Patrick Gray
Welcome to Seriously Risky Business, the podcast we do here at Risky Biz HQ where we talk about cyber policy and intelligence and all sorts of big macro trend stuff. My name's Patrick Gray. This edition of Seriously Risky Business is brought to you by Tines, which makes a terrific no code automation platform. Tines is just really good stuff, you've never met more satisfied customers in your life and you can find them at tines.com. We'd also like to thank the William and Flora Hewlett Foundation for supporting Tom's work with us here at Risky Business, and also to Lawfare Media, who syndicate Tom's weekly newsletter, Seriously Risky Business, which you can find and subscribe to at Risky Biz. So, yes, Tom Uren, our policy and intelligence editor, joins me now. G'day, Tom.
Tom Uren
Great, Patrick. How are you?
Patrick Gray
Well, I'm funny you ask. Actually, I'm quite ill today. So just going to get through this one and then it is the rest of the day off, but we're going to struggle through. You've written about a couple of things this week that are very, very interesting. We touched on it briefly in yesterday's weekly show, but the Chinese Ministry of State Security has doxxed a bunch of people it alleges are, you know, essentially Taiwanese military hackers who've been hitting targets in China. This is somewhat, it's got a character to the type of, you know, similar activities that NSA does, for example, when they identify people who work for MSS. And the reason we say that's different is because it, it, it has a threatening aura, which the NSA stuff doesn't really have to the same degree. So, yeah, walk us through this one.
Tom Uren
Yeah, so the story is the MSS, China's Ministry of State Security, has over the last couple of years been really ramping up how it uses Weixin, which is the domestic version of WeChat. So they've got a, I guess it's a channel on there and they talk about all sorts of, I guess, national security issues. And one of the things they've been doing is outing Taiwanese military cyber operators. So this is the second time they've done it, but they've, I guess they've ramped it up. So previously they said, you know, here are some photos, here are, are their names. This time they've got ID numbers, birth dates, job titles, and they actually combine it with a pretty direct threat. And so in the post it says we will, the government, the PRC government will take all necessary legal measures to hold separatists accountable, including enforcing lifelong prosecution for key figures. Cyber operatives aiding Taiwan's separatist agenda are urged to abandon their illusions and cease their criminal activities. So of course the background is that China, the PRC, I should say, maintains that Taiwan is a renegade province. And so they're trying to get very personal about, we know who you are and we're going to hold you accountable. And I spoke to Nathan Attrill who, who's at my former employer ASPI, the Australian Strategic Policy Institute. He actually thinks that these kinds of threats have immediate implications for these people. So particularly if you're traveling in the region. And so he pointed to Thailand actually extraditing 40 Uyghurs to China.
Patrick Gray
And so I remember when that happened.
Tom Uren
Yeah, yeah, that was not that long ago, just a couple of weeks ago. So the other thing that occurred to me is that there's a lot of cross border family relations. So if you still happen to have family on the mainland, I think that's also something to think about. I think that's over time that's less and less of a concern. But still. So the contrast is that when the US indicts someone in China, they'll name names, they'll give a whole lot of aliases, they'll provide a whole lot of technical details. And for the cyber security community and cyber nerds like us, that stuff's all really good. And that the name names is like, it's interesting, but it never feels like that comes with a particularly heavy burden because, you know, China's a big country, there's lots of places you can go on holiday you don't have to go to.
Patrick Gray
Whereas Taiwan, right. If you want to go anywhere now, you've got to worry that you're going to get, you know, that's right.
Tom Uren
And by the MSS, it's very firmly in a region that is within China's sphere of influence, for lack of a better word. And so I think it just comes with a higher level of threat. That's something that you pay attention to. I think someone in China indicted by the US can laugh it off and go, okay, well I won't go to the U.S., yeah, and many other countries, but there's lots of countries in the region where you're probably, okay, very different for Taiwanese. And so Attrill actually listed a whole lot of other things that could happen as well. So it's. But I, I left those out. I think it's the individual risk I was focusing on.
