
Did China's Nation State Capabilities Hugely Increase in 2024?

Or was it that their actions were more noteworthy in the past 12 months?


As we continue our look back at some of the major stories that shaped cybersecurity in 2024, for this next article we take a step even further back to 2023.

Specifically, in 2023 there was a Chinese intrusion into Microsoft which was spotted by a government user rather than the company itself. The reason it became a bigger story in 2024 is that the CISA report came out, and Alex Stamos said he “made every manager on my team read this report” as there were “a bunch of lessons in this report that apply to every company in here.”

That came from the SentinelOne CISO’s talk at an ISC2 event I attended in October, where Stamos described it as ‘a great lesson’ in what an attack by a nation state looked like.

Determined and Capable

The concept of being hit by such a determined and capable attacker may be hard to imagine, and in the case of Microsoft's intrusion in 2023, even harder to find. SC UK spoke to Andrew Rose, chief security officer of SoSafe, and asked how businesses can know if they have state-sponsored attackers in their network.

Rose says that is hard to know, as nation state attacks, more so than criminal ones, are incentivised to remain quiet and stealthy until the last moment. “Nation states have access to more advanced tools and techniques, which can enable them to remain beyond detection. As such, there is no guaranteed way to ensure you can spot an intrusion.”

In the case of Microsoft, Rose points out that on average, it takes nearly 300 days to spot a breach - and Microsoft was found to be lacking a culture of security.

“That is horrifying given the scale of their integration into the vast majority of the largest, and highest profile, organisations and governments across the globe,” Rose says. “Creating a culture of security is vital to ensure that it's built into every project, process and product from inception and not bolted on later, or de-prioritised for the sake of cost reduction or simplicity.”

Spotlight

The report on Chinese espionage came in a year when we saw the spotlight placed on the nation’s actions, from claims by the Ministry of Defence about an attack in the early part of the year, to claims of Chinese hackers ‘preparing for conflict’. Is it the case that China has become an increased threat on the global scale over other adversaries?

Charl van der Walt, global head of security research at Orange Cyberdefense, tells SC UK that China’s all-party approach involves the Chinese national government involving the whole ecosystem in pursuing whatever the national political objectives are.

“So my point is I'm not sure whether China is escalating, or whether China is simply not as constrained,” he says, pointing out that China’s national ethos is that it can scale in terms of offensive cyber operations at a rate that the west struggles to because of its constraints.

Van der Walt says he believes that China is operating to an agenda, increasingly trying to assert itself on the global stage, and also increasingly trying to prepare itself for other geopolitical conflicts. “I think China is trying to figure out how it can end up on top, or at least competitive, in an America first world,” he says.

“As it scales its efforts to do that, I think its cyber capabilities are able to scale with it because of the way that culture and constraints work. So I don't think it's an escalation of cyber, it's a number of geopolitical forces that are changing China's behaviour in the world and because of the way they're organising the way their culture works, you'll see a corresponding escalation of the cyber activities.”

Enhanced Efforts

So it is not the case that China has especially enhanced its efforts in cyber activity in 2024, it just got better? SC UK heard from several sources that China has implemented a policy of retaining zero-day vulnerabilities rather than disclosing them to the vendor, and Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, says that since President Xi Jinping was elected in 2013, he has been “consolidating power.” This has resulted in the retention and use of zero-days since 2019-2020, and manifested in increased cyber activity.

In particular, Meyers says China has been upleveling its cyber capabilities to focus on going after gateway devices and telcos. That has particularly been the case with the Salt Typhoon attacks - which CrowdStrike tracks as Operator Panda - which Meyers says is part of a set of Chinese threat actors “who are going after telco providers, MSPs, ISPs, professional services.”

He says: “We noted in our Threat Hunting report a 142 percent increase in targeting of professional services and consulting by nation state threat actors, because they want to be able to establish enduring and persistent collection.”

Pre-Positioning

Is there anything that is making China stand out? Meyers says the act of ‘pre-positioning’ is not typical of any group as the tools, techniques and infrastructure that they're using are somewhat different.

“So we've seen them move away from using proprietary tools that we were used to seeing China and other nation states [use], to using kind of more off-the-shelf, freely available tools” such as web shells and remote monitoring management tools to blend in more, and be a little bit less obvious. He also mentions that there is less of a “smash and grab” effort to more “grown-up signal intelligence collection”.

He says: “What we were seeing leading up to 2015 was the smash and grab operations where they were noisy. They went after a specific target, they stole the IP and they might steal the talking points from a negotiation so that the Chinese company could undercut it and win the deal. It was tied to the strategic goals of China.

“Those days have largely gone away and now China is doing much more sophisticated collection,” he says. “They've become more capable, more sophisticated, they still have other challenges in terms of their population. But they're continuing to press on and what we're seeing is the evolution of their cyber intelligence espionage operations.”

Maybe it is just that China stepped up its efforts, got noticed and taken more seriously? To take this back to where we started, is this something that CISOs should be concerned about over more 'regular' attacks?

Andy Rose says “mostly, no” as “most attacks are opportunistic - the attackers will look for anyone with a vulnerability and exploit it” and fewer attacks are specifically targeted.

He recommends that if you are a firm that's likely to be targeted for specific nation state attention - such as power, water or transport - then you weave your security controls and processes together a little differently than you would at a 'normal' corporate. “In those organisations, yes, nation state attacks are a greater concern,” he says.

The research and headlines suggest that China was the more noted nation state attacker in 2024, but maybe our attention was elsewhere in the last two years. The capabilities are strong in these sponsored and affiliated groups, and the best advice is to take their actions seriously.

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
