Cyberattacks now focus more on espionage than on outright destruction

A Chinese government-linked group has expanded operations from traditional targets in the United States, Europe and Asia and begun focusing on Latin America.

A man looks at his phone outside Microsoft's local headquarters in Beijing. A China-based cyber espionage actor linked to the People's Liberation Army (PLA) is compromising diplomatic targets in South America. [Noel Celis/AFP]

By Entorno and AFP

PARIS/BOGOTA -- Global cyberattacks have shifted toward a less destructive approach, centering primarily on espionage operations.

This shift has become more pronounced with the onset of the Ukraine conflict and the evolving dynamics of global geopolitics, as highlighted in a recent Microsoft report released on October 5.

The Microsoft Digital Defense Report 2023 (MDDR) underscores a notable shift in cyber activities: "Nation-state and state-affiliated threat actor activities in the past year pivoted away from high-volume destructive attacks in favor of espionage campaigns."

Although destructive attacks have an immediate impact, espionage operations that are persistent and clandestine pose a prolonged threat to the security and integrity of governments, private industry and critical sector networks.

Actors supported by Russia and Iran increased "their collection capacity against foreign and defense policy organizations, technology firms, and critical infrastructure organizations."

The document states that "50% of destructive Russian attacks we observed against Ukrainian networks occurred in the first six weeks of the war," and then their pace declined.

The full-scale Russian invasion began in February 2022.

Microsoft underscores the increasing connection between cyber operations and propaganda. The goal is to "manipulate global and national opinion and undermine the democratic institutions" of their adversaries, particularly exploiting existing social divides.

South American diplomacy hacked

The report asserts that "Chinese cyber threat groups carried out sophisticated worldwide intelligence collection campaigns. At the same time, China's cyber influence campaigns continue to operate at an unmatched scale."

Many Chinese operations appear to be geared primarily toward intelligence gathering.

"The massive growth of this market poses a real threat to democracy, global stability and online security," the MDDR warns.

Last February, Microsoft revealed that the DEV-0147 cyber espionage group, known for its ties to the Chinese government and military, compromised the computers of embassies and consulates in a number of South American countries.

The China-based cyber espionage actor is "compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations that traditionally targeted gov't [government] agencies and think tanks in Asia and Europe," according to a Microsoft Security Intelligence tweet posted on February 13.

In recent years, American computer firms have exposed Chinese hackers who have sought out flaws in software packages or have released viruses and malware to spy on, and in some cases damage, targeted systems.

The DEV-0147 group is known for using tools such as ShadowPad, a Trojan horse that allows China-based actors to maintain persistent access and deploy additional malware.

Chinese military connections

The Chinese cyber espionage attack in South America included subsequent activities such as abuse of identities for reconnaissance and data exfiltration, Microsoft added.

A ShadowPad malware analysis carried out in February 2022 by the firm Secureworks found that the malware had been deployed by other Chinese government-sponsored groups and that its use was coordinated by threat groups that have operated since 2017 "on behalf of the regional theater commands" of the Chinese People's Liberation Army (PLA).

"ShadowPad samples revealed clusters of activity linked to threat groups affiliated with the Chinese Ministry of State Security ... civilian intelligence agency and the People's Liberation Army," according to the analysis.

PLA theater commands emerged from a reform in late 2015 by Chinese President Xi Jinping.

The changes introduced in December 2015 included the establishment of the Strategic Support Force (PLASSF or SSF), whose main tasks are to modernize the capacities of the PLA in space, cyberspace and the electromagnetic domain.

Since then, "the impact on the PLA's cyberespionage mission has been extensive," said the Secureworks report.

It is also believed that the SSF is "responsible for a broad range of information warfare capabilities beyond cyberespionage, coordinating electronic countermeasures as well as offensive and defensive cyber projects."
