Dave Bittner
You're listening to the CyberWire network.
Kyla Cardona
Powered by N2K. Ransomware, supply chain attacks and zero day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of the ThreatLocker zero trust endpoint protection platform. Robust cybersecurity is a non negotiable to safeguard organizations from cyberattacks. ThreatLocker implements a proactive, deny by default approach to cybersecurity, blocking every action process end user unless specifically authorized by your team. This least privilege methodology mitigates the exploitation of trusted applications and ensures protection for your organization. 2473655 IT professionals are empowered by ThreatLocker application allow listing, ring fencing, network control and EDR solutions, enhancing their cybersecurity posture and streamlining internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit threatlocker.com.
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Aurora Johnson
We looked at China's data breach and leak ecosystem and we discovered that there's a lot of interesting differences between the Chinese speaking cybercrime world and the Russian and English speaking cybercrime worlds. We found that their cybercrime ecosystem depends a lot more on persistent access, often persistent insider access directly to data sources and that they often siphon off this data and sell it on the black market.
Kyla Cardona
In today's sponsored Industry Voices Research Saturday, we speak with Kyla Cardona and Aurora Johnson from SpyCloud. The research is titled China's Surveillance State Is Selling Citizen Data as a Side Hustle.
Dave Bittner
So as a security researcher I'm curious by nature.
Kyla Cardona
So that's Kyla Cardona.
Dave Bittner
When I went on the platforms like Breach Forums and other illicit platforms on Telegram that we know of on the Western Russian European side, I would see small bits of Chinese data and I was curious. I was like there needs, you know, there has to be more where this came from. And so I took some clues and I did some deep diving and I uncovered a very different cybercrime ecosystem. And the way that they have they prefer firsthand data or fresh data rather than data that is hacked or leaked. So they prefer that because they say that it's directly from the source. So they have two different major exfiltration methods known as SDK, which is backend permissions on apps mostly, and DPI, which is deep packet inspection, which is done through major telecom centers in China like China Unicom, China Mobile and China Telecom. So there's insiders on both ends of that spectrum that exfiltrate data daily, allegedly, is what they say, and that's the data that is sold, traded, and also used to funnel these shegongkus or SGKs that are these lookup queries that are public and private. So when it comes to the, when we compare it to the Western European, Russian side, which mostly consists of hacked or leaked data, data breaches from people or malicious cyber actors, it's different when you compare it to the Chinese one, because when it comes to Chinese, those actors, they prefer data directly from the source and they call the databases that we call data breaches secondhand data because they don't essentially believe that it could be like they question the credibility on that kind of data because it is, you know, from a hacking method or a penetration tool. And they also have this obfuscation tactic. So if they were to breach a website, then they would name it by the industry rather than the actual website.
And this is, we believe that this is an obfuscation tactic because in order to preserve their access to that website, they don't want to name it, they'd rather name it by industry rather than the actual website itself, which is the opposite of what you see people doing on Breach Forums for leaked, for hacked and leaked data breaches, because those are usually named by the website itself.
Aurora Johnson
I was just going to add on to that last point, which is just forums like Breach Forums and some of the Western forums that we track. Oftentimes the actors actually will name breaches not even for the entity that they hacked, but for the entity that has the most interesting data within the data set. And there's just like a strong culture of boasting about the breaches that they have. And it's the opposite in China. They're trying to be stealthy and like Kyla said, it's likely to preserve insider access in at least some cases.
Kyla Cardona
No, that's interesting, Aurora, with the research that you all have done here, how big a window do you suppose you have into this network?
Aurora Johnson
So we track hundreds of Chinese language cybercrime channels on Telegram, some of which have tens of thousands of accounts that are in them. But I think this is just a window into the overall Chinese cybercrime threat ecosystem. And we've only scratched the surface in looking at these actors.
