This is the third in a four-part series on China cybersecurity. This series stems from the recent webinar at which I discussed cybersecurity in China. To watch that webinar, go here. To read part 1 of this series, go here. Part 1 described the cybersecurity situation in China. To read part 2 of this series, go here. Part 2 explains why cryptography is not a solution and it looks at the Golden Tax Malware Program as an example of CCP malware. In this Part 3, I discuss how companies are essentially forced into an insecure network system so as to expose their data to the CCP and I examine the international implications of this. In part 4, I will address head-on practical options foreign companies have for dealing with China’s cybersecurity system.
VI. How Companies are Pushed into an Insecure Network System.
As we have seen, the goal of the CCP and its agents is to push all businesses, foreign and domestic, into an insecure network system that allows CCP surveillance, control and full access to all data stored or transmitted over networks within the PRC. So how do they do it?
A. The Chinese Government is the Hacker.
The basic goal of the PRC Comprehensive National Security (总体国家安全) concept in the network realm is for all network communication and information to be open and available to the Chinese government while blocked from access to parties outside the state. In keeping with this concept, the government seeks to ensure all network activity conducted within China is transparent to the state. This program is applied to all persons (individuals or entities) that operate within the borders of the PRC (and now Hong Kong and Macao). If you operate in China, you must assume all your networked data and communications are subject to capture by the Chinese government. There is no longer any privileged status given to foreign invested companies or to foreign nationals; once within the borders of the PRC, their treatment is the same as for domestic companies and Chinese nationals.
So how does the PRC government implement this program? The key point is that the Chinese government is the hacker. When the hacker is directly involved in creating and policing the Internet and the key agent for implementing cybersecurity, it is axiomatic there will be no protection from the network intrusion/data collection activities of that hacker. The hacker dictates how the system will work and it of course provides no protection against its own activities.
B. Aisino Corporation
This basic fact is illustrated by the Golden Spy/Golden Helper malware program discussed earlier. Trustwave reports the Golden Spy software was written by Aisino Corporation (Aerospace Information Joint Stock LLC. – 航天信息股份有限公司), a listed IT company specializing in information security. Its website states it is owned by the state company CASIC (China Aerospace Science & Industry Corporation Limited – 中国航天科工集团公司). See Golden Spy Chapter 4: Golden Helper Malware Embedded in Official Golden Tax Software.
CASIC is the PRC’s leading manufacturer of missiles and related aerospace devices. It sells missile systems to North Korea and it works closely with the Russian military. As a weapons provider, it is an SOE directly under the control of the PRC government and the CCP. In other words, it is the government. Recently, as part of the PRC plan to promote indigenous development of network operations and cloud computing, CASIC entered into the commercial network business via Aisino, its subsidiary that had been active in payment processing and other accounting systems. Aisino’s drafting of the Golden Shield tax software and implementation of the related system is part of that process.
C. The Golden Spy/Golden Helper Malware
Aisino’s drafting the Golden Spy malware means the PRC government drafted this malware. Simply stated, the PRC government is the hacker and this hacker is shielded from any liability arising from its hacking activity. This is why Aisino employed a crude and easy to identify trojan horse system for this malware. It is at no risk of getting caught or getting punished or getting taken down.
Some have commented to us and to security professionals that such an obvious intrusion somehow shows the PRC government cannot be behind the malware program. Ars Technica responded to this type of comment in clear terms:
Comment from reader: “Use of a trojan downloader is not subtle.”
Response from Ars Technica: As for it being less subtle… malware like this isn’t subtle period by the standards you’re applying here, so that’s a bizarre argument. It’s also a bit odd that you think the Chinese government cares about subtlety when we’re talking about software that’s distributed by government mandate within their country. Like… what, are the Chinese authorities going to do? Crack down on them?
As Ars Technica makes clear, when the malware or illicit gathering of data is done by the government itself, there is no remedy and no escape. The Chinese government and its related group of hackers do not need to be subtle or hide their tracks when they are operating within the borders of the PRC.
What are the techniques used to push companies into an insecure network?
1. Forced use of government software that contains malware.
The Golden Spy/Golden Helper malware included in the tax payment software required by the PRC government is an example of this method. Trustwave has issued a series of reports on this malware and on Aisino’s response in dealing with the public revelations regarding this software. See Golden Spy: Chapter Two – The Uninstaller, Golden Spy Chapter 3: New and Improved Uninstaller, and Golden Spy Chapter 4: Golden Helper Malware Embedded in Official Golden Tax Software. These Trustwave reports should be required reading for any foreign company planning to operate in China.
Trustwave’s follow-up reports reveal the following three key things:
First, Aisino used the auto-update system in the Golden Spy software to propagate an uninstaller that removed the malware and any files or other traces of its existence. Their software uses a standard update procedure that can then be used to download malware or other unauthorized software at any time. A clean system today can be infected tomorrow. This means this software is a constant source of risk.