Patrick Gray
And well, there's also, there's also this implied threat. Right. Which is that China keeps talking about, you know, reuniting Taiwan with the mainland. They say that this is a, you know, long standing policy goal of theirs. And this statement, these, this doxing seems to very clearly say, should that happen, we're going to prosecute you. You know, if we take over, you're going to prison. And that is something that's probably going to have an effect on recruitment, for example, to get people to do these sorts of operations. There will be some people who won't want to do them.
Tom Uren
Yeah. It does make me wonder like, does that make you more reluctant or does that make you like, you know, patriotic? I want to stand up against this. I'm going to join the military and do the cyber thing. So one way you can talk about, think about it, is that this means that MSS actually cares. We're having an effect. This is good work that we're doing. I don't know if that's true, but it's clearly the intent to try and deter people from, from joining those forces.
Patrick Gray
Yeah, I mean, another, another interesting thing that you highlighted though, in your piece is that the language that the Chinese use in these sort of documents is very different to the sort of language used by the West.
Tom Uren
Yeah. So the, it's, it's got like, you.
Patrick Gray
Know, North Korea vibes.
Tom Uren
Exactly. I did. You know. Under the guise of developing asymmetric warfare capabilities, the Taiwan's ruling party has recklessly spent taxpayer money to build a cyber force aimed at attacking and infiltrating the mainland. However, this effort is futile, akin to an ant trying to shake a tree. So that's the kind of thing that. Florid language.
Patrick Gray
Sweet metaphor, bro.
Tom Uren
Yeah. Yeah. Apparently that's a regular Chinese idiom. I quite like it.
Patrick Gray
That's not bad. I like idioms from other countries, but anyway, yeah. An ant trying to shake a tree. There you go. You learn something new every day.
Tom Uren
That's right. We can, we can incorporate that into the Risky Business oeuvre. So most of the post is like that. Now, the thing that gives it slightly more credibility is that there were three cybersecurity reports that came out on the day or the next day that talk about Taiwanese threat actors targeting China. So the idea is clearly that they're trying to in some ways mirror what the US is doing here. The technical things here, the people, they're trying to put together a package that has some impact. So so far, those three reports, they didn't link very clearly to the individuals. So it's the MSS saying, here are these four people and then there's these other reports saying, yes, Taiwanese interests are hacking China, but clearly they're on a path to try and bring these together and have more impact. Now, I actually think that in this case, by naming and doxxing people, they're playing to their strengths. That's, I think, where they'll actually have some impact. So the cyber security technical detail, I think that's kind of neither here nor there. Like the, the, the. That's not the point, but clearly. So I expect to see more of the doxing.
Patrick Gray
Well, you wrap up, you wrap up your analysis of this by saying the Taiwanese need to get real about opsec. And, you know, there's a reason we don't see the Chinese doing the same thing to NSA or ASD or GCHQ is because they actually have good OPSEC procedures which prevents these sorts of things from happening. I mean, you know, you've got to be diligent. It's not always easy, but it's, it's achievable.
Tom Uren
Yeah. So it would have been better if they'd started that 10 years ago.
Patrick Gray
Well, they always say, right with OPSEC is like, you always need it a few years before you realize it.
Tom Uren
That's right. But there's no better time to start than now. So I think it's, it's something they should do.
Patrick Gray
Yeah. Just going back to something earlier where I said, oh, I remember that happening with the Uyghurs being extradited from Thailand to China. I just looked into it while we were chatting, and it also happened 10 years ago. So I understand there's been a new one a couple of weeks ago, but, yeah, not the first time. And another thing, too, just interesting that we were talking about how they're publishing this stuff to WeChat, because we had that chat with Lina Lau recently where she was looking at a whole bunch of stuff published by the Chinese about alleged NSA intrusions into systems. She got all of that from WeChat as well. So it really seems like, you know, WeChat in China is kind of the everything app. Right. For chatting, you know, communication, payments and, you know, publishing content. Sort of like what Elon Musk's vision for X is, you know, to turn it into a. Into an everything app. So, you know, I think for people who are interested in what's happening in China increasingly, they're going to need to get on WeChat to sort of get this information. But let's have a little bit of a chat about the next thing you looked into. For a long while now, Russia has been waging a sabotage campaign targeting Western European countries. And this has involved everything from, you know, trying to blow up ammunition plants to, you know, energy sabotage to all sorts of stuff, assassinations and whatnot. There is a minor cyber component to this, but I guess the interesting thing in what you've done here is looked at how the Western European countries are likely to respond. And even though cyber makes up a small component of what the Russians are doing to them, it's probably going to be one of the ways that they choose to respond to this Russian aggression, which is to, you know, respond in kind, which is to hack into their critical infrastructure and get into places where they can, they can do damaging things.