Kyla Cardona
I see. Well, let's talk a little bit about the terminology and language. The research mentions some Chinese slang things like pantsless data. How do these colloquialisms shape the way that these data leaks are advertised and traded in these specific communities? Kyla.
Dave Bittner
Yeah, so pantsless data is a homophone for library dragging, which technically means, in Chinese slang, that you're hacking someone's databases. So these terms are really important to understand the cybercrime ecosystem because you can't find this data without using those terms. Pantsless data, SDK, DPI, MD5. MD5 is another term that they use for anything that is cracked. So any cracked or anything you're trying to crack, so any hashed passwords, whether it's SHA256, MD5, SHA12, SHA512, all of those things, they all fall under MD5. So the slang is very important in understanding the ecosystem, I'd say. And it's used in all aspects of the platforms that they use. So whether we see them on X, on Telegram, one recently on Bluesky, that's the only way to kind of understand the ecosystem is if you know what these terms mean because these are what they use every day in this entire cybercrime ecosystem.
Kyla Cardona
It's an interesting insight. You have to know the lingo to be able to read what's happening behind the scenes, I guess.
Dave Bittner
Absolutely, yeah.
Kyla Cardona
When you look at the trends here, I mean the methods that these China actors, that these Chinese actors are using to exfiltrate and sell the data, how do their methods compare to some of the other global cyber criminal operations that you all are familiar with?
Dave Bittner
It's very different because I'm not aware of Western or European or Russian actors truly having exfiltrated data every day from insider access or backend permissions and then funneling that into a shegongku, which I don't believe anybody is safe from because these data leak channels and those shegongkus, they have data from prominent Chinese CCP members, APT members, PLA members, all the way to ethnic minorities. So everyone can be on the shegongku. Although there are some cybercriminal actors that already post and, and tell and sorry, there's already, there's some Chinese cybercrime actors that post on their channels that they will not post any information about people in special departments, those in government positions or state owned enterprises. So while there's those people that do have protections for people of the government, there are some shegongkus or SGKs that do not have the same type of exceptions and they will post about Chinese officials, people in the government, PLA members, APTs, pretty much anyone and everyone.
Kyla Cardona
Aurora, anything to add there?
Aurora Johnson
Yeah, so I think Kyla really hit the nail on the head. But I think the main difference is there's much more emphasis on maintaining persistent access and posting data every single day from that same access. And I would say in the West a lot of times it's more about hacking as much data as you possibly can and leaking it all. So for example, we see ransomware data leaks where they're very loud about having access to networks. They lock and encrypt the entire network and then they'll post literally sometimes 40 terabytes of data from a single intrusion. In China they're a lot more focused on having persistent access over time and posting every single day new data from that access. That also gives us challenges as SpyCloud because when we're looking at that data we have to use different strategies to try and parse it and understand it and understand what's there.
Kyla Cardona
That's a really interesting insight. I mean, is it, is it fair to say that these Chinese actors assume that they're going to have ongoing access, whereas you know, a Western actor, it seems like it's more of a smash and grab kind of thing. You know, we don't know how long we're going to be in here, so we have to get everything we can as quickly as possible. Is it just a different assumption there?
Aurora Johnson
Yeah, I think it's just a different mindset for how they approach data access. So like Kyla said, a lot of times, either they have persistent insider access and they're trying to preserve that access and utilize it for as long as they can or sometimes they even have persistent access to a data source because in some cases, like in the SDK method, they've developed a software development kit for an application that has or for, you know, mobile applications that have persistent access into all kinds of individuals' phones and they have elevated permissions so that they're able to just continuously extract data from those phones and then that data is then in turn being sold on the black market. And we see a lot of it show up on just like Telegram channels.
Kyla Cardona
I see the research mentions that Telegram and X, formerly Twitter are platforms that are actively used for these activities. Why are these platforms so effective? Why do we think that these threat actors choose those places?
