Indictments, Attribution Unlikely to Deter Chinese Hacking, Researchers Say


Researchers are skeptical that much will come from calling out China for the Microsoft Exchange attacks and APT40 activity, but the move marks an important foreign-policy change.

The federal government is fighting back against what it says are China-based cyberattacks against U.S. universities and companies with indictments and a “naming-and-shaming” approach — but researchers aren’t convinced the efforts will come to much in terms of deterring future activity.

On Monday, the White House released an official statement announcing its attempt to push back against “irresponsible and destabilizing behavior in cyberspace.” The European Union, the United Kingdom and NATO countries also announced they will join the U.S. in “exposing and criticizing [China’s] malicious cyber-activities,” the White House statement added.

The statement also formally attributed the widespread Microsoft Exchange zero-day exploitation to China’s Ministry of State Security.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) released multiple advisories providing details about cybersecurity threats from the Chinese government, and announced the indictments of four Chinese nationals alleged to have been operating on behalf of the Chinese Hainan State Security Department.

The indictments allege that four Chinese Hainan State Security Department (HSSD) officers were behind the advanced persistent threat group APT40: Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin, as well as Wu Shurong, who allegedly wrote malware and targeted it at universities, governments and companies across the globe between 2011 and 2018.

“This indictment alleges a worldwide hacking and economic espionage campaign led by the government of China,” said Acting U.S. Attorney Randy Grossman of the Southern District of California, in a statement. “The defendants include foreign intelligence officials who orchestrated the alleged offenses, and the indictment demonstrates how China’s government made a deliberate choice to cheat and steal instead of innovate.”

CISA and the FBI have also released detailed APT40 tactics, techniques and procedures (TTPs) and mitigations.

Collective Cybersecurity Intelligence-Sharing

Lisa Plaggemier, interim executive director of the National Cyber Security Alliance (NCSA), said this outspoken stance against China is new from the E.U. and NATO, and shows an encouraging move toward more open intelligence-sharing. She also pointed out that the U.S. could have announced sanctions against China, which it didn’t do, signaling it is taking its allies’ positions into account in developing countermeasures.

“Given there were no direct sanctions levied at the current moment towards China – unlike in previous cases with Russian malicious cyber-activity – the fact that the E.U. and NATO outwardly condemned these actions – which is uncommon given their previous hesitancy to do so given deep ties between them – showcases that there is a unified front in combating this type of behavior moving forward,” Plaggemier told Threatpost.

That kind of inter-agency and international-government cooperation is important and can help deter future attacks, David Carroll, managing director for NTX Cyber at Nominet, told Threatpost. But Carroll and Plaggemier, along with others, pointed out that, besides intelligence-sharing and efforts to name and internationally shame the Chinese government for its actions, there’s no actual consequence being imposed for the alleged data theft.

“Given the ongoing rise in malicious activity, and the ratcheting up of tensions in the Cyber Cold War, it is unlikely that these steps alone will halt this nefarious cyberactivity in its tracks,” Plaggemier said.

Carroll added, “The best means of preventing harm at scale from these types of cyberattacks is to combine collective intelligence with government intervention. With an adversary indiscriminately compromising so many servers and this becoming a familiar pattern of behavior, we need to deploy our own technologies that enact protection at scale.”

Where’s the Deterrent?

Hitesh Sheth, president and CEO at Vectra, compared the APT40 indictments to last October’s charges against Russian nationals accused of being tied to the Sandworm APT. Because Russia doesn’t have any extradition agreements with the U.S., the indictments remain what Sheth called “symbolic.”

“For this (or any deterrent) to matter, the targets have to care – and stand to pay some price by ignoring the action,” Sheth said by email. “For a reminder of how effective such indictments are, hark back to last fall’s grand jury indictments of Russian GRU officers on cybercrime charges. If they slowed Russian malware campaigns, it’s hard to tell.”

Could Government Moves Increase Attacks?

It’s clear that while government posturing serves as a deterrent only at the level of diplomatic decorum, it falls to individual organizations to protect themselves from these kinds of nation-state-backed attacks.

“International cooperation, formal attribution, prosecution, sanctions, and other retorts and countermeasures, are all tools for driving more responsible state behavior in cyberspace,” Amit Yoran, CEO of Tenable and former founding director of US-CERT at the U.S. Department of Homeland Security, told Threatpost. “[But] while governments focus on attribution, deterrence and response efforts, organizations are still responsible for exercising a standard of care when operating and securing their own systems.”

Dirk Schrader from New Net Technologies said that he fears government gestures like these indictments could have the opposite of the intended effect, and end up actually being detrimental to the country’s security posture.

“All these measures and ideas are more about licking our own wounds than influencing any nation-state APT group,” Schrader said. “The security dilemma that western nations are facing can only be solved when defensive behavior gains the advantage. Any indications of intensifying on offensive measures will only lead to more intense cyberattacks.”
