
In this episode of Data Security Decoded, join Caleb Tolin as he sits down with Mei Danowski, Co-Founder of Natto Thoughts and expert in geopolitical intelligence, to explore the realities of Chinese state-backed cyber operations. From the fragmented nature of China's threat actor ecosystem to its growing focus on critical infrastructure, discover how cultural, political, and economic structures shape one of the world's most strategic cyber landscapes. Whether you're defending critical infrastructure or shaping policy, this conversation provides clarity on China's cyber strategy and what it means for global security.
• Learn why Chinese cyber operations are fragmented, not centrally controlled
• Explore how cultural and political structures influence Chinese threat actors
• Understand which critical infrastructure sectors are most frequently targeted and why
• See how China's 14th Five-Year Plan shaped cyber operations and what to expect from the 15th
B
Hello and welcome to another episode of Data Security Decoded. I'm your host Caleb Tolin, and we are recording this right after Black Hat. If you attended as well, I hope you had a blast. It's a busy show, lots of great conversations, but I walked away, like many, with a head cold. So thanks for that, if you attended. Now, if this is your first time joining us, welcome to the show. Make sure you hit that subscribe button so you're notified when new episodes go live. And if you're already a subscriber, thanks for coming back. Give us a rating, drop a comment below, let us know what you think about the episode. Your feedback is invaluable to us. Now, in this episode I had the pleasure of sitting down with Mei Danowski, a geopolitical intelligence expert and co-founder of Natto Thoughts. Mei has extensive expertise in Chinese threat actors and has presented her research at top conferences around the world. We had an insightful conversation about how cultural and geopolitical dynamics shape cyber threats, insights into China's cybersecurity strategy, and the importance of understanding the intersection of technology and international relations. Now, without further ado, let's dive in. Mei, thank you for joining. I'm really excited to chat with you because your background and expertise in geopolitical intelligence, particularly in relation to China, is so impressive. What is a common misunderstanding about Chinese state-backed threat actors that you often hear?
A
Well, thank you for having me today. So this actually is a great question to get us started on the conversation. A common misunderstanding of Chinese state-backed threat actors I have observed over the years is viewing them as monolithic and centrally coordinated entities operating under unified command and control. However, in reality the Chinese cyber threat landscape is much more complex and fragmented. So many assume that Chinese cyber operations have a unified command structure, that all Chinese cyber operations flow from a single source like the PLA, the Chinese People's Liberation Army, or the Ministry of State Security. In practice, multiple agencies, military units and contract groups operate with various degrees of autonomy and coordination; different units may have competing priorities or overlapping targets. So here I give you an example, the recent case of the threat group Hafnium, also known as Silk Typhoon. So this links to the Chinese hacker Xu Zewei, about whom DOJ already has an indictment. So he was arrested in Milan, Italy in early July. So Natto Thoughts actually has a detailed report with analysis about him and his career growth and relationship with Hafnium. So he works for the Shanghai Municipal State Security Bureau, which is a local branch of the Chinese Ministry of State Security, through a front company, Powerock, which was established by the Shanghai Bureau. So the Shanghai State Security Bureau manages the Powerock operations directly: recruitment, tasking and the feedback loop, the structured reporting process, are all managed by the State Security Bureau. But in Xu's case, one task from the State Security Bureau was to target COVID-19 research. So the State Security Bureau gave him who to target and what information they needed, and he would figure out, you know, how to access that information. After each operation he would report back to the bureau with the result.
So as to Chinese threat groups, you know, other analysts, you know, for example Dakota Cary from SentinelOne, also have a great report identifying that actually other hackers and contract companies have also been involved in the Hafnium operations. So it's not like a single company related to this one threat group of one single Ministry of State Security; actually it is from a local branch. So this, you know, when we understand this, we have to really know that Chinese cyber operations are much more diverse and fragmented, even more than some of us assumed.
C
Right.
B
That's really interesting, and I was reading your report that you wrote in Natto Thoughts that you were just referring to, which is your publication where you analyze linguistic, policy and cultural factors and how they influence the TTPs used by the threat actors that you follow. What have you observed by looking at cyber operations through that lens?
