CyberWire Daily: The Hidden Cost of Data Hoarding [Research Saturday]
Release Date: January 11, 2025
Host: Dave Bittner
Guests: Kyla Cardona and Aurora Johnson from SpyCloud
Sponsor: N2K Networks
Introduction
In the January 11, 2025 episode of CyberWire Daily, host Dave Bittner explores the Chinese cybercrime ecosystem with Kyla Cardona and Aurora Johnson of SpyCloud. The episode, titled "The Hidden Cost of Data Hoarding," describes how Chinese-speaking cybercriminals operate and how their model differs from that of their Western and Russian counterparts.
Overview of Chinese Cybercrime Ecosystem
Aurora Johnson begins by highlighting the distinct nature of Chinese cybercrime:
Aurora Johnson [02:01]: "We discovered that the Chinese cybercrime ecosystem relies heavily on persistent insider access directly to data sources, siphoning off this data to sell on the black market."
Unlike Western or Russian cybercriminals, who often engage in one-off data breaches, Chinese actors maintain ongoing access to data sources, ensuring a continuous flow of fresh data.
Comparison with Western/Russian Cybercrime
Dave Bittner elaborates on these differences:
Dave Bittner [02:58]: "Western, Russian, and European cybercriminals typically engage in 'smash and grab' tactics, hacking as much data as possible in a single intrusion. In contrast, Chinese actors prefer maintaining persistent access to consistently extract and sell data."
This persistent approach allows Chinese cybercriminals to accumulate high-quality, firsthand data over time, rather than relying on sporadic, secondhand data breaches.
Methods of Data Exfiltration: SDK and DPI
Kyla Cardona and Dave discuss the primary methods used for data exfiltration:
- SDK (Software Development Kit): Grants backend permissions on applications, enabling continuous access to user data.
Dave Bittner [02:56]: "SDK allows backend permissions on apps, providing persistent access to data sources."
- DPI (Deep Packet Inspection): Utilized through major Chinese telecom providers like China Unicom, China Mobile, and China Telecom, enabling the extraction of data from telecommunications traffic.
Dave Bittner [02:58]: "DPI is conducted through major telecom centers, allowing deep packet inspection to extract data continuously."
These methods contrast with the more aggressive data theft techniques seen in other cybercrime ecosystems.
Use of Platforms for Data Trading
The episode highlights the strategic use of online platforms by Chinese cybercriminals:
Dave Bittner [12:49]: "Threat actors choose platforms like Telegram and X because Telegram isn't under heavy surveillance, allowing them to upload and sell freshly exfiltrated data without detection."
- Telegram: Preferred for its relative anonymity and resistance to Chinese government surveillance, enabling the sale and distribution of stolen data.
Aurora Johnson [13:54]: "Most actors accept payments in USDT, a stable cryptocurrency, facilitating easy and traceable transactions on Telegram channels."
- X (formerly Twitter): Used primarily for advertising data services and directing traffic to Telegram channels where actual transactions occur.
Terminology and Language in Chinese Cybercrime
Understanding the unique slang and terminology is crucial for tracking these activities:
Dave Bittner [07:08]: "'Pansys data' is Chinese slang for hacked databases, directly translating to 'library dragging.' Terms like SDK, DPI, and MD5 (referring to cracked data) are everyday jargon in these communities."
Kyla emphasizes that analysts need to know these terms in order to monitor Chinese cybercrime forums and interpret what is being offered there.
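A defender-side illustration of the monitoring point above, added to this summary and not code from SpyCloud or CyberWire: a small lexicon-based tagger that labels chat or forum messages with the jargon the episode mentions (SDK, DPI, MD5, USDT) and flags messages that look like data-sale advertisements when an access method or freshness claim co-occurs with a payment term. The lexicon entries, the co-occurrence rule and the sample messages are assumptions constructed for the example.

```python
"""Lexicon-based triage of chat/forum messages for cybercrime jargon.

Added example, not code from the page's authors or SpyCloud.  The
lexicon, categories, scoring rule and SAMPLE_MESSAGES are constructed
assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Canonical tag -> (regex over normalised text, category).  The episode
# uses SDK and DPI as access methods, MD5 as shorthand for cracked data,
# and USDT as the usual payment method; the variants are assumptions.
LEXICON = {
    "SDK": (r"\bsdk\b", "access_method"),
    "DPI": (r"\bdpi\b|deep packet", "access_method"),
    "MD5": (r"\bmd5\b", "data_state"),
    "USDT": (r"\busdt\b|\btether\b", "payment"),
    "fresh": (r"\bfresh\b|first[- ]hand|daily update", "freshness"),
}

# Categories that, together with a payment term, suggest a sale advert.
OFFER_CATEGORIES = {"access_method", "freshness", "data_state"}


@dataclass
class Triage:
    text: str
    tags: list = field(default_factory=list)
    categories: set = field(default_factory=set)
    score: int = 0
    likely_sale_ad: bool = False


def normalize(text: str) -> str:
    """Case-fold, drop zero-width characters and collapse whitespace so
    that simple obfuscation does not defeat the word-boundary regexes."""
    text = re.sub(r"[\u200b\u200c\u200d]", "", text)
    return re.sub(r"\s+", " ", text.casefold()).strip()


def tag_message(text: str) -> Triage:
    """Tag one message; score is the number of distinct categories hit."""
    result = Triage(text=text)
    norm = normalize(text)
    for tag, (pattern, category) in LEXICON.items():
        if re.search(pattern, norm):
            result.tags.append(tag)
            result.categories.add(category)
    result.score = len(result.categories)
    result.likely_sale_ad = (
        "payment" in result.categories
        and bool(result.categories & OFFER_CATEGORIES)
    )
    return result


def triage_messages(messages):
    """Tag a batch of messages, most suspicious first within stable order."""
    return sorted((tag_message(m) for m in messages),
                  key=lambda r: (-r.score, not r.likely_sale_ad))


# Constructed sample messages (not real channel content).
SAMPLE_MESSAGES = [
    "Daily update! Fresh SDK source, pay in USDT only. DM for samples.",
    "Anyone know a good DPI tutorial for my home lab?",
    "Weather is nice today.",
    "MD5 cracked, 2M rows, payment in usdt via telegram",
]

if __name__ == "__main__":
    for r in triage_messages(SAMPLE_MESSAGES):
        print(f"score={r.score} sale_ad={r.likely_sale_ad} tags={r.tags} :: {r.text}")
```

In practice the lexicon would be much larger and would include the Chinese-language terms themselves; the point of the example is the structure (normalise, tag against a curated vocabulary, then apply a co-occurrence rule) rather than the handful of English tokens it ships with.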
Insider Cooperation and Motivations
A significant aspect of the Chinese cybercrime model is the recruitment of insiders:
Aurora Johnson [18:42]: "Insiders, particularly within government positions and major telecom companies, are enticed with offers of up to 70,000 won per day—approximately one-third of the median annual income in China—to provide continuous data access."
This insider collaboration provides a steady stream of high-quality data, which is what makes the ecosystem resilient and profitable.
Technical Sophistication of Chinese Cybercriminals
While persistent and methodical, the technical prowess of these actors varies:
Dave Bittner [20:24]: "Chinese cybercriminals, referred to as 'crawlers,' primarily use Python web crawlers to extract data. Their focus is more on maintaining access rather than deploying highly invasive hacking techniques."
This points to a skill set oriented toward sustained, low-profile access rather than technically aggressive intrusion.
Challenges in Tracking and Research Insights
Tracking these threat actors presents unique challenges:
Aurora Johnson [22:36]: "Understanding Chinese slang and terminology is essential. Without grasping these linguistic nuances, it's nearly impossible to accurately identify and track cybercriminal activities."
The actors' reliance on Telegram, which the speakers describe as lightly surveilled, further complicates monitoring.
Privacy Implications and Conclusions
The research underscores profound privacy concerns within and beyond China's borders:
Dave Bittner [26:54]: "There is virtually no privacy. The data collected is a double-edged sword—it can be used both by the CCP and against it, exposing sensitive information about government officials and ordinary citizens alike."
Aurora concludes by acknowledging that while this data poses significant privacy risks, it also offers valuable intelligence for Western cybersecurity researchers, especially in identifying and tracking advanced persistent threat (APT) actors targeting critical infrastructure.
Aurora Johnson [28:48]: "This robust data leakage industry in China affects all groups, including high-ranking CCP officials and APT actors, presenting both privacy risks and opportunities for cybersecurity research."
Key Takeaways
- Distinct Cybercrime Model: Chinese cybercriminals prioritize persistent access and insider cooperation over one-time data breaches.
- Sophisticated Data Exfiltration: Utilization of SDK and DPI methods ensures continuous and high-quality data extraction.
- Strategic Use of Platforms: Telegram and X are preferred because they are less exposed to Chinese government surveillance; X carries the advertising and Telegram the transactions.
- Linguistic Barriers: Understanding Chinese cybercrime slang is essential for effective monitoring and tracking.
- Severe Privacy Risks: The pervasive nature of data collection and leakage poses significant privacy threats, affecting both civilians and government officials.
Conclusion
The episode "The Hidden Cost of Data Hoarding" provides a comprehensive analysis of the Chinese cybercrime ecosystem, revealing its unique reliance on persistent insider access and sophisticated data exfiltration methods. By contrasting these practices with Western and Russian counterparts, the discussion highlights the critical need for nuanced cybersecurity strategies and enhanced monitoring capabilities to combat these evolving threats.
Credits:
Produced by Liz Stokes
Mixed by Elliott Peltzman and Tré Hester
Executive Producer: Jennifer Eiben
Executive Editor: Brandon Karpf
President: Simone Petrella
Publisher: Peter Kilpe
Host: Dave Bittner