China cyber hacking obviously affects companies that do business in or with China but it is becoming increasingly apparent that it also impacts companies with no direct business connections to China. This post explains the Chinese government’s cyber hacking goals, how it does its hacking, and why it is virtually impossible for foreign companies to avoid being hacked by the Chinese government or to fight back against it.
In The Chinese Government is Accessing YOUR Network Through the Backdoor and There Still is NO Place to Hide, we explained how Chinese banks require their account holders — including all foreign companies in China — to install malware that allows the Chinese government to see all account holder data. In China Malware: Sorry, Techno Geeks, There Still is no Place to Hide, we explained how the Chinese “government itself is the hacker and it will not allow any foreign or domestic technician to provide services that will defeat the hacker’s ultimate goals.”
A. The Chinese Government is the Hacker
The basic goal of the PRC Comprehensive National Security (总体国家安全）concept in the network realm is for all network communication and information to be open and available to the Chinese government while blocked from access to parties outside the state. In keeping with this concept, the government seeks to ensure all network activity conducted within China is transparent to the state. This program is applied to all persons (individuals or entities) that operate within the borders of the PRC (and now Hong Kong and Macao). If you operate in China, you must assume all of your networked data and communications are subject to capture by the Chinese government. There is no longer any privileged status given to foreign-invested companies or to foreign nationals; Once within the borders of the PRC, their treatment is the same as for domestic companies and Chinese nationals. Just as is true for any PRC citizen, there is no place to hide.
So how does the PRC government implement this program? The key point is that the Chinese government is the hacker. When the hacker is directly involved in creating and policing the Internet and the key agent for implementing cybersecurity, it is axiomatic there will be no protection from the network intrusion/data collection activities of that hacker. The hacker dictates how the system will work and it of course provides no protection against its own activities.
B. Aisino Corporation
This basic fact is illustrated by the Golden Spy/Golden Helper malware program discussed below. Trustwave reports that the Golden Spy software application was written by Aisino Corporation: (Aerospace Information Joint Stock LLC. – 航天信息股份有限公司) , a listed IT company specializing in information security. Aisino’s website states they are owned by the state company CASIC (China Aerospace Science & Industry Corporation Limited – 中国航天科工集团公司). See GoldenSpy Chapter 4: GoldenHelper Malware Embedded in Official Golden Tax Software.
CASIC is the PRC’s leading manufacturer of missiles and related aerospace devices. It sells missile systems to North Korea and it works closely with the Russian military. As a weapons provider, it is a state-owned enterprise (SOE) directly under the control of the PRC government and the Chinese Communist Party (CCP). That is, it is the government. Recently, as part of the PRC plan to promote indigenous development of network operations and cloud computing, CASIC entered into the commercial network business via Aisino, its subsidiary that had been active in payment processing and other accounting systems. Aisino’s drafting of the Golden Shield tax software and implementation of the related system is part of that process.
C. The Golden Spy/Golden Helper Malware
Aisino’s drafting the Golden Spy malware means the PRC government drafted this malware. Simply stated, the PRC government is the hacker and this hacker is shielded from any liability arising from its cyber hacking activity. This is why Aisino employed a crude and easy to identify trojan horse system for this malware. It is at no risk of getting caught or getting punished or getting taken down.
Some have commented to us and to security professionals that such an obvious intrusion somehow shows the PRC government cannot be behind the malware program. ArsTechnica responded to this type of comment in clear terms:
Comment from reader: “Use of a trojan downloader is not subtle.”
Response from ArsTechnica: As for it being less subtle… malware like this isn’t subtle period by the standards you’re applying here, so that’s a bizarre argument. It’s also a bit odd that you think the Chinese government cares about subtlety when we’re talking about software that’s distributed by government mandate within their country. Like… what, are the Chinese authorities going to crack down on them?
So this is the situation in the PRC. As Arstechnica makes clear, when the malware or illicit gathering of data is done by the government itself, there is no remedy and no escape. The Chinese government and its related group of hackers do not need to be subtle or hide their tracks when they are operating within the borders of the PRC.
D. Forced use of government software that contains malware
The Golden Spy/Golden Helper malware included in the tax payment software required by the PRC government is an example of this method. Subsequent to its initial report on this issue, Trustwave has issued a series of reports on this malware and on Aisino’s response in dealing with the public revelations regarding this software. See GoldenSpy: Chapter Two – The Uninstaller, GoldenSpy Chapter 3: New and Improved Uninstaller, and GoldenSpy Chapter 4: GoldenHelper Malware Embedded in Official Golden Tax Software. These Trustwave reports should be required reading for any foreign company that plans to operate a business in China.
