A cyber espionage group employed by the Chinese Government is moonlighting for some extra cash as cyber criminals. This has broad ethical and policy implications not just for China but for all nations who operate offensive cyber operations, including Australia.

Fireeye, a major US cyber security vendor has recently identified a new cyber threat group out of China that it refers to as APT41 or Double Dragon. While cyber attacks originating out of China are hardly news, APT41 is something quite unique.  Rather than just a state sponsored group that targets intellectual property the group seems to have branched out into cybercrime for extra income. The group has been active since at least 2012 but seems to have extended its operations into cybercrime more recently. If correct, this suggests a new trend in Chinese cyber operations, although similar trends have been observed with groups in Russia and North Korea. This trend in the illegitimate economy parallels broader trends in the legitimate economy in other nations with a heavy investment in cyber warfare such as the United States and Israel.

APT41

Fireeye has identified APT41 as a distinct attack group by tracking the hacking toolsets used, their targets, identities they use and the supporting command and control infrastructure. They assess this group is of defence contractors, rather than military or full time employees given the nature of the moonlighting. Fireeye has also have identified two distinct working schedules one for state sponsored activities and other out of hours. One of individuals identified as part of this group had also been observed advertising cyber crime services for hire in these after work hours. APT 41 in its state sponsored role has stolen software certificates from computer game companies to sign malware and also targeted telco data and accommodation records on individuals of interest to Chinese security services.  They have then leveraged this access to computer game companies to pursue cyber crime activities. Initially this involved stealing in game currency but has developed into ransomware attacks as a service, crypto-jacking and even cryptocurrency mining.

Cyber Proxies

Tim Maurer in his book, “Cyber Mercenaries” describes the full spectrum of such private, informal threat actors. This ranges from low-tech, amateurish patriotic hacking groups through highly skilled Chinese and Russian contractors that support government agendas, all the way to US and UK contractors will the full spectrum of intelligence collection capabilities including human intelligence. 

This adds a new facet to the perennial problem of cyber warfare, namely the ease with which cyber weaponry goes out of control of the governments that develop and deploy it. Offensive code that is deployed in cyberspace can relatively easily be appropriated, adapted and re-weaponised by adversaries and others.

Similarly, offensive-cyber organisations that are set up outside the formal state apparatus — be it to allow plausible deniability to governments, or to reduce the financial outlays involved — may also slip outside the orbit of the state and use their hardware and software outside the limits of state-sponsored targets.  

The underlying economic reality of cyber creates an irresistible pull that draws these actors in lucrative directions — both legitimate and otherwise. This opportunism helps subsidise and support states’ efforts in the rampant cyber arms race.

Russia

In 1993 after the fall of Soviet Union Russia’s intelligence giant the KGB was broken up. Its signals intelligence function — the counterpart of the United States’ National Security Agency (NSA) — was spun off into a new organisation called FAPSI.  Its commander at the time said, “We are engaged in global electronic intelligence.”  In 2003, FAPSI was itself broken up with some of its staff going to Russian Military Intelligence (GRU) and others going into the employ of organised crime groups such as Tambov. These trained information warriors transformed the Russian hacking capabilities overnight. In very few years, cybercrime such as phishing of Internet bank accounts emerged on an industrial scale.  

The affinity between formal Russian state authorities and cybercrime continued even more recently, modelled in a way on the US earlier tendency to rehabilitate young hackers by recruiting them to law enforcement.  In 2014 hacker, Alexsey Belan was identified by the FBI as being responsible for hacking more than 1 Billion users of Yahoo. He was arrested in Western Europe on an FBI warrant but before he could be extradited he fled to Russia.  The FBI reached out to the Russian FSB for assistance.  The Russian authorities did, indeed, track Belan down, but instead of arresting him, the FSB recruited him. 

There is also evidence that FSB officers themselves are involved in criminal schemes that they mix with their official duties when an Estonian Police officer investigating black market activities was snatched and taken over the border into Russia by FSB officers looking to protect their interest in these black-market activities.

Israel

The same economic logic can be seen in such countries as Israel, where massive government investment and administrative control has created a large shadow economy of private cyber weaponry companies. The Israeli government sees it as a necessary spinoff to help fund its investment in cyber, as well as a safety valve to help it retain its skilled workforce by offering an easy transition between government employment and government supported start-ups and corporations.  On the margins of these government condoned activities are many more firms with various shady agendas.

A large proportion of the international activities of this privatised cyber sector involves illegal activities, including such scams as the aggressive promotion of binary options. The more respectable companies such as NSO — run and staffed primarily by graduates of Israel’s SIGINT outfit military unit 8200 — are involved in such dubious activities as the sale of sophisticated spyware that has ended up in the hands of repressive governments and international crime organisations.

Conclusion

While the extent of informal activities of state-supported cyber intelligence companies may vary, this new type of public-private partnership is raising new risks and challenges, that are only likely to intensify along with the cyber arms race.  Cybercrime moonlighting is clearly on the rise, as is the privatised supply of offensive cyber and intelligence services. This, in itself, will further fuel the cyber arms race, and potentially draw in large corporations with substantial exposure to risk in the cyber domain. The current cyber arms race between nation states seems set to accelerate this phenomenon unless some sort of international framework is created to limit this cyber privateering. But given the nature of global governance in general, and the dependence of large governments — most notably the US and its allies — on offensive cyber capabilities, such an international framework seems unlikely at the moment.

Dr Stephen McCombie is a senior lecturer in Cyber Security at Macquarie University. His current research interests are in digital forensics, cyber threat intelligence and information warfare.  His research draws on a diverse background in policing, security and information technology over the last 30 years. Stephen has also held senior positions in information security with IBM, RSA, National Australia Bank and most recently Secureworks.

Dr Allon J Uhlmann is a lecturer in Intelligence Studies and Cyber Security at Macquarie University. He is a social scientist and former public servant with experience in intelligence policy and analysis. He works in the areas of intelligence warfare, cognitive warfare and dynamic information superiority. His main academic teaching covers intelligence theory and practice, strategic surprises, and cyber intelligence. 

This article is published under a Creative Commons Licence and may be republished with attribution.