New Report on Chinese Intelligence Cyber-Operations

The company ProtectWise just published a long report linking a bunch of Chinese cyber-operations over the past few years.

The always interesting gruqq has some interesting commentary on the group and its tactics.

Lots of detailed information in the report, but I admit that I have never heard of ProtectWise or its research team 401TRG. Independent corroboration of this information would be helpful.

Posted on July 20, 2018 at 6:38 AM19 Comments


vas pup July 20, 2018 10:32 AM

Related to IC (tag intelligence):

Lying in a foreign language is easier:

“It is not easy to tell when someone is lying. This is even more difficult when potential liars speak in a language other than their native tongue. Psychologists investigated why that is so.

Most people don’t find it more difficult to lie in a foreign language than in their native tongue. However, things are different when telling the truth: This is clearly more difficult for many people in a foreign language than in their native one. This unexpected conclusion is the result of a study conducted by two psychologists from the University of Würzburg.

Two contradicting theories

There are two research theories to predict differences between deception and truth telling in a native compared to a second language: Research from cognitive load theory suggests that lying is more difficult in a foreign language. “Compared to truth telling, lying is a cognitively more demanding task,” Kristina Suchotzki explains. Adding a foreign language imposes an additional cognitive challenge which makes lying even more difficult.

Lying is easier in a foreign language: This should be true according to the emotional distance hypothesis. This assumption is based on the fact that lying is associated with more emotions than staying with the truth. Liars have higher stress levels and are more tense. Research from linguistics, psychology, and psychophysiology shows that compared to speaking in a native language, communicating in a second language is less emotionally arousing. “Based on the emotional distance hypothesis, you would hence expect lying in a foreign language to be less arousing emotionally,” Suchotzki says. Accordingly, this reduced emotional arousal would facilitate lying.

[!!!]The scientists believe that these findings reflect the “antagonistic effects of emotional distance and cognitive load.” “Based on the cognitive load hypothesis, one would have expected increased effort for truth telling and lying in a foreign language, with the increased effort being more pronounced for lying,” Kristina Suchotzki says. The data suggest that the increased cognitive effort is responsible for the prolongation of the truth response in the foreign language.

The reason why this prolongation does not exist or is less pronounced in lying can be explained with the emotional distance hypothesis: The greater emotional distance in a foreign language thus “cancels out” the higher cognitive load when lying.”

Steve B July 20, 2018 3:58 PM

I didn’t read the whole report, but one short section caught my eye:

The actor often uses TLS encryption for varying aspects of C2 and malware delivery. As noted in the “Infrastructure Analysis” section of this report, the actor primarily abuses Let’s Encrypt to sign SSL certificates. We also observed many cases in which self-signed certificates were used in attacks.

Whilst I applaud the Let’s Encrypt project for raising awareness of the need to protect data in transit, I think they may have made the internet less secure for the average user who, long taught to only trust SSL-enabled sites when making payments, may find it harder to distinguish between a “secure” site and a “secure and trusted/verified” site. I would contend that the difference between a self-signed and a Let’s Encrypt SSL certificate is hardly worth arguing over.

In the last two months alone I have encountered two payment-accepting sites with Let’s Encrypt SSL certificates that, whilst well-intentioned, were most definitely not secure. Trying to explain to a non-technical person why they should only ever use the sites with a ‘burner’ pre-paid card was, shall we say, challenging.

echo July 20, 2018 4:31 PM

@Vas pup

Thanks for the research. Is it possible that resreach exists to prove higher cognitive load when interacting with a beaurocratic system when dealing with the office politics of different perceptions, priorities, and understanding of technical language?

There are I know observations made by the law journals that people forced into representing themselves within courts have significantly lower positive outcomes than when professionally represented. There are also recent cases reported in the media where people have been caught up by beaurcratic systems and a few more recently (including the Home Office) have been caught out by reports stating the mistakes and attitudes which created negative outcomes.

This may have “duty of care” and “positive obligations to build equality” ramiications.

Clive Robinson July 20, 2018 4:48 PM

@ Bruce,

Independent corroboration of this information would be helpful.

Have you spoken to Ross Anderson, he was looking in depth some time ago into some asspects of Chinese State attacks against the Dali Lama and those “dissidents” involved. IIRC the press focus back then was on Google failures but the research was more into organisational / attack structure.

Clive Robinson July 20, 2018 5:25 PM

@ All,

From the article,

    Such techniques include a particular focus on “living off the land” by using a victim’s own software products, approved remote access systems, or system administration tools for spreading and maintaining unauthorized access to the network.

