Latest Updates from China Digital Times
• China Joins in Global Hacking Spike Amid Pandemic
• Using Moscow’s Playbook, Beijing Sows Doubt into COVID-19 Narrative
• Grass-Mud Horse Lexicon: Digital Disobedience
Photo: Untitled, by Hsiuan Boyen
© Sophie Beach for China Digital Times (CDT), get_post_time('Y'). |
No comment |
Feed enhanced by Better Feed from Ozh
China Joins in Global Hacking Spike Amid Pandemic
Last week, U.S. cybersecurity firm FireEye published a report on "one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years," identifying its alleged perpetrator "APT41" as "one of the most prolific threats that FireEye currently tracks." From Christopher Glyer, Dan Perez, Sarah Jones, and Steve Miller:
[…] Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. Countries we’ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility. It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.
[…] There is a lull in APT41 activity between January 23 and February 1, which is likely related to the Chinese Lunar New Year holidays which occurred between January 24 and January 30, 2020. This has been a common activity pattern by Chinese APT groups in past years as well.
[…] We did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry. We observed a significant uptick in CVE-2019-19781 exploitation on February 24 and February 25. The exploit behavior was almost identical to the activity on February 1, where only the name of the payload ‘un’ changed.
[…] This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41. [Source]
FireEye released a detailed report on APT41 last August, describing it as "a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations."
[…] APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.
[…] Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China’s Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.
[…] Like other Chinese espionage operators, APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015. This shift, however, has not affected the group’s consistent interest in targeting the video game industry for financially motivated reasons. The group’s capabilities and targeting have both broadened over time, signaling the potential for additional supply chain compromises affecting a variety of victims in additional verticals.
APT41’s links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enables it to conduct its own for-profit activities, or authorities are willing to overlook them. It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41. [Source]
In a blog post later in August, the company described coming "toe-to-toe with APT41" following "suspicious activity on a publicly-accessible web server at a U.S.-based research university." In October, FireEye reported the apparent involvement of APT41 and "separate threat groups with suspected Chinese state-sponsored associations" in targeted tapping of text message conversations and phone call metadata from "political leaders, military and intelligence organizations and political movements at odds with the Chinese government." This was achieved by compromising network infrastructure, but "beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance." APT41 has also been linked to an attacker called Winnti Group, which has been accused elsewhere of "highly targeted" invasion of computers at two or more Hong Kong universities late last year amid the city’s long-running anti-extradition turned pro-democracy protests.
Over the past year, U.S. officials have complained that "since the announcement of Made In China 2025, the Department [of Justice] has brought trade secret theft cases in eight of the ten technologies that China is aspiring to dominate," claiming "probably about a thousand plus investigations" ongoing into actual or attempted theft of American IP, "almost all leading back to China." As FireEye alluded in its August report on APT41, such direct theft subsided following an agreement on commercially-motivated hacking between China and the Obama administration in 2015, but was later reported to have revived. The carefully narrow terms of the 2015 agreement somewhat complicate this picture, however.
In the realm of non-commercial espionage, meanwhile, the U.S. Department of Justice brought charges against four Chinese military officers in February for their alleged involvement in the 2017 breach of credit reporting agency Equifax. Reporting on politically driven hacks against Apple iPhone users and Australian political bodies last year suggested that some victims are choosing to keep quiet to avoid antagonizing China.
The attacks attributed to APT41 are just part of a spike in reported activity by both Chinese-sponsored and other government-linked and criminal hacking groups around the world amid the ongoing pandemic, which has prompted a coordinated response from the security community. Other recent incidents include attacks on the World Health Organization, including some tentatively linked to "Dark Hotel," an entity suspected to be linked with the South Korean government with "a long history of hacking North Korean and Chinese victims, with a focus on espionage." NBC’s Kevin Collier reported earlier this month on the prolific use of outbreak-related information as bait in phishing attacks.
“We’ve seen Russia use it against Ukraine, China use it against Southeast Asia, North Korea against South Korea,” said Ben Read, the senior manager for cyberespionage analysis at the cybersecurity firm FireEye.
FireEye analyzed emails from Chinese hackers to Vietnamese targets, and in one purporting to be reassurances from Vietnamese Prime Minister Nguyen Xuan Phuc that the government was doing everything in its power to contain the spread of the virus FireEye found malware that would compromise the computer of any user who downloaded it.
