Evolving China-based cyberwarfare demands greater regional resilience
30 Nov 2023|

In a speech at this year’s Shangri-La Dialogue, hosted by the International Institute for Strategic Studies in Singapore, Australian Prime Minister Anthony Albanese set out a balanced approach to handling China’s aggressive regional expansion: ‘Australia’s goal is not to prepare for war,’ he said, ‘but to prevent it through deterrence and reassurance and building resilience in the region.’

He went on to say that Australia and its regional allies need to ‘make it crystal clear that when it comes to any unilateral attempt to change the status quo by force, be it in Taiwan, the South China Sea, the East China Sea or elsewhere, the risk of conflict will always far outweigh any potential reward’.

China has recently shown a greater willingness to test the boundaries of physical confrontation. In the cyber domain, however, it has long engaged in aggressive tactics, where the rewards significantly outweigh the potential risks. This is bad news for Australian government organisations, local companies and their counterparts across Southeast Asia, which are having to divert significant resources to protect themselves against evolving Chinese cyber espionage, intellectual property theft and other cyberattacks.

CrowdStrike Intelligence is highly confident that China-nexus adversaries will continue to target both Southeast Asia and Australia in the government, telecommunications, military and civil-society sectors in support of national intelligence-collection priorities. We also expect to see a ramping up of cyber espionage in the AUKUS area as Australia strengthens its defence ties with the US and UK.

Concern around China-based cyber activity has only grown. The extraordinary disclosure in May that VANGUARD PANDA (better known as Volt Typhoon), a China-sponsored adversary group, had been lying dormant in US critical infrastructure networks for at least months suggests persistent assertiveness from China-based cyber actors in support of China’s cyber goals.

To reference the prime minister’s assessment, building resilience and reassurance is vital to deterring such attacks. Understanding more about China-based cyber activities in the region is an important place to start.

CrowdStrike Intelligence has been tracking China-nexus cyber adversary groups, including state-sponsored and state-affiliated groups, for over a decade. Last year, intrusions in the Asia–Pacific region accounted for roughly two-thirds of all China-nexus intrusion activity. In comparison, European and North American targeting accounted for about a quarter of intrusion activity.

While nearly every industry in the Asia–Pacific region is targeted, certain sectors receive more attention. Government organisations are targeted across the region, likely as a standing intelligence-collection mission. Telecommunications and technology organisations also remain high-priority targets. Technology entities face ongoing economic espionage campaigns targeting research and development data, proprietary information and trade secrets. Telecommunications entities offer Chinese adversaries the capacity to amplify intelligence-collection or surveillance efforts via direct access to foreign telecommunications infrastructure.

Cyber activity also fits with Belt and Road Initiative priorities, under which China-nexus groups target energy, finance, health care and other sectors to advance Beijing’s goal of technological independence.

Threat actors targeting these sectors collect strategic intelligence, compromise intellectual property and conduct surveillance of groups of interest—all of which are key Chinese intelligence goals.

Intellectual property theft is a significant, long-term issue for governments in the Asia–Pacific region. However, governments can do only so much to protect against such attacks. As the ASPI Critical Technology Tracker demonstrates, China is gaining technological dominance in numerous technologies that could provide economic and military advantages.

But what role will cyberwarfare play if China does try unilaterally to change the status quo by force (to borrow the common terminology of the US and its partners)? Unsurprisingly, Taiwan has been subjected to an overwhelming number of intrusions originating from China—likely economic espionage but also supporting Beijing’s desire for unification with Taiwan.

China can draw on a large ecosystem of cyber skilled actors to support its aims while retaining a level of plausible deniability. CrowdStrike didn’t observe an increase in government-sponsored attacks against Taiwanese firms when US House Speaker Nancy Pelosi visited Taiwan in mid-2022, but we did see an increase in China-affiliated nationalist hacktivism, resulting in web defacements and multiple distributed denial-of-service, or DDoS, attacks.

However, the recent VANGUARD PANDA attack up-ended previous thinking about plausible deniability. China was discovered to have infiltrated the networks of US critical infrastructure organisations, as well as those in Pacific bases such as Guam. The VANGUARD PANDA threat actors used a technique called ‘living off the land’, whereby tools already in a compromised system are used to achieve objectives while appearing to be normal processes.

The VANGUARD PANDA breach may indicate new assertiveness from Chinese cyber operatives in the Pacific region. Whereas theft and compromise of intellectual property, espionage and destructive attacks are motivated by intelligence, technological and financial needs, VANGUARD PANDA had the potential to be activated at a critical future juncture, disrupting communications and influencing a potential future conflict in the South China Sea.

It’s rare that governments publicly attribute such attacks. The fact that the Australian Signals Directorate, and other agencies in the Five Eyes community, publicly attributed this attack to China shows the seriousness of the threat.

The scale and scope of China-nexus adversary activity in Southeast Asia demonstrates the region’s strategic importance to China. Beijing asserts territorial claims over large portions of the South China Sea and continues to pursue extensive economic and strategic interests in the region.

Building resilience against continued China-nexus attacks will require all government and non-government organisations across the region to put more emphasis on baseline protective capabilities and cyber hygiene, patching known vulnerabilities and training employees to ignore and report phishing attempts, particularly since these continue to fool even trained observers. As China builds its capacity to up-end the status quo, organisations in the Indo-Pacific must strengthen and harmonise their people, processes and technology to build regional resilience against ubiquitous cyber threats.

First, organisations should solve human problems with human solutions. Behind every cyberattack is a human seeking personal or national gain. To fight fire with fire, organisations need to understand that they are facing ongoing attacks. Organisations must incorporate threat intelligence, threat hunting and threat response experts to fight on these cyber front lines. Threat intelligence provides invaluable insights into the tactics, techniques and procedures of threat actors such as VANGUARD PANDA and the vulnerabilities they most often exploit. Knowing how adversaries think and operate is half the battle. Threat hunting and response experts provide the first line of defence against potential breaches, engaging in hand-to-hand-on-keyboard combat with adversaries to protect their organisations’ critical assets.

Second, organisations should perform how they practise. Once they’ve built or augmented their team with the proper players, the next step is to lay out a game plan to help the organisation prepare for a potential breach. Threat response teams, often from external providers, are essential in building incident response plans, conducting red/blue-teaming exercises and confirming regulatory compliance. This will ensure their organisation is well prepared to operate swiftly, smoothly and ultimately successfully when faced with a cyber threat.

Third, they should bring technology to a technology fight. The threat landscape is evolving so quickly that ‘good enough’ security is still never good enough. Organisations can no longer bury their heads in the sand and rely on signature-based antivirus and other basic solutions to keep them protected against sophisticated attacks. Business and technology decision-makers must prioritise artificial intelligence and machine-learning-based security as the baseline foundation, with capabilities such as XDR (extended detection and response), identity protection, cloud security and more, to stay one step ahead of even the most advanced adversary.

Fourth, it’s essential to follow the principle that ‘sharing is caring’. The war against cyber adversaries is a team effort, requiring both the public and private sectors. Organisations on both sides must adopt a ‘one team, one fight’ philosophy, sharing insights and telemetry across borders, and enabling day-to-day collaboration between government and non-government experts. Governments are well placed to leverage the extensive experience and knowledge that exist in the private sector.

Thankfully, these are all key considerations and issues covered in the government’s new cybersecurity strategy. The time is now for Australia’s cybersecurity capabilities to evolve to build the regional resilience required to meet the ever-growing threat from cyber adversaries.