

China-Taiwan Threat Intelligence Landscape

Introduction

Over the past couple of months, tension between China and Taiwan has increased dramatically. The long-running conflict dates back to 1949, when Taiwan became a self-governing state; Beijing still considers the island part of its territory and has promised to “unify” Taiwan with the mainland, using force if necessary.

The 24-hour visit to Taiwan by the U.S. Speaker of the House, Nancy Pelosi, on August 2 exacerbated an already complex situation. Her visit had the potential to trigger a cyber escalation, and it was followed by Distributed Denial of Service (DDoS) attacks on Taiwanese government websites, including those of the Defense Ministry, the President’s Office, the Foreign Ministry, and Taoyuan International Airport.

The comparison to the Russia-Ukraine war is clear: China did its homework and learned how the world reacts to such an invasion. The current state of affairs between China and Taiwan is marked by similar cyber activity in the form of multi-vector attacks.

Another vector that demonstrates this tension is national-level data breaches. Since June 1, the Cyberint Research Team has observed a significant rise in the number of Chinese and Taiwanese breaches, exposing billions of records containing residents’ personal information.

The battle between the two countries has already begun: digital warfare is here, and its ricochets are spreading. We can assume it is only a matter of time until additional significant attacks are launched, impacting the citizens of both countries.

Figure 1: A speculative Tweet regarding China’s cyber attacks

Data Breaches and Traffic Volume Comparison

Reviewing the activity of the past three months, a significant spike in Chinese and Taiwanese breaches appeared on cybercriminal leak forums. The graph below displays the commenting traffic in Chinese- and Taiwanese-related threads:

Figure 2: China-related comments – a major increase in traffic

The breaches include major state-owned and state-affiliated companies, of which we had previously seen only a few. Among the threads, we found a database from Shanghai’s Suishenma (health QR code) system covering 48.5M unique users, which could give a threat actor the ability to trace every individual user’s movements since January 2022.

Figure 3: Suishenma QR Breach post in cybercriminals forum

Additional impactful data breaches shared on the forum include:

Name of Breach                                                        Exposed Data / # of Records
A leading Chinese bank’s database                                     50GB
ShunFeng / SF Express (top courier in China)                          66M records
Wanguoguoji World International China                                 20K records, admin access
Ningbo Ocean Vocational and Technical School                          105 xlsx tables / 100K users
ZTE (Chinese state-owned tech firm)                                   4,000 entries
China Agricultural Bank (ABC Bank)                                    890K records
China Job Seekers Full Info Database (digov.com.cn)                   382K records
China Database (bevol.com / bevol.cn)                                 400K records
China Changan Automobile Co. Ltd customer list                        2M+ records
www.sinograin.com.cn (strategic data of the agricultural sector)      40GB
xinnet.com (cloud hosting leak)                                       80GB
China Zhejiang CONBA Pharmaceutical Co. Ltd internal data             180GB
China bank software service provider www.yusys.com.cn                 Source code
Major China hospital data leak                                        N/A
Podinns Hotels customer leak                                          13M records
Shanghai Police leak                                                  Several TB / 1B records

In addition to the data sales listed above, there is also high demand for Chinese data and exploits, which threat actors are willing to pay for. Total engagement in these threads is well over 150k, leaving interest in Chinese data far in the lead, with every other topic trailing behind. We dive into some of these breaches in the next section.

Figure 4: 0-day exploit for Chinese services offered for 50K

The Shanghai Police Breach

The end of June was a turning point for Chinese breaches. A user named ChinaDan shared the Shanghai National Police (SHGA) database leak. The databases reportedly contained information on 1 billion Chinese residents and several billion case records, including:

  • Name
  • Address
  • Birthplace
  • National ID Number
  • Mobile number
  • All Crime / Case details

The threat actor offered the full data set for 10 BTC (roughly $200k), and it was subsequently purchased.