“These lures have really authentic branding, like they pretend to be from the CDC or the WHO or other really credible groups, and then target people based on ‘this seems like a really interesting thing offering me more information in a time that has so much information,’” said Lindsay Kaye, who also researched coronavirus phishing emails for the cybersecurity company Recorded Future.
[…] “The story started in Asia, and has kind of migrated, so the threat actors are following the virus,” said Adam Meyers, CrowdStrike’s vice president of intelligence. “They go from China to surrounding areas around China, they start targeting Japan, they start targeting South Korea, they start targeting Europe.” [Source]
More from Patrick Howell O’Neill at MIT Technology Review:
Two hacking groups aligned with the Chinese government targeted Vietnam, the Philippines, Taiwan, and Mongolia, the cybersecurity firms FireEye and Check Point reported today. The hackers are sending email attachments with genuine health information about coronavirus but laced with malware such as Sogu and Cobalt Strike, according to Ben Read, a senior intelligence analyst at FireEye.
[…] “You expect to get information from government sources, so it’s most likely that you will open and execute documents to see what it says,” said Lotem Finkelstein, head of threat intelligence at Check Point. “It makes it very useful to trigger an attack. The coronavirus outbreak serves threat actors very well, especially those that rely on phishing attacks to ignite attacks.”
[…] In addition to ongoing activity by government-sponsored hackers, cybercriminals are taking advantage of the chaos of current events. Hackers have previously used anxiety surrounding Ebola, Zika, and SARS to make money.
[…] “Attackers are also subverting internal businesses’ credibility in their attacks,” researchers from the cyber firm Proofpoint wrote. “We have seen a campaign that uses a Coronavirus-themed email that is designed to look like an internal email from the company’s president to all employees … This email is extremely well-crafted and lists the business’ president’s correct name.” [Source]
The Washington Post examined the explosion in online scams on Thursday. Security issues such as phishing have become all the more pressing as information workers move en masse toward online remote work, putting many at greater risk than they might be on closely guarded corporate networks. This week, product recommendation site The Wirecutter published its first guide to "The Best Security Key for Multi-Factor Authentication," which offer "the strongest protection against phishing attacks" for accounts with platforms like Google, Facebook, and Twitter. Google’s own Titan security keys, whose Chinese manufacturing has provoked some suspicion, were not The Wirecutter’s top choice, for unrelated reasons. For more on security keys and how to use them, see user guides at TechSolidarity.org.
© Samuel Wade for China Digital Times (CDT), get_post_time('Y'). |
No comment |
Post tags: cyberespionage, cybersecurity, digital security, economic espionage, espionage, hacking, intelligence
Feed enhanced by Better Feed from Ozh
Using Moscow’s Playbook, Beijing Sows Doubt into COVID-19 Narrative
When the novel coronavirus first began circulating in Wuhan, Chinese authorities were quick to censor news and to punish doctors and others who shared information about the deadly new virus. The government’s obfuscation and censorship of news about the virus’ risk has been widely blamed for contributing to its later spread throughout China and around the world, where it has now infected close to a million people and killed more than 45,000. Now that COVID-19 cases have slowed in China following stringent containment measures, and cases are currently exploding throughout Europe and the U.S., Chinese officials have launched a disinformation campaign seeding a conspiracy theory that the virus was created and spread by the U.S. military. The Chinese charge was notably levied by Zhao Lijian, deputy director of Foreign Ministry Information Department, on his Twitter account:
Cui Tiankai, Chinese Ambassador to the U.S., later disavowed these claims, but Zhao’s initial statements appear to be part of a broader and often covert campaign being waged from Beijing. Vanessa Molter and Graham Webster track the origins of the Chinese disinformation campaign around COVID-19 for Stanford’s Cyber Policy Center:
Groundless speculation about the origins of the pandemic did not begin with Zhao, but the case of his eye-catching tweets reveals how China’s changing propaganda tactics have interacted with mangled news reporting, social media conspiracy theorizing, and underlying U.S.-China tensions—all resulting in high-profile misinformation about a public health crisis.
An examination of social media posts across Weibo, Facebook, Instagram, Twitter, YouTube, and Reddit in English, Chinese, and Japanese reveals the context and pathways that brought this particular conspiracy theory to Chinese state media and diplomatic channels. Weeks of speculation and online conspiracy theorizing about military links to the virus’ origins or emergence, combined with a broadening uncertainty about the circumstances of Wuhan’s outbreak and increasingly brittle U.S.-China rhetoric, laid the groundwork for Zhao’s inflammatory tweets and the reaction that followed.
