The UK’s National Cyber Security Centre (NCSC) has reaffirmed previously issued guidance for individuals considered at high risk of targeted hacking by Chinese state-backed threat actors, in particular APT31, which is today being sanctioned in both the UK and the US over hacking campaigns dating back over a decade.
The NCSC has issued multiple warnings concerning the activities of APT31 over the years, and has documented a number of ways in which China may attempt to exploit data gleaned from the systems of the Electoral Commission and its other victims.
Besides large-scale espionage, these include the transnational repression of perceived dissidents and critics of China in the UK – likely including pro-democracy activists from Hong Kong, many of whom have sought and received asylum in the UK after being forced to leave their homes.
“The malicious activities we have exposed today are indicative of a wider pattern of unacceptable behaviour we are seeing from China state-affiliated actors against the UK and around the world,” said NCSC operations director Paul Chichester.
“The targeting of our democratic system is unacceptable and the NCSC will continue to call out cyber actors who pose a threat to the institutions and values that underpin our society,” he added.
“It is vital that organisations and individuals involved in our democratic processes defend themselves in cyber space and I urge them to follow and implement the NCSC’s advice to stay safe online,” said Chichester.
The NCSC has revised its online guidance for high-profile individuals, outlining key steps such people should be taking as a matter of course to render themselves a harder target for a threat actor of APT31’s ilk.
This guidance does not merely apply to politicians, but is equally useful to senior business leaders, and researchers and scientists, whose organisations may be at risk of industrial espionage, as well as activists, legal professionals and journalists.
It highlights the importance of protecting online accounts using strong passwords and multifactor authentication (MFA), and urges those at risk to review their overall use of social media and messaging apps, and their account privacy settings.
High-risk individuals should also be far more diligent about updating their devices. Installing security updates promptly is one of the easiest ways to protect against a cyber attack, and most of the mobile applications likely to be targeted by groups like APT31 can install updates automatically. Where automatic updating is offered, it should be turned on. Users should also pay attention to where they download applications from, using only the official Google and Apple stores.
Users are also advised to protect physical access to their devices with passwords and PINs and, if they are iPhone users, to activate Apple’s Lockdown Mode. They should also consider replacing older devices, which may be out of support.
If users suspect they are being targeted in this way, they should be particularly alert to suspicious emails, and avoid clicking on any links or replying until they are certain the communication is genuine. Nation-state advanced persistent threat (APT) actors have been known to impersonate trusted contacts to extract information from their targets, so verifying contacts is also important.
If a user clicks on a link, or thinks they have been hacked, they are advised not to panic and to report it immediately.
Living off the land
The UK’s latest action comes just days after the NCSC and its Five Eyes counterparts, including the US Cybersecurity and Infrastructure Security Agency (CISA), issued an updated warning over the activities of Volt Typhoon, a Chinese state-backed APT actor that has been heavily targeting operators of critical national infrastructure.
This followed a previous warning in February, in which the Five Eyes agencies detailed how Volt Typhoon – and other state-backed APTs, not just Chinese ones – were exploiting existing, legitimate tools on victims’ networks as part of their cyber attack chains.
This tried-and-tested technique, widely referred to as living off the land, enables a threat actor to blend into “naturally occurring” traffic and operate discreetly, since the tools they use are already present and expected on the network. In this way, they can remain undetected until it is too late for the victim to do anything about it.
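Because living-off-the-land activity involves no malware to match against known indicators, detection has to rest on what is normal for each account or host rather than on signatures. The following added example, which is not part of the original article and does not reflect any NCSC or Five Eyes tooling, builds a per-user baseline of source addresses and login hours from a constructed set of authentication records and then flags later logins that fall outside that baseline or follow a burst of failures. The log format, IP addresses, usernames and thresholds are all assumptions constructed for the illustration.

```python
"""Baseline-driven login anomaly detection (added illustration; sample data
is constructed and not taken from any real incident)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Format: timestamp | user | source_ip | result
BASELINE_LOG = """\
2024-02-01T09:02:11 | alice | 10.0.4.21 | success
2024-02-01T09:15:40 | alice | 10.0.4.21 | success
2024-02-02T08:58:03 | alice | 10.0.4.21 | success
2024-02-02T10:20:19 | bob   | 10.0.7.88 | success
2024-02-03T09:05:55 | bob   | 10.0.7.88 | success
2024-02-03T14:42:30 | bob   | 10.0.7.90 | success
"""

# Constructed records for the period under review (chronological order).
REVIEW_LOG = """\
2024-02-20T03:12:45 | alice | 203.0.113.9 | failure
2024-02-20T03:13:02 | alice | 203.0.113.9 | failure
2024-02-20T03:13:20 | alice | 203.0.113.9 | success
2024-02-20T09:01:00 | alice | 10.0.4.21   | success
2024-02-20T11:30:00 | bob   | 10.0.7.90   | success
"""


def parse_events(text):
    """Parse the constructed pipe-separated format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = [field.strip() for field in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def build_baseline(events):
    """Per user: source IPs and login hours observed on successful logins."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]]["ips"].add(e["ip"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def find_anomalies(baseline, events, fail_threshold=2):
    """Flag successful logins from an unseen source, outside the user's
    usual hours (with a one-hour margin), or following repeated failures
    from the same source. Returns (timestamp, user, ip, reasons) tuples."""
    findings = []
    failures = defaultdict(int)  # (user, ip) -> consecutive failures
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            failures[key] += 1
            continue
        reasons = []
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if e["ip"] not in profile["ips"]:
                reasons.append("new source ip")
            lo, hi = min(profile["hours"]) - 1, max(profile["hours"]) + 1
            if not lo <= e["ts"].hour <= hi:
                reasons.append("unusual hour")
        if failures[key] >= fail_threshold:
            reasons.append(f"success after {failures[key]} failures")
        failures[key] = 0
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], e["ip"], reasons))
    return findings


def run_detection():
    """Build the baseline from the first log and review the second."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return find_anomalies(baseline, parse_events(REVIEW_LOG))


if __name__ == "__main__":
    for ts, user, ip, reasons in run_detection():
        print(f"{ts} {user} from {ip}: {', '.join(reasons)}")
```

Only the 03:13 login for alice is reported: it comes from an address never seen for that account, falls well outside her usual hours, and follows two failed attempts from the same source. Bob's 11:30 login from a known address passes because the hour window is derived from his own history, which is the point of a baseline rather than a fixed rule.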
Toby Lewis, global head of threat analysis at Darktrace, said the 2023 attack on the Electoral Commission was a good example of a living-off-the-land incident, its attackers having lain undetected in its network for some time.
“This latest incident highlights how nation-state hackers are skilled at blending into normal network activity,” he told Computer Weekly. “The only initial indicator was a series of suspicious log-in events – there were no other overt signs of a cyber intrusion using traditional detection methods. This is a valuable reminder that we can no longer solely rely on hunting for known indicators from past attacks.”
Secureworks Counter Threat Unit vice-president of threat intelligence, Don Smith, added: “Chinese state-sponsored cyber espionage is not a new threat. The UK and the US have been calling out these covert operations for several years now. The purpose of cyber espionage from China’s point of view is to access information that will advance the People’s Republic of China’s agenda.
“[However], over the past couple of years, tired of having their operations rumbled and publicly outed, the Chinese have placed a growing emphasis on stealthy tradecraft in cyber espionage attacks. This is a change in MO from its previous ‘smash and grab’ reputation, but it is viewed by the Chinese as a necessary evolution to, one, make it harder to get caught and, two, make it nearly impossible to attribute an attack to them.
“Specifically, this has manifested itself in four key areas: obfuscated networks; living on the edge; living off the land; and living in the cloud. Combined, these tactics make identification of malicious activity harder, but more importantly make attribution more complicated,” he said.