
PLUS: Market forces in the bug bounty market
B
And welcome to another edition of Seriously Risky Business, the podcast we do here at Risky Biz HQ, which focuses on public policy and intelligence and cyber and all of that good stuff. This podcast and all of this Seriously Risky Business work is supported by the William and Flora Hewlett Foundation and Lawfare Media. I'm of course joined by our public policy and intelligence editor, Mr. Tom Uren. Hello, Tom.
A
G'day, Patrick. How are you?
B
Good, good. And yeah, we've just been through your newsletter that you write every week, which people can find at News Risky Biz. And you know, you've written up a few things here. And the first, you've used a report from the security company Sequoia as a starting point for this one, but you're taking a look at which agencies in China are doing what. And, you know, you've kind of pointed out that the PLA, the People's Liberation Army, which used to be a huge player in Chinese cyber operations, we don't really know what they're up to these days. And that is not necessarily a wonderful thing.
A
I thought this report was interesting because it takes this big picture overview of everything that's happened in Chinese cyber for 30 years. It's not a huge report, so it obviously summarizes a lot of things, but it really pointed out to me that just nobody in the public sphere really talks about the PLA all that much anymore. And, you know, going back 10 years, they used to be the main cyber force. So the kind of top line reading of their report is that the MSS, the Ministry of State Security, has taken over. But they do have a section about the PLA where they say, you know, there've been reorganizations. And their theory is that you don't see them because they're now focused on military targets. With those targets, you tend to try and be more covert because, at least notionally, they're harder targets and you would really like to stay on them and have long term persistence. So, like, there's these drivers to be more stealthy. And then also those targets are less likely to say, oh, hey, yeah, we got hacked, we got owned. They just tend not to do that. So that is their theory, which makes a lot of sense to me. That's why they've just totally disappeared. So it seems like there was a reorganization. The MSS got all the, you know, go steal the IP. It seems like a Ministry of State Security type job.
B
And that used to be, as you point out, that used to be the PLA's wheelhouse. Right. So you go back to when was it, like 2013 or whatever? When Mandiant released the APT1 report, which for those who weren't around back then and paying attention, it was a very big deal. It was the first time that we'd seen APT activity, you know, attributed in this way not only to a government but to unit 61938. Sorry, 61398, you know, and here's the building and here are the people who serve in the unit. So that report was huge. And of course APT1 back then was doing a lot of IP theft. It was just that particular unit that was just wholesale IP theft. Like the connectivity going into that building was insane. There was nothing stealthy about it. So now MSS, I'm sure they're doing a lot of IP theft still. But they do all of your traditional espionage sort of stuff. Right. Sort of the stuff that you would task ASD here with or NSA in the US. There's a lot of intelligence collection there. You know, that's MSS now. So yeah. What on earth are PLA doing?
A
Yeah. And so that particular report also talks about the size of the organization and they talk about, you know, dozens to hundreds of hands on keyboard operators and perhaps hundreds to thousands of staff. So that's based on the size of the building that they were in and also the amount of concurrent operations they could do and the amount of operations they'd done over time. So that is a lot of people to just, like, not do any more hacking. Like, they're hacking somewhere is the theory. And so their conclusion is, we think based on what we see, is that they're going after these harder military targets. So the other group that's popped up recently is Volt Typhoon, which fits the bill exactly for that hypothesis. It's a group that's targeting US critical infrastructure. It doesn't seem to be interested in intelligence. It looks like it's just there to be able to disrupt it at the right moment if needed. So people, the theory is that the right moment might be a conflict over Taiwan.
B
Yeah. And you've pointed out here too that the Washington Post cites officials.
A
Yeah.
B
Saying that Volt Typhoon is linked to the PLA. But I think this is kind of your whole point in this whole thing, which is, okay, that's one citation, but there's not really much available publicly that confirms that the PLA is behind Volt Typhoon, which is uncharacteristically stealthy for a Chinese operation, which traditionally they haven't really cared about attribution. And even now, like we can look at Volt Typhoon, we can attribute it to China, we can cluster that activity together, but we just haven't seen that granular attribution to an actual agency. Which suggests perhaps OPSEC is a bit more of a priority these days.
A
Yeah. So there's. It seems like OPSEC is a priority and there may also be reasons why Western officials don't want to attribute it. We don't want to give away how much we actually know that's possible as well. So there's several potentially.
B
But normally people in the private sector can fill in those gaps as well. Right. So I mean, it's one thing for the US government to say, well, we're not going to attribute this to a particular organization, but you can bet dollars to donuts that people at places like Mandiant are trying.
A
Yeah, yeah. So I think one of my points is that when you've got an organization as large as unit 61398 that was just one of the PLA units that does cyber operations and they disappear and then it seems like they're refocused on potentially destructive stuff, that's a reason to worry. Yeah, Yeah.
B
I mean, APT1 were kind of junk hackers though. Right? Like, that's one thing I think, you know, when you look at the scale of something like APT1, it was so huge. Volt Typhoon, very prolific. Not as big. I mean, APT1 was huge. So it's almost like, I wonder if it's the same people or if it's like a scaled down but more seriously tasked function now within the PLA. But that's the. I mean, the whole point is we don't know.
