Elizabeth Merrigan is an intern in the Council on Foreign Relations Digital and Cyberspace Policy program.
Since at least 2013, APT17 has reportedly been responsible for a number of network intrusions against U.S. and Southeast Asian government entities, defense industries, law firms, information technology companies, mining companies, and non-governmental organizations. In July 2019, a hacking group calling themselves Intrusion Truth claimed that three members of APT17, which is also known as Deputy Dog and Axiom, are associated with the Jinan Bureau of China’s intelligence agency, the Ministry of State Security (MSS). Based on their findings, Intrusion Truth believes that APT17 carries out on-demand hacking operations for the MSS. What makes this story even more interesting is the discovery that APT17 has simultaneously targeted Chinese citizens for financial gain.
According to documents secured by Intrusion Truth, APT17 has circulated a “Price List” of data it has been actively acquiring from Chinese targets to sell for profit among the hacking community in China. While they might be collecting the data to sell it to the MSS, it is also possible that in some instances APT17 operates independently of the Chinese agency and simply sells to the highest bidder. If the latter is true, then it would be difficult to characterize the nature of the relationship between the MSS and APT17 or the extent of the MSS’s control over threat groups like it. Given the widespread visibility into and control over Chinese networks that the MSS and other Chinese agencies have, it is not hard to conclude that APT17 enjoys protection from the legal consequences of for-profit activities against Chinese citizens.
Multiple security firms, including FireEye and ProtectWise, have determined APT17 to be operating under the “Winnti umbrella” of Chinese threat actors. While experts believe that the multiple threat groups associated with the Winnti umbrella have been active since at least 2009 and carry out attacks as distinct teams with varying levels of expertise, these groups appear to share tactics, techniques, procedures, and even portions of hacking infrastructure to target Chinese state objectives.
APT17 gained notoriety in 2010 for its involvement in Operation Aurora, an attack on Google and at least thirty-three other companies in the technology, financial, and defense industries, which was attributed to Beijing. In a post dated January 12, 2010, Google revealed that the hack had breached the email accounts of Chinese human rights activists. Three years later, the Washington Post provided more evidence of state sponsorship by reporting that the hackers had gained access to a sensitive database of U.S. surveillance targets during the attack in order to identify Chinese intelligence operatives who had been compromised by the U.S. government.
While the members of the Winnti umbrella are known to have primarily targeted political entities of interest to the Chinese government, including Uighur and Tibetan activists, journalists, and public figures, some groups, similar to APT17 with its menu of stolen data, appear to operate on “secondary,” often financial incentives. The nature of these secondary activities complicates our understanding of the lines of control between threat actors and state sponsors.
According to FireEye, Chinese state-sponsored threat group APT41 has spied on global technology, telecommunications, and healthcare providers for the Chinese government, while also targeting video game companies and cryptocurrency funds for profit. Uniquely among tracked China-based actors, APT41 deploys non-public tools “typically reserved for espionage campaigns,” some of which are shared by APT17, in what appear to be financially motivated attacks. In particular, APT41 has targeted East and Southeast Asian video game distributors as well as their popular online games, even those with sizable Chinese markets, to manipulate virtual currencies and steal source code. FireEye tracked and observed the activity of two “espionage contractors” from APT41 outside of normal business hours and found that while they have targeted video game companies and players for profit since 2012, they began concurrently conducting cyber espionage and intellectual property theft for China in 2014. The techniques used in targeting the gaming industry likely became useful in their espionage activity, just as tools adopted from cyberespionage operations on behalf of the Chinese government have been deployed against targets not of interest to Beijing.
As in Intrusion Truth’s analysis of APT17, FireEye cites APT41’s use of the same malware in both financially motivated and state-sponsored activity as evidence, assessed with “moderate confidence,” that it operates as a group of contractors rather than as state employees, who would be subject to greater scrutiny and less likely to operate independently of the MSS. Outside of state-sponsored activities, some of these contractors conduct business in underground marketplaces, advertising their skills and services. A key feature of Chinese cyber policy has been increased integration between government units and the contractors and freelancers who can strengthen state resources, as skilled individuals tend to work for private sector entities with government contracts because of better pay.
The continuation of these commercially-focused crimes suggests that threat actors contracting for the Chinese government enjoy legal immunity or have at least evaded consequences thus far. This unusual blurring of lines between state- and non-state threat actors will continue to not only encumber the process of attribution, but also obscure our understanding of China’s policy regarding its intelligence apparatus. If APT17 and APT41 are indeed contractors, not state employees, it may indicate China’s willingness to overlook rogue criminal activity—even domestically—if it means gaining access to the best cyber talent.