[…] Speculation or conspiracy theory writings about a potential role for the U.S. military in Wuhan’s outbreak circulated weeks before Zhao, the Foreign Ministry spokesperson, amplified the idea on Twitter. [Source]
While Zhao Lijian’s Twitter campaign was in no way covert or even subtle, the Chinese government’s use of Twitter, which is banned in China, to spread propaganda and disinformation through fake or hacked accounts has gained attention in recent months, especially during Hong Kong pro-democracy protests last year and now again during the coronavirus outbreak. Jeff Kao and Mia Shuang Li reported on such use of Twitter for ProPublica:
ProPublica’s research tracked how the government-linked influence accounts that had targeted political dissidents and the Hong Kong protests turned their focus to the coronavirus outbreak. During the height of the epidemic in China, many of them became cheerleaders for the government, calling on citizens to unite in support of efforts to fight the epidemic and urging them to “dispel online rumors.”
With the epidemic spreading across the world, these accounts have sought to promote the Chinese government’s image abroad and shore up its support at home. One typical recent tweet in Chinese proclaimed: “We were not scared during the outbreak because our country was our rearguard. Many disease-fighting warriors were thrust to the front lines. Even more volunteers helped in seemingly trivial yet important ways.”
[…] We found a pattern of coordinated activity among the fake accounts that appeared to be aimed at building momentum for particular storylines. Central accounts with more legitimate-looking histories such as Keegan’s would make eye-catching posts; for example, a political message accompanied by a bold graphic or a meme, or a provocative video. An army of obvious fake accounts would then engage the posts with likes, reposts and positive comments, presumably to boost their visibility in Twitter’s algorithms.
Posts also used hashtags about trending topics such as the coronavirus outbreak or the Hong Kong protests to gain visibility for an account that had few followers. Other posts would use hashtags unique to the influence network, presumably to try to make them trend on Twitter. Remarkably, some of the fake accounts accumulated hundreds, and, in a few cases, thousands of followers (It’s not clear whether the fakes were being followed by real people or other fake accounts.) [Source]
The COVID-19 pandemic has revealed new Chinese government tactics in pushing questionable conspiracy theories abroad along with specific propaganda and disinformation narratives, similar to techniques long used by Russia. Julian E. Barnes, Matthew Rosenberg, and Edward Wong report for The New York Times:
China has a long history of propaganda and efforts to cajole the world into following its own narrative on geopolitical issues like Taiwan, Tibet or Hong Kong. While it pushes its policies and views, some openly anti-American, it rarely puts enormous resources behind fringe conspiracy theories.
But that has changed during the pandemic, intelligence officials and outside experts said. In a highly coordinated campaign, Chinese officials and institutions have spread talking points centered on two narratives: that the United States is to blame for the origins of the virus and that the Communist Party has successfully contained the virus after a hard-fought campaign, affirming the superiority of its system.
[…] After remaining relatively quiet early in the year, Chinese Foreign Ministry officials have in recent weeks amplified conspiratorial stories as the coronavirus outbreak has spread globally while China has claimed to have wrested it under control in the city of Wuhan where it originated.
[…] The tactics are “a significant departure from how the Chinese have operated in the past,” said Laura Rosenberger, the director of the Alliance for Securing Democracy, a project of the nonpartisan German Marshall Fund of the United States.
“Russia has long spread multiple, seemingly contradictory disinformation narratives and then said, ‘How can we know for sure what happened, how can we know the truth?’” she added. “We have never really seen China do that externally before. But now we see Chinese officials and media trying out those typically Russian tactics.” [Source]
The Alliance for Securing Democracy has added a feature on Chinese government disinformation to its Hamilton 2.0 Dashboard, which “captures content from more than 150 Chinese diplomatic and media accounts on Twitter, five state-sponsored news websites, CGTN America and CCTV+’s channels on YouTube, and official statements made by the Permanent Mission of China to the United Nations. […] Collecting data since November 2019, the China section of the dashboard has captured official government messaging on topics like the Hong Kong protests, Xinjiang, the trade war with the United States, the implementation of Huawei technology in Europe, and, most notably, the global outbreak of COVID-19.” Jessica Brandt and Bret Schafer of the ASD wrote up some of their initial findings in “Five Things to Know About China’s Disinformation Campaign”. Like other researchers and reporters, they found that Beijing’s tactics are becoming increasingly similar to Moscow’s, focusing more on pushing forward the government’s own narratives rather than just censoring others that they disagree with:
China’s more confrontational posture on COVID-19 represents a clear departure from its past behavior and signals a move toward a style of information manipulation more like Russia’s.