A
Yes, just like you just said, Natto Thoughts focuses on strategic cyber threat analysis. This lens differs from operational or technical cyber threat analysis; it provides context and can help us identify the who, why, when and where of cyber threat activities, particularly through understanding threat motives, incentives and constraints, so that we can defend ourselves from adversaries not just by patching the system or blocking the malicious IPs, but also by determining risk, allocating resources and setting strategies. So for example, over the years we have observed that a number of cyber-enabled economic espionage activities tied to China, which affect US firms and other businesses globally, are associated with various Chinese national strategic plans, you know, such as the Five-Year Plan, Made in China 2025, the Belt and Road Initiative. So these state-backed cyber threat actors are often likely to work in line with the Chinese government to pursue these political goals. So another example: we have seen that many hacker-for-hire companies are involved in state-backed cyber operations, and most of these companies are registered as private companies. However, in China the concept of a private company is different from the understanding of a private company in Western countries, particularly in their relationship with the Chinese Communist Party. So for example, all private companies have to register with the local government Communist Party committee in addition to their business registration. So any private company that has three or more party members is required to establish a primary party organization in the company. So officials from local government party committees are obligated to recruit party members in any private company. So for private companies, a good relationship with the local party committee can be beneficial for their business operations, such as obtaining government loans and contracts.
In Natto Thoughts' analysis of the leak from the Chinese company i-Soon, we found a lot of conversations between the i-Soon executives talking about their struggles, how to entertain the local officials and please them to get government contracts. So these are all the examples, you know, where we can look into the strategic goals of the Chinese government and also, from, you know, how they structure companies, understand the culture to get a better understanding of Chinese cyber operations.
C
Right, right.
B
You mentioned the Five-Year Plan, and that's definitely something I want to get to a little bit later in our conversation. But speaking of those operational characteristics within the global cyber threat landscape, how does China differ from other state-sponsored actors like those in Russia, North Korea or Iran?
A
So you know, when we try to understand the difference, you know, I want to just emphasize, you know, China's operational characteristics. So I often offer to understand them from at least three aspects, you know, including strategic approach, target selection and attribution complexity. So I think we just talked about how a lot of the targeting follows their strategic plans. So, how to say, the bottom line of the strategic goals for China, for any Chinese state-backed cyber operation, is that it is part of a broader geopolitical competition for information, economic advantage and strategic influence. So in other words, China conducts cyber activities to support its national objectives, like we just said: economic development, military modernization, global influence projection. Then we can think about how they do it. So China takes a mix of a top-down and bottom-up approach. In this perspective, top-down means the overall goals and strategies are made by the Chinese government, whereas the bottom-up approach utilizes economic measures to get businesses involved in the process. The second aspect, in terms of target selection: China has been heavily focused on intellectual property and economic espionage in the past. However, in recent years China has shown interest in targeting critical infrastructure for intelligence collection to prepare for destructive attacks. Some of the reports have been framed this way. So I believe your audience is pretty familiar with the Volt Typhoon case, so it's exactly the example of this. So the last aspect of Chinese operational characteristics is attribution complexity, because Chinese operations often involve multiple overlapping groups with various degrees of state control, as we just discussed. So this provides the advantage of plausible deniability.
Also this demonstrates the scale of Chinese cyber operations, which have evolved from the state to the local state security and public security apparatus and real businesses in the front companies, universities and academic institutions. So now we can compare to Russia's and North Korea's state-sponsored operations. We have seen examples: Russia emphasizes political influence and critical infrastructure disruption, but not necessarily always economic espionage. In terms of North Korea, because of the tight political control in the country, North Korea's cyber operations support the political and national security priorities and have taken a more centralized approach. In the old days, the analysts from the industry who focus on North Korean threat actors joked that every threat group from North Korea is Lazarus. So now many have identified some subgroups of Lazarus or new groups. However, most of the groups are primarily affiliated with the Reconnaissance General Bureau of North Korea. So that's just the difference. You know, we have to really understand each country, then understand how they operate.
C
Right? Right.
B
Understanding each of the unique motivations definitely helps add some clarity. And something that you talked about when you were referring to how China operates and its goals was the targeting strategy. So do they tend to target organizations that are more in the public sector? Do they focus more on private sector companies? What types of critical infrastructure do these Chinese state-backed actors seem to target most frequently? And why is that?
A
This is a great question. You know, from what I have observed, you know, Chinese cyber strategy is actually much more nuanced than a simple public versus private sector divide. They're really quite strategic about their targeting; it often reflects broad national priorities. So the reality is both, but with clear patterns. Chinese actors don't really think in terms of public or private the way we might think. Instead they seem to target based on what serves the strategic objectives. So you will see them hitting government agencies for intelligence gathering, but also going after private companies for intellectual property and technology secrets. So in terms of targeting critical infrastructure, as I mentioned about target selection as one of their operational characteristics, what is really notable in recent years is their increased focus on critical infrastructure. We've seen significant targeting of telecom providers, the energy sector, water and transportation systems, for example. To give the example again of a new group, you know, we haven't really gotten a grasp of it because there is a lot of confusion about the group Salt Typhoon. So Salt Typhoon is targeting the telecom providers. This makes, you know, perfect sense, you know, from their perspective because telcos give you access to so much communication data. Then the Volt Typhoon campaign also highlights this shift, like we just talked about. So the infrastructure targeting is particularly interesting because it represents an evolution. So early Chinese operations were heavily focused on intellectual property theft, going after manufacturing companies, tech firms, defense contractors. Now we see what looks like operational preparation of the battlefield, as some analysts put it. So the bottom line is that Chinese cyber operations are remarkably aligned with their broad national objectives, again economic development, technological advancement, strategic positioning. So they are not just randomly hitting targets.
