China is Now Number 1… in APT Attacks

If you are an IT staff member or work in upper management at a large company or organization, no one needs to tell you what an APT attack is. That’s because you are likely dealing with them on a daily basis. If you are not dealing with them, it’s probably because you simply haven’t discovered the fact that you are under attack.

APT stands for advanced persistent threat. It means exactly what it says. These attacks use advanced hacking techniques because they are undertaken by hacking groups that are well-funded and well-equipped by governments. These governments have the money and time to develop state-of-the-art hacking tools. They are not looking to make a quick buck, in fact, just the opposite. They are most often interested in getting data or information and they don’t care how long they have to wait to get it. In this way, they are persistent and once on a network are happy to hide and wait for years to get what they came for. Because of these features, they constitute a major, perhaps even the most serious, threat to companies and organizations.

It’s important to note that you don’t have to be in a major corporation to be hit with an APT attack. It is becoming more and more common for the attackers to go after the supply chain; that is, smaller companies connected to larger companies or organizations. This is sometimes easier for the attackers because smaller companies don’t often have the finances to construct strong cybersecurity defenses. Once compromised, these smaller companies serve as conduits to the bigger companies.

There are four countries supporting most of the APT hacking groups. These are Russia, North Korea, Iran, and China. Of course, this is a western perspective. If you were to ask Russia and China, they would probably list the U.S. as their main hacking threat. But there is a difference.

Yes, the U.S. does use hacking to keep an eye on foreign governments and foreign companies. U.S. intelligence probably knows quite a lot of what their adversary’s latest plans are and what technologies they are working on. The difference between the U.S. and China is that China feeds any information they find back to the Chinese companies that will benefit most from it. And China makes no secret of this.

Released in 2015, China’s 2025 plan has the stated goal of becoming the world leader in key areas of technology. They have put pressure on their own tech industries to reach this goal in whatever way they can. One way is to require any foreign tech company that wants to work in China to give up the secrets to their technology. Why spend time and money on researching technology that other companies have already developed? Under government pressure, it is little wonder that Chinese tech companies have tried to encourage foreign tech companies to work with them. The Chinese government has enlisted the help of Chinese university students studying in the U.S., who they encourage to work for specific industries and organizations, clearly with the goal of them bringing back important information to China. They have also recruited U.S. researchers. Chinese hackers, working with the Chinese government, are continuing their attempts to hack into and steal data from key industries. FBI Director Christopher Wray says that they are looking into China-related economic espionage in most of its 56 field offices. “Put plainly, China seems determined to steal its way up the economic ladder, at our expense.”

To this end, China has created a number of government sponsored hacking groups. Of the 20 most dangerous APT threat groups in the world, FireEye has listed China behind eleven of them. Each group has designated targets that are assigned by the Chinese government. Here are the groups and targets that are listed in the FireEye report. Pay especial attention if your business or organization is in the targeted sectors.

APT1 – Information Technology, Aerospace, Public Administration, Satellites and Telecommunications, Scientific Research and Consulting, Energy, Transportation, Construction and Manufacturing, Engineering Services, High-tech Electronics, International Organizations, Legal Services Media, Advertising and Entertainment, Navigation, Chemicals, Financial Services, Food and Agriculture, Healthcare, Metals and Mining, Education

APT3 – Aerospace and Defense, Construction and Engineering, High Tech, Telecommunications, Transportation

APT10 – Construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan

APT12 – Journalists, government, defense industrial base

APT16 – Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries

APT17 – U.S. government, and international law firms and information technology companies

APT18 – Aerospace and Defense, Construction and Engineering, Education, Health and Biotechnology, High Tech, Telecommunications, Transportation

APT19 – Legal and investment

APT30 – Members of the Association of Southeast Asian Nations (ASEAN)

APT40 – Maritime targets, Defense, Aviation, Chemicals, Research/education, Government, and Technology organizations

APT41 – Nothing shows more clearly the Chinese government’s hand behind hacking than APT41. What apparently began as an independent hacking group has joined up with the Chinese government. In the past, this group concentrated on hacking the video game industry to make money. However, as they coordinated more and more with the Chinese government over the years, their targets have changed. The graphic below, modified from FireEye, show this change.

apt41 targets

The members of APT41 are, apparently, allowed by the Chinese government to hack for profit so long as they work with the government on other types of hacking. The Chinese government will even supply some high-powered hacking tools to help them out. In other words, financially motivated hacks have become far more dangerous.

Despite the advanced nature of all of these APT attacks, they all seem to begin in a more traditional way; with a well-designed spear phishing email. A report from the DHS on spear phishing attacks and the health industry gives the following examples.


It is possible that the target has had trouble with violating the Fair Labor Standards Act in the past. It is also possible that they had previously been contacted by the Better Business Bureau. An attacker who managed to compromise a network would work through it to find information that they could use to compose a successful spear phishing email. The link that the victim is directed to is hidden in a shortened bitly format. It can, thus, be assumed that the download mentioned is, in fact, a malicious program designed to take over the victim’s computer.

Any information found by the attackers while in a network can be leveraged to create a legitimate-looking phishing email. Here is an example in which the attackers uncovered some personal information about a victim and created an email with a link to a malicious doc file. It would seem like a difficult download to avoid.

phish personal

If a group like APT41 was behind such an attack, they could hack for profit and information at the same time. It’s an attractive position to be in for an experienced hacker. With no fear of prosecution, they would, with the most sophisticated tools, be able to launch a lucrative campaign of terror on businesses and institutions around the globe; a very disturbing thought, indeed.

The Chinese government shows no signs of backing away from this lucrative business model. In fact, Chinese-based APT attacks are on the rise and China will continue to top the list of cyber threats in 2019. (Chart from ZDNet)

china threat

It is possible that the recent trade war between the U.S. and China may increase the number of Chinese cyber attacks against the U.S. as China tries to get information that will strengthen its bargaining position. However, in so doing, they may end up undermining themselves and proving that they are, in fact, a nation that needs to be restrained. This restraint would have to be in the one form China seems to understand; a coordinated strategy whose professed goal is economic destabilization. If China is made to feel like the victim of its own ideals, it may reconsider its business model.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s