Second, Trustwave discovered a related but separate malware program concealed in the Golden Tax software. This malware, dubbed Golden Helper, was active in 2018 and 2019. From this, Trustwave reasonably concludes that the tax software malware program is not a recent event but has been going on for several years at least.
Third, Trustwave confirmed my earlier description of the technique used by the Chinese banks for delivering the Golden Tax software and its malware payload:
During our investigation, we have been informed that the Golden Tax software may be deployed in your environment as a stand-alone system provided by the bank. Several individuals report receiving an actual Windows 7 computer (Home edition) with this Golden Tax software (and Golden Helper) preinstalled and ready to use. This deployment mechanism is an interesting physical manifestation of a trojan horse.
See Golden Spy Chapter 4: Golden Helper Malware Embedded in Official Golden Tax Software.
When I previously wrote of this prevalent and unstoppable CCP hacking, we received comments that none of this could be correct because it would mean the proliferation of compromised computer systems. It seems odd to people who don’t work in the PRC that the PRC government would require companies use an insecure computer system. But this is not odd when you consider the government’s goals. A compromised system is easy to hack. The government is the hacker, so they make it easy on themselves. The banks may be unaware of the details of the malware and the compromised system; the bank staff is just following orders.
2. Use of network hardware with backdoors installed.
It has long been assumed PRC manufactured network hardware is filled with backdoors that allow unauthorized intrusion by the Chinese government and a recent report confirms this assumption. As reported by ZDNet, a research group has found seven separate instances of malware/backdoors in critical network fiber optic cable connection devices. See Backdoor accounts discovered in 29 FTTH devices from Chinese vendor C-Data.
ZDNet describes these intentional backdoors as follows:
Two security researchers said this week that they found severe vulnerabilities and what appears to be intentional backdoors in the firmware of 29 FTTH OLT devices from popular vendor C-Data. FTTH stands for Fiber-To-The-Home, while OLT stands for Optical Line Termination. The term FTTH OLT refers to networking equipment that allows internet service providers to bring fiber optics cables as close to the end-users as possible.
As their name hints, these devices are the termination on a fiber optics network, converting data from an optical line into a classic Ethernet cable connection that’s then plugged in a consumer’s home, data centers, or business centers. These devices are located all over an ISP’s network, and due to their crucial role, they are also one of today’s most widespread types of networking devices, as they need to sit in millions of network termination endpoints all over the globe.
The simple evaluation of this malware is that it is as bad as it gets.
C-Data, the vendor identified here, is a major source for this type of hardware within the PRC. The takeaway here has to be that if this company feels free to include this backdoor system in products it sells outside the PRC, it undoubtedly is unconstrained in doing the same thing within China. This then means any foreign company operating in China should assume that its Internet connection is completely compromised by this type of malware/backdoor in its entire network system. If it is not included in its office system, it is almost certainly included at the ISP or cloud provider level.
This system is installed by telecom providers owned or controlled by the PRC government. Once again, it is the hacker — the Chinese government — setting up the system and it is the hacker that enters company network systems through these back doors.
3. Use of PRC mandated antivirus software.
One of the core directives under the new PRC Cybersecurity Law regime is the requirement that networked users use antivirus software provided by the PRC government. Think about this for a minute: the Chinese government requires companies use only the “antivirus” software it provides. This antivirus software provides a convenient platform for Chinese government hackers to enter the user’s computer network, and it is also no doubt programmed not to reveal Chinese government malware.
The risks in hacked antivirus software are well known in cybersecurity circles. In Former U.S. spies say antivirus software makes for a perfect espionage platform, Cyberscoop discusses how antivirus software is great for espionage:
Because most antivirus vendors have designed their products to autonomously search for computer viruses on users’ systems by directly scanning files and then sending that data back to a server for analysis, the software is highly intrusive by nature.
“Aside from the remote risks, antivirus can extend the attack surface of a host,” said Blake Darche, a former computer network exploitation analyst with the NSA. “If an attacker can gain access to the central antivirus server within an organization’s network, that central server can be used for malware distribution.”
Software updates, which can help patch bugs or other issues in a product, add another attack vector because they provide a trusted avenue for the remote introduction of code into computers around the world.
Chinese hackers are well acquainted with using antivirus software for this purpose. See: Research claims CCleaner attack carried out by Chinese-linked group.
Within the PRC, use of mandated PRC antivirus software takes Chinese government hacking risks to an even higher level. Within the PRC, there is no need for a remote hack. The hacker itself (the Chinese government) provides companies with an essentially pre-hacked system.
This pre-hacked system will not screen against malware created by the PRC government and this system also serves as the vector for inserting a continuous stream of malware provided by the PRC government and its partners.
