J.D. Work serves as the Bren Chair for Cyber Conflict and Security at Marine Corps University. He holds additional affiliations with the School of International and Public Affairs at Columbia University, the Elliot School of International Affairs at George Washington University, and as a senior advisor to the Cyberspace Solarium Commission. He can be found on Twitter @HostileSpectrum. The views and opinions expressed here are those of the author(s) and do not necessarily reflect the official policy or position of any agency of the U.S. government or other organization.
According to Chinese cybersecurity vendor Qihoo360, over the past month, some two hundred targets linked to the Chinese government’s COVID-19 response were allegedly compromised by threat group DarkHotel, which has also been referred to as SHADOW CRANE, Fallout, and DUBNIUM by different firms (I will use DarkHotel in this piece not as validation of any specific company’s work but because it has been widely used in the press). This intrusion set, active since at least 2009, first received industry attention after targeting multiple U.S. policy and defense industrial base systems. Initial attribution varied widely, and preliminary theories linked the group at differing times to China and North Korea, based largely on simple cui bono analysis. Later consensus emerged indicating a South Korea nexus, including suggestions of state-level responsibility.
Coverage of the intrusion set by major cybersecurity vendors, such as Broadcom (Symantec), CrowdStrike, FireEye, Google, McAfee, Microsoft, and others [PDF], was initiated due to threats posed to their client base and ongoing access to apparently robust zero-day procurement mechanisms, supplying the attackers with multiple new exploit options to hack common operating system and application targets used by enterprises worldwide. However, focus on technical characteristics of specific malware implants, delivery mechanisms, and associated exploitation capabilities tended to largely gloss over implications of DarkHotel's other cyber operations against government and military targets within North Korea and China.
Chinese cybersecurity firms, including Qihoo360, Tencent, and Qi-AnXin, have in recent years also reported on DarkHotel, assigning new designators to the activity as APT-C-06 and T-APT-02. Such coverage emulates Western intelligence, albeit in a somewhat less mature form as commercial practices evolve in Chinese industry. These firms have also been involved in informal exchanges with Western practitioners to share findings about DarkHotel. Yet, it remains unclear the extent to which research findings circulated by these Chinese companies reflect independent, objective discovery vetted through properly rigorous analytic tradecraft.
Cyber Intelligence With Chinese Characteristics
Chinese critics have previously characterized Western firms as mere fronts for U.S. government intelligence and have advocated that China pursue a similar model. This reflects a distorted view of the complex motivations and incentives within global cyber intelligence markets and calls into question the legitimacy of Chinese cyber intelligence reporting.
Chinese tech majors’ cyber intelligence reporting offers an opportunity to provide new deliverables that advance Chinese government narratives of victimization by foreign actors and offset reputational damage done by repeated attribution of economic espionage to the People’s Liberation Army and Chinese Ministry of State Security. Reporting by Chinese vendors further serves to identify new zero-day exploits used by China’s adversaries and offers a stream of Common Vulnerabilities and Exposures (CVE) enumeration to highlight when foreign security researchers accuse the companies of withholding discovered vulnerabilities for use by Chinese cyber actors.
Chinese intelligence reporting is problematic at best in the absence of visibility into the relationships between these firms and the Chinese government and the incentives that they create. This is illustrated by another Qihoo360 and Qi-AnXin disclosure that focused on the Longhorn/Lamberts intrusion set, dubbed by Beijing as APT-C-39/Rattlesnake. This work argued a connection between artifacts disclosed in the Vault7 leaks of alleged stolen Central Intelligence Agency documents and incidents that these companies claimed to have observed in Beijing, Guangdong, and Zhejiang dating back to 2008. This ultimately advanced unsupported allegations of U.S. attempts to acquire classified information belonging to Chinese companies. Such actions would be in violation of the United States’ unilateral prohibition against using the U.S. intelligence community to enrich American businesses. These allegations were made during a politically useful time for the Chinese government, as Western intelligence had just demonstrated multiple violations of commitments made by President Xi in 2015 to cease cyber economic espionage. Due to the close relationship between Beijing and Chinese cybersecurity companies, it is unlikely that these unjustified but politically convenient claims resulted merely from individual analytic error.
Implications and Outlook
Recent Chinese disclosures of DarkHotel operations also likely serve a political purpose. Beijing is under intense pressure, both internationally and domestically, after suppressing early warnings of COVID-19 and falsifying statistics, timelines, and other basic data about the outbreak. The conveniently timed linkage of South Korean-attributed intrusions to the COVID-19 pandemic is unsupported by published technical evidence. This emphasizes the need to critically evaluate such claims, despite contemporaneous news alleging DarkHotel intrusions against the World Health Organization (WHO), which has been under heavy Chinese influence.
Intrusions against medical infrastructure are presumptively illegitimate violations of cyber norms advanced by nations in a time of peace, and if resulting in destructive effects during hostilities, may be violations of the law of armed conflict. However, targets described by Qihoo reach beyond health-care entities—suggesting clear political intelligence objectives throughout the campaign. Likewise, though it is difficult to distinguish espionage from operational preparation of the environment, there have been no indications of attack staging. Any destructive attack would of course be beyond the pale in the current crisis, demanding immediate response.
Chinese government attempts to evade accountability for aggravating the worldwide pandemic have placed new challenges on the international system, both to treat disease and deal with deliberate disinformation from Beijing. On top of that, by including the Chinese health-care system in a longer list of political targets that other major actors would consider legitimate, Chinese cyber firms could be weakening normative efforts to distinguish which types of targets are off-limits. The long-term effect of saying everything is out of bounds is to make nothing out of bounds as actors ignore the norms process as unrealistic and unworkable.