PRC Government Hacking: How It’s Done

In The Chinese Government is Accessing YOUR Network Through the Backdoor and There Still is NO Place to Hide, I explained how Chinese banks are requiring their account holders — including all foreign companies in China — to install malware which allows the Chinese government to see all account holder data. In China Malware: Sorry, Techno Geeks, There Still is no Place to Hide, I explained how, “in China, the government itself is the hacker and it will not allow any foreign or domestic technician to provide services that will defeat the hacker’s ultimate goals.”

The four basic ways China gains access to foreign company networks and company data

In this post, I will explain how China, acting as a nation-state hacker, accomplishes its goals in the network sector by setting out the four basic ways the PRC government gains access to foreign company networks and company data.

1. Forced use of government software that contains malware

The Golden Spy/Golden Helper malware included in the tax payment software required by the PRC government is an example of this method. Subsequent to its initial report on this issue, Trustwave has issued a series of reports on this malware and on Aisino’s response in dealing with the public revelations regarding this software. See GoldenSpy: Chapter Two – The Uninstaller, GoldenSpy Chapter 3: New and Improved Uninstaller, and GoldenSpy Chapter 4: GoldenHelper Malware Embedded in Official Golden Tax Software. These Trustwave reports should be required reading for any foreign company that plans to operate a business in China.

Trustwave’s follow up reports reveal the following three key things;

First, Aisino used the auto-update system in the Golden Spy software to propagate an uninstaller that removed the malware and any files or other traces of its existence. Their software uses a standard update procedure that can then be used to download malware or other unauthorized software at any time. A clean system today can be infected tomorrow. This means this software is a constant source of risk.

Second, Trustwave discovered a related but separate malware program concealed in the Golden Tax software. This malware, dubbed Golden helper, was active in 2018 and 2019. From this, Trustwave reasonably concludes that the tax software malware program is not a recent event, but has been going on for several years at least.

Third, Trustwave confirmed my earlier description of the technique used by the Chinese banks for delivering the Golden Tax software and its malware payload:

During our investigation, we have been informed that the Golden Tax software may be deployed in your environment as a stand-alone system provided by the bank. Several individuals report receiving an actual Windows 7 computer (Home edition) with this Golden Tax software (and GoldenHelper) preinstalled and ready to use. This deployment mechanism is an interesting physical manifestation of a trojan horse.

See GoldenSpy Chapter 4: GoldenHelper Malware Embedded in Official Golden Tax Software.
The description from Trustwave is basically the same as what I previously wrote here, even down to the use of the Windows 7 operating system. See The Chinese Government is Accessing YOUR Network Through the Backdoor and There Still is NO Place to Hide and China Malware: Sorry, Techno Geeks, There Still is no Place to Hide,

When I previously wrote of this prevalent and unstoppable CCP hacking, we received comments that none of this could be correct because it would mean the proliferation of compromised computer systems. It seems odd to people who don’t work in the PRC that the PRC government would require companies use an insecure computer system. But this is not odd when you consider the government’s goals. A compromised system is easy to hack. The government is the hacker, so they make it easy on themselves. The banks may be unaware of the details of the malware and the compromised system; the bank staff is just following orders.

2. Use of network hardware with backdoors installed

It has long been assumed that PRC manufactured network hardware is filled with backdoors that allow unauthorized intrusion by the Chinese government and a recent report confirms this assumption. As reported by ZDNet, a research group has found seven separate instances of malware/backdoors in critical network fiberoptic cable connection devises. See Backdoor accounts discovered in 29 FTTH devices from Chinese vendor C-Data.
ZDNet describes this these intentional backdoors as follows:

Two security researchers said this week that they found severe vulnerabilities and what appears to be intentional backdoors in the firmware of 29 FTTH OLT devices from popular vendor C-Data. FTTH stands for Fiber-To-The-Home, while OLT stands for Optical Line Termination.The term FTTH OLT refers to networking equipment that allows internet service providers to bring fiber optics cables as close to the end-users as possible.

As their name hints, these devices are the termination on a fiber optics network, converting data from an optical line into a classic Ethernet cable connection that’s then plugged in a consumer’s home, data centers, or business centers. These devices are located all over an ISP’s network, and due to their crucial role, they are also one of today’s most widespread types of networking devices, as they need to sit in millions of network termination endpoints all over the globe.

The simple evaluation of this malware is that it is as bad as it gets.

C-Data, the vendor identified here, is a major source for this type of hardware within the PRC. The takeaway here has to be that if this company feels free to include this backdoor system in products it sells outside the PRC, it undoubtedly is unconstrained in doing the same thing within China. This then means any foreign company operating in China should assume that its Internet connection is completely compromised by this type of malware/backdoor in its entire network system. If it is not included in its office system, it is almost certainly included at the ISP or cloud provider level.

This system is installed by telecom providers owned or controlled by the PRC government. Once again, it is the hacker — the Chinese government — setting up the system and it is the hacker that enters company network systems through these back doors.

3. Use of PRC mandated antivirus software

One of the core directives under the new PRC Cybersecurity Law regime is the requirement that networked users use antivirus software provided by the PRC government. Think about this for a minute: the Chinese government requires companies use only the “antivirus” software it provides. This antivirus software both provides a convenient platform for Chinese government hackers to enter the user’s computer network but it also no doubt is programmed to not reveal Chinese government malware.

