Chinese cyber espionage and the Belt & Road Initiative

Presented at VB2019, Oct. 3, 2019, 10 a.m. (30 minutes)

The purpose of this paper is to demonstrate that one of the key drivers of Chinese cyber espionage is the Belt & Road Initiative (BRI). Also known as the New Silk Road, the BRI focuses primarily on Central Asia, but the ramifications of the BRI also affect entities outside Central Asia. Deloitte CTI continues to observe significant targeting along the New Silk Road. The examples of targeting in this paper are not intended to be exhaustive; rather, they are intended to demonstrate the scope and the persistent nature of Chinese cyber espionage operations against countries with BRI projects and countries with technology and know-how that are relevant to the BRI. The goal of this paper is not to provide evidence of attribution to specific Chinese government organizations; rather, it is to demonstrate that the activities detailed herein align with the intelligence priorities of China in the region. This paper is based on a variety of data sources, including open source as well as Deloitte CTI internal sources. This study is composed of two major sections:

  • A discussion of what the Belt & Road Initiative is, including its intelligence dimensions and the ways in which it ties into the strategic plans of China. This part will include a description of the Chinese intelligence services with a foreign intelligence mission.
  • Recent examples of intrusion activity, including high-level analysis of malware deployed against targets, C2 infrastructure and TTPs employed by adversaries targeting the states along the New Silk Road.

Presenters:

  • Loucif Kharouni - Deloitte
    Loucif Kharouni is the VP, Service Delivery for Threat Intelligence at Deloitte based out of Seattle. He leads multiple remote teams across the US, Europe and Asia Pacific of highly skilled professionals. Loucif has a background in cybercriminal methodology and behaviour and has extensive expertise in intelligence gathering and tracking down cybercriminals. He has written, discussed, and presented about topics that include targeted attacks, financial threats, bulletproof providers, and the cybercrime economy. Prior to Deloitte, Loucif worked for the Trend Micro research team and focused on adversaries' investigations and their activities that led to multiple arrests in collaboration with various law enforcement agencies. Loucif has participated as a speaker in various professional cybercrime conferences over the years such as Cert EE, Virus Bulletin, M3AAWG, APWG, SERENE-RISC and RISE.
  • Thomas Thomasen - Deloitte
    Thomas Thomasen is a threat researcher with Deloitte's Global Cyber Threat Intelligence team based out of Copenhagen, Denmark. Thomas has a background in intrusion analysis and has extensive experience with tracking APTs, including their operations, capabilities and intentions. Prior to joining Deloitte, Thomas worked for the Danish Defence, focusing on APT activity.
