Risky Business News - Episode Summary
Episode: Srsly Risky Biz: The PLA's Cyber Operations Go Dark
Release Date: November 21, 2024
Host: Risky.biz
Guest: Tom Uren, Public Policy and Intelligence Editor
Introduction
In this episode of Srsly Risky Biz, hosted by Patrick from Risky.biz, the discussion centers on the shifting landscape of Chinese cyber operations, in particular the apparent reduction in publicly visible activity by the People’s Liberation Army (PLA). Joined by Tom Uren, Patrick goes through recent reports, cybersecurity trends, and the strategic implications for global cybersecurity posture.
The Declining Visibility of PLA Cyber Operations
Tom Uren begins by referencing a report from Sequoia, which offers a comprehensive overview of Chinese cyber activities over the past three decades. He notes a significant observation:
“Just nobody in the public sphere really talks about the PLA all that much anymore.” ([01:10])
Historically, the PLA was at the forefront of China’s cyber offensive capabilities. However, recent analyses suggest a reorganization where the Ministry of State Security (MSS) has taken the lead in cyber espionage and intellectual property (IP) theft.
Shift from PLA to MSS Dominance
Tom explains that the Sequoia report indicates a strategic pivot:
“We think based on what we see, is that they're going after these harder military targets.” ([02:43])
The PLA’s diminished presence in publicly reported cyber operations is theorized to result from a shift in focus toward more covert, military-related cyber engagements. Unlike the overt IP theft previously associated with groups such as Unit 61398 (APT1), the PLA is now believed to be targeting harder, more resilient military infrastructure, which makes its operations less visible and more persistent.
Emergence of Volt Typhoon
Patrick brings attention to a newer threat actor dubbed Volt Typhoon, which fits the hypothesis of the PLA’s strategic shift:
“Volt Typhoon is linked to the PLA... it's uncharacteristically stealthy for a Chinese operation.” ([05:05])
Volt Typhoon is characterized by its focus on U.S. critical infrastructure, with the apparent aim of disruption rather than traditional intelligence gathering. The group’s activities suggest preparation for potential conflict, such as over Taiwan, by establishing the capability to cause significant disruption when required.
Challenges in Attribution and Operational Security
The conversation highlights the difficulty in attributing cyber attacks to specific Chinese agencies. Tom posits that enhanced operational security (OPSEC) measures are likely at play:
“You can attribute it to China, we can cluster that activity together, but we just haven't seen that granular attribution to an actual agency.” ([05:44])
This increased stealthiness complicates the global cybersecurity community's efforts to identify and respond to these threats effectively.
The Proliferation of Zero-Day Exploits
Shifting focus, Tom discusses the alarming trend of zero-day (0-day) vulnerabilities being exploited as the new norm in cyberattacks:
“Most of the most exploited vulnerabilities were initially zero days.” ([07:49])
He observes that attackers are increasingly deploying zero-day exploits immediately upon discovery, before patches become available. This practice outpaces organizations' ability to respond, leaving systems vulnerable for extended periods.
Critique of Current Defensive Strategies
Patrick challenges the conventional wisdom of relying solely on patching as a defense mechanism:
“I think that's terrible advice because... people are using bugs before there are patches available for them.” ([10:01])
He argues that organizations should adopt more proactive measures, such as limiting exposure of vulnerable systems to the internet and utilizing secure cloud-based management services with multi-factor authentication (MFA). This approach reduces the attack surface and mitigates the risk posed by zero-day exploits.
Proposed Solutions and Market Dynamics
Tom suggests a more market-driven approach to vulnerability management:
“Maybe we should go a little bit free market here and let the black market set the prices.” ([13:52])
He proposes that companies invest in purchasing exploits to better understand and mitigate potential threats. By treating exploit purchases akin to bug bounties, organizations can incentivize the discovery and patching of vulnerabilities before they are weaponized by malicious actors.
However, Patrick raises concerns about the practicality and legality of this approach, especially concerning transactions with sanctioned entities like Russian actors.
Conclusion
The episode underscores a pivotal shift in Chinese cyber operations from overt IP theft to more covert, strategically focused military activity. The emergence of groups like Volt Typhoon exemplifies this transition and marks a new era of stealthier cyber threats. Additionally, the widespread use of zero-day exploits challenges existing defensive paradigms and calls for more proactive security strategies.
Patrick and Tom conclude by emphasizing the need for the cybersecurity community to adapt to these evolving threats through enhanced collaboration, strategic investment in vulnerability management, and the adoption of more resilient defensive architectures.
“Once again, you can find Tom's full write up at News Risky Biz. A pleasure to chat to you always... we'll do it again next week.” ([14:15])
This discussion offers useful insight for cybersecurity professionals and enthusiasts, highlighting the changing nature of Chinese cyber threats and the need for adaptive defensive measures.
