In late October and early November 2017, CrowdStrike® Falcon Intelligence™ observed People’s Republic of China (PRC)-based actors conducting espionage-driven targeted attacks against at least four Western think tanks and an additional two non-governmental organizations (NGOs). This marks a significant increase in China-based activity from prior months, as the majority of observed activity in Q3 was focused on Southeast and East Asia. The previous “smash-and-grab” type of cyber operation, which characterized a majority of pre-2016 PRC espionage cases, appears to have ceased in favor of much more targeted intrusions focused on specific outcomes.
Previous operations targeting think tanks resembled the digital equivalents of so-called smash-and-grab robberies: the attackers indiscriminately exfiltrated data, vacuuming up whatever information was available. However, in these most recent incidents, adversaries specifically targeted the communications of foreign personnel involved in Chinese economic policy research and the Chinese economy, as well as users with noted expertise in defense, international finance, U.S.-Sino relations, cyber governance, and democratic elections.
An interesting case study was observed by both CrowdStrike Services and the Falcon OverWatch™ managed hunting team in late October 2017, when a China-based adversary attempted to compromise the web server of a think tank. The specific target appeared to be related to an ongoing military research project. As with many of the currently observed Chinese targeted intrusions, the adversary attempted to use China Chopper for reconnaissance and lateral movement after logging in via an account compromised by spear phishing. As is common among CrowdStrike customers, webshell blocking was enabled in the Falcon platform, which prevented the actor from using the webshell to run any commands.
A number of think tanks in the US conduct military research, including the Center for Strategic and International Studies (CSIS), Atlantic Council, RAND Corporation, Brookings Institution, Carnegie Endowment for International Peace, Council on Foreign Relations (CFR), Heritage Foundation, and Center for a New American Security (CNAS).