at least 2012, is part of Operation Soft Shell, which targets global telecoms and Microsoft Exchange servers. The group targets and steals intellectual property from telecommunication, financial and government entities in Southeast Asia, Europe, Africa and the Middle East. Operation Soft Cell has also been linked to the notorious APT41, a financially motivated Chinese state-sponsored espionage group which has been active since 2012.
More recently discovered is the Sandman group, which targets telecoms providers in the Middle East, Western Europe and South Asia. It uses a novel backdoor that abuses the LuaJIT platform to deliver malware. Once it gains access to a system, the group carries out various activities, including creating limited amounts of files and directories and installing its Lua-based custom backdoor.
MustangPanda, meanwhile, has been actively targeting countries with which Beijing has clashed, and in particular several Southeast Asian governments. It’s been linked, for example, to a cyberattack that successfully compromised a Philippines government organization for five days in August last year. It also targeted the Taiwanese government and diplomats in December 2023.
Finally, Cyjax is predicting increased activity from VoltTyphoon, believed to have been operating since 2021, and responsible for a large number of high-profile attacks. It appears to target critical infrastructure organizations for intelligence-gathering purposes, at the behest of the Chinese government. It uses Living off the Land Binaries to remain undetected.
Last October, the intelligence chiefs of the Five Eyes nations—the U.S., the U.K, Australia, New Zealand and Canada—issued a joint advisory warning about the group, which they said represented an “unprecedented” threat. VoltTyphoon, they warned, was stealing secrets particularly in the fields of AI, quantum computing and synthetic biology.
Says Thornton-Trump: “With a better understanding of the country’s internal forces, and how these relate to its cyber strategy, we can plan better defences against PRC cyber espionage.”
forbes.com