I realy do not know who came up with the “living of the land” phrase, it’s kind of a bit pointless. Because outsode of attacks that use a humant agent at the target location all attacks use “a victim’s own software” hardware etc.

It’s the primary reason why we have the InfoSec “Army of One” issue. The attacker’s expenditure is primarily in the development of the malware delivery system and payload, then the covertness of the “first launch”. After that it infects the targets systems on the targets dime, or the dime of a previous target.

The primary difference between “fire and forget” and “targeted” attacks is the use of replication code in either the delivery system or payload. If you are developing targeted code you generaly do not need or want replication code that “reaches out”, but you may need replication code that “reaches in” to infect internal systems. To a limited extent if you want “reach out” then the replication code is in the delivery system not the payload, and the other way around for “reach in”. The reason is to try and reduce the chances of your payload methods being dispersed widely when you are running a targeted attack. Stuxnet was a case in point of things not working correctly and thus the methods ended up all over the place…

echo July 20, 2018 5:49 PM


Perhaps one way to counter things is to reduce the “game” element of security? Perhaps if hacking was made more boring the ecosystem which develops and supports the talent might be deflated which would reduce the overall risk?

Clive Robinson July 20, 2018 6:26 PM

@ All,

I’ve warned against this “not realy even circumstantial evidence” in the past,

    However, we have observed a few cases of the attackers mistakenly accessing victim machines without a proxy, potentially identifying the true location of the individual running the session. In all of these cases, the net block was, the China Unicom Beijing Network, Xicheng District.

As the old saying has it “There is more than one way to skin a cat.”.

The fact that you find what you think is an “originating host” in an IP address does not of necessity translate to either a real originating HCI or for that matter a geographic address.

For instance I have access to a box that is multiply-homed and appears in IP address blocks in three continents. It does this in part by using below IP Physical layer routing. But as importantly I can access it via non IP based methods across radio networks and telecommunications links. I’ve been working on developing a satellite interface as well.

Whilst it is a “test and development box” it could just as easily be used as what looks like an IP originating node which it most definitely is not.

Thus even if you tracked down the box’s geo-location you would not find the HCI behind which I sit there. With the use of the satellite interface the best you could say was I am “maybe” in Europe, but again that would only be the up-link location not the HCI I sit at…

It’s why I repeatedly say “atribution is hard, very hard”. Whilst I’m not as skilled in certain aspects of “covert data comms” as some people I know, I do bring new “hinky” ideas to the table for them to play with.

When you look into the various forms of intel, most only tell you what a skilled opponent wants you to believe… But it appears that such skills are actually very rare these days, judging by some successes by the Dutch and Israeli SigInt agencies had with digital cameras connected to IP addresses.

The interesting thing to note about Winnti is that some of those behind it such as Hack520 were without doubt “criminal entities”. Which brings up the “co-opting issue” by authorities again. Not meaning to denegrate such criminals but their skill set is not of necessity that of being highly covert (ie to be co-opted they must have been caught in some way).

Whilst there are criminal entities around who get involved with cyber attacks etc, who have not been caught, I suspect the reason is not covert comms skills. More likely it is because of a lack of resources or priority in Law Enforcment Agencies (LEA).

Co-opting criminal entities into either the Intelligence Community (IC) or LEAs is actually not the brightest of ideas when it comes to “recruitment” you are effectively scraping off the “low hanging fruit” grazers, who have the “low hanging fruit” skill level that gets them caught… Whilst they might be somewhat skilled at intrusion and exploitation, that is a small part of the required skill set.

Back in the 1970’s and 80’s the defence industry of the MIC had the same problem. Those with the skills they realy needed tended to have ethics and not want to do Defence work at any price. Thus they ended up with those that for various reasons were by no means as skilled hence project overruns etc were frequent as those working on them progressed towards their pensions.

At the end of the day “You get what you pay for” and if you are enslaving via blackmail then what do you expect to get?..

Clive Robinson July 20, 2018 6:59 PM

@ echo,

Perhaps if hacking was made more boring the ecosystem which develops and supports the talent might be deflated which would reduce the overall risk?

What is one mans meat is another mans poison.

For the more skilled it is the challenge that excites and drives them forward, making it boring would not effect the challenge component.

Look at it like lock picking there are four basic types of people that do it,

1, The better Locksmiths.
2, The more practiced criminals.
3, Mouse Trap builder types.
4, Enthusiasts / hobbyists.

