China-Nexus Threat Activity in Context
links: MAI TOC - Guest Lectures - Index
Key Concepts
- 盲人摸象 (Blind men touching an elephant): This idiom captures the challenge threat intelligence analysts face in seeing the complete picture of threat activity when each only has a partial view.
- Levels of Analysis: Technical analysis often focuses on TTPs (tactics, techniques, procedures). Effective threat analysis should also cover the operational level (campaigns, personnel, financing) and the strategic level (high politics).
Main Threat Clusters
- Volt Typhoon:
  - Military-focused ("A-Team").
  - Known for critical infrastructure attacks in Guam and the US (2023).
  - Uses "Living off the Land" techniques to avoid detection and exploits FortiGuard 0-day vulnerabilities.
- Storm-0558:
  - Intelligence-focused ("A-Team").
  - Specializes in supply chain compromises and high-value information theft.
  - Notable operations include the Microsoft and US Government intrusions (2023) and the 2009 Operation Aurora.
- APT41 / i-S00N / Chengdu 404:
  - Transitioned from state-sponsored actors to contractors.
  - Engages in both state-sponsored espionage and cybercrime, including malware-as-a-service.
  - Notable for the US DOJ indictments and opportunistic exploitation of vulnerabilities.
- Mass Exploitation à la ProxyLogon:
  - A recent operational concept rather than a specific group.
  - Involves rapid mass exploitation of newly disclosed vulnerabilities by multiple threat actors.
Analytical Insights
- Operational Tactics: Chinese threat actors show a high degree of coordination and sophistication, utilizing botnets, IoT devices, and advanced malware.
- Strategic Intentions: These activities often align with broader geopolitical goals, including prepositioning for potential conflicts and gathering intelligence for strategic advantages.
Evolution of the Threat Landscape
- Tactical: Increased use of "Living off the Land" strategies and covert botnet operations.
- Operational: Enhanced digital quartermastering, faster intelligence turnaround, and sophisticated supply chain attacks.
- Strategic: Long-term counterintelligence efforts, military prepositioning, and showcasing capabilities through bold actions.
Importance for Switzerland and Beyond
- Switzerland is not immune to these threats, as evidenced by incidents such as the APT31 IPAC hacks.
- Chinese threat actors are rapidly evolving and investing heavily in their capabilities.
- Understanding their threat perception and strategic motivations is crucial for effective defense.