By Cam Sivesind
Thu | Oct 13, 2022 | 3:26 PM PDT

Drawing on use cases and on an analysis of the conditions that prompt the People's Republic of China (PRC) to launch cyber offensives, a 76-page report from Booz Allen Hamilton presents a framework for anticipating and interpreting PRC attacks and helps CISOs identify the factors that raise an organization's risk of being targeted.

Examining cyberattacks over the past decade, the report highlights patterns of PRC attacks used to influence countries, organizations, and people the PRC perceives as threats to its ideals.

Per the report, "PRC actors likely:

  • Knocked the U.S.-based developer platform GitHub offline for enabling targeted subversion of PRC censorship
  • Disrupted semiconductor manufacturing in Taiwan after it re-elected a resistant president seeking closer U.S. ties
  • Infiltrated American natural gas pipeline operators in response to the U.S. strategic reorientation to the Indo-Pacific"

Critical supply chains are at heightened risk from cyberattacks, particularly as Beijing puts additional pressure on Taiwan. Companies with global footprints, as well as organizations managing critical infrastructure in the U.S., are also at greater risk, the report notes.

Some other notable highlights from the report:

  • "China's cyberattacks are intended to secure its 'core interests,' three officially referenced but not formally defined matters of vital interest to China related to its political system, territory, and economy. Ultimately, advancing these interests serves to sustain the legitimacy."
  • "The PRC's cyberattacks frequently mirror its non-cyber policy responses to the same problems, such as harassing counterclaimants to South China Sea territories with substate actors like fishermen and hacktivists."

The report recommends that threat analysts:

  • Increase political monitoring, watching for developments that tend to spur retaliation from PRC-aligned groups
  • Monitor for the PRC's hostile application of national pressure on a competitor through non-cyber means, including military exercises, harassment of maritime activity, and limits or bans on imports from other countries
  • Ramp up profiling of threat actors, including analysis of the contractors and resources shared by PRC-aligned groups

CISOs, specifically, are encouraged to:

  • Increase organizational resiliency through rigorous assessment
  • Incorporate geopolitical and geographical analysis into cyber risk assessment
  • Examine risk by sector and region, for example where semiconductor or oil and gas production (or any other key sector) is exposed
  • Weigh carefully any public messaging that is critical of the PRC and its actions, such as its treatment of the Uighur minority, the Dalai Lama, the situation in Taiwan, and corruption within the PRC government

Open, published criticism increases the risk to the organizations that voice it, the report states.


The report provides a breakdown of the analytic framework so CISOs can understand the "why" behind China's launching of cyberattacks. By understanding the PRC's core interests, how its various agencies operate in cyberspace, and how the PRC perceives the strategic importance of its cyberattacks, CISOs and their teams can better plan and implement defensive tactics.

By examining in detail 13 case studies, authors of the report "show how PRC-aligned actors conducted cyberattacks when China's domestic and international interests came under pressure."

One case study (No. 6) analyzes how the PRC disrupted Hong Kong's pro-democracy protests of 2019-2020. The protests opposed a strict new extradition bill, introduced in the Hong Kong Legislative Council in April 2019, that would have allowed China to demand the handover of its opponents living in or traveling to Hong Kong.

The report's cyber activity analysis: "At least four large DDoS attacks targeted communications platforms used by the Hong Kong protest movement in 2019. These attacks consistently occurred on the dates of scheduled mass protests or, in the case of Hong Kong's election day, when protests were likely to break out."

The report's assessment: "These DDoS attacks, combined with information and surveillance operations, likely served to mitigate the threat to China's political stability of a growing domestic democratic movement. These attacks specifically attempted to undercut the Hong Kong democracy movement by disrupting its organizing platforms; attacks consistently coincided with scheduled and sudden political developments that typically led to protests. In addition to the tactical effect of hindering political organizing, the attacks may have had the intended effect of signaling China's intent to use overwhelming force to stop the protest movement, if necessary."

The report concludes that China has refined the missions of its cyber-capable agencies and reorganized its operational units to increase efficiency.

"The case studies in this report show a shift from crude shows of force—barely distinguishable from common hacktivism—to carefully timed operations exploiting persistent access to cause precise effects timed to support messaging and useful narratives. The true measure of China's cyberattack capabilities, however, likely cannot be fully discerned in open sources. It is possible China has chosen to not deploy its full capabilities or it has done so without public attribution."

For more information, read the full report here: Same Cloak, More Dagger: Decoding How the People's Republic of China Uses Cyberattacks.