Figure 5: Shanghai National Police (SHGA) Database Leak

Due to the sensitivity of the data, and because it was one of the first major Chinese breaches ever, the post attracted massive traffic and a flood of new user registrations, prompting an unusual announcement from the forum’s administrators clarifying the forum rules in Mandarin.

Notable Actors And Victims

Against The West – Operation China and Renminbi

BlueHornet/APT49 began as a data-leak group called AgainstTheWest around October 2021, stating from the outset that it would attack any group or organization siding with Russia. Its target list includes the CoomingProject group, APT3 (Gothic Panda), APT40 (KRYPTONITE PANDA), APT28 (Fancy Bear), and APT38 (Lazarus), along with multiple Chinese companies such as Alibaba, WeChat, and MyBank.

On August 12, the group announced Operation China, which mainly targets Chinese state-related corporations. The group attacked ZTE, a Chinese state-owned tech firm. On August 21, the group put an additional database up for sale under the campaign name Operation Renminbi. The victim was the Chinese Ministry of Internal Affairs, and the database contained 50.8M entries. The data was offered for $1,000 and quickly sold.

Figure 6: AgainstTheWest selling the Chinese Ministry of Internal Affairs data

KelvinSecurity

The team previously declared that it stands with Ukraine against Russia, and it remains involved in that conflict, recently attacking a Russian gas company. A few weeks ago the group attacked the Chinese company Wanguoguoji World International, which, according to the group, works with Chinese government agencies. An additional victim of the group is Jinan University, a school for Chinese citizens residing abroad, which is administered by the Overseas Chinese Affairs Office of the State Council and the Ministry of Education of China.

Figure 7: KelvinSecurity selling access to Wanguoguoji World International

Karakurt, Lockbit and Other Actors

During 2022, there has been an increase in ransomware attacks against Chinese organizations. However, the recent tension between the two countries did not trigger a burst of ransomware attacks. Surprisingly, the groups active against China include Karakurt, previously known for targeting mainly Western corporations. Karakurt attacked two companies: Hengan International Group and Shanghai Hanbell Precise Machinery Co., Ltd.

From an analysis of LockBit’s victims, we can assume that the group is mainly financially motivated and has not taken a side: among its 2022 victims are nine Taiwanese and four Chinese organizations.

Figure 8: Victims’ distribution among ransomware groups

#OpChina Anonymous and Their Allies

On May 6, the Cyberint Research Team first identified #OpChina alongside the well-known #OpRussia campaign hashtag. The hashtags, which originated from Anonymous, were accompanied by the message: “Anonymous warns China not to ‘try anything stupid against Taiwan’”.

From that point, additional groups such as GhostSec and DoomSec joined forces and started attacking China-related institutions. On June 6, Anonymous hacked a Chinese government educational website to commemorate the Tiananmen Square Massacre.

On July 17, Anonymous hacked MIIT’s China Academy of Telecommunications Research because, according to the threat actors, “China buys Russian oil and has become the main financier of Putin’s war, giving Moscow a reliable source of revenue that cushions the impact of harsh Western sanctions”.

Anonymous’ initial announcement

Conclusions

Although physical combat between Taiwan and China remains a possibility, cyber warfare is already under way, with Denial of Service and ransom attacks affecting both sides. Western threat actors have already embedded themselves in this major conflict and have started breaching whatever stands in their way, which has drawn both countries deep into the Western cybercriminal forums.

As the conflict does not seem close to ending any time soon, and given the similarity to the Russia-Ukraine war, we can assume that attacks will escalate further on both sides over time and will impact a broader range of sectors, from infections of SCADA/ICS devices to influence operations on social media platforms, as we have witnessed in the Russia-Ukraine war.

Given the massive traffic that #OpRussia has gained since the beginning of the war, it is notable that threat groups and individual actors no longer hesitate to attack sensitive sites, governmental entities, or any other state-related service in order to harm and harass the opposition. This mindset is a complete contrast to previous norms, where attacking China and Russia was taboo due to the potentially devastating consequences.