A
Yeah. Well, that was 10 years ago. So you can imagine that there's been a lot of learning since then. And whether or not it's the same group, I think they were willing to invest a lot of people back then. I don't think it's fewer people now would be my guess. And if they're doing more stealthier stuff, it's still a lot of stuff potentially.
B
Yeah, yeah. Now look, another thing that you've written about this week is that people going after 0-days is the new normal. We're seeing just so many more attacks targeting particularly, like, the sorts of devices you find at the network edge with 0-day, and that is just now workaday, which is extremely not great, I would say, because this is a very difficult problem to solve.
A
Yeah. So there's two pieces of news really that are relevant to this. The Five Eyes cybersecurity authorities said there's this noticeable trend over the last year where most of the most exploited vulnerabilities were initially zero days. So their language around it is very tortured. Because the way I take that to read is that there's a vulnerability. It's first exploited as a zero day. And then when it becomes public, people just jump on it as quick as they can, people malicious actors.
B
And so I think the thing is, though, and sorry for cutting your flow there. I mean, in the case of the Palo Alto Networks bug you're talking about here, people jumped on it before it was necessarily public, I thought, didn't they? Or, you know, so I think there's plenty of. There's plenty of 0-day actually being used as 0-day.
A
Yeah, yeah, yeah. I think there's two things. I think that actors are more willing to just go big early, and then as soon as it becomes public, other actors are investing in getting a hold of it quickly and also going big. And so I argue that it makes it very hard for organizations to patch and keep up. And so the advice in the advisory is if you're an end user organization, you just need to be sort of poised to patch at any instant. And then there's a Palo Alto firewall bug this week. And the problem with that is that Palo Alto didn't know what the bug was, so there was a report that it had been sold on a forum somewhere. And so everyone's just waiting with bated breath, I guess, to figure out what is the bug, and then it's a race to patch it. But until you know what it is, of course, you can't do anything. And so that advice has, like, it's definitely good advice, but there's a limit to how effective it can be because there's always.
B
I don't agree. I think it's terrible advice because, you know, the whole thing that we're discussing right now is that people are using bugs before there are patches available for them. And I think, you know, the better advice is to really consider what you want to expose to the Internet. Like, I had that interview with the CISO from Sophos recently about the work that they did, the sort of counter, you know, counter espionage work that they did against Chinese APTs that were targeting their products. One thing that actually was a. I had a chat with Ross, like before and after the interview. It didn't actually make it into the interview, but they have. So the feature that people were targeting is a feature that Sophos never intended for their customers to make available on the Internet in the first place. But then when Covid happened, a lot of people just opened up these management interfaces to the Internet. But the really interesting thing he said is that you could do the same type of management via Sophos cloud services, which would not have exposed people in the same way. So it's like a, you know, a cloud style login with MFA and whatever. It doesn't involve, you know, exposed ports on the device. It's just a much more secure way of doing it. But people don't configure it that way because they want to manage their own thing. They don't quite trust the cloud. So, you know, there are things that people can do here, like firewalling selectively vulnerable devices and things that are going to get them, you know, much further than "oh well, we should just patch faster." So I don't like that advice at all.
A
Yeah. So to be fair, in the advisory there is other advice about opening up specific IP addresses or allowing specific IP addresses and stuff like that. I guess my point is you're just on a hiding to nothing though, if you're relying on patching. And so my suggestion is just that maybe we should expect companies to go out and buy those bugs so that they can figure out what the potential exploit is and fix it. I liken it to a sort of a bug bounty. Like, if you squint really hard, there's actually no evidence that whoever was selling the exploit has done anything illegal. And it also provides a monetary incentive for companies to actually release secure products in the first place. And it's not like paying a ransom because nothing's happened yet. So, you know, I think you can sort of squint quite hard. Quite hard, I admit. And just imagine that it's like a bug bounty where the price is set by the black market. So it's very capitalist.
B
Yeah, yeah. So that's the interesting thing, right, which is our company is going to be prepared to pay black market rates for a bug like this. I don't know how much it sold for, but yeah, you can, you can kind of. So. So there is a problem with that though, right? Which is people who are operating in sanctioned places.
A
Yep.
B
How do you pay someone in Russia, for example, for this type of information? I will pull you up on one thing though. You said that there's no evidence this person did anything illegal. Selling 0-day to criminal types for criminal purposes, I'm pretty sure, will get you some form of charge. Right. Like, it is very different to a bug bounty. But I think the wider point that you're making here is that, you know, whatever someone paid for this bug, there's been a lot more damage caused to the vendor than would have been caused by them just buying it. Right. And I don't know how comprehensive a solution this will be, but trying to draw people doing this sort of research for illicit purposes and channel them into more legitimate things like bug bounties would be a positive thing. And you're right. The thing that stops them from doing that is that when you have the vendors setting the prices for bugs, they can't compete with the black market. So maybe the lesson here is we need to go a little bit free market here and let the black market set the prices.
A
Yeah, that's my suggestion.
