“China’s cyber pursuits and its industry’s export of related technologies increase the threats of aggressive cyber operations against the U.S. homeland. . . “
– The US Office of the Director of National Intelligence’s 2023 Annual Threat Assessment
International espionage, digital warfare, and cyber threats to private corporations on the periphery: it is all unfolding with unprecedented intensity. In the past few years, revelations about China’s sophisticated cyber-espionage operations and the Central Intelligence Agency’s (CIA) expansive digital intrusions against enemies, allies and friends reveal a stark reality: the cyber battleground is more active than we may realize. This article looks at the escalating cyber conflict between two of the world’s most formidable powers, China and the United States, particularly its CIA, as they engage in high-stakes digital warfare.
The transformation of China’s cyber capabilities from legacy tactics to a formidable, state-of-the-art arsenal marks a significant shift in global cybersecurity dynamics. Under the direction of President Xi Jinping, China has not only intensified its cyber operations but has also emerged as a cyber superpower, rivaling even the United States. The use of advanced malware like Daxin, in use since at least 2013 yet not publicly documented until 2022, in global espionage operations is a testament to China’s growing prowess in the digital domain.
On the other side of the digital divide, the CIA, with its long history of covert operations, has been implicated in a series of cyberattacks targeting various countries, including China. Investigations have unearthed the agency’s use of sophisticated tools and techniques, pointing to a comprehensive and well-funded state-backed hacking initiative.
As the digital potshots between China and the United States (CIA) ramp up, we analyze their strategies and tactics and assess the broader implications of their digital confrontations for cybersecurity and geopolitics.
China’s Growing Cyber Capabilities
Over the past decade, the People’s Liberation Army (PLA) and other state-backed entities have shifted their focus from mere data theft and espionage to more complex operations targeting critical global infrastructure. This transition reflects China’s broader strategic goal to assert its influence and safeguard its interests in the digital domain.
President Xi Jinping’s tenure marks a pivotal turn in China’s cyber strategy. Under his leadership there has been a concerted effort to integrate and amplify China’s cyber capabilities: military and intelligence structures were reorganized with cyberwarfare as a high priority, most visibly through the creation of the PLA Strategic Support Force in 2015, which consolidated space, cyber and electronic warfare units under one command, and military and civilian technological resources were realigned to match the perceived threat from the United States.
China Uses Advanced Malware Like Daxin in Global Espionage
A striking example of China’s enhanced cyber capabilities is the deployment of Daxin, an advanced malware tool disclosed by Symantec’s Threat Hunter Team in February 2022. Described by its discoverers as one of the most sophisticated pieces of malware ever used by China-linked hackers, Daxin has been instrumental in espionage operations against government and telecommunications targets.
How does Daxin work (simplified)?
Daxin uses several advanced techniques to avoid detection and carry out its work. It does not open network connections of its own; instead it waits for an ordinary connection to arrive at the infected machine, quietly takes it over, and talks to its operators inside a session the network already trusts, so standard security tools see nothing new. Because it runs at the core of the operating system (the kernel), it can alter how the system behaves to hide itself and to control functions such as file access. Daxin is adaptable, able to load new components depending on the task, and can relay commands through several infected machines inside a network to reach computers that have no direct internet access. Stolen data leaves over the same disguised sessions, and the kernel component is set up to load again at every boot. Its appearance on disk and in memory can be varied between builds to frustrate antivirus signatures.
How does Daxin work (technical)?
- Hijacking existing TCP connections: Symantec’s analysis describes Daxin as a Windows kernel driver that watches incoming TCP traffic for a specific byte pattern. When the pattern appears, it disconnects the legitimate recipient, takes over that connection inside the network stack, performs a custom key exchange with the remote peer and then carries its command-and-control channel over the session. No new listening port or outbound beacon is created, so monitoring that keys on new connections or unusual destinations sees only an already-permitted session. What remains observable is ciphertext on a port that should carry plaintext, and a connection that the compromised host’s own socket table may no longer report because the user-mode owner has been cut off.
- Kernel-level rootkit techniques: Running as a kernel driver is what lets Daxin interpose on the network stack in the first place. The specific hooks it uses are not public; generic kernel rootkit techniques at this level include hooking NtQueryDirectoryFile in the Windows Native API to hide files from directory listings, or intercepting IRP_MJ_READ and IRP_MJ_WRITE I/O request packets in the storage stack to alter file operations. On 64-bit Windows, Kernel Patch Protection (PatchGuard) makes direct patching of the system call table risky, so modern kernel implants tend to favour filter drivers and registered callbacks over classic table hooks.
- Modular payloads and multi-hop lateral movement: Daxin loads additional components at runtime, and its documented networking lets an operator chain a channel through several infected machines inside the target network with a single command, reaching segments that have no direct internet path. PowerShell, WinRM or WMI, which blend in with legitimate administrative activity, are generic options for lateral movement that any implant may use; they are not what distinguishes Daxin.
- Stealthy data exfiltration: Daxin’s documented channel is the hijacked TCP session itself, within which the operator can read and write arbitrary files and start and interact with processes. Covert channels in other benign-looking protocols, such as DNS tunneling (encoding data in the subdomain labels of queries to an attacker-controlled zone), are a common alternative in other implants and illustrate the same principle of hiding in expected traffic.
- Persistence mechanisms: A kernel driver normally persists as a Windows service entry under HKLM\SYSTEM\CurrentControlSet\Services so that it loads at boot, which is the natural mechanism for Daxin’s driver component. Scheduled tasks or registry run keys that reinstall a removed component are a further possibility, but are not documented for Daxin.
- Evasion tactics: To evade antivirus and EDR products, Daxin may rely on code obfuscation, decrypting payloads only in memory, or packing that changes the on-disk signature of each build. Its most effective evasion, however, is architectural: running in the kernel and reusing existing connections leaves user-mode sensors and flow-based network monitors little to see.
- Exploiting specific vulnerabilities: Open-source descriptions of Daxin do not detail its initial access, but it is plausible that the operators exploit specific vulnerabilities for entry or privilege escalation, for example known flaws in internet-facing network services or unpatched operating systems.
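The connection-takeover behaviour described above suggests a host-versus-network cross-view check. The following is an added example written for this article, not code from the original page, from Symantec or from any Daxin analysis. It assumes two constructed inputs, the socket table the host reports and the flows a network sensor observes, plus constructed payload samples, and a threshold of 7 bits per byte for payloads on ports that normally carry plaintext. A session that is active on the wire but absent from the host’s socket table, or that carries ciphertext-like data on a port such as 80, is reported.

```python
"""Cross-view check for in-kernel connection hijacking (added example).

Two views of one host's network activity are compared:
  * host_view: TCP connections the host itself reports (what netstat or
    GetExtendedTcpTable would show; on a compromised host this comes from
    the kernel the rootkit controls).
  * wire_view: flows observed by a span port or network sensor.
A flow active on the wire but missing from the host's table is either
hidden by a rootkit or serviced below the socket layer, which is what an
implant that takes over an existing TCP session looks like from outside.
A second check flags sessions on plaintext ports whose payload looks
encrypted (high Shannon entropy). All flows and payloads are constructed.
"""
import hashlib
import math
from dataclasses import dataclass

# Ports whose normal traffic is readable text; extend for the environment.
PLAINTEXT_PORTS = {21, 23, 25, 53, 80, 110, 143}
ENTROPY_THRESHOLD = 7.0   # bits per byte; HTTP/English text sits around 4-5


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def hidden_flows(host_view, wire_view):
    """Flows active on the wire that the host does not report (wire order kept)."""
    reported = set(host_view)
    return [f for f in wire_view if f not in reported]


def encrypted_on_plaintext_port(payloads, threshold=ENTROPY_THRESHOLD):
    """(flow, entropy) for plaintext-port flows whose payload is high entropy."""
    hits = []
    for flow, data in payloads.items():
        if flow.dport in PLAINTEXT_PORTS or flow.sport in PLAINTEXT_PORTS:
            h = shannon_entropy(data)
            if h >= threshold:
                hits.append((flow, round(h, 2)))
    return hits


# --- constructed sample data (hypothetical addresses) ---------------------
VICTIM = "10.0.0.5"
NORMAL_WEB = Flow(VICTIM, 51000, "10.0.0.9", 80)        # ordinary intranet HTTP
NORMAL_TLS = Flow(VICTIM, 51002, "93.184.216.34", 443)  # ordinary HTTPS
HIJACKED = Flow("203.0.113.7", 40000, VICTIM, 80)        # inbound session taken over in-kernel

HOST_VIEW = [NORMAL_WEB, NORMAL_TLS]                      # what the host admits to
WIRE_VIEW = [NORMAL_WEB, NORMAL_TLS, HIJACKED]            # what the sensor sees

# Deterministic stand-in for ciphertext: SHA-256 digests over a counter.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(128))
PAYLOADS = {
    NORMAL_WEB: b"GET / HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: curl/8.0\r\n\r\n",
    NORMAL_TLS: CIPHERTEXT_LIKE,   # encrypted, but 443 is expected to be
    HIJACKED: CIPHERTEXT_LIKE,     # encrypted on port 80: anomalous
}


def findings(host_view=HOST_VIEW, wire_view=WIRE_VIEW, payloads=PAYLOADS):
    """Run both checks and return a list of (reason, flow) findings."""
    out = [("not in host socket table", f) for f in hidden_flows(host_view, wire_view)]
    out += [(f"entropy {h} on plaintext port", flow)
            for flow, h in encrypted_on_plaintext_port(payloads)]
    return out


if __name__ == "__main__":
    for reason, flow in findings():
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {reason}")
```

In practice the host view comes from an agent that snapshots the connection table, and the wire view from NetFlow or a packet sensor; the hijacked session is reported twice here (once by each check), which is the point: the two signals are independent, so a rootkit that defeats one still trips the other. The entropy check needs enough payload bytes to be meaningful (a few hundred at least) and will also flag legitimate opportunistic encryption such as SMTP STARTTLS, so its output is a hunting lead rather than an alert on its own.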
China Exploits Zero-Day Vulnerabilities and Executes Large-Scale Hacking Campaigns
China’s cyber strategy has been increasingly aggressive in exploiting zero-day vulnerabilities, flaws in software or hardware that are unknown to the vendor and can therefore be exploited before a fix is available. The exploitation of these vulnerabilities has become a hallmark of Chinese cyber operations, allowing them to infiltrate and compromise systems globally.
For example, starting in 2020, a significant uptick in the use of such vulnerabilities was observed, indicating a more assertive stance in cyber espionage and warfare. The following timeline, drawn from the US Cybersecurity and Infrastructure Security Agency (CISA), shows the growing number of advisories on Chinese state-sponsored cyber activity published since 2017; it measures what has been publicly attributed, which is a lower bound on the activity itself.
CISA Timeline of Chinese Cyber Threats:
- September 27, 2023: Advisory on BlackTech cyber actors linked to China, focusing on router firmware exploitation.
- May 24, 2023: Advisory on China’s state-sponsored actors using LOTL techniques.
- October 6, 2022: Advisory on top CVEs exploited by Chinese state-sponsored actors.
- June 7, 2022: Advisory on Chinese exploitation of network providers and devices.
- August 20, 2021: Advisory on observed Chinese TTPs targeting various sectors.
- July 21, 2021: Advisory on Chinese intrusion campaign targeting U.S. oil and gas pipelines from 2011 to 2013.
- July 20, 2021: Advisory on TTPs of APT40 actors associated with China’s MSS Hainan State Security Department.
- July 19, 2021: CISA Insights on Chinese cyber threats overview.
- March 03, 2021: Alert on exploitation of Microsoft Exchange Server vulnerabilities.
- October 1, 2020: Alert on potential Chinese cyber response to U.S.-China tensions.
- September 14, 2020: Advisory on Chinese MSS-affiliated cyber threat actor activity.
- August 3, 2020: MAR on Chinese Remote Access Trojan: TAIDOOR.
- May 13, 2020: Joint CISA and FBI announcement on PRC targeting COVID-19 research organizations.
- February 2019: CISA webinar on Chinese cyber activity targeting MSPs.
- October 3, 2018: Alerts addressing the CLOUD HOPPER campaign exploiting MSPs.
- April 27, 2017: Alert on intrusions affecting multiple sectors by Chinese cyber actors.
The CIA’s Cyber Espionage Activities
The Central Intelligence Agency (CIA) of the United States has long been a central figure in the world of espionage and intelligence. However, recent revelations have cast a spotlight on the agency’s extensive involvement in cyber espionage. Reports indicate that the CIA has conducted a series of cyberattacks targeting not just adversaries but allies as well.
One such report came from Qihoo 360, a leading Beijing-based cybersecurity firm, which in March 2020 accused the CIA of an 11-year hacking campaign against Chinese industries and government agencies. The campaign, which Qihoo 360 tracks as APT-C-39, is said to have spanned September 2008 to June 2019 and to have focused on sectors such as aviation, scientific research, petroleum, and internet companies.
Qihoo 360 attributed these attacks to the CIA on the basis of technical overlap with the Vault 7 hacking tools published by WikiLeaks in 2017. The researchers noted, “By comparing relevant sample codes, behavioral fingerprints, and other information, we can be pretty sure that the cyber weapon used by the group is the cyber weapon described in the Vault 7 leaks.”
The CIA’s cyber operations were given more latitude through a secret presidential finding issued by President Donald Trump in 2018, first reported by Yahoo News in 2020, which granted the agency more autonomy to conduct cyber operations without case-by-case White House approval. This directive allowed the CIA to target countries like China more aggressively, focusing on offensive cyber actions such as disruption and destruction. The order was described as “very aggressive,” giving the agency “very specific authorities to really take the fight offensively to a handful of adversarial countries.”
The Trump administration’s directive also led to a reduction in oversight and restrictions, allowing the CIA to engage in “hack-and-dump” operations, where stolen documents or data were deliberately leaked online. This approach drew comparisons to tactics used by Russian hackers and WikiLeaks, with a former official remarking, “Our government is basically turning into f****ing WikiLeaks, [using] secure communications on the dark web with dissidents, hacking and dumping.”
These developments have raised significant concerns about the legal and oversight implications of the CIA’s expanded cyber capabilities. The reduced oversight and rapid approval process for cyber operations have led to worries about potential risks and unintended consequences. The global impact of these operations is profound, with the CIA accused of obtaining classified business information from China and potentially other countries, as speculated in the Qihoo 360 report: “We speculate that in the past eleven years of infiltration attacks, the CIA may have already grasped the most classified business information of China, even of many other countries in the world.”
The Cyber Arms Race: China vs. the CIA
The cyber arms race between China and the United States, particularly the CIA, is a defining aspect of contemporary international relations. On one hand, China has rapidly developed its cyber capabilities, transitioning from basic cyber espionage to sophisticated, large-scale operations targeting global infrastructure. On the other hand, the CIA has been leveraging advanced cyber tools and techniques, as revealed in the Vault 7 leaks. While China’s approach is characterized by a blend of military and civilian cyber operations, the CIA’s operations are marked by their complexity and coordination with other U.S. intelligence agencies like the NSA.
Both powers possess formidable capabilities in exploiting zero-day vulnerabilities, but their strategic applications differ: China focuses on long-term infiltration and intelligence gathering, whereas the CIA emphasizes disruption and the collection of strategic intelligence.
China’s and the CIA’s Tactics and Strategies in Cyber Warfare
China’s cyber strategy under President Xi Jinping has been one of aggressive, long-term expansion. The use of advanced malware like Daxin and the exploitation of zero-day vulnerabilities reflect a strategic approach aimed at maintaining long-term access to sensitive information and critical infrastructure. In contrast, the CIA’s cyber strategy appears to be more diverse, involving not only espionage but also the potential for cyber sabotage.
Impact of these Activities on Global Cybersecurity and Geopolitics
The cyber activities of China and the CIA have significant implications for global cybersecurity and geopolitics. For smaller states and non-state actors, this escalating cyber arms race presents a complex challenge, as they may find themselves inadvertently caught in the crossfire or used as pawns in larger geopolitical games.
Moreover, the actions of China and the CIA in cyberspace are reshaping the norms and boundaries of international conduct. The blurring lines between espionage, cyber warfare, and statecraft are leading to a new paradigm in international relations, where cyber capabilities are integral to a state’s continued influence and relevance. This dynamic is likely to influence future international cybersecurity policies, alliances, and regulations. One wonders, though, how effective these alliances will be.
Recent Impact on Critical Infrastructure and Global Security
The recent surge in Chinese cyberattacks targeting critical U.S. infrastructure, and that of other nations, marks a significant escalation in global cyber threats. These attacks have encompassed a wide range of sectors, including power, water, communications, and transportation systems. Notably, reported incidents such as the infiltration of a Hawaiian water utility and a major West Coast port, along with attempts to compromise oil and gas pipelines, demonstrate the strategic and diverse nature of these threats; the pre-positioning in such networks is widely read as preparation to disrupt them in a crisis rather than as espionage alone.
Potential Global Implications
The cyber operations conducted by China and the CIA have global implications that extend far beyond the immediate targets. These activities represent a shift in the landscape of international security, where cyber warfare becomes a tool for achieving strategic geopolitical objectives. The potential disruption of critical infrastructure in one nation can have cascading effects on others. This raises concerns about the vulnerability of global systems to cyberattacks and the need for strong privacy and security safeguards.
Moreover, these cyber operations could set a precedent for other nations, potentially leading to an increase in state-sponsored cyberattacks targeting critical infrastructure worldwide.
Cybersecurity Measures and International Responses
In response to the escalating cyber threats from actors like China and the CIA, governments and private sectors across the globe have ramped up their cybersecurity measures.
Governments have been actively updating their national cybersecurity policies, increasing funding for cyber defense, and implementing more stringent regulatory frameworks to protect critical infrastructure. Simultaneously, there is a growing emphasis on raising cybersecurity awareness and training among employees in both public and private sectors.
Individuals and private organizations are increasingly finding themselves at the forefront of managing their own privacy and security. With China’s sophisticated cyber-espionage operations and the CIA’s expansive digital intrusions, the line between state and non-state cyber activities is blurring, leaving private entities in a vulnerable position. This situation demands a proactive approach to cybersecurity, where individuals and organizations must equip themselves with advanced security tools, stay informed about potential cyber threats, and adopt best practices to safeguard sensitive information.
Conclusion: State-Sponsored Cyber Threats Push Responsibility on Private Organizations for Privacy and Cyber Security
As we navigate through the intricate and ever-evolving landscape of cyber warfare, the escalating digital confrontations between China and the CIA underscore a critical juncture in international security and cyber diplomacy. The transformation of China into a cyber superpower and the extensive cyber espionage activities of the CIA represent more than just a bilateral conflict; they signify a shift in the global balance of power in the digital domain.
The cyber operations by China and the CIA signify a shift in international security, with cyber warfare emerging as a key tool for geopolitical strategy, potentially affecting global infrastructure and setting a precedent for increased state-sponsored cyberattacks. In response, governments and private sectors worldwide are enhancing cybersecurity measures, updating policies, and increasing funding and awareness to protect critical infrastructure and manage privacy. The blurring lines between state and non-state cyber activities have placed a greater responsibility on individuals and private organizations to proactively secure their data against sophisticated cyber threats.
In conclusion, the digital potshots exchanged between China and the CIA are not just isolated incidents; they are harbingers of a new age of cyber warfare. This reality calls for a renewed commitment to privacy and cybersecurity.
References
https://www.msn.com/en-us/news/world/china-s-cyber-army-is-invading-critical-us-services/ar-AA1ljE1q
https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/china
https://www.lawfaremedia.org/article/china-s-hackers-are-expanding-their-strategic-objectives
https://globalnews.ca/news/9720663/canada-five-eyes-china-cyber-threat/
https://www.politico.com/news/2023/04/16/chinese-hackers-military-taiwan-invasion-00092189
https://www.chinadaily.com.cn/a/202209/27/WS63326999a310fd2b29e79fbc.html
https://global.chinadaily.com.cn/a/202305/04/WS64531831a310b6054fad0fba.html
https://english.cctv.com/2023/05/05/VIDEK4LCsaOxGyknemVHnlTp230505.shtml
https://www.cbc.ca/news/canada/five-eyes-canada-india-1.6972210