APT31: US & UK attribute cyber campaign to Chinese state-sponsored group
Harry Glover | 15 April 2024
Summary
The UK and US recently publicly attributed multiple malicious cyber campaigns to APT31, a Chinese state-sponsored cyber threat actor.
APT31 has conducted surveillance and other pervasive cyber-attacks on critical infrastructure in both the US and UK, and has targeted individuals who are critical of the Chinese regime.
Collective action between the US and UK in the attribution reinforces the bilateral and multilateral aims of Western nations to call out and prevent malicious cyber activity from China.
The UK’s National Cyber Security Centre (NCSC), along with the US Department of Justice, publicly attributed malicious activity to the Chinese state-sponsored advanced persistent threat (APT) group APT31 and indicted several of its individuals on Monday, 25th March 2024. The public attribution demonstrates a shift in the US and UK’s attitudes toward China’s progressively more intrusive cyber tactics aimed at manipulating political discourse and disrupting critical services. In particular, the NCSC’s recent attribution of the 2021 surveillance of UK Members of Parliament to APT31 reinforces the notion that China has conducted intrusive cyber operations against the UK for a number of years. Additionally, modern sophisticated techniques such as Living off the Land (LOTL), whereby the threat actor remains in systems undetected while conducting reconnaissance and subtle manipulation of networks, have raised further concern as to the extent to which Chinese APT groups are embedded within UK and US systems.
Those targeted by APT31 and other APT actors emanating from China are most often politicians and government departments that are openly critical of China across the US, UK, and EU. While China has strategic soft-power interests in states that fall under its Belt and Road initiative, its increasing capacity to operate offensively in cyberspace has meant it can influence more developed states and disrupt critical services. For example, APT31 has targeted critical US infrastructure, such as the Defense Industrial Base and areas of the US energy sector.
The recent attribution and indictment are indicative of two key themes. The first is that Chinese cyber actors appear to be given impunity, similar to that enjoyed by Russian cybercriminals, when conducting attacks on critics of the regime; APT31 comprises multiple individuals working both in Chinese intelligence and as non-state hackers. This further solidifies the understanding that, through the various targets above, Chinese cyber actors are encouraged to disrupt critical infrastructure in adversarial states. Regardless of the extent to which APT31 has been conducting operations, the US Department of Justice has stated that APT31 has not had any detrimental effects on the upcoming election. However, the broader phenomenon is representative of a shift in China’s push to establish itself as the dominant cyber power, utilising cyberspace to influence foreign domestic discourse.
The second key theme is that the US and UK have remained steadfast in their collective effort to attribute malicious activity to China. This is important moving forward as the UK and US continue to bolster an open and interoperable internet, whereby collective action is required to ensure malicious actors cannot exploit vulnerabilities.
Forecast
Short-term: The US and UK will continue to establish the extent to which Chinese-based cyber groups are within their systems.
Long-term: China does not appear to be stopping the proliferation of offensive cyber capabilities, and as such, with impunity largely given to hackers willing to work for the state, more intrusive cyber-attacks are likely to proliferate, particularly ‘Living off the Land’ attacks, about which the US and UK have issued warnings in recent months.