In the early stages of the outbreak, official Chinese messaging largely focused on human-interest stories and on Beijing’s efforts to respond to the crisis. But as the virus spread rapidly to Europe and the United States over the past month, that approach shifted. From February 27 to March 26, four of the ten most engaged-with articles on Facebook from China’s state media outlets featured content that was critical of the Trump administration’s handling of the outbreak. This appears to be one component of Beijing’s broader information strategy, which entails highlighting the chaotic nature of democratic political systems, in contrast to its own.
Meanwhile, on Twitter, Chinese diplomatic and embassy accounts promoted conspiracy theories from fringe websites and China’s Embassy in Brazil engaged in a public spat with Brazilian President Jair Bolsonaro over statements he made about China’s role in the pandemic.
Using official channels to amplify conspiracy theories and to sow doubt about established facts in the context of major political events is a tactic often used by Moscow — whether to deflect blame, dent democracy’s appeal, or both. Beijing, which has long tended to be more risk averse in its approach to information manipulation, has tended to focus on censoring criticism — suppressing critical content rather than seeding conspiratorial material that is false, polarizing, or misleading. Beijing’s more confrontational posture surrounding COVID-19 could signal a broader shift in its approach. [/securingdemocracy.gmfus.org/five-things-to-know-about-beijings-disinformation-approach/">Source]
A report from European External Action Service which tracks disinformation aimed at Europe during the COVID-19 outbreak from both China and Russia says that Chinese “state media and government officials promote not proven theories about the origin of COVID-19. Chinese coverage highlights displays of gratitude by some European leaders in response to Chinese aid.” Propaganda and disinformation about COVID-19 has also been found in advertisement features from Chinese state media in newspapers including the U.K.’s Daily Telegraph.
© Sophie Beach for China Digital Times (CDT), get_post_time('Y'). |
No comment |
Post tags: coronavirus, diplomacy, disinformation, propaganda, Twitter
Feed enhanced by Better Feed from Ozh
Grass-Mud Horse Lexicon: Digital Disobedience
The following term comes from the Grass-Mud Horse Lexicon, a glossary of terms created by Chinese netizens and encountered in online political discussions. These are the words of China’s online “resistance discourse,” used to mock and subvert the official language around censorship and political correctness. CDT is expanding its China Digital Space (CDS) wiki beyond the Grass-Mud Horse Lexicon to include short biographies of public intellectuals, cartoonists, human rights activists, and other people pushing for change in China. CDS is a work in progress.
wǎngmín bù fúcóng 网民不服从
English version of censored interview with Ai Fen (Source: CDT Chinese)
Online protest and/or circumvention campaigns; play on “civil disobedience” (gōngmín bù fúcóng 公民不服从). Came into usage during a 2020 campaign that used translation, transcription, inversion, and other visual and typographic distortions to preserve and circulate a censored magazine interview with Wuhan Dr. Ai Fen. The interview, originally published in People (Renwu 人物), covered her censure for circulating a report on an early case of the novel coronavirus (COVID-19).
The People interview, published in March 2020 as President Xi Jinping set off on his first trip to Wuhan since the outbreak, quickly disappeared from the People website and from social media. Chinese netizens, who are well-versed in censorship evasion techniques such as using code words and sharing screenshots of text, in this case innovated ingenious workarounds to keep the article alive.
Translations appeared in English, German, Vietnamese, Hebrew, classical Chinese, Cantonese, Sichuanese, Wu, Elvish, Klingon, and Martian script. There is a version in Braille, another in a font that mimics Mao Zedong’s handwriting, and another written in nucleic acid notation. There is a Star Wars version. One iteration in particular captures the spirit of digital disobedience, placing the People interview in superscript above the Baidu Baike definition of internet safety. Dozens of examples are archived at CDT Chinese.
Can’t get enough of subversive Chinese netspeak? Check out our latest ebook, “Decoding the Chinese Internet: A Glossary of Political Slang.” Includes dozens of new terms and classic catchphrases, presented in a new, image-rich format. Available for pay-what-you-want (including nothing). All proceeds support CDT.
© Josh Rudolph for China Digital Times (CDT), get_post_time('Y'). |
No comment |
Post tags: censorship, coronavirus, online activism, whistle-blower, wuhan
Feed enhanced by Better Feed from Ozh