Trustwave’s follow up reports reveal the following three key things;
First, Aisino used the auto-update system in the Golden Spy software to propagate an uninstaller that removed the malware and any files or other traces of its existence. However, their uninstaller software continues to provide a portal to users’ systems that can be used to download malware or other unauthorized software at any time. A clean system today can be infected tomorrow. This means this software is a constant source of risk.
Second, Trustwave discovered a related but separate malware program concealed in the Golden Tax software. This malware, dubbed Golden Helper, was active in 2018 and 2019. From this, Trustwave reasonably concludes that the tax software malware program is not a recent innovation, but has been at work for several years at least.
Third, Trustwave confirmed our earlier description of the technique used by Chinese banks for delivering the Golden Tax software and its malware payload:
During our investigation, we have been informed that the Golden Tax software may be deployed in your environment as a stand-alone system provided by the bank. Several individuals report receiving an actual Windows 7 computer (Home edition) with this Golden Tax software (and GoldenHelper) preinstalled and ready to use. This deployment mechanism is an interesting physical manifestation of a trojan horse.
The description from Trustwave is basically the same as what we previously wrote here on our blog, even down to the use of the Windows 7 operating system. See The Chinese Government is Accessing YOUR Network Through the Backdoor and There Still is NO Place to Hide and China Malware: Sorry, Techno Geeks, There Still is no Place to Hide,
When we previously wrote of this prevalent and unstoppable China cyber hacking, we received comments that none of this could be correct because it would mean the proliferation of compromised computer systems. It seems odd to people who don’t work in the PRC that the PRC government would require companies use an insecure computer system. But this is not odd when you consider the government’s goals. A compromised system is easy to hack. The government is the hacker, so they make it easy on themselves. The banks may be unaware of the details of the malware and the compromised system; the bank staff is just following orders.
E. Use of network hardware with backdoors installed
It has long been assumed that PRC-manufactured network hardware is filled with backdoors that allow unauthorized intrusion by the Chinese government and a recent report confirms this assumption. As reported by ZDNet, a research group has found seven separate instances of malware/backdoors in critical network fiberoptic cable connection devices. See Backdoor accounts discovered in 29 FTTH devices from Chinese vendor C-Data. ZDNet describes these intentional backdoors as follows:
Two security researchers said this week that they found severe vulnerabilities and what appears to be intentional backdoors in the firmware of 29 FTTH OLT devices from popular vendor C-Data. FTTH stands for Fiber-To-The-Home, while OLT stands for Optical Line Termination.The term FTTH OLT refers to networking equipment that allows internet service providers to bring fiber optics cables as close to the end-users as possible.
As their name hints, these devices are the termination on a fiber optics network, converting data from an optical line into a classic Ethernet cable connection that’s then plugged in a consumer’s home, data centers, or business centers. These devices are located all over an ISP’s network, and due to their crucial role, they are also one of today’s most widespread types of networking devices, as they need to sit in millions of network termination endpoints all over the globe.
The simple evaluation of this malware is that it is as bad as it gets.
C-Data, the vendor identified here, is a major source for this type of hardware within the PRC. The takeaway here has to be that if this company feels free to include this backdoor system in products it sells outside the PRC, it undoubtedly is unconstrained in doing the same thing within China. This then means any foreign company operating in China should assume that its Internet connection is completely compromised by this type of malware/backdoor in its entire network system. If it is not included in its office system, it is almost certainly included at the ISP or cloud provider level.
This system is installed by telecom providers owned or controlled by the PRC government. Once again, it is the hacker — the Chinese government — setting up the system and it is the hacker that enters company network systems through these back doors.
F. Use of PRC-mandated antivirus software
One of the core directives under the new PRC Cybersecurity Law regime is the requirement that networked users use antivirus software provided by the PRC government. Think about this for a minute: the Chinese government requires companies use only the “antivirus” software it provides. This antivirus software both provides a convenient platform for Chinese government hackers to enter the user’s computer network but it also no doubt is programmed to not reveal Chinese government malware.
The risks in hacked antivirus software are well known in cybersecurity circles. In Former U.S. spies say antivirus software makes for a perfect espionage platform, Cyberscoop discusses how antivirus software is great for espionage:
Because most antivirus vendors have designed their products to autonomously search for computer viruses on users’ systems by directly scanning files and then sending that data back to a server for analysis, the software is highly intrusive by nature.
