China’s attack motivations, tactics, and how CISOs can mitigate threats


A new report published by Booz Allen Hamilton provides detailed insights into global cyber threats emanating from the People’s Republic of China (PRC). The China Cyber Threat Report outlines Beijing’s key motivations for conducting cyber attacks or espionage and the key tactics it employs, and provides strategies for CISOs to help their organizations better identify and prepare for PRC cyber campaigns.

Security, Sovereignty, Development: Main Motives for PRC Cyber Attacks

The report identifies three “core interests” for which China stands ready to authorize offensive cyber operations when they are threatened, relating to the country’s political system, territory and economy:

  • Security (also referred to as political security, popular security, social stability, and national unity) refers to ensuring China’s long-term social stability in its political and social system organized and run by the Chinese Communist Party (CCP). “However, the party sees numerous threats to this stability,” the report said. “Democracy, anti-corruption, and reformist political movements directly challenge the legitimacy of the CCP,” while natural disasters and the COVID-19 pandemic are testing the government’s perceived competence, as are economic slowdowns.
  • Sovereignty (also called national sovereignty, territorial sovereignty and territorial integrity) refers to China’s exclusive authority and control over various land and sea areas, the report said. “China’s top leadership routinely asserts in no uncertain terms that it will not compromise on its territorial claims.”
  • Development refers to China’s ambitions to secure its economic activities – something that has only become an explicit core concern in recent years, the report says. “Threats to PRC development include economic decoupling, restricted access to technologies such as semiconductors, barriers to investment in the PRC, and physical threats to shipping lanes, personnel and offices.”

The report lists various key PRC organizations associated with conducting cyber missions, including the Ministry of Public Security (MPS), the Cyberspace Administration of China (CAC), and the Central Propaganda Department (CPD)/United Front Work Department (UFWD). As for the strategy and targets of cyber attacks, China has developed a “three warfares” approach to shaping the information environment. These are:

  • Psychological: The use or threat of force to influence an opponent’s decision-making, with cyberattacks aimed at signaling China’s position on key issues through controlled, non-escalating destruction and disruption of specific significant targets.
  • Public Opinion: Attempting to control the spread of information, with cyberattacks impeding information sharing by disrupting news websites, social media, and communication platforms.
  • Law: The use of international and domestic laws and legal mechanisms for strategic attack and defense purposes, with China participating in debates about acceptable behavior in cyberspace.

DDoS, ransomware, ICS attacks are among China’s top tactics

The report summarizes the primary PRC attack tactics based on several recent case studies and outlines the four methods most commonly used in campaigns: DDoS, website/digital signage defacement, Industrial Control Systems (ICS) breaches and ransomware. Each has distinctive PRC-specific features and may have a significant impact on the affected companies, the report added.

  • DDoS attacks often use China-based IP addresses and are aimed at signaling targets, resulting in temporary loss of availability of websites and other online resources, increased hosting costs, and inability to engage DDoS mitigation providers.
  • Website/digital signage defacement typically blurs the lines in public sources between independent hacktivists, government-sponsored hacktivists, and faketivists, resulting in loss of communication with key audiences, loss of consumer trust/public unrest, and disclosure of sensitive data.
  • ICS attacks often target the energy and power sectors; access that is obtained but not used may constitute reconnaissance, positioning, or signaling. Impacts include disruption of operational technology (OT) systems, supply chain disruptions, and power, water, or other utility outages.
  • Ransomware attacks, a tactic rarely linked to PRC pro-government groups in public sources, compromise data integrity and system availability and disrupt business operations.

The report recommended CISOs strengthen their risk management approaches to mitigate the above attacks, including:

  • Conducting full reviews of supply chains to understand dependencies and manage associated risks.
  • Conducting command-level wargames based on observed and plausible escalating forms of offensive operations by PRC adversaries.
  • Auditing or reviewing existing security controls for potential threat activity by PRC adversaries.
  • Sharing information with peers, government organizations, and other companies to increase community awareness of current adversarial activity and improve visibility of the threat landscape.

Location, sector, and actions affect the likelihood of facing cyberattacks from the PRC

There are three factors that increase an organization’s likelihood of being the target of, or affected by, a PRC cyberattack, the report said: Location, Sector and Actions. Organizations based in locations where the PRC does not have a clear power advantage (e.g. USA, India, Taiwan) are at greatly increased risk. Those in critical, academic and news/media sectors are at moderately increased risk, with politically significant sectors (e.g. semiconductors) and political entities (e.g. democracy promotion, anti-corruption groups) at much greater risk. Likewise, entities involved in attempts to purposefully undermine the PRC’s online censorship, and/or to target Chinese audiences with anti-PRC messages or messages that conflict with core PRC political positions, are far more likely to be affected by a PRC attack, the report indicated.

Booz Allen Hamilton advised CISOs to consider the risk profiles of their organizations, partners, suppliers and other third parties to better inform and address risk mitigation, including:

  • Assessing organizational resilience to increased threats of cyberattacks on specific countries, with a focus on sectors most likely to be attacked.
  • Incorporating geopolitical analysis into cyber risk assessments.
  • Incorporating cyber risk analysis into the organizational messaging risk management process involving operational, legal and PR stakeholders.

China is developing cyber activities into a ‘potent threat’

China’s growing cyberattack capabilities and global assertiveness have created a powerful threat to the United States and other countries and organizations whose own priorities, goals and policies are at odds with China’s growing core interests, the report concluded.

“Over the past decade, China has better defined the responsibilities of its cyber-enabled agencies and reorganized its operational entities more efficiently. China is now involving both offensive and defensive operators in joint military exercises.” However, the true measure of China’s cyberattack capabilities is unlikely to be fully appreciated in open sources, the report added, and it is “possible that China has decided to expand its full capabilities, or has done so without public attribution”.

Copyright © 2022 IDG Communications, Inc.