Dave Bittner
Kyla, I believe the threat actors choose those places because Telegram isn't under heavy surveillance as WeChat and QQ are. I have seen articles in our research where people are talking to these data brokers and hackers on WeChat and QQ and they want to take the conversation to Telegram and on X they use that more as an advertisement platform where they can advertise their SDK and DPI data to lead back to their Telegram channels. And these Telegram channels, they're either private or public and this is where they, you know, just upload a bunch of data that is exfiltrated freshly or, you know, daily. And this is where they also sell data. And I believe Aurora can talk more on the payment methods that they take for shegongkus and even buying data outright from these SDK and DPI methods.
Aurora Johnson
Yeah, I don't think they're not on the Chinese apps, but I think that we do see some of them take measures to avoid the surveillance inherent in some of the Chinese technology apps. So for example, Telegram, they use Telegram a lot and that's blocked by the Chinese government and has been blocked since 2015. So they have to use a VPN to access it outside of China. And similarly they'll use cryptocurrency to try and do their transactions. So we've seen some actors accept payments on things like Alipay or like other Chinese payment apps, but we see most of them accept payment in USDT, which is the abbreviation for the Tether cryptocurrency. It's a cryptocurrency that's tethered to the value of the US dollar. So it has a very stable value and we see a lot of them using that as the main method to accept payment.
Kyla Cardona
We'll be right back. And now a word from our sponsor, KnowBe4. It's all connected and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors, then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach. And we thank KnowBe4 for sponsoring our show. Do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for a thousand dollars off.
You know, one thing that the research mentions is insider cooperation within telecommunications companies or even the device manufacturers. Can you share some insights on that?
Dave Bittner
Yeah, I believe that. And Aurora can speak more about this in detail. They have both the incentive to, and motivation to provide that insider access because of the annual or average salary in China and because they make these advertisements so enticing and they, you know, they have protections. So they, so first they mention about how much you, you can make a day, which is about 10,000 won if you know that depends on customers orders for this recruitment. And it could go, it could go even higher than that. And they also talk about protections for withdrawing the funds that you've made through like cryptocurrency mixing. And I think Aurora can speak more to that.
Aurora Johnson
Yeah, yeah, just, just like Kyla said, we do see a lot of recruitment for insider, particularly in government positions in the public security bureaus or at large financial institutions like the public banks. And then also particularly in the big three telecommunications companies, China Unicom, China Mobile and China Telecom. And they're often using that insider access to siphon data off. And they can make a lot of money. We've seen ads say that individuals that do a lot of queries or have a lot of contracts can make up to 10,000 won per day and in some cases up to 70,000 won. And then to put that in perspective, I have a number that we hold one moment and then to put that in perspective, the median annual after tax income per capita in China was 33,000 won last year. So that's around $4,500 in US dollars. So if you can make this third of the average per capita income in a single day, doing insider queries at your workplace with, as some of these data brokers say, minimal risk of being fired or caught, that is an enticing offer.
Kyla Cardona
Yeah, that could be quite a payday. How do you rate the technical sophistication of these actors when you compare them to other groups that you've researched? Where do they stand?
Dave Bittner
Sorry, that's a very hard question. But I believe that they have some. They have this word, they call themselves crawlers. So those are the tech people that are on these platforms. So when you, when you look at a Chinese data leak channel, there's salesmen and there's crawlers, which are the tech people. And for the tech people, they mostly seem to use Python web crawlers to try to get data from foreign websites. And they seem to know some technical knowledge or expertise. But it's hard to say because the data that they mostly exfiltrate or their most of their targets in these cybercrime ecosystems are domestic data, is what it seems like from the SDK and DPI methods, but they do show some overseas data from like Chinese overseas Americans or Chinese overseas from the UK, Chinese overseas Thailand. So they do have overseas data, but that data seems to be less consistently posted as what when compared to the SDK and DPI data that they post constantly. And they, while they seem to have some sort of technical knowledge of, you know, hacking tools, it doesn't seem very invasive in the way that, like Aurora said earlier, where they grab all the data and, you know, the smash and grab type of thing, they seem to want to maintain persistent access and be stealthy. So it's hard to say what, you know, the technical expertise on that extent. But they do have some technical expertise when it comes to hacking some websites, but it doesn't seem like it's their focus.
