Major U.S. adversaries and competitors are enhancing and exercising their military, cyber, and other capabilities, raising the risks to the nation, the Office of the Director of National Intelligence (ODNI) reported in its 2021 Annual Threat Assessment. In its public report, ODNI highlighted China’s push for global power, as well as the activities of several other nations.
MeriTalk recently connected with Devin Thorne, a threat intelligence analyst at Recorded Future, to discuss China’s evolving intelligence operations and increasingly sophisticated state-sponsored cyber activities. Recorded Future is the world’s largest provider of intelligence for enterprise security.
MeriTalk: Let’s talk about state-sponsored cyber activities. What are some of the biggest developments you’ve seen in recent months?
Thorne: The spate of attacks on Microsoft Exchange servers stands out. The timeline and details of those attacks suggest the possibility of increasing coordination between China-based advanced persistent threat (APT) groups. At least five China-linked APTs were exploiting the vulnerability in Exchange servers prior to Microsoft’s patch. This suggests they all had access to the same zero-day exploit.
The discovery that APT31 – which Recorded Future tracks as Red Bravo – acquired, cloned, and exploited a tool developed by the U.S. National Security Agency as early as 2014 is also important. Although we don’t know exactly how the group acquired this tool, it drives home the fact that Chinese state-sponsored threat actors are highly capable, and they are set to become more capable.
MeriTalk: The Annual Threat Assessment from ODNI called out activities coordinated by the Chinese government, North Korea, and others. What are the biggest things in that report that folks should pay attention to?
Thorne: The ODNI’s public assessment concludes that China’s information influence capabilities are considerable, and its assessment of China’s counter space platforms and intention is also important. That pertains to disrupting or eroding U.S. military information dominance by taking out satellites or otherwise obstructing our information systems. The ODNI also highlighted that the Chinese Communist Party (CCP), as well as the People’s Liberation Army (PLA), are able to conduct effective cyber espionage operations and they possess significant cyberattack capabilities.
Ongoing reforms to China’s intelligence community and the military that started in 2013 and 2015, respectively, are pushing the professional intelligence services and the PLA to become more effective. I expect that the capability gap between the U.S. and China is narrowing in cyberspace and a number of other domains, in line with ODNI’s assessment.
MeriTalk: How is cyber espionage similar or different from exploits on IT systems?
Thorne: We can differentiate cyber espionage in two ways: motive and tactics. Looking at motive, cyber espionage is the application and exploitation of computer networks to further espionage goals. Specific to China, cyber espionage is conducted to advance the goals of China’s professional intelligence services. Looking at tactics, I focus on three trends:
- Targeting and bulk collection of personally identifiable information;
- Sidelong attacks against shared network infrastructure and services to compromise specific targets; and
- High-level compromise of telecommunications infrastructure.
The Microsoft Exchange Server attacks are an excellent example of a sidelong attack. Managed service providers, non-cyber related entities including law firms, journalists, news organizations, and others are all potential targets because of their connections to other groups with access to relevant intelligence. Once compromised, these organizations become vantage points from which threat actors can pursue their real targets.
MeriTalk: Looking at our near-peer adversaries, the Chinese government seems to stand out in the cyber espionage arena. What is China doing differently than other nation states?
Thorne: Many countries engage in espionage and cyber espionage. Even economic espionage and technology transfer are not unique historically. But China’s economic growth and ambition to achieve very rapid increases to its national power and technological prowess have led the CCP to deploy traditional and cyber espionage tools on a very large scale and in a way that is much more coordinated and centralized than we’ve seen in the recent past.
The CCP’s approach to accessing strategic intelligence, cultivating influence overseas, and achieving technology transfer has led to the creation of three distinct bureaucracies. These bureaucracies share goals in a number of areas, and they are mutually supportive, but they are distinct from one another in how they pursue their goals. The professional intelligence services are only one of these systems. This makes China’s approach unique. It also makes mitigation difficult, because it is hard to neatly define their activities, to determine what’s legal and illegal, and to determine what is technically an intelligence operation and what’s not. In fact, many of the economic espionage activities undertaken by these systems are legal in the United States.
MeriTalk: Let’s talk about human intelligence, or HUMINT. How often do spies or intelligence assets drive information gathering?
Thorne: Public data shows that the primary model for human intelligence operations conducted by China’s professional services is to have intelligence officers stay in China. They make contact with targets when those people go to China, or through social media. The intelligence officers will also recruit overseas intermediaries who are then tasked with building out a wider network of assets on behalf of the intelligence services, but these assets don’t have specific training. Specific numbers are unclear, but most of what we read about in news media probably does not have a direct link back to China’s professional intelligence services.
MeriTalk: What are typical methods of human intelligence gathering?