There's a clear logic that spans both the public and the private sectors based on what advances China's interests.
C
Right? Right.
B
And clearly the Chinese state-backed, you know, hacking and threat apparatus is quite robust. And a big question that I'd like to get your take on is how can blue teams and defenders, particularly those that are operating within those critical infrastructure domains that you were talking about, energy, water, telecommunications, how can they address some of the current threats and data security risks from China? I know recently there was the Microsoft SharePoint ToolShell exploitation. That's just one of many recent examples. So what can organizations do to defend themselves from these types of threats?
A
You know, this is where understanding Chinese strategic thinking really becomes crucial for defenders. Because if you only focus on the technical side without understanding the broader strategic context, you're essentially playing defense with a blindfold on. I would like to emphasize three approaches to address the current threats and data security risks from China, if I can. So first, I think, is understanding strategic patience and mission objectives. The first thing defenders need to grasp is that Chinese actors operate with what intelligence analysts call strategic patience. These aren't script kiddies trying to make a few bucks. These are operations designed to support China's long-term national objectives. So when you are defending critical infrastructure, you need to think like a strategic intelligence analyst and ask, you know, what would China want from my organization that serves their broad goals? Is it disruption capability for future conflicts, economic intelligence about the energy market, understanding of our supply chains? So this strategic lens completely changes how you prioritize your defense. If you are a water utility, for instance, understanding that Volt Typhoon's infrastructure targeting is likely about positioning for potential future disruptions helps you focus on operational technology security, not just IT systems. So second is the collection requirements framework. So here is something most defenders don't think about. Chinese operations are driven by collection requirements that come from the strategic planning process. They are not randomly targeting organizations. There are specific intelligence gaps they're trying to fill. Although it's not always easy to know what the Chinese intelligence collection requirements are, because, you know, we don't have any of the classified documents the Chinese government is making, you know, it requires some knowledge of area studies to figure out, but it's not impossible.
So for critical infrastructure defenders this means understanding what intelligence value you represent. Are you a critical node in supply chains they want to understand? Do you have a relationship with defense contractors? Are you involved in technologies that support their strategic competitors? So this intelligence-driven approach to defense planning is way more effective than a generic assume-breach strategy, because it helps you understand not just how they might attack, but why they would want to attack you in the first place. So lastly is understanding operational patterns through the strategic lens. So last year Natto Thoughts published research on reconnaissance scanning tools used by Chinese threat actors. So I discovered tools like NBTscan and the ScanBox malware have been used by multiple Chinese groups. This reminds us that when we look at a tool like NBTscan being used consistently across multiple Chinese groups over a decade, that's not just a technical preference; it reflects the institutional knowledge transfer within the Chinese cyber ecosystem. Understanding this helps defenders realize they're not facing isolated threat groups, but elements of broader strategic programs. This means your threat intelligence program needs to track patterns across the entire Chinese cyber ecosystem, not just individual APT groups. You know, when APT40 develops new techniques, you should assume other Chinese groups will likely adopt a similar approach over time. So overall we have to keep in mind that Chinese cyber operations are fundamentally strategic in nature, so our defense needs to be equally strategic. So technical controls are important, but they need to be guided by an understanding of the strategic objectives, operational patterns and the broader geopolitical context in which these threats operate. I hope this is helpful.
C
Right?
B
Absolutely. And to your point, China is incredibly strategic in their cyber operations and what their objectives are. And a lot of that stems from their five-year annual, or five-year, plans. I was about to say annual plan, but a five-year plan doesn't make so much sense as annual. But we're nearing the end of the 14th one, and they aim to prioritize things like technical self-sufficiency, strengthening national security, exploring more partnerships within the EU, increasing defense spending. Many other things are included in that as well. But looking back over the past half decade, how successful have they been in executing their cyber plans? Has there been anything that surprised you?