You kind of argue in this piece that they might be better off hiring some local thugs to throw some bombs, given that it's, you know, if you're going to respond in kind, you may as well respond in kind. But that, that's kind of not polite. And Western Europe being Western Europe, they're probably going to do something a little more deniable and low key and respond in cyber. But know this underpinning this whole story is this idea that like norms are kind of going out the window at the moment. I think, I feel like that's accelerated since there's been a change of government in the US too.
Tom Uren
Yeah. So it's, this is based on a Center for Strategic and International Studies report. So CSIS, and they basically had a database of destructive Russian activities that occurred over the last several years. And so basically, you know, if you plot them, line go up and they analyze what is actually going on. And it was interesting to me that the cyber activities, they're definitely there, Russia's definitely doing them, but they make up a small minority of what's happening. So less than 15%. And like, if you looked at them in isolation, you would go, okay, yeah, there's some stuff happening and it's important, we should do something about them. But when you contrast it to the rest of the report, it's like, okay, this is what they're doing is trying to assassinate people. They're actually setting off explosives, lighting fires, trying to assassinate executives. So the, I don't want to say that the cyber stuff pales into insignificance, but it is, it's definitely a small proportion. So they're choosing to use other techniques. And mostly they're hiring local criminals or finding people who they can convince on an ideological basis. So they're finding local proxies most of the time. And so the report argues that the European countries and the West should be much, much more aggressive in punching back, I guess.
Patrick Gray
Yeah.
Tom Uren
And that if you allow Russia to just keep on doing these kinds of sabotage operations, there's absolutely no reason that they would stop. And it would, it's sort of self perpetuating if you don't push back. Well, why would you stop?
Patrick Gray
Well, I mean, this has been an issue for a long time and not just with Russia. You look at what China's doing with Volt Typhoon and the West is sort of reticent to do the same thing back because it's. Look, ultimately it's legally sketchy. But this report says unlike authoritarian countries such as Russia, this logic of not responding in kind assumes that democratic countries cannot or should not conduct forceful actions against Russia because they are not involved in a declared war. Yet these concerns are largely fallacious and they reflect a mindset of self deterrence. Russia, not Europe or the United States, chose to escalate a shadow war in Europe. In fact, a failure to respond will likely increase the likelihood of a protracted Russian campaign. I mean, it's hard to disagree with that. Right. And you sort of get the sense that this restraint that we've been seeing from the West over the last, you know, 20 years, say, you sort of get the sense that's, that's about to be flung out the window. But it will probably start, as you argue, they'll probably start with a bit of cyber. You know, they're probably not going to be hiring local bomb throwers just, just yet. But it seems like this is the path we're heading down, I guess is the point.
Tom Uren
Yeah, the report argues that the West basically needs to do four things. Three of them are not cyber related, but they're like actually be a lot more robust basically in communications and also in action. So a lot of it dealt with ships dragging anchors and it's basically arguing, well, you need to seize those ships and do something about them.
Patrick Gray
Yeah, these are the ships that are cutting cables, fiber optic cables and whatnot.
Tom Uren
Yeah, yeah, yeah. But it also says it, we should be a lot more forceful in offensive, destructive cyber operations. And so like this raises a quandary in my mind because like Russia's actually not doing that. Mostly they're just hiring local bomb throwers and like actual physical actions. So why would you respond in cyber? And I think the reason it makes sense is because Russia's doing like the easiest thing that will work. Like the cheapest, simplest thing. Let's find some people to throw some bombs. And it's not particularly covert and it's not particularly deniable. And I think that if you're a Western government, you would say, okay, we want to have some impact on Russia, but we don't want to get caught with our hand in the till or whatever.