Kyla Cardona
I see. So can you share some of the challenges that you all face when it comes to tracking these specific threat actors? You know, particularly given some of the linguistic and cultural nuances here.
Aurora Johnson
I think one of the main things is, as you said, just trying to understand Chinese, but then also specifically the slang terms that they use and being able to use that to understand what they're talking about. So I think that's like, I think that's one of the main ways that we've been able to track these actors and find a lot of them. Talking about these different data breaches is just understanding different Chinese slang terms.
Kyla Cardona
One of the quotes that you all shared in the research was from a China based blog and it said the data you leave on the Internet knows you better than your mother. I think that's, that's an evocative statement, don't you think?
Dave Bittner
Yeah, it, it's, it came from a shegongku article and you know, the data that's posted out there is very invasive. And when it comes to a shegongku lookup or SGK lookup, you can find so many things about people that you wouldn't normally find on something like, you know, white pages or fast people search like this information contains everything from hacked databases from the Western side because they are also reposting those on the Chinese data leak channels, but also a lot of information like domestic to China. So there could be bank account numbers, passwords, emails, account numbers for securities investments there. So there's a lot more information on these free SGK lookups than you can imagine, even hotel room booking records.
Aurora Johnson
And to kind of explain the SGKs a bit further, essentially they are databases of hacked, leaked and breached data that they maintain. And anyone can either for free oftentimes or by paying a very small amount equivalent to maybe US$1, do a lookup on anyone based on their phone number, their national ID number in China, their name, their email address, or a bunch of different indicators that they offer searches with. And then you can get back all kinds of data which includes things like account information for all kinds of different apps, bank account information, financial records and hack data which sometimes includes passwords. Then oftentimes they also, these same SGKs will have advertisements for different private lookups that they're able to do. These cost significantly more usually than the lower level lookups, but those are often done directly by insiders querying the networks at their workplaces. So those private lookups might include things that they're able to do like facial recognition searches, GPS tracking of an individual, like phone and call records and texting records, and also government records. So things like your Social Security data or business registrations that you've done, any government records or arrest records as well, and things that police departments might have. So with those types of insider data, you can kind of see how they are able to really get a comprehensive view of an individual for a relatively low cost just by buying it in China. And I don't think that the exact same thing is necessarily possible in a lot of other places.
Kyla Cardona
No. It's really fascinating research and for me, as I was reading through it, I felt like I had to recalibrate my notion of privacy. You know, it's easy for us to complain here in the US that there are many ways that our privacy is being violated by various tech companies, but this is a whole different level than I think how, certainly how it was framed in my own mind. When you all look at the research that you've done here, what do you hope people take away from it? What are the take homes here?
Dave Bittner
I just want them to realize that the Chinese cybercrime ecosystem is vastly different from the Western Russian, European side because there's different components in the Chinese cybercrime ecosystem and a lot of it focuses on fresh and high quality data that's directly from the source. So you have, you know, some Chinese cybercriminals exfiltrating this data and being an insider to this data and selling this data, but also on the other side aggregating the data even more by putting it into their own collection of leaked or hacked databases called SGKs and selling, you know, access to those for even more money aside from data orders from SDK and DPI methods. So it's very different in that way as well as even if the Chinese were to hack some sort of website, they're going to try to maintain their stealth to maintain their access. And that's why they name it by industry rather than the actual website name or company name. And that is scary to me because, you know, it's hard to figure out, you know, who was hacked if they just name it by industry unless you really take a closer look at the data. And while, you know, all of this is really scary because there seems to be no privacy, it's really much a double edged sword when it comes to all the data collected by the CCP mandate because, you know, while it is collected for and by the CCP, it can also be used against them and in some cases it has when we have found in our research that there's bank account numbers on CCP members, even passwords and email addresses on them as well.