The first two only develope sufficient skills to earn a living, thus self limit their abilities. The third group are the designers / engineers / inventors hoping “to make a better mouse trap” such that people will buy their goods. Unfortunately as became obvious with one of the recent threads on this block, many mouse trap builders these days are way way more “style over substance”.

It’s the upper echelons of the fourth group where the real skills exist and invariably they are the bane of the –faux– security lock industry. They beat those mouse trap dreamers hands down every time.

The simple fact is you can not make what they do sufficiently boring to stop them, all they seek is the nod of those they have as peers and one day might be recognized as “First amongst equals” by their peers.

But the real elite are those who care not even for the nod, “they do it for purism” just for personal satisfaction of knowing that the leading lights of industry are in effect wrong / delusional / liars. As such they may never “publish” their results or even demonstrate them to those that would be their peers. They might however occasionally let a few hints out to encorage others to progress along their self development.

As I keep telling people the laws of physics define what is possible, it’s a big hint that even a pre K12 can follow. More specific hints are “manufacturing limitations” that give you the mechanical “slop” even in new locks that give you the edge, older worn locks just make it easier to learn the skills. But as ever the big hint is develope a mind that is widely read and can move ideas from one problem domain to another it’s,the very essence of “Thinking Hinky”. Such a mind will be able to find anything that the laws of physics alow, and from which all else is possible, much to the ire of Security system designers and engineers. I can not honestly remember how many sysyems I’ve “broken” all I can tell you is that every time I meet a new system the fitst thing my mind does on trying to understand it is by thinking “how to break it”…

Spooky July 20, 2018 7:03 PM

The details supplied by the article were not that surprising, really. The Chinese run their offensive computer/network operations in a manner consistent with any other top tier nation state that can afford to fund a massive, ongoing intelligence collection effort. Ditto for the US, Russia, UK, Israel, Iran, etc. Even if you’re a country without deep pockets, the barriers to entry are relatively low when it comes to offensive operations (sadly). And the entire world is bursting at the seams with unsecured infrastructure, servers and workstations that can be used as a never-ending supply of proxies for attacks. There’s almost no downside for the perps; of course, the end-game resembles a rapidly escalating series of economic losses followed by a marked increase in the likelihood of military reprisals. As my grandmother used to say, “It will all end in tears…”


Weather July 20, 2018 7:26 PM

@all you might get more proof by working out the link budget and speed of light from you to them and approximate CPU speed, as long as there are a couple of hops after the return packet will have a usec, msec delay

Clive Robinson July 20, 2018 7:53 PM

@ Weather,

you might get more proof by working out the link budget and speed of light from you to them…

Whilst most of us cannot[1] reduce the delay times, we can all make them larger…

As long as the round trip response is, below 1/10Sec we don’t notice, and evem 1/2Sec delays can generally be worked with by humans on a Command Line Interface.

Better still with command line programmes there are “test” utilities to “script” them with auto responses and variable time delays…

Thus you would have to monitor for quite a while to get an indicator of the shortest delay, if and only if the attacker makes a mistake.

If the attacker is “smart” they can use a “serial line” system such as an old school terminal to a host. It’s not very difficult to design using the likes of a PIC microcontroler development board a device that puts in a minimum key stroke time addition.

This will because of the short automatic times, of TCP/IP ack/syn etc make what is the originating host appear to be just a node in a longer chain…

It can all be great fun working out such techniques to obfuscate both network timing round trip differences at the various layers and likewise hiding the geo-loc.

[1] Some “high frequency traders” have made holes through mountains to knock off a few uS, others pay millions to rent out multiple farms “antenna mast” rights to stop competitors shaving sub millisecond times…

echo July 20, 2018 8:02 PM


I can agree with the overwhelming bulk of what you say without quibble. Most quibble is really arguing over how the words are arranged on the page and relative laziness. As long as it’s all good clean fun and nobody gets hurt I don’t mind.

Phaete July 21, 2018 9:10 AM

Some conclusions are quite opaque.

The following for instance

“However, we have observed a few cases of the attackers mistakenly accessing victim machines without a proxy, potentially identifying the true location of the individual running the session. In all of these cases, the net block was, the China Unicom Beijing Network, Xicheng District.”

Any good proxy is indistinguishable from a host and vice versa
HOW did they know those adresses were hosts and not proxies?
Something bled through? misconfigurations? Active hacking of all the relevant IPs?

In other parts they are explaining much of the methods how, but here they generalise.
Probably 50/50 IMHO, parts truth, parts guessed or politically motivated.

