New Zealand’s cyber security agency believes China has been behind numerous hack attacks spanning years.
The government joined Western allies and Japan in calling out Beijing for so-called state-sponsored hacks, including a major incursion in February when Microsoft email servers were targeted.
The US has charged four Chinese nationals — three security officials and one contract hacker — with targeting dozens of companies and government agencies in the United States and overseas under the cover of a tech company.
“What we do is when we see malicious cyber activity on New Zealand networks, that may be through our own capabilities that we have to help protect New Zealand networks or it may be something that’s reported to us, we look at the malware that’s used,” Government Communications Security Bureau Director-General Andrew Hampton told RNZ Checkpoint.
“We look at how the actor behaves. We look at who they might be targeting and what they do if they get onto a network.
“That allows us to build a bit of a picture of who the actor is. We then compare that with information that we receive, often from our intelligence partners who are also observing such activity.
“That allows us to make an assessment, and it’s always a probability assessment about who the actor is.
The APT 40 group
“In this case, because of the amount of information we’ve been able to access both from our own capabilities and from our partners, we’ve got a reasonably high level of confidence that the actor who we’ve seen undertaking this campaign over a number of years, and in particular, who was responsible for the Microsoft Exchange compromise, was the APT 40 group — Advanced Persistent Threat Group 40 — which has been identified as associated with the Chinese Ministry of State Security.
“The actors here are state sponsored actors rather than what we would normally define as a criminal group. What we’re seeing here is a state sponsored actor likely to be motivated by a desire to steal information.”
Hampton said there was a blurring of lines between what a state agency does, and what a criminal group does.
“Some of the technical capabilities that previously only state organisations had, have now got into the hands of criminal groups.
“Also what we’ve seen in a range of countries is individuals who may work part-time in a government intelligence agency, and then may work part-time in a criminal enterprise. Or they may have previously worked in a state intelligence agency and are now out by themselves but still have links back to the state.
“We don’t know the full detail of the nature of the relationship, but what we do know is the Ministry of State Security in China, for example, is a very large organisation with many thousands of employees.
“So they are big organisations with people on their payroll but they also would have connections with other individuals and organisations.
Information shared with criminals
“Something else worth noting with regard to this most recent compromise involving the Microsoft Exchange, what we saw there is once the Ministry of State Security actors had identified the vulnerability and exploited it, they then shared that information with a range of other actors, including criminal groups, so they too could exploit it.
“This is obviously a real concern to see this type of behaviour occurring,” Hampton said.
All the evidence showed the cyber attacks originated from mainland China, Hampton told Checkpoint.
He said such attacks would be aimed at stealing data, or possibly at positioning the attackers on a system so they could access information in the future.
“A common tactic we see, unfortunately, is there may be a vulnerability in a system,” Hampton said.
“It could be a generic vulnerability across all users of that particular system, and a malicious actor may become aware of that vulnerability, so they would use that to get onto the network.
“That doesn’t mean they will then start exfiltrating data from day one or something like that. They may just want to sit there in the event that at some point in the future they may want to start doing that.
“This exploitation of known vulnerabilities is a real concern. This is why all organisations need to keep their security patches up to date, because what can happen is you can have malicious actors use technology to scan whole countries to see who hasn’t updated their patches.
“They then use that vulnerability to get on the network and they may not do anything with it for some time. Or they might produce a list of all the organisations, say, in New Zealand who haven’t updated their patches.
“Then they make a decision – okay these are the four to five we want to further exploit.”
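The defender's counterpart to the mass scanning Hampton describes is knowing which of your own systems are still below the patched build before anyone outside does. The following is an added example, not code from RNZ or the GCSB: a small patch-level audit that reads a constructed host inventory (hostname, product, installed build), compares each build against a table of minimum patched builds, and sorts hosts into exposed, patched, untracked and malformed. The product names, build numbers and hostnames are placeholders invented for the example; the version comparison zero-pads shorter version strings so that `9.2` is correctly ranked above `9.1.12`.

```python
"""Patch-level inventory audit (added example; product names, builds and hosts are constructed)."""
from __future__ import annotations
import re
from typing import Optional

# Constructed: minimum build that contains the fix, per product. Placeholder values,
# not taken from any real advisory.
MIN_PATCHED_BUILD = {
    "mailserver": "15.2.100.4",
    "vpn-gateway": "9.1.12",
}

# Constructed inventory, one host per line: hostname,product,installed_build
INVENTORY = """\
# hostname,product,installed_build
mx1.example.test,mailserver,15.2.99.7
mx2.example.test,mailserver,15.2.100.4
vpn1.example.test,vpn-gateway,9.1.9
vpn2.example.test,vpn-gateway,9.2
web1.example.test,webfront,3.4.1
db1.example.test,mailserver,unknown
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '15.2.100.4' into (15, 2, 100, 4); raise ValueError if there is no number."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b. Shorter tuples are zero-padded so 9.1 == 9.1.0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_exposed(product: str, build: str) -> Optional[bool]:
    """True if the build is below the minimum patched build; None if the product is not tracked."""
    minimum = MIN_PATCHED_BUILD.get(product)
    if minimum is None:
        return None
    return compare_versions(build, minimum) < 0


def audit(inventory: str) -> dict[str, list[str]]:
    """Classify every inventory line; malformed lines are reported, never silently skipped."""
    result: dict[str, list[str]] = {"exposed": [], "patched": [], "untracked": [], "malformed": []}
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            result["malformed"].append(line)
            continue
        host, product, build = fields
        try:
            status = is_exposed(product, build)
        except ValueError:
            # Unparseable build string: treat as unknown state, not as patched.
            result["malformed"].append(line)
            continue
        if status is None:
            result["untracked"].append(host)
        elif status:
            result["exposed"].append(host)
        else:
            result["patched"].append(host)
    return result


if __name__ == "__main__":
    report = audit(INVENTORY)
    for category, hosts in report.items():
        for host in hosts:
            print(f"{category.upper():10} {host}")
```

Hosts in the `untracked` and `malformed` buckets deserve as much attention as `exposed` ones: a product with no minimum build on file, or a build string nobody can parse, is exactly the gap that an external scan finds first.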
This article is republished under a community partnership agreement with RNZ.