Thorne: In the professional intelligence services, intelligence officers pose as academics or civil society figures to lure foreign academics or businesspeople to a conference or meeting in China. That exposes the traveler to either pressure or to access. When officers do go abroad, they can be covered as journalists, diplomats, or a variety of other identities.
Another way is using insider knowledge. Perhaps a specific person in an IT department helps map a system or explains how it is protected. Not unique to China: simple bribery to elicit cooperation and the use of front companies for acquiring restricted technology from overseas are common. At academic conferences, people take notes on what’s happening. It’s public data, but it’s being collected for an illicit purpose. Patents are another big area. China’s bureaucracy will monitor worldwide filings, translate filings of interest, and disseminate them to different entities to start additional research.
On the political side, community organizations that provide legitimate social interaction can be targets for the professional services as well as other bureaucracies. Representatives of the CCP, for example, will elicit the cooperation of the leaders of community organizations to support China’s view on certain policies. The broader members of these social groups may not be fully aware of this manipulation. Because these groups are entitled to their political opinions in the United States, I think it requires us to think about how we protect freedom of speech and how we ensure people can disclose pressure from what they believe are foreign government agents without fear of reprisal from China or the United States.
MeriTalk: It sounds like some people who are funneling information to China are acting legally. We’re most concerned about the aggregation of that information.
Thorne: I agree. The transfer of knowledge, like taking research to China, is legal in a lot of cases. It’s illicit because this knowledge transfer is encouraged very aggressively by the CCP, but it is not illegal. That knowledge aggregates in China; it is commercialized and subsidized, and it can be spun off for military development or other national strategies.
Evidence-based approaches to managing exposure to CCP systems of espionage in academia and other areas don’t require broad exclusions of certain groups based on ethnicity. I encourage people in positions of responsibility to consider that risk is intended to be managed. It’s not intended to be avoided altogether. Sometimes, avoiding risks can create negative impacts that run counter to the United States’ broader strategic goals.
MeriTalk: Recorded Future sits in an interesting place. You’re aggregating intelligence, bringing in other data sources, and triaging information. What is going on behind your curtain as you investigate cyber espionage?
Thorne: Recorded Future is striving to combine the best capabilities of machines and humans. On the machine side, the Recorded Future platform provides real-time analytics and intelligence on threat leads and indicators of compromise, and it monitors news and social media from a broad range of open, closed, and technical sources in most if not all major languages.
On the human side is our Insikt group. Insikt means “insight” in Swedish. It’s a group of about 50 analysts who speak about 17 languages and have an average of more than 10 years of experience in their focus areas. We put the bulk data coming into the platform into context. We are constantly adding new intelligence and research to the platform to help our clients understand what they need to focus on and how they can reduce risk. We put the technical incidents of potential cyber espionage in perspective by striving to understand the motives of the likely perpetrators.
MeriTalk: How does your political intelligence solution help organizations understand shifting dynamics in specific geographical areas?
Thorne: The Recorded Future platform applies natural language processing techniques to information as it comes into the platform. In real time, it translates non-English sources to English and categorizes how people are talking about certain things at different times to identify, for example, a military exercise, a cyberattack, or inflammatory rhetoric that is indicative of future violence. It’s also searchable by location, and integration with Esri’s mapping and geospatial analytics software enables users to visualize the data.
In addition, our staff monitors the situations that are most relevant to our clients, drawing on our language expertise, in-country experience, and other insights to produce finished intelligence. I would be remiss if I didn’t emphasize that our conversation today has been about espionage, but we also cover extremism, terrorism, information operations, and physical security.
MeriTalk: What actions could help the public and private sectors improve their intelligence gathering?
Thorne: Not specific to China – one of the most cross-cutting, impactful changes that can happen is to make it easier to work with entities in the private and nonprofit sectors to harness publicly available information, PAI. Some parts of government have done incredible things with PAI, but from an outside perspective, those examples appear few and far between. Classified intelligence appears to be prioritized over PAI, and once PAI is discovered by the government, it becomes classified. That’s unfortunate, because a wealth of data in open sources and commercial sources can provide critical insight into intractable issues if analyzed in the right way. That analysis can be very time consuming and resource intensive, and it can require skills from outside the government. I’m not saying the focus on classified intelligence needs to diminish, but I think there are new ways to leverage PAI.
With regard to China, the CCP’s cyberspace management authorities are routinely ordering or at least overseeing the takedown of materials that are very useful for researchers, so what was available last month or last week is not necessarily accessible today. I would love to see a more centralized, federally funded effort to archive and translate Chinese language sources. This is happening at various companies and organizations, at least in the United States, but without a more centralized approach, forming a complete picture of what’s happening in China is going to remain difficult and probably become more difficult in the future.