China’s attack motivations, tactics, and how CISOs can mitigate threats

A new report published by Booz Allen Hamilton provides detailed insight into global cyber threats posed by the People’s Republic of China (PRC). The Same Cloak, More Dagger: Decoding How the People’s Republic of China Uses Cyberattacks outlines Beijing’s chief motivations for carrying out cyberattacks or espionage, the key tactics it employs, and provides strategies for CISOs to help their organizations to better identify and prepare for PRC cyber campaigns.

Security, sovereignty, development: key PRC cyberattack motivators

The report identifies three “core interests” over which China is willing to authorize offensive cyber operations if threatened, related to the nation’s political system, territory, and economy:

• Security (also referred to as political security, the people’s security, social stability, and national unity) relates to the guarantee for China’s long-term social stability in its political and social system, organized and led by the Chinese Communist Party (CCP). “However, the party sees numerous threats to this stability,” the report stated. “Pro-democracy, anticorruption, and reformist political movements directly call the CCP’s legitimacy into question,” while natural disasters and the COVID-19 pandemic test the government’s perceived competency, as do economic slowdowns.
• Sovereignty (also national sovereignty, territorial sovereignty, and territorial integrity) relates to China’s exclusive authority and control in various land and maritime areas, the report read. “China’s senior-most leadership routinely unequivocally asserts that it will make no concessions on its territorial claims.”
• Development relates to China’s ambitions of securing its economic activities – something that has been elevated to an explicit core interest only in the past few years or so, the report stated. “Threats to the PRC’s development include economic decoupling, restricted access to technologies like semiconductors, barriers to PRC investment, and physical threats to shipping lanes, personnel, and offices.”

The report listed various key PRC organizations associated with carrying out cyber missions, including the Ministry of Public Security (MSP), the Cyberspace Administration of China (CAC), and the Central Propaganda Department (CPD)/United Front Work Department (UFWD). As for cyberattack strategy and goals, China has developed a “three warfare” approach to shaping the information environment. These are:

• Psychological: The use or threat of force to affect an adversary’s decision making, with cyberattacks designed to signal China’s position on key issues through controlled, non-escalatory destruction and disruption of specific significant targets.
• Public opinion: The attempt to control information dissemination, with cyberattacks hindering information sharing through the disruption of news websites, social media, and communications platforms.
• Legal: The use of international and domestic laws and legal mechanisms for strategic offensive and defensive purposes, with China engaging in debates about acceptable behavior in cyberspace.

DDoS, ransomware, ICS attacks among top tactics used by China

The report synthesized primary PRC attack tactics based on several recent case studies, outlining four methods most used in campaigns. These are DDoS, defacement of websites/digital signage, breaches of industrial control systems (ICS), and ransomware. All have their own distinguishing PRC characteristics and carry potentially significant implications for targeted entities, the report added.

• DDoS attacks often use China-based IP addresses and indicate signaling objectives, resulting in temporary loss of website and other online resource availability, increased hosting costs, and the inability to retain DDoS mitigation vendors.
• Defacement of websites/digital signage typically blurs lines in public sources between independent hacktivists, government-encouraged hacktivists, and faketivists, leading to loss of communications with key audiences, consumer trust/public unrest and exposure of confidential data.
• ICS attacks frequently target energy and power sectors while unused access may represent reconnaissance, prepositioning or signaling, triggering disruption of operational technology (OT) systems, supply chain disruptions, and loss of power, water, or other utilities.
• Ransomware attacks, a tactic rarely connected to PRC government-aligned groups in public sources, harm the integrity of data and availability of systems and disrupt business operations.

The report recommended CISOs strengthen their approaches to risk management to help mitigate the above attacks, including:

• Conducting full reviews of supply chains to understand dependencies and how to manage related risks.
• Conducting executive-level wargames based on observed and plausible escalatory forms of attack operations by PRC adversaries.
• Auditing or reviewing security controls in place for potential threat activity by PRC adversaries.
• Sharing information with peers, government organizations and other companies to increase community awareness of current adversary activity and improve the visibility of the threat landscape.

Location, sector, actions impact likelihood of facing PRC cyberattacks

There are three factors that increase an organization’s likelihood of becoming the target of or being impacted by a PRC cyberattack, the report continued. These are location, sector, and actions. Organizations based in locations where the PRC lacks a clear power advantage (e.g., US, India, Taiwan) face a greatly increased risk, whereas those in critical, academia and news/media sectors face moderately increased risk with politically significant sectors (e.g., semiconductors) and political entities (e.g., democracy promotion, anticorruption groups) at much greater risk. Likewise, entities that have been involved in attempts to specifically subvert PRC online censorship and/or targeting of a Chinese audience with an anti-PRC message or messages conflicting with core PRC political positions are far more likely to be affected by a PRC attack, the report stated.

Booz Allen Hamilton advised CISOs to consider the risk profiles of their organizations, partners, vendors, and other third parties to better inform and address risk mitigation, including:

• Assessing organizational resiliency if there is a heightened threat of cyberattacks against specific countries, focusing on sectors most likely to be targeted.
• Incorporating geopolitical analysis into cyber risk assessments.
• Incorporating cyber risk analysis into the organizational messaging risk management process, with the participation of operational, legal, and public relations stakeholders.

China’s developing cyber activities a “potent threat”

China’s growing cyberattack capabilities and global assertiveness have created a potent threat to the United States and other countries and organizations whose own priorities, goals, and actions conflict with China’s expanding core interests, the report concluded.

“In the past decade, China has better defined the missions of its cyber capable agencies and more efficiently reorganized operational units. China now includes both offensive and defensive operators in joint military exercises.” However, the true measure of China’s cyberattack capabilities likely cannot be fully discerned in open sources, the report added, and it is “possible China has chosen to not deploy its full capabilities, or it has done so without public attribution.”