I have read similar stories about pretty much every spearfishing/APT combo, nothing new, all the same info in the template.

Anyhow, where can i find the comparison of our worlds top 3 agencies.
A nice overview on USA vs Russia vs China in the world of government (not only sponsored but) directed cyber (counter)intelligence.
I am hunkering for some state independent research, hopefully even objective.

Weather July 21, 2018 10:06 AM

Beef for Web, metaslopt for doc pdf sh, for 135,445, ssl certificate to stop antivirals detection, makes a changing field.
Probable look up kaul for the tools, any hacker group could be the attackers

echo July 21, 2018 7:23 PM


The published league tables rating each country by hacking attempts, either generally or within the contextof a particular incident are interesting. What is also interesting is who publishes them and how they acquired the data. A further breakdown of these tables which really exposes who hacks whom and why which also places the incidents in context might be more interesting too.

I note there are no league tables exposing how many APTs have tripped over each other when compromising a router.

This is like the old joke about the Russians bugging the UN Secretary General having to take an American bug out to make space for theirs.

Spooky July 21, 2018 8:02 PM

@ Phaete,

I’d be interested in reading a similar appraisal of capabilities, though I’m not sure it would tell you all that much. All of the major players appear to be using the exact same range of techniques; perhaps security is so universally poor across vast regions of the Internet that innovation (by which you might distinguish one outfit from another) is no longer required. Bog standard techniques are usually good enough to achieve the desired outcomes, etc. The US is probably able to outspend its competition by a considerable margin (NSA budget is around $55+ billion) and that definitely has a bearing on the breadth and depth of its programs, though I doubt it buys entirely new capabilities that are not also possessed by Russia and China. The playing field is quite level. We can sabotage and surveil each other’s networks with relative ease; no one enjoys a lasting advantage. In the end though, we all lose. We’re stuck with a multitude of hardware and software that cannot ever be trusted…


me July 23, 2018 2:12 AM

@Steve B
no, the internet is not less secure because lets encrypt.
As you said people teached “if it has a lock is secure” which is plain wrong, it was true maybe in the past but was wrong even in the past.

and now people are making the same mistake with wifi:
“don’t use public wifi, it’s dangerous”
this, while true, it’s wrong too!
because you are teaching that public wifi=dangerous/you can be hacked
while “everything else”=secure.

it’s not true! thats why https exists.
yes, attacks on 3g/4g/lte/home wifi are more rare
but this doesn’t mean that they are impossible.
and it doesnt mean that they will be rare also in the future.

justinacolmena July 23, 2018 3:12 PM

@vas pup

Liars have higher stress levels and are more tense.


People fear discovery and punishment of their perceived social or moral wrongdoing.

Someone in possession of “classified information” for example may feel much more comfortable initially lying about it rather than telling the truth. But that didn’t do Samson any good.

Lies lead to discomfort and estranged relations because inevitably “the truth will out” and then the question becomes, “Why did you lie to me?”

thoromyr July 25, 2018 10:46 AM

@ those who’ve never heard the term “living off the land” before or think it is just a restatement of having a compromised system…

Well known in the infosec community, this term refers to using existing capabilities of a compromised environment rather than attempting to extend or add capabilities. The motivation is simple — if you install a tool then:

1) use of the tool can be used to correlate activity to a specific actor

2) presence of tools becomes part of threat detection

3) tools may leak internal information

4) tools are obstructed by white-.listing

The well resourced threat actors took to either poisoning or purging information to mitigate #3 (e.g., compile dates, paths, etc.) and #2 is fairly trivial to bypass, but if the incident is identified and investigated then analysis still tends to leverage #1. As organizations started to adapt white listing #4 started becoming important.

So… if you want a packet capture, you use the Microsoft tool that is included in all versions of Windows rather than downloading your own. This defeats #1 (it is provided by MS), #2 (it would be considered a false positive in anti-virus), #3 (not your information), and #4 (signed by Microsoft and white-listed).

A competent attacker does not touch the file system, much less risk detection by anti-virus through downloading a tool. And an enterprise pretty much has to have enterprise administration tools. Leveraging those obviates the need for installing most tools.

Not that attackers don’t continue to use tools, but for activities where they utilize your own software against you this is known as “living off the land”.

Even low-grade threat actors minimize their footprint these days: injecting code into a running process is a common technique to avoid running a suspicious process or having code on disk. Powershell is a great tool.

If you read the write up there’s another approach to problem #4 that is discussed specifically with respect to this threat actor: the abuse of code signing certificates.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.