Consider the parallel situation in the U.S. Imagine a scenario where the NSA and the FBI are the only vendors of antivirus software. This software might be effective at screening malware from criminals and foreign actors. But nobody would expect that software would protect users from NSA or FBI intrusion. That would be silly. It is sillier still to believe this about the PRC and its government mandated antivirus software.
4. Shift from email to WeChat.
After the Chinese government banned Gmail in China, Chinese government agencies began pushing foreign companies to communicate using PRC approved email services. These services do not work well and are widely known to be insecure. Most foreign companies therefore continued to use alternative U.S. and European based email providers. These services are relatively secure from message interception by the Chinese. Proton Mail and other systems with end-to-end encryption are quite secure in China.
The Chinese government could have taken a next step by blocking access to all foreign based email providers. But the Chinese agencies have taken a more creative approach. Now that the Chinese government has assumed essentially complete control over WeChat, Chinese agencies force all communications onto the WeChat application. If you send an email to your bank, your bank will not respond. If you send an email to your local tax office, it will not respond. If you send an email to the local police department concerning your visa status, it will not respond. The same holds true for Chinese courts, which typically respond to us simply by requesting we communicate with them using WeChat. This is even true when documents are submitted. Chinese government agencies almost invariably require submissions as a WeChat attachment rather than as an email attachment.
This then means a shift from adequate security to no security at all. This can be seen by the recent Amnesty International rating of instant messaging applications. Amnesty International rated the 11 top messaging applications on encryption and user privacy on a scale of 0 to 100. Facebook received the highest rating of 73. WeChat received a zero rating. In other words, Amnesty International concluded WeChat provides literally no protection at all from hacking. None. Nada. Zero. Zilch. 没有. See FOR YOUR EYES ONLY? Ranking 11 technology companies on encryption and human rights.
This forced move to a completely insecure communication platform was done in a typical CCP way. There is no law or regulation prohibiting foreign based email. There is no law or regulation mandating WeChat. The “rule” is imposed in practice. If you send an email, it will not be returned. If you call or visit a government agency to complain, the response is: “Use WeChat. Everyone else does. You should too.” And so the rule is imposed, with no obligation on the part of the Chinese authorities to formalize or publish the rule.
5. Forced use of an insecure version of Windows Explorer.
Many services provided by the PRC government are now provided online. For example, many forms and applications will only be accepted by Chinese government agencies through an online system: paper applications are not accepted. In the same way, information from the government is primarily provided online. Here then is the catch. Virtually all PRC government online systems will only operate on an insecure, outdated, unpatched version of Windows Explorer, usually Explorer 8. If you try to use these systems with Chrome, Firefox, Safari or Opera, the systems do not work. There is no explanation, they just don’t work. Access to these systems is not optional: doing business in China requires Internet access to these government websites. So without comment and without formal regulation, the user is forced into an insecure system.
VII. Cross-Border and International Implications
The PRC cyber-insecurity system extends beyond the Chinese border, making it impossible to avoid it even by not setting up operations in China. Consider the following:
1. Any transfer of data into China is at risk of being accessed by the Party and its agents. All Chinese companies and organizations are subject to the cyber-insecurity regime. Assume you are working with a Chinese entity and assume that entity for its own benefit wants to keep secret the information you have provided. The sectors where transfers of highly confidential data go into China are numerous: contract manufacturing, joint R&D, technology licensing. The Chinese entity with which you are working is exposed to the same disclosure and access risks described above. As a result, any foreign entity must assume all data transmitted to China is at risk.
2. Under the Digital Silk Road program, the Chinese government is working to extend the Chinese cyber-insecurity program to all countries that allow Chinese entities to build out their network systems. This allows China to export its Internet based surveillance and control system around the world. See Will China control the global internet via its Digital Silk Road? and Exporting digital authoritarianism. This concern is generally expressed as a human rights issue. From our perspective, however, the concern is the creation of the PRC cyber-insecurity model around the world. Through the Digital Silk Road system, the PRC government is teaching foreign governments how to create the information transparent system created in China. The added twist is that Chinese companies are setting up the system so the Chinese government has full access to the local system. This is then creating a system where foreign technical data will be acquired at two levels: by the local government and by the Chinese government.
3. Many industry sectors have been pre-hacked by the CCP and its agents. To transfer data into such hacked systems is to transfer data to the CCP and its agents. The Taiwan semiconductor industry is an example. Taiwan semiconductor manufacturers have been thoroughly hacked by the PRC. See Chinese Hackers Have Pillaged Taiwan’s Semiconductor Industry. High level employees of Taiwan chipmakers have been hired away to work in China. See China hires over 100 TSMC engineers in push for chip leadership: Emerging chipmakers offer lavish pay packages to snap up talent. This means it is almost certain confidential chip designs and technology are being leaked to the PRC.
Stay tuned for the conclusion of this series, to be published tomorrow.