China-Nexus Threat Activity in Context

links: MAI TOC - Guest Lectures - Index


Key Concepts

  • 盲人摸象 (blind men touching an elephant): This idiom captures the difficulty threat intelligence analysts face in seeing the complete picture of threat activity, since each analyst observes only a part of it.
  • Levels of Analysis: Technical analysis often focuses on TTPs (tactics, techniques, procedures). Effective threat analysis should also include operational (campaign-level, personnel, financing) and strategic dimensions (high politics).

Main Threat Clusters

  1. Volt Typhoon:
    • Military-focused ("A-Team").
    • Known for critical infrastructure attacks in Guam and the US (2023).
    • Uses "Living off the Land" techniques to avoid detection and exploits FortiGuard 0-day vulnerabilities.
  2. Storm-0558:
    • Intelligence-focused ("A-Team").
    • Specializes in supply chain compromises and high-value information theft.
    • Notable operations include Microsoft and US Government intrusions (2023) and the 2009 Operation Aurora.
  3. APT41 / i-S00N / Chengdu 404:
    • Transitioned from state-sponsored actors to contractors.
    • Engages in both state-sponsored espionage and cybercrime, including malware-as-a-service.
    • Notable for the US DOJ indictments and opportunistic exploitation of vulnerabilities.
  4. Mass Exploitation à la ProxyLogon:
    • A recent operational concept rather than a specific group.
    • Involves rapid mass exploitation of newly exposed vulnerabilities by multiple threat actors.

Analytical Insights

  • Operational Tactics: Chinese threat actors show a high degree of coordination and sophistication, utilizing botnets, IoT devices, and advanced malware.
  • Strategic Intentions: These activities often align with broader geopolitical goals, including prepositioning for potential conflicts and gathering intelligence for strategic advantages.

Evolution of Threat Landscape

  • Tactical: Increased use of "Living off the Land" strategies and covert botnet operations.
  • Operational: Enhanced digital quartermastering, faster intelligence turnaround, and sophisticated supply chain attacks.
  • Strategic: Long-term counterintelligence efforts, military prepositioning, and showcasing capabilities through bold actions.

Importance for Switzerland and Beyond

  • Switzerland is not immune to these threats, as evidenced by attacks like the APT31 IPAC hacks.
  • Chinese threat actors are rapidly evolving and investing heavily in their capabilities.
  • Understanding their threat perception and strategic motivations is crucial for effective defense.