The author
Naftali Goodman
Self-Published Author and a digital marketing specialist. Read his thought leadership articles for information on the Attack Surface and Threat Intelligence.
China-Taiwan Threat Intelligence Landscape
Introduction
Over the past couple of months, the tension between China and Taiwan has increased dramatically. The well-known conflict between both countries began in 1949 when Taiwan became a self-governing state, while Beijing still considers the island part of its territory. Beijing has promised to “unify” Taiwan with the rest of the mainland, using force if necessary.
The 24-hour visit to Taiwan by the U.S. Speaker of the House, Nancy Pelosi, on August 2 exacerbated the complex situation between these countries. Her visit had the potential to sow the seeds of a cyber escalation, and was followed by Distributed Denial of Service (DDoS) attacks on Taiwanese government websites such as the Defense Ministry, the President’s Office, the Foreign Ministry, and the Taoyuan International Airport.
The comparison to the Russia-Ukraine war is clear: China did its homework and learned how the world reacts to such a potential invasion. The current state between China and Taiwan is marked by similar cyber activity via multi-vector attacks.
Another vector that demonstrates this tension is national-level cyber breaches. Since June 1, the Cyberint Research Team has witnessed a significant rise in the number of Chinese and Taiwanese breaches exposing billions of residents’ personal information.
The battle between both countries has already begun: digital warfare is here, and we see the proliferation of ricochets. We can assume that it is just a matter of time until additional significant attacks are launched, impacting both countries’ citizens.
Data Breaches and Traffic Volume Comparison
When reviewing the activities of the past three months, a significant spike in Chinese and Taiwanese breaches appeared in cybercriminal leak forums. The graph below displays the commenting traffic in Chinese/Taiwanese related threads:
The breaches include major nation-state and nation-related companies, of which we had previously seen only a few. Among the threads, we found the Shanghai Suishenma QR code database of 48.5M unique users, which might give a threat actor the ability to trace every individual user since January 2022.
Additional impactful data breaches that were shared in the forum are:
| Name of Breach | Exposed Data / # of Records |
| --- | --- |
| A leading Chinese bank’s database | 50GB |
| ShunFeng/SF Express - Top courier in China | 66M Records |
| Wanguoguoji World International China | 20K, Admin Access |
| Ningbo Ocean Vocational and Technical School | 105 xlsx tables / 100k users |
| ZTE - Chinese State-Owned Tech Firm | 4,000 entries |
| China Agricultural Bank (ABC Bank) | 890K Records |
| China Job Seekers Full Info Database (digov.com.cn) | 382K Records |
| China Database (bevol.com/bevol.cn) | 400K |
| China Changan Automobile Co. Ltd customer list | 2M+ |
| www.sinograin.com.cn – Strategic data of the agricultural sector | 40GB |
| xinnet.com – Cloud hosting leak | 80GB |
| China Zhejiang CONBA Pharmaceutical Co. Ltd internal data | 180GB |
| China Bank Software Service Provider www.yusys.com.cn | Source Code |
| Major China Hospital Data Leak | N/A |
| Podinns Hotels Customer Leak | 13M |
| Shanghai Police Leak | Several TB / 1B Records |
In addition to the abovementioned data sales, there is also a high demand for Chinese data and exploits, which threat actors are willing to purchase. Total engagements in these threads are far beyond 150k, which puts interest in Chinese data in the lead, with every other topic trailing far behind. We will dive into some of those breaches in the next section.
The Shanghai Police Breach
The end of June was a turning point for Chinese breaches. A user named ChinaDan shared the Shanghai National Police (SHGA) Database Leak. These databases contained information about 1 billion Chinese national residents and several billion case records, including:
- Name
- Address
- Birthplace
- National ID Number
- Mobile number
- All Crime / Case details
The threat actor offered all the data for 10 BTC ($200k), and it was later purchased.
Due to the sensitivity of the data, and because it was one of the first major Chinese breaches ever, the post attracted massive traffic and the high interest led to the creation of countless new forum accounts. This resulted in an unusual announcement from the forum’s administrators clarifying the forum rules in Mandarin.
Notable Actors And Victims
Against The West – Operation China and Renminbi
BlueHornet/APT49 began as a data leaks group called AgainstTheWest around October 2021, when it already stated that it would attack any group or organization that sided with Russia. Its target list includes the CoomingProject company, APT3 (Gothic Panda), APT40 (KRYPTONITE PANDA), APT28 (Fancy Bear) and APT38 (Lazarus), along with multiple Chinese companies such as Alibaba, WeChat and MyBank.
On August 12, the group announced Operation China, which mainly targets Chinese state-related corporations. The group attacked ZTE, a Chinese state-owned tech firm. On August 21, the group sold an additional database under the campaign name Operation Renminbi. The victim was the Chinese Ministry of Internal Affairs, and the database contained 50.8M entries. The data was offered for $1,000 and was quickly sold.
KelvinSecurity
The team previously declared that it was standing with Ukraine against Russia, and is currently still involved in that conflict, having attacked a Russian gas organization. A few weeks ago the group attacked the Chinese company Wanguoguoji World International, which, according to the group, works with Chinese agencies. An additional victim of the group is Jinan University, a school for Chinese citizens residing abroad. The university is administered by the Overseas Chinese Affairs Office of the State Council and the Ministry of Education of China.
Karakurt, Lockbit and Other Actors
During 2022, there has been an increase in ransomware attacks against Chinese targets. However, the recent tension between the countries did not trigger a burst of ransomware attacks. Surprisingly, the groups involved in activity against China include Karakurt, which was previously known for mainly targeting Western corporations. Karakurt attacked two companies – Hengan International Group and Shanghai Hanbell Precise Machinery Co Ltd.
From the analysis of Lockbit’s victims, we can assume that the group is mainly financially motivated and did not take a side. Among their 2022 victims are nine Taiwanese and four Chinese victims.
#OpChina Anonymous and Their Allies
On May 6, the Cyberint Research Team first identified #OpChina alongside the well-known #OpRussia campaign hashtag. The hashtags, accompanied by a message, originated from Anonymous and contained the following text: “Anonymous warns China not to ‘try anything stupid against Taiwan’”.
From that point, additional groups such as GhostSec and DoomSec joined forces and started attacking Chinese-related institutes. On June 6, Anonymous hacked a Chinese government educational website to commemorate the Tiananmen Square Massacre.
On July 17, Anonymous hacked MIIT’s China Academy of Telecommunications Research, because, according to the threat actors, “China buys Russian oil and has become the main financier of Putin’s war, giving Moscow a reliable source of revenue that cushions the impact of harsh Western sanctions”.
Conclusions
Although physical combat between Taiwan and China is a possibility, cyber warfare is already up and running, with Denial of Service and ransom attacks affecting both sides. Western threat actors have already embedded themselves in this major conflict and have started breaching whatever stands in their way. This has drawn both countries deeply into the Western cybercriminal forums.
As the conflict does not seem close to ending any time soon, and given the similarity to the Russia-Ukraine war, we can assume that the attacks will be further escalated by both parties over time and will impact a broader range of sectors, from infecting SCADA/ICS devices to influence attacks on social media platforms, as we have witnessed in the Russia-Ukraine war.
Given the massive traffic that #OpRussia has gained since the beginning of the war, it is notable that threat groups and individual actors aren’t hesitating to attack sensitive sites, governmental entities, or any other state-related service in order to harm and harass the opposition. This mindset is a complete contrast to previous norms, where attacking China and Russia was taboo due to the potentially devastating consequences.