The risks in hacked antivirus software are well known in cybersecurity circles. In Former U.S. spies say antivirus software makes for a perfect espionage platform, Cyberscoop discusses how antivirus software is great for espionage:

Because most antivirus vendors have designed their products to autonomously search for computer viruses on users’ systems by directly scanning files and then sending that data back to a server for analysis, the software is highly intrusive by nature.

Aside from the remote risks, antivirus can extend the attack surface of a host,” said Blake Darche, a former computer network exploitation analyst with the NSA. “If an attacker can gain access to the central antivirus server within an organizations network, that central server can be used for malware distribution.”

Software updates, which can help patch bugs or other issues in a product, adds another attack vector because it provides a trusted avenue for the remote introduction of code into computers around the world.

Chinese hackers are well acquainted with using antivirus software for this purpose. See: Research claims CCLeaner attack carried out by Chinese-linked group.

Within the PRC, use of mandated PRC antivirus software takes Chinese government hacking risks to an even higher level. Within the PRC, there is no need for a remote hack. The hacker itself (the Chinese government) provides companies with what is essentially a pre-hacked system.

This pre-hacked system has two major effects. First, the system will not screen against malware created by the PRC government. Second, the system will serve as the vector for inserting a continuous stream of malware provided by the PRC government and its partners.

Consider the parallel situation in the U.S. Imagine a scenario where the NSA and the FBI are the only vendors of antivirus software. This software might be effective at screening malware from criminals and foreign actors. But nobody would expect that software would protect users from NSA or FBI intrusion. That would be silly. It is sillier still to believe this about the PRC and its government mandated antivirus software.

4. Shift from email to WeChat

After the Chinese government banned Gmail in China, Chinese government agencies began pushing foreign companies to communicate using PRC approved email services. These services do not work well and are widely known to be insecure. Most foreign companies therefore continued to use alternative U.S. and European based email providers. These services are relatively secure from message interception by the Chinese. Proton mail and other systems with end to end encryption are quite secure in China.

The Chinese government could have taken a next step by blocking access to all foreign based email providers. But the Chinese agencies have taken a more creative approach. Now that the Chinese government has assumed essentially complete control over WeChat, Chinese agencies force all communications onto the WeChat application. If you send an email to your bank, your bank will not respond. If you send an email to your local tax office, it will not respond. If you send an email to the local police department concerning your visa status, it will not respond. The same holds true for Chinese courts, which typically respond to us simply by requesting we communicate with them using WeChat. This is even true when documents are submitted. Chinese government agencies almost invariably require submissions as a WeChat attachment rather than as an email attachment.

This then means a shift from adequate security to no security at all. This can be seen by the recent Amnesty International rating of instant messaging applications. Amnesty International rated the 11 top messaging applications on their use of encryption and protection of user privacy on a scale of 0 to 100. Facebook received the highest rating of 73. WeChat received a zero rating. In other words, Amnesty International concluded that WeChat provides literally no protection at all from hacking. None. Nada. Zero. Zilch. 没有. See FOR YOUR EYES ONLY? Ranking 11 technology companies on encryption and human rights.

This forced move to a completely insecure communication platform was done in a typical CCP way. There is no law or regulation that says foreign based email is prohibited. There is no law or regulation that says using a completely insecure WeChat is required. The “rule” is imposed in practice. If you send an email, it will not be returned. If you call or visit a government agency to complain, the response is: “Use WeChat. Everyone else does. You should too.” And so the rule is imposed, with no obligation on the part of the Chinese authorities to formalize or publish the rule.

Conclusion

My goal with these posts on cybersecurity in China is to describe the on the ground cybersecurity realities for foreign companies operating in China. As you have seen, the Chinese government is the hacker so it can have full access to all information about the foreign entities that operate in its midst — from critical information concerning protected technologies down to the most mundane facts about the daily activities of the foreign company and its employees. In our digitized world, that information is available on computer systems and networked communications of the foreign owned entity.

The Chinese government obtains the information it wants by using the techniques I have described. In fact, I have outlined only a subset of the various techniques it uses to gain access to information.

Of course, the Chinese government encourages foreign owned entities to protect themselves from from criminal hackers and from intrusions conducted by their non-state owned business competitors. Under the new cyber regulations, this form of self-protection is legally required for enterprises operating in critical sectors.

But the flip side to this requirement is that the Chinese government allows for no protection against its own acquisition of that same information. Attempts to block access by the Chinese government are futile. One attack vector may be blocked in one case of infection. But as a practical matter, it is not possible to defend against attacks by a PRC government that uses a full set of penetration techniques. The only question is whether the Chinese government is interested or not. If they are interested, they will succeed. There is no place to hide.

UPDATE: A federal grand jury in Spokane, Washington, returned an indictment charging two hackers, “both nationals and residents of the People’s Republic of China (China), with hacking into the computer systems of hundreds of victim companies, governments, non-governmental organizations, and individual dissidents, clergy, and democratic and human rights activists in the United States. . . . The hackers stole terabytes of data which comprised a sophisticated and prolific threat to U.S. networks.

This hacking program was conducted over a 10 year period and they were just recently caught. This shows how difficult it is to protect against Chinese government hacking even outside the PRC where there is actually access to the best cybersecurity tools available.