B
And it's not like Palo Alto Networks can't afford it. Right.
A
I had a look and I couldn't find a bug bounty for Palo Alto's devices. I could find it for its website. That doesn't mean it's not there. I just couldn't find it immediately. So, you know, who knows?
B
Yeah, yeah, point well made. I mean, they're just a clown car at the moment. The likes of Palo Alto Networks and Fortinet and whatever. Get that stuff off the Internet if you can. Tom, you're in. We're going to wrap it up there. Once again, you can find Tom's full write up at News Risky Biz. A pleasure to chat to you always, as always, my friend. And we'll do it again next week.
A
Thanks, Patrick.
Risky Business News - Episode Summary
Episode: Srsly Risky Biz: The PLA's Cyber Operations Go Dark
Release Date: November 21, 2024
Host: Risky.biz
Guest: Tom Uren, Public Policy and Intelligence Editor
In this episode of Seriously Risky Business, hosted by Patrick from Risky.biz, the discussion centers around the shifting landscape of Chinese cyber operations, particularly focusing on the apparent reduction in activities by the People’s Liberation Army (PLA). Joined by Tom Uren, the team delves into recent reports, cybersecurity trends, and strategic implications for global cybersecurity posture.
Tom Uren begins by referencing a report from Sequoia, which offers a comprehensive overview of Chinese cyber activities over the past three decades. He notes a significant observation:
“Just nobody in the public sphere really talks about the PLA all that much anymore.” ([01:10])
Historically, the PLA was at the forefront of China’s cyber offensive capabilities. However, recent analyses suggest a reorganization where the Ministry of State Security (MSS) has taken the lead in cyber espionage and intellectual property (IP) theft.
Tom explains that the Sequoia report indicates a strategic pivot:
“We think based on what we see, is that they're going after these harder military targets.” ([02:43])
The PLA’s diminished presence in public cyber operations is theorized to result from their focus shifting towards more covert, military-related cyber engagements. Unlike the overt IP theft activities previously associated with units like 61398 (APT1), the PLA is now targeting more robust and resilient military infrastructures, making their operations less visible and more persistent.
Patrick brings attention to a newer threat actor dubbed Volt Typhoon, which aligns with the hypothesis of the PLA’s strategic shift:
“Volt Typhoon is linked to the PLA... it's uncharacteristically stealthy for a Chinese operation.” ([05:05])
Volt Typhoon is characterized by its focus on disrupting U.S. critical infrastructure rather than traditional intelligence gathering. This group’s activities suggest preparation for potential conflicts, such as those concerning Taiwan, by establishing the capability to cause significant disruptions when necessary.
The conversation highlights the difficulty in attributing cyber attacks to specific Chinese agencies. Tom posits that enhanced operational security (OPSEC) measures are likely at play:
“You can attribute it to China, we can cluster that activity together, but we just haven't seen that granular attribution to an actual agency.” ([05:44])
This increased stealthiness complicates the global cybersecurity community's efforts to identify and respond to these threats effectively.
Shifting focus, Tom discusses the alarming trend of zero-day (0-day) vulnerabilities being exploited as the new norm in cyberattacks:
“Most of the most exploited vulnerabilities were initially zero days.” ([07:49])
He observes that attackers are increasingly deploying zero-day exploits immediately upon discovery, before patches become available. This practice outpaces organizations' ability to respond, leaving systems vulnerable for extended periods.
Patrick challenges the conventional wisdom of relying solely on patching as a defense mechanism:
“I think that's terrible advice because... people are using bugs before there are patches available for them.” ([10:01])
He argues that organizations should adopt more proactive measures, such as limiting exposure of vulnerable systems to the internet and utilizing secure cloud-based management services with multi-factor authentication (MFA). This approach reduces the attack surface and mitigates the risk posed by zero-day exploits.
Tom suggests a more market-driven approach to vulnerability management:
“Maybe we should go a little bit free market here and let the black market set the prices.” ([13:52])
He proposes that companies invest in purchasing exploits to better understand and mitigate potential threats. By treating exploit purchases akin to bug bounties, organizations can incentivize the discovery and patching of vulnerabilities before they are weaponized by malicious actors.
However, Patrick raises concerns about the practicality and legality of this approach, especially concerning transactions with sanctioned entities like Russian actors.
The episode underscores a pivotal shift in Chinese cyber operations from overt IP theft to more covert and strategic military-focused activities. The emergence of groups like Volt Typhoon exemplifies this transition, marking a new era of sophisticated cyber threats. Additionally, the rampant use of zero-day exploits challenges existing defensive paradigms, necessitating innovative and proactive security strategies.
Patrick and Tom conclude by emphasizing the need for the cybersecurity community to adapt to these evolving threats through enhanced collaboration, strategic investment in vulnerability management, and the adoption of more resilient defensive architectures.
“Once again, you can find Tom's full write up at News Risky Biz. A pleasure to chat to you always... we'll do it again next week.” ([14:15])
This detailed exploration offers valuable insights for cybersecurity professionals and enthusiasts, highlighting the dynamic nature of cyber threats and the imperative for adaptive security measures in an increasingly complex digital landscape.