Aside from the remote risks, antivirus can extend the attack surface of a host,” said Blake Darche, a former computer network exploitation analyst with the NSA. “If an attacker can gain access to the central antivirus server within an organizations network, that central server can be used for malware distribution.”
Software updates, which can help patch bugs or other issues in a product, add another attack vector because they provides a trusted avenue for the remote introduction of code into computers around the world.
Chinese hackers are well acquainted with using antivirus software for this purpose. See: Research claims CCLeaner attack carried out by Chinese-linked group.
Within the PRC, use of mandated PRC antivirus software takes China cyber hacking risks to an even higher level. Within the PRC, there is no need for a remote hack. The hacker itself (the Chinese government) provides companies with what is essentially a pre-hacked system.
This pre-hacked system has two major effects. First, the system will not screen against malware created by the PRC government. Second, the system will serve as the vector for inserting a continuous stream of malware provided by the PRC government and its partners.
Consider the parallel situation in the U.S. Imagine a scenario where the NSA and the FBI are the only vendors of antivirus software. This software might be effective at screening malware from criminals and foreign actors. But nobody would expect that software would protect users from NSA or FBI intrusion. That would be silly. It is sillier still to believe this about the PRC and its government mandated antivirus software.
G. Shift from email to WeChat
After the Chinese government banned Gmail in China, Chinese government agencies began pushing foreign companies to communicate using PRC-approved email services. These services do not work well and are widely known to be insecure. Most foreign companies therefore continued to use alternative U.S. and European email providers. These services are relatively secure from message interception by the Chinese. Proton mail and other systems with end-to-end encryption are quite secure in China.
The Chinese government could have taken a next step by blocking access to all foreign email providers. But the Chinese agencies have taken a more creative approach. Now that the Chinese government has assumed essentially complete control over WeChat, Chinese agencies force all communications onto the WeChat application. If you send an email to your bank, your bank will not respond. If you send an email to your local tax office, it will not respond. If you send an email to the local police department concerning your visa status, it will not respond. The same holds true for Chinese courts, which typically respond to us simply by requesting we communicate with them using WeChat. This is even true when documents are submitted. Chinese government agencies almost invariably require submissions as a WeChat attachment rather than as an email attachment.
This then means a shift from adequate security to no security at all. This can be seen by the recent Amnesty International rating of instant messaging applications. Amnesty International rated the 11 top messaging applications on their use of encryption and protection of user privacy on a scale of 0 to 100. Facebook received the highest rating of 73. WeChat received a zero rating. In other words, Amnesty International concluded that WeChat provides literally no protection at all from China cyber hacking. None. Nada. Zero. Zilch. 没有. See FOR YOUR EYES ONLY? Ranking 11 technology companies on encryption and human rights.
This forced move to a completely insecure communication platform was done in a typical CCP way. There is no law or regulation that says foreign based email is prohibited. There is no law or regulation that says using a completely insecure WeChat is required. The “rule” is imposed in practice. If you send an email, it will not be returned. If you call or visit a government agency to complain, the response is: “Use WeChat. Everyone else does. You should too.” And so the rule is imposed, with no obligation on the part of the Chinese authorities to formalize or publish the rule.
Our goal with our China cybersecurity posts is to describe the on-the-ground cybersecurity realities for foreign companies operating in China. As you have seen, the Chinese government is the hacker, so it can have full access to all information about the foreign entities that operate in its midst — from critical information concerning protected technologies down to the most mundane facts about the daily activities of the foreign company and its employees. In our digitized world, that information is available on computer systems and networked communications of the foreign owned entity.
The Chinese government obtains the information it wants by using the techniques we have described. In fact, we have outlined only a subset of the various techniques it uses to gain access to information.
Of course, the Chinese government encourages foreign-owned entities to protect themselves from criminal hackers and from intrusions conducted by their non-state owned business competitors. Under the new cyber regulations, this form of self-protection is legally required for enterprises operating in critical sectors.
But the flip side to this requirement is that the Chinese government allows for no protection against its own acquisition of that same information. Attempts to block access by the Chinese government are futile. One attack vector may be blocked in one case of infection. But as a practical matter, it is not possible to defend against attacks by a PRC government that uses a full set of cyber hacking penetration techniques. The only question is whether the Chinese government is interested or not. If they are interested, they will succeed. There is no place to hide.