Russia and China lead on offensive cyber skills

Analysis

The United Kingdom on July 16 attributed breaches of Oxford-based COVID-19 vaccine research facilities to APT-29, a hacking group linked to Russia's Foreign Intelligence Service, the SVR (see INTERNATIONAL: COVID-19 alters focus of cyberespionage - June 11, 2020). The UK statement was backed up by Canada and the United States, which are also part of the Five Eyes intelligence sharing alliance together with Australia and New Zealand.

Oxford researchers supported the attribution when they revealed the same day that they had noticed their Russian counterparts were taking a similar approach to vaccine development.

Also on July 16, the UK foreign secretary revealed that Russia had tried to interfere with the 2019 general election by stealing and leaking documents on UK-US trade discussions online.

On July 21, a UK Intelligence and Security Committee report called Russia an "urgent" national security threat due to its willingness to deploy its sophisticated cyber capabilities "in a malicious capacity" (see INT: UK report on Russian meddling has broad impact - July 21, 2020).

These public attributions have drawn attention to Russian offensive capabilities.

Russian capabilities

According to the UK National Cyber Security Centre (NCSC), APT-29 enters digital networks by using publicly available 'exploits' to scan them; the purpose of this is to obtain authentication credentials that can give hackers deeper access into the networks.

It uses a broad targeting method, meaning it likely maintains a store of credentials, which may not be relevant presently but could be useful in the future. In the case of COVID-19 vaccine research facilities, APT-29 ran a basic vulnerability scan against the IP addresses owned by the facility, after which it deployed public exploits against the vulnerable services that it had identified.

In some cases, it also used custom-built malware that the NCSC has named WellMess and WellMail. This malware was previously not known in the public domain and had not previously been used by Russian state-actors. This underlines the sophistication of the new tools Russia is developing and deploying against the high-stakes target.

APT-29 receives little publicity compared with other Russian threat actors because it focuses on covert intelligence collection. In contrast, APT-28, which is reportedly linked to Russia's GRU military intelligence agency, has conducted much bolder and more destructive campaigns.

APT-28's operations indicate that it employs skilled developers and frequently uses 'zero days' -- vulnerabilities that are unknown and for which patches do not exist.

APT-28 and APT-29 are believed to be two of the most capable cyber actors in the world. They were also linked to the breaches of the US Democratic National Committee (DNC) in 2016. APT-28 has been linked to the hack of French TV station TV5 Monde in 2015.

China's skills

The US government on July 21 indicted two Chinese hackers, who worked with the Ministry of State Security (MoSS), for conducting a decade-long operation against companies engaged in high-tech manufacturing, pharmaceuticals and gaming software development.

The indicted persons are said to have also targeted dissidents, clergy and human rights activists in the United States, China and Hong Kong. Their latest mission was to probe vulnerabilities in the networks of companies working on COVID-19 vaccines, treatments and testing technology.

The indictment is significant in that it describes the hackers as working partly for personal financial gain and partly as state proxies.

From the information provided in the indictment, their methods do not seem especially sophisticated: to gain access to the target networks, the hackers exploited known vulnerabilities in popular web server software. They were effective because the vulnerabilities had only recently been publicly revealed, and many companies and users would not yet have had a chance to install new patches.

'Cloud Hopper'

Chinese cyber theft of Western intellectual property is a longstanding concern. The most notorious cyberattacks include the 2015 hack of the US Office of Personnel Management and the 'Cloud Hopper Operation' discovered in 2018. The latter involved several Chinese operatives including a highly skilled MoSS unit known as APT-10.

These groups conducted a multi-year operation in the systems of the world's leading cloud service providers, including Ericsson, Hewlett Packard, IBM and Fujitsu, for gathering economic intelligence and intellectual property. However, the capabilities of the units involved varied considerably, with some seemingly stealing files at random.

The 'Five Eyes' group of intelligence-sharing governments attributed the operation to China in December 2018. Many details of the breach have been withheld at the request of the corporate victims, who fear reputational damage and loss of client confidence. This reluctance hinders attempts to deter the adversary and stop future attacks.

China is leveraging this reluctance as it builds its cyber capabilities; currently it lags Western skills in many areas, including innovation capabilities, cyber military strength and the coherence of the national cyberspace strategy.

President Xi Jinping wants China to become a 'cyber superpower'. Beijing has also created the Strategic Support Force under the People's Liberation Army (PLA). The unit is still being developed but could eventually prove to be one of the PLA's most valuable capabilities.

Western strategy

Western states boast highly sophisticated cyber capabilities, as shown by the Stuxnet operation, believed to have been launched jointly by the United States and Israel. In 2018, Washington adopted a new strategy which allows US Cyber Command to conduct persistent operations to challenge adversarial activities, including by reaching into the networks of hostile countries.

UK agencies have also conducted offensive cyber operations against Islamic State actors.

However, Western state-linked actors face transparency and accountability pressures from which their Russian and Chinese counterparts are free. Western actors also lack the same incentives to steal intellectual property.

Consequently, Western governments have focused on attribution since 2017, with limited impact (see PROSPECTS H2 2020: Cybersecurity - June 4, 2020).

The Russian ambassador to London rejected the most recent UK allegation about Russian hacking, even though the NCSC said it was 95% certain in its attribution of the Oxford hack. With this kind of certainty, cyberattacks are no longer plausibly deniable.

Attribution without proportionate retribution -- most of the penalties for cyberattacks have been economic and diplomatic sanctions with limited consequences -- risk portraying Western countries as soft targets that lack resolve.

Outlook

This means that offensive Russian and Chinese cyber campaigns will continue increasing as these states' capabilities develop. Russia's operations indicate that its units are more skilled at sabotage; operations often have political goals. China's focus remains on intellectual property theft and espionage for economic gain, although Russia's APT-29 is also skilled at the latter.