Discretion Is the Better Part of Valor

Think “Chinese hackers” and most likely Beijing’s many state espionage threat actors come to mind. Partly, says cybersecurity firm Kela, that’s because Chinese criminals increasingly keep a low profile on public-facing forums and rely on Telegram and other encrypted foreign messaging apps to discreetly coordinate activities and sell wares.

See Also: Live Webinar | Secrets Detection: Why Coverage Throughout the SDLC is Critical to Your Security Posture

Cybercriminals operating with extreme discretion in China should be no surprise. Beijing since 2018 has initiated multiple crackdowns on cybercrime groups and sites, backed by draconian laws that “have fostered a climate of self-censorship among major and minor website operators as well as users of hacking forums and blogs in the country, discouraging open activity by cybercriminals on the platforms,” Kela said in a report examining the Sino criminal landscape.

China has also strived to make anonymous use of the internet difficult, including through crackdowns on the use of VPNs and cryptocurrency. At least some Chinese cybercrime groups appear to have moved their base of operations outside the country.

Compared to the Russian and English-speaking cybercrime underground, the researchers said, the Chinese ecosystem sports far fewer underground forums devoted to hacking discussions or to selling hacking tools, stolen data or other illegal material. The forums that do exist don’t have an overly verbose user base, but they appear to be a prelude for communicating via direct messaging or an encrypted chat application, the report says.

“Sticking to their discreet approach, the content that Chinese-speaking cybercriminals share across various platforms is predominantly focused on services and offers rather than discussions and often uses coded language or a general overview instead of specific offers,” it says.

Chinese ecosystem cybercrime forums also lack a number of typical features, such as “clear reputation systems” for evaluating buyers, sellers and wares, “which requires additional effort in analyzing the offers and researching the specific actors,” Kela researchers told Information Security Media Group.

Much of this activity appears to take place on Telegram channels, and groups are devoted to such things as “penetration-testing services” and selling stolen databases – Chinese and foreign card details are always sold via different groups – as well as money laundering, creating fake identification and bypass services that may allow users to buy cryptocurrency or foreign SIM cards. This parallels the continuing embrace of Telegram and other encrypted chat apps by cybercrime communities globally, the researchers said.

The degree to which this level of Chinese cybercriminal using these forums and messaging tools might assist the state remains unclear, experts say, although there appears to be some degree of crossover between the communities. “The blurred line between state-sponsored actors – usually aiming for espionage – and financially motivated actors in China allows for shared resources and expertise to flow between the two groups,” Kela said.

Kela said nation-state-backed advanced persistent hacking groups likely “have vast access both to a Chinese-speaking and wider cybercrime ecosystem,” as highlighted by their use of many of the same Chinese-developed open-source and off-the-shelf tools in their attacks.

As opposed to what Beijing might classify as “Chinese cybercriminals,” the country also appears to have a thriving professional offensive hacking operations sector that regularly assists the government, under contract. Last month, a tranche of documents leaked on GitHub – evidently obtained from Shanghai-based iSoon – showed how the private company supports government-led hacking operations (see: Chinese Hacking Contractor iSoon Leaks Internal Documents).