Source:
https://scmp.com/news/china/society/article/3014421/chinese-cyber-spy-ring-accused-targeting-key-players-belt-and

‘Chinese’ cyber spy ring accused of targeting key players in Belt and Road Initiative

  • Annual report by US security firm FireEye says group has been collecting business intelligence focusing on sectors such as engineering, transport and defence
  • Evidence links the group to the Chinese island of Hainan and its activities are concentrated on Southeast Asia
The group was accused of collecting business intelligence on major belt and road projects. Photo: Shutterstock

A cyber espionage group is believed to be targeting key countries for China’s Belt and Road Initiative with a particular focus on sectors such as engineering, transport and defence, a US security firm has warned.

In its “M-Trends 2019” report, FireEye, which has been active in exposing Chinese espionage activities in the past, identified the group as Advanced Persistent Threat 40 (APT40), saying its researchers had concluded with “high confidence” that it was part of China’s online spying operations.

It said the group’s activities dated back to at least January 2013 and its victims included “maritime targets, defence, aviation, chemicals, research/education, government and technology organisations”.

“Target countries are concentrated in Southeast Asia or are host to global entities involved in maritime issues, such as shipping or naval technology,” the report said.

Many of the companies and organisations targeted were involved in the Belt and Road Initiative. Photo: AP

The research report, which is released annually, said that APT40 targeted government-sponsored projects and was collecting “business intelligence on major projects and agreements” related to the Belt and Road Initiative.

“The group’s operations tend to target government-sponsored projects and take large amounts of information specific to such projects, including proposals, meetings, financial data, shipping information, plans and drawings, and raw data,” it said.

In addition, the report said that Chinese cyber espionage groups had also extended their reach into politics.

“Recently, Chinese groups have been targeting and monitoring elections in neighbouring countries more closely than before, suggesting a more active effort to protect Chinese investments overseas, especially as the country seeks to expand its global influence,” it said.

The group was linked to the Chinese island of Hainan, home to a Chinese signals intelligence facility. Photo: Reuters

FireEye said there was evidence linking the group to internet protocol addresses located in Hainan and other parts of China, that its operations followed typical Chinese working hours, and that it used malware known to have been used in other Chinese cyber operations.

Greg Walton, an independent cybersecurity specialist who previously worked as a consultant for FireEye, said Chinese cyber espionage networks were known to use Hainan IP addresses before.

He said the island province was also home to a Chinese signals intelligence facility and a technical unit of the People’s Liberation Army.

The FireEye report said APT40’s activities lessened after September 2015, when Chinese President Xi Jinping reached an agreement on cybersecurity with former US president Barack Obama, but they had surged since December 2017.

Although APT40 has attracted the attention of international security agencies, the report said the group was expected to remain active.

The report also noted increased activity from Vietnam, Iran and North Korea. Photo: Reuters

“Since 2013, APT40 has come to leverage an enormous library of tools and can shift operations to new targets as required,” it said.

“Despite increased public attention, APT40 has remained undeterred from conducting cyber espionage operations, and we anticipate its operations will continue through at least the near and medium term.”

The report also found that North Korea, Iran and Vietnam have emerged as major players in international cyber espionage.

“We tend to get called in for Chinese state-sponsored activities, and for many years that was it. But in the last three years, we’ve seen a proliferation of [other countries] like Iran, North Korea, Vietnam, a US-based financially motivated attacker … we’re seeing a lot more different types of actors,” Grady Summers, FireEye’s chief technology officer, said at a briefing on the report on Wednesday.

For example, a Vietnam-based cyber attacker group, APT32, was likely to have been behind an email phishing attack targeting officials in Vietnam and Cambodia between March and May this year, while cyber attackers in North Korea had previously targeted financial institutions in developing countries and foreign firms operating in Asia.