A number of patents have been granted to companies in the People’s Republic of China (PRC) involving “highly intrusive forensics and data collection technologies” that allow everything from the acquisition of encrypted endpoint data and mobile forensics to collecting traffic from network devices, says a report from SentinelLabs, a division of security vendor SentinelOne.
Dakota Cary, the report’s author, said Thursday in an email to CSOonline that the most important pieces of new information gleaned from the findings are that “China’s contracting ecosystem forces many companies and individuals to collaborate on intrusions. This means many China-based Advanced Persistent Threats (APTs) may actually contain many different companies with many different clients.”
The nation’s diverse private sector offensive ecosystem, he said, “supports a wide array of intrusion capabilities. Mapping observed tooling back to a cluster may not actually represent the true organization structure of the attackers.”
In his 15-page report, he noted that, earlier this month, the US Department of Justice (DoJ) released an indictment of two hackers, Xu Zewei and Zhang Yu, accused of working on behalf of China’s Ministry of State Security (MSS), that, he said, “sheds new light on the PRC’s contracting ecosystem. The indictment outlined that Xu and Zhang worked for two firms previously unattributed in the public domain to the Hafnium (aka Silk Typhoon) threat actor group.”
Xu, who was arrested on July 3 in Italy and is facing extradition to the US, was involved with a company called Shanghai Powerock, while Zhang, who remains at large, was with Shanghai Firetech.
Tiered system of hacking outfits
Cary stated in the report, “the DoJ maintains that [the pair] worked at the ‘direction’ of the Shanghai State Security Bureau (SSSB) … This ‘directed’ nature of the relationship between the SSSB, and these two companies contours the tiered system of offensive hacking outfits in China.”
In addition, the DoJ indictment noted, “the announcement of charges against Xu is the latest describing the PRC’s use of an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government’s involvement.”
Cary said that SentinelLabs has identified 10+ patents filed in the PRC that were registered by companies named in US indictments as working on behalf of the Hafnium threat actor group.
These, he said, include “remote automated evidence collection software, Apple computer comprehensive evidence collection software, router intelligent evidence collection software, and computer scene rapid evidence collection software.”
Shanghai Firetech, said Cary, conducts offensive hacking at the direction of the SSSB. “The company also has patents on a variety of offensive tools that suggest the capability to monitor individuals’ homes, like intelligent home appliances analysis platform, long-range household computer network intelligentized control software, and intelligent home appliances evidence collection software which could support surveillance of individuals abroad. Other intelligence agencies, like the CIA, are known to have similar capabilities,” he wrote.
Luke McNamara, deputy chief analyst of the Google Threat Intelligence Group, said the report findings “align with what we understand about the nature of state-sponsored cyber espionage in China, and further showcase the role these enterprises play in enabling the larger ecosystem of threat activity from China attributed operations, with increasing volume and scale.”
The puzzle of the patents
John Annand, digital infrastructure practice lead at Info-Tech Research Group, said, “a weapon system is a weapon system, regardless of the means or material of fabrication. Are we really so surprised that some entity other than the Western military industrial complex would patent technology whose predominant purpose would be viewed (at least by them) as vital to their self-defense interests?”
As nation-states advance their own agendas (political, commercial, or other) by alternate means, he said, “it is incumbent on global leaders to adjust their approach to protect the commercial and political interests of their own citizens.”
However, the filing of the patents puzzled David Shipley, head of Canadian security awareness training provider Beauceron Security. “Honestly, I don’t get it,” he said. “It just feels so dumb. The entire point of a patent system is to encourage innovation by requiring inventors to disclose the unique elements of an invention; it encourages others to develop better processes, designs and tools.”
Shipley said, “in essence, by patenting their approaches, the companies are giving a blueprint of their ideas to others. As well, they’re showing their hand to platform providers in enough detail so they can fix those issues. If they were worried about intellectual property protection, keeping these a trade secret would have seemed to be smarter IP strategy. But as folks in our biz often say, ‘Operational Security (OpSec) is hard.’ Even more so when you patent and publish your hacks.”