Kyla Cardona
Aurora, any final thoughts?
Aurora Johnson
Yeah, I think definitely agree with everything that Kyla mentioned. I think a lot of the surveillance state rhetoric around, you know, China collecting data on its citizens really focuses on individuals most targeted by the state, like ethnic minorities. But we can see that this robust leaked and hacked data industry in China poses privacy risks across all groups of Chinese people, including enlisted high ranking CCP officials and also APT actors who do contract work for the Chinese government. I think while this is a huge privacy concern for everyone in China and also people not in China that interact with the Chinese technology ecosystem, use Chinese apps, etc., it also in some cases can be a valuable source of data for Western cybersecurity researchers because you can find a lot of data on the advanced persistent threat actors that are hacking United States critical infrastructure in these databases and use that to track them.
Kyla Cardona
That's interesting. All right, well, before we wrap up, what I really want to do is kind of go back to the beginning. There's one little thing that I think we're missing in our conversation today, and that's a really nice introduction. So now that we're all a little comfortable and we've gotten the butterflies out, let's just take a minute and we're going to pretend like we're just starting out here so we get a nice introduction to the segment. And Kyla, I'm going to start out with you and I'm going to ask you this. So can you explain to us how this first came on your radar and how you all decided to pursue this line of research?
Dave Bittner
Yeah, this first came on my radar because I was interested in looking at the Chinese cybercrime ecosystem because I saw some little bits of leaks of Chinese data on Breach Forums and other forums. So I was curious to find out where they came from. And when I translated the word data into shuju, I was able to pivot off of that and find a bunch of Chinese data leak channels just based on that word and also Chinese characters. And from there I was able to uncover SDK, DPI, and MD5, which are the most prominent keywords that they use in English when it comes to describing the Chinese data leak channels.
Kyla Cardona
Our thanks to Kyla Cardona and Aurora Johnson from SpyCloud for joining us. The research is titled China's Surveillance State Is Selling Citizen Data as a Side Hustle. We'll have a link in the Show Notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
CyberWire Daily: The Hidden Cost of Data Hoarding [Research Saturday]
Release Date: January 11, 2025
Host: Dave Bittner
Guests: Kyla Cardona and Aurora Johnson from SpyCloud
Sponsor: N2K Networks
In the January 11, 2025 episode of CyberWire Daily, host Dave Bittner delves into the intricate world of Chinese cybercrime ecosystems with experts Kyla Cardona and Aurora Johnson from SpyCloud. This episode, titled "The Hidden Cost of Data Hoarding," uncovers the unique mechanisms through which Chinese-speaking cybercriminals operate, contrasting sharply with their Western and Russian counterparts.
Aurora Johnson begins by highlighting the distinct nature of Chinese cybercrime:
Aurora Johnson [02:01]: "We discovered that the Chinese cybercrime ecosystem relies heavily on persistent insider access directly to data sources, siphoning off this data to sell on the black market."
Unlike Western or Russian cybercriminals, who often engage in one-off data breaches, Chinese actors maintain ongoing access to data sources, ensuring a continuous flow of fresh data.
Dave Bittner elaborates on these differences:
Dave Bittner [02:58]: "Western, Russian, and European cybercriminals typically engage in 'smash and grab' tactics, hacking as much data as possible in a single intrusion. In contrast, Chinese actors prefer maintaining persistent access to consistently extract and sell data."
This persistent approach allows Chinese cybercriminals to accumulate high-quality, firsthand data over time, rather than relying on sporadic, secondhand data breaches.
Kyla Cardona and Dave discuss the primary methods used for data exfiltration:
SDK (Software Development Kit): Grants backend permissions on applications, enabling continuous access to user data.
