
MSS - Ministry of State Security and its cyber activities

In the previous post we dealt with the intelligence activity of the People's Liberation Army and how the reforms of the armed forces are aimed at improving their functioning in this field. This time we will focus on an agency dealing with typically intelligence tasks - the Ministry of State Security (国家安全部, MSS). To start with a brief historical outline, the modern MSS organization is the result of the transformations that took place in June 1983. It was then that the Central Investigation Department (CID) absorbed the counterintelligence functions of the Ministry of Public Security, thus becoming China's main intelligence agency. The reorganization was political, led by Luo Qingchang, a staunch opponent of Deng Xiaoping. Due to Luo's position, it was not possible to remove him from office, so the creation of the MSS allowed for a change of intelligence leadership and the removal of an inconvenient politician. In addition to personnel changes, the creation of the MSS also took place during the reform of Deng Xiaoping's policy, which assumed a greater opening of China and the establishment of contacts with foreign partners. The Deng Plan envisioned the "Four Modernizations" of Agriculture, Science, Industry and Defense to significantly strengthen China's position in the international arena. For this, however, knowledge and technology were needed, which were not easy to obtain due to limited diplomatic relations and an intelligence apparatus weakened by purges and reforms. Civilian intelligence agencies were not able to meet the intelligence demands of politicians. So Deng turned to the PLA, specifically the Second Department of the General Staff, as his intelligence arm. This approach influenced the hierarchy of the intelligence apparatus, pushing the MSS into the background, but at the same time it protected the organization from the politicization that had befallen the PLA.
At the same time, however, the 1990s was a period of investments that were to pay off 20 years later. Chinese intelligence began to be interested in new technologies and network operations, which resulted in the establishment in 1997 of the China National Information Technology Evaluation Center (CNITSEC), which was supposed to deal with the assessment and cataloging of vulnerabilities, but in fact was the face of the MSS department responsible for the CNE and network security. Similarly, during this period, support from the government was obtained by the first companies creating network security solutions, such as TOPSEC or Venustech.

These investments started to bring the greatest benefits for MSS after 2015. In the previous post I wrote about the reorganization of the PLA and the creation of the Strategic Support Force, and this period is the time when the MSS adopted a more aggressive approach to conducting foreign operations and obtaining information. And the key component was precisely cyber activities, which created the possibility of operating on an unprecedented scale and conducting operations regardless of geographical conditions.

Staying with organization a moment longer: the MSS is divided into bureaus. Unlike the PLA, where a unit's place in the organizational structure can be tracked using its MUCD, information about individual MSS bureaus is not so readily available. Sources say that the MSS may have eighteen bureaus:

  1. First Bureau - operations by intelligence officers operating without official cover.
  2. Second Bureau - operations of intelligence officers acting as diplomats, journalists, and other persons officially affiliated with the government.
  3. Third Bureau - function unknown.
  4. Fourth Bureau - operations related to Taiwan, Hong Kong and Macau.
  5. Fifth Bureau - intelligence analysis and distribution of intelligence products.
  6. Sixth Bureau - function unknown.
  7. Seventh Bureau - counterintelligence in the field of analysis and obtaining information about hostile intelligence agencies operating against China.
  8. Eighth Bureau - counterintelligence investigations, the detection and detention of spies operating in China.
  9. Ninth Bureau - monitoring foreign organizations and subversive organizations to prevent espionage.
  10. Tenth Bureau - monitoring Chinese student organizations and subversive organizations operating abroad.
  11. Eleventh Bureau - OSINT analysis, translations and meetings with foreign guests or visits to foreign centers. The China Institutes of Contemporary International Relations currently operate within this bureau.
  12. Twelfth Bureau - MSS participation in United Front Work - a department dealing with influencing social elites in China and abroad.
  13. Thirteenth Bureau - the aforementioned CNITSEC, network operations and network security.
  14. Fourteenth Bureau - Technical Reconnaissance Bureau - control of traditional correspondence and correspondence conducted via telecommunications networks.
  15. Fifteenth Bureau - Taiwan-related operations, a bureau related to the Taiwan Institute of the China Academy of Social Sciences.
  16. Sixteenth Bureau - function unknown.
  17. Seventeenth Bureau - function unknown.
  18. Eighteenth Bureau - operations against the United States.

So, as befits China's main civilian intelligence agency, the scope of work of the MSS is very broad. Naturally, we will be most interested in operations related to the Thirteenth Bureau and broadly understood cyber activity. As in the case of the PLA, information about the operations will be provided by a combination of private sector reports and indictments whose protagonists were Chinese intelligence officials. However, when writing about Chinese cyber activities, and the MSS in particular, it is impossible not to mention one very interesting source. In 2017 a blog called Intrusion Truth appeared, which very quickly gained the interest of threat intelligence analysts due to its publication of detailed descriptions of Chinese operations and, moreover, the disclosure of the identities of specific people responsible for them. Interestingly, as the motivation for their actions, Intrusion Truth pointed to MSS theft of intellectual property. According to the authors, such operations are particularly reprehensible, as they are simply theft of someone else's work, showing only how China has to lean on dirty activities in order to maintain the competitiveness of local companies.

We can therefore start the description of the operations with the activity that was also discussed by Intrusion Truth, but which first appeared in the public consciousness in April 2017 thanks to the PwC and BAE Systems report describing the activity called "Cloud Hopper". Cloud Hopper was said to be an operation of the APT10 group affiliated with the Chinese government, and its goal was to break into service providers (MSP - Managed Service Provider). MSPs have been and are very valuable targets due to the wide access to customer infrastructure they have because of the type of services provided. A successful hack could therefore potentially provide resources that go far beyond just those that were in the organization's own environment. According to the findings of PwC analysts, APT10 dealt with espionage activities, exfiltrating large amounts of data from the servers of both MSPs and their clients. Cloud Hopper was not a one-time APT10 action; the group's activity dates back to 2009, when the first traces of attacks on American companies related to the defense industry were found. At this point, it is appropriate to dwell on the chronology for a moment, taking into account that we are looking here at the activities of Chinese groups broken down into PLA and MSS operations. The report contains an interesting paragraph:

Let us note two aspects here. First, the authors speculate that the decline in activity in 2013-2014 may have been related to the disclosure of APT1 activity (as mentioned in the Mandiant report). However, as we remember, APT1 is after all a PLA activity - so are we really dealing with an MSS operation? There may be several explanations here. First of all, if we are talking about the use of individual tools, it can often happen that we are actually tracking not the operators, but the authors of the tools used by various groups associated with the intelligence organizations of a given country. Likewise, due to, for example, personal contacts or the exchange of experiences between units and departments, the method of creating infrastructure may be based on similar methods. Secondly, unfortunately, without access to information sources such as SIGINT or HUMINT aimed at the organizations in question, it is very difficult to say whether we are talking about the same organizational unit all the time. Especially if the activity lasts as long as in this case. Let's not forget, for example, the reform of the PLA or the change in position and development of MSS cyber capabilities that took place in the meantime. So on what basis do we consider APT10 to be MSS operations? The attribution in this case was made by the US government, which published an indictment against officers of the Tianjin State Security Bureau. In the document, we can read that the activity of the group tracked as APT10 started even earlier - at least in 2006. The operators worked for the Chinese company Huaying Haitai, which works in liaison with the MSS, specifically the aforementioned Tianjin office, for the operation. As for the modus operandi of the perpetrators, the indictment presents a rather standard hacking scenario - e-mails with phishing attachments leading to the installation of implants on the victim's computer.
However, the most interesting element of the documents provided by law enforcement agencies is usually not the technical details, but information about the attackers and their targets. And so we will find a description of two campaigns here. The first one started around 2006 and was aimed at industrial espionage. APT10 gained access to defense companies and government agencies (the prosecution mentions aviation, space technology, component manufacturing, pharmaceuticals, oil refining, computer technology and the maritime industry). The second, launched in 2014, is the attacks on MSPs, i.e. the activities most likely described by the private sector as Cloud Hopper. According to the U.S. prosecutor's office, one of the breaches of such an entity (based within the jurisdiction of the New York Southern District Prosecutor's Office) allowed access to customer data from at least twelve countries in Europe, America, Asia and the Middle East. In addition, a breach into the systems of the United States Navy was also briefly mentioned, which resulted in the theft of data on over one hundred thousand employees.

The second of the APT groups associated with the activities of the MSS is APT3. Boyusec, a Chinese company providing cybersecurity services, is said to be responsible for APT3. The link between APT3 and MSS activities was first mentioned by Intrusion Truth in May 2017. In a post on their blog they pointed out the similarity of the names of people acquiring infrastructure for APT3 operations to the shareholders of Boyusec, and cited an article according to which anonymous Pentagon officials had revealed that Boyusec is involved in intelligence activities for the Chinese government. Not long after that, Recorded Future published a report in which analysts supported this thesis. Recorded Future relied on its own telemetry regarding infrastructure registration and business links between Boyusec and Guangdong ITSEC - a research center operating within the already mentioned CNITSEC. Thus, the MSS operated here through subcontractors, outsourcing operations to a private entity via research agencies that are under the control of the MSS and are the public face of network operations. Recorded Future summarized this in the following simple diagram:

When it comes to the scope of APT3 activity, we can go back to 2015, when FireEye published a report on an advanced campaign in which the attackers used 0-day vulnerabilities in popular web browsers such as IE or Firefox and moved quickly through the environment after gaining access. Like APT10, the targets selected by APT3 had a distinctly defense and industrial tinge - FireEye analysts observed that the group was interested in aviation and defense, construction, telecommunications, transportation, and new technology companies.

APT3 has also been indicted; however, this time the Department of Justice did not directly name the group. The accusation in question concerned the subjects of the aforementioned Intrusion Truth post (Wu Yingzhuo, Dong Hao), responsible for the registration of infrastructure, and indicated their ties to Boyusec. According to the document, the group is responsible for breaking into the Moody's rating agency in 2011-2014, into Siemens between 2014 and 2015, and in 2015-2016 into Trimble - a company dealing with GPS and GNSS navigation systems. As in the case of APT10, the break-ins were of an espionage nature. Operators stole economic analysis from Moody's and Siemens data on energy and transportation projects. In the case of Trimble, the goal was industrial property related to a project to increase the precision of navigation systems running on mobile devices such as tablets and mobile phones. The modus operandi similarly included phishing email campaigns, implant installation, and lateral movement using stolen credentials, but the indictment also mentions a rather interesting exfiltration technique. In the case of Moody's, the attackers created a rule on the e-mail server that redirected incoming correspondence from one of the economists working in the company to e-mail accounts controlled by them. The scale of the operation in the case of Siemens is also impressive - the document mentions the theft of 407 GB of data.
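The mail-rule exfiltration described above has a simple defensive counterpart: periodically auditing mailbox rules that forward or redirect mail outside the organization. The script below is an added example, not code from the original post or from any of the reports it cites. It works on a simplified, constructed JSON dump of inbox rules (the field names `forward_to`, `redirect_to`, `delete_message` are assumptions for this example; a real export, for instance from Exchange's `Get-InboxRule`, would need its own field mapping) and flags enabled rules that send mail to an external domain, raising severity when the rule also deletes the original or carries a near-empty name, two habits that hide the rule from the mailbox owner.

```python
"""Audit mailbox rules for forwarding/redirection to external domains.

Added example, not from the original post. The rule records are a
constructed, simplified JSON shape, not a real Exchange export.
"""
import json

# Constructed sample: a dump of inbox rules for several mailboxes.
SAMPLE_RULES_JSON = json.dumps([
    {"mailbox": "economist@corp.example", "name": "Archive", "enabled": True,
     "forward_to": ["backup-mail@outsider.example"], "redirect_to": [],
     "delete_message": True},
    {"mailbox": "economist@corp.example", "name": "Team copy", "enabled": True,
     "forward_to": ["team-lead@corp.example"], "redirect_to": [],
     "delete_message": False},
    {"mailbox": "analyst@corp.example", "name": "Old rule", "enabled": False,
     "forward_to": ["x@outsider.example"], "redirect_to": [],
     "delete_message": False},
    {"mailbox": "cfo@corp.example", "name": ".", "enabled": True,
     "forward_to": [], "redirect_to": ["cfo.mirror@freemail.example"],
     "delete_message": False},
])

# Domains considered internal; subdomains of these count as internal too.
INTERNAL_DOMAINS = {"corp.example"}


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True unless the address domain is an internal domain or a subdomain of one."""
    d = domain_of(address)
    return not any(d == i or d.endswith("." + i) for i in internal_domains)


def audit_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Return findings for enabled rules that forward or redirect mail externally."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("enabled", False):
            continue  # disabled rules cannot leak mail; still worth a separate review
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [a for a in targets if is_external(a, internal_domains)]
        if not external:
            continue
        reasons = ["forwards or redirects outside the organization"]
        severity = "high"
        if rule.get("delete_message"):
            reasons.append("deletes the original, hiding the copy from the owner")
            severity = "critical"
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
            severity = "critical"
        findings.append({"mailbox": rule["mailbox"], "rule": rule.get("name", ""),
                         "external_targets": external, "severity": severity,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES_JSON):
        print(f["severity"].upper(), f["mailbox"], repr(f["rule"]),
              "->", ", ".join(f["external_targets"]), "|", "; ".join(f["reasons"]))
```

Run against the constructed sample, the audit reports two findings (the economist's "Archive" rule and the CFO's "." rule) and ignores the internal team copy and the disabled rule. In practice the same check belongs in a scheduled job, with new external forwarding rules raised as alerts rather than reviewed by hand.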

Another MSS operation has been indicted, but this time it has not been publicly associated with any group followed by the private sector. The indictment was published in July 2020 against two people commissioned by the MSS to commit a series of intrusions, including attacks on COVID-19 vaccine research centers. However, while it was this operation that attracted the most attention of the media, the document itself describes many more operations taking place between 2016 and 2020. The list includes companies from the defense, energy, pharmaceutical, civil engineering, computer games, and electronics sectors. The targets were not only in the United States, but also in Australia and South Korea. Interestingly, this time the prosecution indicated that the attackers used vulnerabilities in resources exposed to the Internet, misconfigured services, and used webshells to maintain access - including the well-known China Chopper. The nature of the operation was once again strictly intelligence. The operators obtained data related to the development of new technologies, especially those important from the point of view of the US military potential.

Finally, APT40 and the indictment against officials of the Hainan State Security Department, disclosed in July 2021. At the same time, CISA published an article describing the techniques used by the group and indicators - implant hashes and domains used by the attackers for C2. The campaign was again decidedly long-term in nature; according to the results of the investigation, it began no later than 2009 and lasted until 2018. Cooperation with Chinese universities is worth emphasizing. According to prosecutors, research staff assisted in the identification and recruitment of potential candidates for MSS work - not only technical skills were sought, but also the language skills necessary for effective reconnaissance in the systems under attack. In addition, contacts with universities were also expected to help run Hainan Xiandun, the company behind the APT40 operation. As befits such a long operation, the list of targets is long and includes countries from distant corners of the globe - the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and Great Britain. As for the attacked sectors, this was once again the defense sector, aviation, education, health, and the maritime industry. The latter in particular was the target of intensive operations. Before APT40 became APT40, Mandiant analysts tracked activity associated with the group as TEMP.Periscope and described intensive efforts directed at entities dealing with shipbuilding technologies, maritime transport and materials engineering. As wide as the range of victims was, the attackers used a number of techniques in the course of their operations - from phishing emails, through a package of self-written tools, to using GitHub as a place to dump exfiltrated data. Operators were also fond of TOR, which they used to connect to implants and to access infrastructure elements such as the e-mail boxes used in operations.
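Indicator lists of the kind CISA published for APT40 (C2 domains and implant hashes) are only useful once swept against local telemetry. The script below is an added example, not code from the original post or from CISA's advisory, and every indicator and log line in it is a constructed placeholder rather than a real APT40 value. It shows the two details such a sweep most often gets wrong: domain matching must catch subdomains of a listed C2 domain while not matching unrelated names that merely end in the same characters, and hostnames must be normalized (case, trailing dot) before comparison. The log format (timestamp, client IP, queried host) is an assumption for the example.

```python
"""Sweep constructed proxy/DNS logs and file contents for placeholder IoCs.

Added example, not from the original post or CISA's advisory. The
indicator values and log lines are constructed placeholders.
"""
import hashlib

# Constructed placeholder indicators (NOT real APT40 IoCs).
IOC_DOMAINS = {"c2-placeholder.example", "update.bad-placeholder.example"}
IOC_SHA256 = {hashlib.sha256(b"constructed implant bytes").hexdigest()}

# Constructed log lines: "<timestamp> <client-ip> <queried host>".
SAMPLE_LOG = """\
2021-07-19T10:00:01Z 10.0.0.5 www.legit.example
2021-07-19T10:00:02Z 10.0.0.5 beacon.c2-placeholder.example
2021-07-19T10:00:03Z 10.0.0.9 notc2-placeholder.example
2021-07-19T10:00:04Z 10.0.0.9 UPDATE.BAD-PLACEHOLDER.EXAMPLE.
2021-07-19T10:00:05Z 10.0.0.7 malformed line without a host"""


def normalize_host(host):
    """Lower-case the name and strip a trailing dot (common in DNS logs)."""
    return host.lower().rstrip(".")


def matches_domain_ioc(host, ioc_domains=IOC_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one.

    A plain endswith() check would wrongly match 'notc2-placeholder.example';
    requiring the separating dot avoids that false positive.
    """
    h = normalize_host(host)
    return any(h == d or h.endswith("." + d) for d in ioc_domains)


def scan_log(text, ioc_domains=IOC_DOMAINS):
    """Return ([(timestamp, client, host), ...], malformed_line_count)."""
    hits, malformed = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            malformed += 1  # count rather than silently drop unparsable lines
            continue
        ts, client, host = parts
        if matches_domain_ioc(host, ioc_domains):
            hits.append((ts, client, normalize_host(host)))
    return hits, malformed


def scan_files(files, ioc_hashes=IOC_SHA256):
    """Return paths whose SHA-256 is on the indicator list.

    `files` maps path -> bytes; an in-memory stand-in for a filesystem walk.
    """
    return sorted(p for p, data in files.items()
                  if hashlib.sha256(data).hexdigest() in ioc_hashes)


if __name__ == "__main__":
    hits, bad = scan_log(SAMPLE_LOG)
    for ts, client, host in hits:
        print(f"{ts} {client} contacted IoC domain {host}")
    print(f"{bad} malformed line(s) skipped")
    sample_files = {"/tmp/a.exe": b"constructed implant bytes", "/tmp/b.exe": b"benign"}
    print("hash hits:", scan_files(sample_files))
```

On the constructed input the sweep reports the beacon to a subdomain of the first placeholder domain and the upper-cased, dot-terminated query for the second, skips the look-alike name, and counts the malformed line instead of discarding it unseen; the hash sweep flags only the file whose content matches the placeholder hash.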

As we can see, the MSS is not idle when it comes to using cyber operations for espionage. The activities disclosed by private research teams and law enforcement agencies present a picture of long-term operations aimed at gaining access to the target's environment and stealing data over a period of months or years. Let us remember that the break-ins described here are certainly just the tip of the iceberg - so it is clearly visible how, in terms of cyber operations, MSS has made up for the loss of position to military intelligence and is perhaps even more active now than the PLA.

So this is what Chinese services focused on foreign action look like, in the last post in the series we will look at the Ministry of Public Security and its role in Chinese cyberspace policy.
