Profile picture
, 9 tweets, 4 min read
My Authors
Read all threads
The indictment of two Chinese nationals who carried out intrusions for the MSS is full of interesting insights on the state of Chinese cyber espionage. 1/x justice.gov/opa/press-rele…
First off, consider the efficiency of this capability. Two guys responsible for stealing hundreds of millions in intellectual property. And better yet, they're contractors, so limited overhead for the PRC! 2/x
Not the first time we've seen an extortion scheme from contractor types. APT41 has done something similar when seeking to monetize their access. Being allowed to carry out crime while under the protection of the state is just one of the benefits of this type of relationship. 3/x
A lot of typical espionage work here. DIB targeting. Targeting of dissidents (Hong Kong democracy activists and Chinese Christians). 4/x
Some very interesting additional targeting. Pharma and biotech targeting began before COVID-19. This is one of the areas we've seen targeting in as well and there have also been several incidents outside of the cyber arena. 5/x
The biotech targeting by this actor is also interesting in that it is not obviously Xi-agreement compliant like so much of this activity. 6/x
Also interesting to see the targeting of PII. Could certainly be a criminal operation, but given all the PII-related incidents we've seen by other Chinese state actors, it's worth wondering how this data will get used. 7/x
Also interesting to see gaming involved. APT41, a very similar operation targeted this area heavily. I am curious if this sector is a focus of this actor's side business, rather than the work they are doing for the MSS. 8/x
Also interesting in details about the relationship between MSS and the contractors. A suggestion that they were acting proactively in some cases by targeting dissidents without tasking. Also, the indictment indicates they were given an 0-day by their MSS contact. 9/x
Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with John Hultquist

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @JohnHultquist see all

Profile picture
John Hultquist
@JohnHultquist
Some coalescing thoughts on Iran's cyber capability. The first is that while cyberattack (disruption/destruction) is on the table, the most consequential capability may be cyber espionage. There will be cyber espionage against gov/mil targets as well as personnel of interest. 1/x
Iran, like others, has recently focused on moving upstream by compromising telecoms and travel. That way they can identify and track specific people. These operations put people in physical danger, especially in terrorism scenarios. 2/x fireeye.com/blog/threat-re…
Some of this activity has been enabled by DNS shenanigans, which was a leap forward for their operations. This report discusses those operations as well as some we attribute to SeaTurtle, another actor. 3/x fireeye.com/blog/threat-re…
Read 13 tweets
Profile picture
John Hultquist
@JohnHultquist
ODNI's Worldwide Threat Assessment starts with cyber, singling out China and Russia as posing the greatest espionage and attack threat. Notes the integration of espionage, attack, and influence operations. #WorldwideThreat 1/x
Report indicates Chinese espionage (to include key technology targeting) may need authorization from Beijing when alternatives are exhausted, suggesting restraint. Also noted is China's danger to critical infrastructure (a result of combining 3PLA/4PLA missions in the SSF?) 2/x
Russia is called out for influence and attack threat. Affirms that targeting of US critical infrastructure is long-term planning for damage that is localized and temporary. 3/x
Read 11 tweets
Profile picture
John Hultquist
@JohnHultquist
"Imagine a future “first strike” cyberattack in which a nation burrowed its way deeply into the industrial and commercial networks of another state and deployed ransomware across its entire private sector." -GRU persona in early '16 after their Ukraine blackout succeeded. 1/x
h/t to @emptywheel who points out that line was actually lifted from a Forbes article. 2/x

forbes.com/sites/kalevlee…
The article oddly foreshadowed a new approach by GRU. By the end of 2016, they were reattacking Ukraine's grid with more advanced malware, but they were also kicking off their first fake ransomware operations against other sectors. These operations were scalable and deniable. 3/x
Read 5 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!