In late February 2022, Qi An Pangu Lab, a Chinese cybersecurity company, “declassified” technical details of a cyber espionage campaign allegedly perpetrated by an elite hacking group working under the U.S. National Security Agency (NSA). Per the company’s findings, these state actors dubbed the “Equation Group” by the cybersecurity community created an advanced backdoor that was used to monitor approximately 45 countries for over a decade. These countries ranged from those traditionally friendly to the United States (e.g., Japan, Germany) as well as those that were more adversarial (e.g., China, Russia). Pangu Lab asserted that this cyber espionage campaign exploited Chinese communications, scientific research, and economic sectors.  It also made the link to the NSA hackers when it found private keys to unlock a suspected backdoor Pangu researchers found on a victimized computer host in China in 2013.

The keys were published by the Shadow Brokers, a group that some disks full of NSA tools and data and dumping them onto the Internet.  More importantly, among them was the only encryption private key that could activate the backdoor and control it remotely. Per Pangu Lab, additional programs revealed by the Shadow Brokers matched “the unique identifiers” used in the NSA’s operating manuals that Edward Snowden divulged when he exposed its PRISM tool. This further strengthened the tie between the backdoor to suspected NSA/Equation hackers. Based on the Lab’s analysis of the backdoor, the technical complexity and overall sophistication of the tool and its ability to circumvent detection and countermeasures is consistent with a group largely considered to be one of if not the most sophisticated advanced persistent threat (APT) actor tracked today.

Pangu Lab’s publication of its report is notable as is only the second time a Chinese cybersecurity company has publicly attributed alleged hacking activities to a U.S. government intelligence agency. Previously, Chinese company Qihoo 360 published a report in 2020 that detailed the activities of APT-C-39, an alleged Central Intelligence Agency cyber espionage effort that targeted Chinese organizations. Ever since a U.S. cybersecurity company first took the lead in trying to attribute an APT actor to a nation state organization, cybersecurity companies – many of them United States-based – have been involved in trying to attribute APT activity to state actors, practically competing with one another in the process. Interestingly, aside from these two Chinese reports, neither Chinese nor Russian cybersecurity companies have been focused on replicating the intense efforts of their U.S. and Western counterparts, especially at a time when both China and Russia have been repeatedly identified as aggressive bad cyber actors.

The same can be said with respect to cyber-related indictments. The United States has taken the lead in identifying state actors involved in cyber malfeasance, levying indictments that ultimately expose the identity of the individuals and their associations with foreign government military and/or intelligence organizations. Neither China nor Russia has followed suit, a curious decision not to engage in tit-for-tat retaliations usually seen when governments want to punish one another diplomatically. With respect to cybersecurity company attribution reports and indictments, one question looms large – why don’t China and Russia respond in kind?

Two possible explanations are that 1) they haven’t been able to detect such activity, or 2) they have seen no need to “out” the United States or see a benefit for doing so. With respect to the first one, it is doubtful that China and Russia lack the capability to detect or root out a surreptitious network exploitation attack. Both countries possess an advanced full-scope cyber apparatus both from a state perspective, as well as from a state-influenced private sector technology perspective. Given the attention that state-driven cyber attacks have garnered, it would be inconceivable to think that neither Beijing nor Moscow isn’t concerned about U.S. cyber espionage efforts, especially in the aftermath of Edward Snowden. The second explanation is more plausible, as both governments have committed their own cyber malfeasance without much care about public opinion or cybersecurity vendor reporting. Even despite intense public scrutiny, these governments have suffered little as a result of their cyber transgressions.

The timing bears note as well. The public disclosure of this revelation comes on the cusp of Russia’s invasion of Ukraine raising a follow-up question – why now? To the degree that the current Ukraine-Russia conflict factors is uncertain. However, clearly Beijing is closely observing how Moscow goes about reclaiming what it perceives as lost territory, as perhaps a potential guide for unifying Taiwan. This includes how it tries to shape the information space to its benefit via propaganda, disinformation, influence, and censorship. Perhaps the timing of this report is to start to paint the U.S. in a negative light for its own public relations purposes.

Beijing has been attempting a reset with the United States since the new administration assumed office, hoping the new U.S. president will reinstate a  pragmatic China policy that addresses mutual collaboration over pertinent issues based on the importance of both countries to the global community. But China recently has employed a carrot-stick approach to the United States. On one hand, it courts U.S. partnership, but on the other, solidifies economic ties with Russia, intimates that the United States is a major world threat, and even blames the United States for fanning the flames of the Ukraine conflict. Such mixed signaling can be interpreted as trying to keep the United States on its heels, especially if Beijing moves away from Russia, or else an effort to keep its options with Moscow open in case U.S. relations continue to sour.

China understands that it is too late to compete against Western cybersecurity companies’ efforts of exposing APT activity. There are far too many reports of varying fidelity that have outed Chinese intelligence and military cyber operations. However, Beijing may seek to solely divulge U.S.-driven cyber espionage during those times of geopolitical turmoil when it thinks it can use the news to its benefit. Perhaps when viewed through this lens, Beijing sees cyber attribution not only as a vehicle to point out culpability, but also to support its influence campaigns by exposing the hypocrisy of its biggest adversary to the larger global community. This doesn’t necessarily change things as much as send a message to the United States that China has the capabilities to track the most surreptitious of cyber threats, and therefore positions Beijing as an equal to Washington when it comes to exposing state-driven cyber malfeasance. Should relations continue to chill and following the lead of some U.S. cybersecurity companies, the next report that surfaces may very well identify the perpetrators behind the keyboards with the threat of China-levied indictments right behind.

 

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Explore OODA Research and Analysis

Use OODA Loop to improve your decision making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation state conflict, non-nation state conflict, global health, international crime, supply chain and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member only video library. Explore The OODA Community