Dave Bittner [02:56]: "SDK allows backend permissions on apps, providing persistent access to data sources."
DPI (Deep Packet Inspection): Utilized through major Chinese telecom providers like China Unicom, China Mobile, and China Telecom, enabling the extraction of data from telecommunications traffic.
Dave Bittner [02:58]: "DPI is conducted through major telecom centers, allowing deep packet inspection to extract data continuously."
These methods contrast with the more aggressive data theft techniques seen in other cybercrime ecosystems.
The episode highlights the strategic use of online platforms by Chinese cybercriminals:
Dave Bittner [12:49]: "Threat actors choose platforms like Telegram and X because Telegram isn't under heavy surveillance, allowing them to upload and sell freshly exfiltrated data without detection."
Telegram: Preferred for its relative anonymity and resistance to Chinese government surveillance, enabling the secure sale and distribution of stolen data.
Aurora Johnson [13:54]: "Most actors accept payments in USDT, a stable cryptocurrency, facilitating easy and traceable transactions on Telegram channels."
X (formerly Twitter): Used primarily for advertising data services and directing traffic to Telegram channels where actual transactions occur.
Understanding the unique slang and terminology is crucial for tracking these activities:
Dave Bittner [07:08]: "'Pantsless data' is Chinese slang for hacked databases, directly translating to 'library dragging.' Terms like SDK, DPI, and MD5 (referring to cracked data) are everyday jargon in these communities."
Kyla emphasizes the importance of familiarizing oneself with these terms to effectively monitor and interpret activities within Chinese cybercrime forums.
A significant aspect of the Chinese cybercrime model is the recruitment of insiders:
Aurora Johnson [18:42]: "Insiders, particularly within government positions and major telecom companies, are enticed with offers of up to 70,000 won per day—approximately one-third of the median annual income in China—to provide continuous data access."
This insider collaboration ensures a steady stream of high-quality data, making the ecosystem highly resilient and profitable.
While persistent and methodical, the technical prowess of these actors varies:
Dave Bittner [20:24]: "Chinese cybercriminals, referred to as 'crawlers,' primarily use Python web crawlers to extract data. Their focus is more on maintaining access rather than deploying highly invasive hacking techniques."
This indicates a specialized skill set oriented towards sustainability and stealth rather than sheer technical aggression.
Tracking these threat actors presents unique challenges:
Aurora Johnson [22:36]: "Understanding Chinese slang and terminology is essential. Without grasping these linguistic nuances, it's nearly impossible to accurately identify and track cybercriminal activities."
Additionally, the use of encrypted and anonymized platforms like Telegram complicates monitoring efforts.
The research underscores profound privacy concerns within and beyond China's borders:
Dave Bittner [26:54]: "There is virtually no privacy. The data collected is a double-edged sword—it can be used both by the CCP and against it, exposing sensitive information about government officials and ordinary citizens alike."
Aurora concludes by acknowledging that while this data poses significant privacy risks, it also offers valuable intelligence for Western cybersecurity researchers, especially in identifying and tracking advanced persistent threat (APT) actors targeting critical infrastructure.
Aurora Johnson [28:48]: "This robust data leakage industry in China affects all groups, including high-ranking CCP officials and APT actors, presenting both privacy risks and opportunities for cybersecurity research."
The episode "The Hidden Cost of Data Hoarding" provides a comprehensive analysis of the Chinese cybercrime ecosystem, revealing its unique reliance on persistent insider access and sophisticated data exfiltration methods. By contrasting these practices with Western and Russian counterparts, the discussion highlights the critical need for nuanced cybersecurity strategies and enhanced monitoring capabilities to combat these evolving threats.
Credits:
Produced by Liz Stokes
Mixed by Elliot Peltzman and Trey Hester
Executive Producer: Jennifer Ibin
Executive Editor: Brandon Karp
President: Simone Petrella
Publisher: Peter Kilpe
Host: Dave Bittner