Patrick Gray
You don't want to get your hands dirty, I think is the. That's right, you're trying to go for there, Tom.
Tom Uren
Exactly. And so for that, cyber is actually like a pretty good tool. It's more expensive, takes longer, it's harder, but it's also harder for people to pin it directly to you if you do your job right.
Patrick Gray
And so even, and we've seen time and time again that even when someone does an attribution, only so many people believe it, you know? You know, like, it's always deniable, even when the evidence to you and me, might look pretty slam dunk. Like, there'll still be people who say, ah, it was the deep state, you know.
Tom Uren
Yeah. And then. So I think there's, there is a logic here, even though the, the, the dumb, the simple thing to do is just find someone who's willing to throw a Molotov cocktail. I think there is a logic which argues for some destructive cyber packet throwing.
Patrick Gray
Chuck. Chuck. Some packets. Yeah, Molotov packets. There we go. There's a new, there's a new phrase. I just wonder how long that holds, though, if I'm honest, because it just. Nothing is trending more stable at the moment.
Tom Uren
How long it holds to just responding proportionately.
Patrick Gray
Yes, well, it's not a proportionate response, you know, when they're running around assassinating people and blowing up factories, you know, throwing a few packets back is not proportionate. So I just sort of wonder how long it is that the West continues to show restraint. I mean, the fact that they're talking about doing this in cyber at all, that's actually kind of a big development. But I wonder how long it, you know, I wonder how long before you've got Western European sponsored, you know, bomb throwers, basically.
Tom Uren
I think there's a couple of steps. And so I think that the first step is we need to respond in kind. And it's not clear to me that people have made that decision yet. The second step is, well, let's try this offensive cyber stuff, and we'll try it until we get sick of it, either because it's too slow, not effective enough, or too expensive, and it doesn't have the impact that we want. And so I think it's a third step, like step three on the pathway.
Patrick Gray
I think cyber actions are going to help them to feel better, but probably not change anything or result in any sort of deterrence.
Tom Uren
I mean, I think if you want real deterrence, you play it out on the battlefield by, by being less restrictive about what Ukrainian forces can do with the weapons that they have.
Patrick Gray
Yeah.
Tom Uren
And so I think that would be the immediate short term, easy to do thing that is more robust.
Patrick Gray
Yeah. And probably a little more norms compliant as well. Tom Uren, always great to chat to you. Always great to get your perspective. And again, if anyone would like to subscribe, subscribe to Tom's terrific newsletter. You can find it at Risky Biz and just click on the old newsletter square there and it'll take you over to the subscribe place. Great to talk to you, mate. Look forward to doing it all again next week. Cheers.
Tom Uren
Thanks, old pet.
Podcast Summary: Risky Bulletin – "Srsly Risky Biz: China's MSS Gets Personal"
Release Date: March 20, 2025
In this episode of Risky Bulletin, Patrick Gray and Tom Uren delve into two pressing cybersecurity concerns: the Chinese Ministry of State Security's (MSS) aggressive tactics against alleged Taiwanese cyber operatives and Russia's ongoing sabotage campaigns targeting Western Europe. The discussion provides insightful analysis into these geopolitical cyber threats and explores potential Western responses.
a. Escalation of Doxxing Activities
Patrick initiates the conversation by highlighting a recent alarming trend: the Chinese MSS has intensified its efforts to expose individuals it accuses of being Taiwanese military hackers targeting China.
Patrick Gray [00:54]: "The Chinese Ministry of State Security has doxxed a bunch of people it alleges are, you know, essentially Taiwanese military hackers who've been hitting targets in China."
b. Comparison with U.S. NSA Practices
Tom contrasts China's approach with that of the U.S. National Security Agency (NSA), noting that while both agencies identify foreign operatives, China's methods carry a more threatening undertone.