A
Yes, you're right. China's 14th Five-Year Plan for National Economic and Social Development, the country's highest-level economic blueprint, which runs from 2021 to 2025, will end soon. In fact, this particular 14th Five-Year Plan mapped out China's overall development strategy. In terms of cyberspace, the Chinese government actually has a separate 14th Five-Year Plan, which they call the 14th Five-Year Plan for National Informatization. So this is more cyber-focused. So looking into this 14th Five-Year Plan, I see China has made remarkable success in certain areas of their cyber strategy, probably more successful than many Western analysts expected. So there are two areas I'd like to mention here. You know, one is the digital economy success story. If any of your audience have traveled to China, they will know that if you don't know how to use Chinese apps, you probably cannot really go anywhere. So you see the big headline achievement, you know, progress, they call digital economic development. The plan set ambitious targets for digitalization across industries, and they largely hit those marks: we see massive adoption of digital technology in manufacturing, agriculture and services, all supported by cyber capabilities that enable data collection and analysis. So it's just the big scale, you know, I hadn't really expected it to be that fast. So another area is China's standardization and norm-setting wins. So this is an area where they probably exceeded expectations, in international cyber governance. China has been incredibly active in pushing their vision of cyber sovereignty in international forums. They made significant progress in places like the UN, the Shanghai Cooperation Organization, and through bilateral agreements with countries in the Global South.
As to what has surprised me the most, I believe it's military-civil fusion in cyberspace and how effective they are at implementing military-civil fusion in the cyber domain, like incorporating the private sector into military development. So the traditional boundaries between the military cyber units, intelligence services and private sector cyber capabilities have essentially dissolved, you know, which is incredibly effective at scaling their cyber capabilities while maintaining plausible deniability.
B
They've made a lot of strategic progress on all of their cyber initiatives throughout their 15th Five-Year Plan, or the 14th Five-Year Plan. But I know it's hard to kind of project what China could be planning for the next five years, but what do you think may be a part of China's 15th Five-Year Plan, if you had to guess?
A
Yeah, this is a hard question, since I'm not a member of the Chinese People's Congress. However, through, you know, some recent Chinese media reports and official speeches, you know, particularly there's a recent talk from Chinese President Xi Jinping that he gave at a symposium on China's economic and social development in the 15th Five-Year Plan period. So literally, you know, he kind of gave some guidance on what they should include in their 15th Five-Year Plan. So you know, from that, you know, I kind of expect at least, you know, three key themes, if I can guess. So the first is artificial intelligence integration. So this is going to be huge, because literally, you know, when we talk about a surprise, I was kind of surprised, and that's another surprise for me, how AI developed in China. So then this is also part of China's innovation effort. So they put innovation as the priority in their 14th Five-Year Plan. So this is going to continue. So they are already talking about intelligent manufacturing, smart governance. But I think we'll see cyber capabilities increasingly integrated with AI systems. You know, think AI-powered network defense, automated threat hunting, probably AI-enhanced offensive cyber capabilities too. Right. So second is critical infrastructure resilience. So they understand that they have a lot of tensions, you know, with the Western countries, the US, all this. So given this, I expect a major focus on hardening their own critical infrastructure against cyber attacks. So they will probably include more requirements for domestic technologies in critical sectors and enhance their cyber defense capability. Lastly, data as a strategic asset. So the new Data Security Law and Personal Information Protection Law were just the beginning. So it's not many years ago, I think just in the last few years; I cannot remember exactly when the Data Security Law was published at this point.
But I think we will see a much more sophisticated approach to treating data as a strategic national resource, so including probably more restrictions on data flows to other countries. So the bottom line is that China has largely delivered on their several objectives over the past five years, if I can say that, and they're positioning to be even more ambitious in the next five years. So for those of us tracking Chinese cyber capabilities, the 15th Five-Year Plan is going to be crucial reading when it comes out, right?
B
Absolutely. Those are interesting projections. I will be eagerly sitting at the edge of my seat to see if those made it into the next Five-Year Plan. So Mei, thank you for the discussion. This has been so fascinating. Where can our listeners find you and learn more about all the amazing work that you're doing?
A
So our platform is on Substack, nattothoughts.substack.com. I am also on LinkedIn, Bluesky and X, so you can all find me, and I will welcome the feedback, you know, from your audience as well.
B
Wonderful, wonderful. Thank you, Mei, again. This was a fantastic conversation, and until next time, thank you.
Date: August 26, 2025
Host: Caleb Tolin (Rubrik)
Guest: Mei Danowski (Geopolitical Intelligence Expert, Co-Founder of Natto Thoughts)
This episode delves into China's comprehensive cyber strategy—how five-year plans, cultural context, and geopolitical ambitions shape its approach to cyber operations. Host Caleb Tolin interviews Mei Danowski, a leading expert in Chinese threat actors, to reveal the inner workings of China's cyber apparatus, its distinction from other adversaries, its targeting strategies, and what defenders should know in this evolving landscape.
Conclusion:
This episode provides a nuanced, big-picture view of China’s cyber strategy—emphasizing the necessity for defenders to look beyond technical fixes and understand China’s institutional, social, and strategic drivers. Future developments, particularly the next Five-Year Plan, will continue to shape the global cybersecurity landscape.