Tom Uren [01:45]: "When the US indicts someone in China, they'll name names... but China's a big country, there's lots of places you can go on holiday you don't have to go to."
c. Implications for Targeted Individuals
The doxxing by MSS includes personal details such as ID numbers, birth dates, and job titles, coupled with direct threats of lifelong prosecution. This approach differs significantly from the U.S., adding a layer of personal risk for the individuals involved.
Tom Uren [01:45]: "...they're trying to get very personal about, we know who you are and we're going to hold you accountable."
d. Broader Security Concerns
Patrick underscores the immediate risks for those with ties to mainland China, referencing the extradition of Uyghurs from Thailand as a precedent.
Patrick Gray [03:38]: "I remember when that happened... extraditing 40 Uyghurs to China."
e. Language and Rhetoric Used by MSS
The use of forceful and threatening language by MSS is reminiscent of authoritarian communications, which serves to intimidate and deter potential cyber operatives.
Tom Uren [06:47]: "...reunite Taiwan with the mainland... a cyber force aimed at attacking and infiltrating the mainland."
f. Call for Enhanced Operational Security (OpSec)
Concluding their discussion on MSS activities, Patrick emphasizes the necessity for Taiwanese cyber operatives to bolster their operational security to mitigate such threats.
Patrick Gray [08:52]: "...the Taiwanese need to get real about opsec."
a. Overview of Russian Aggression
The conversation shifts to Russia's multifaceted sabotage efforts in Western Europe, which include physical attacks on infrastructure and minor cyber operations.
Patrick Gray [09:28]: "Russia has been waging a sabotage campaign targeting Western European countries... assassinations and whatnot."
b. Analysis of Cyber Operations
Tom references a Center for Strategic and International Studies (CSIS) report, noting that while Russia conducts cyber attacks, they comprise less than 15% of their total sabotage activities.
Tom Uren [11:39]: "Cyber activities... make up a small minority of what's happening... less than 15%."
c. Western Response: Cyber Retaliation
There's a debate on whether Western nations should escalate their responses to Russian sabotage by adopting more aggressive cyber tactics. While physical sabotage is overt, cyber operations offer a deniable form of retaliation.
Tom Uren [15:01]: "Cyber is actually like a pretty good tool. It's more expensive, takes longer, it's harder, but it's also harder for people to pin it directly to you if you do your job right."
d. Ethical and Proportionality Concerns
Patrick raises concerns about the proportionality of cyber responses compared to Russia's physical sabotage, questioning the effectiveness and ethical implications.
Patrick Gray [17:07]: "It's not a proportionate response... throwing a few packets back is not proportionate."
e. Future Trajectory of Cyber Warfare
Tom outlines a potential escalation path where Western nations may increasingly rely on cyber operations as a primary means of retaliation, given their deniability and strategic advantages.
Tom Uren [18:02]: "...offensive cyber stuff, and we'll try it until we get sick of it..."
f. Conclusion on Deterrence
The discussion concludes with thoughts on deterrence, suggesting that real deterrence might require more tangible defensive measures rather than solely cyber retaliation.
Tom Uren [18:08]: "If you want real deterrence, you play it out on the battlefield..."
Patrick and Tom provide a compelling analysis of the evolving landscape of cyber threats emanating from major geopolitical players like China and Russia. The episode underscores the critical need for enhanced security measures, strategic responses, and a reevaluation of traditional deterrence mechanisms in the face of sophisticated cyber and physical sabotage tactics.
Notable Quotes:
Tom Uren [06:47]: "Under the guise of developing asymmetric warfare capabilities, the Taiwan's ruling party has recklessly spent taxpayer money to build a cyber force aimed at attacking and infiltrating the mainland. However, this effort is futile, akin to an ant trying to shake a tree."
Patrick Gray [15:57]: "You don't want to get your hands dirty, I think is the... you're trying to go for there, Tom."
Tom Uren [16:49]: "...destructive cyber packet throwing."
For more insights and detailed analyses, subscribe to Tom Uren's weekly newsletter, Seriously Risky Business, available at Risky Biz.