In our recent Dark Side of Asia research report, we uncovered some of the key goods, services, threat actors and motivations behind the growing underground Asian Internet community. One of the largest forces of this community is China, whose Internet population has grown immensely over the past 5 years, both in size and capabilities. A range of new threats have emerged from this community, which pose a large risk to organizations all over the world. To build an effective threat intelligence strategy, you need to understand the motivations and uses of your adversaries.
Here are the key motivations and uses we found in our research of the Chinese underground Internet community.
Chinese Internet Motivations and Uses
During our research, we observed that Chinese cyber groups are using the Internet for several main activities (i.e. motivations).
- Nationalism: This is one of the distinguishing characteristics of Chinese Internet users. They have a strong sense of national pride and believe that any activity that contradicts or impedes Chinese interests should be countered with a cyber response. We'll get into this more in the next section.
- Cybercrime for Financial Profit: This activity includes planning, gathering information, looking for exploits, trading carding and other scam methods, all with the goal of making money.
- Stealing Foreign Intellectual Property: This is done for the sake of advancing Chinese interests and is sometimes being conducted by state-affiliated hacking groups.
- Technical Interest: Some hacking is just done for sport. There are many Chinese forums for computer system experts and cyber researchers.
- Hacktivism: These attacks are done to protest against the Chinese government and the Communist Party.
- Fame: Chinese hackers are adored by the Chinese people. Hacking in China is portrayed as a lucrative and even respected occupation, and many people aspire to be hackers. As a result, many hackers are hacking for the fame.
- Opinion Sharing: Other than hacking, Chinese citizens have used the Internet as a way to manifest their opinions and protest. Studies show that since 1996, the Internet has become a powerful channel for expressing social opinion and protest. Chinese netizens have been constantly seeking new ways to express their thoughts.
Cyber Hacktivism in China
Hacktivism in China has been represented by two main types of underground communities:
- The groups that resist the Communist Party
- The groups that support Chinese nationalism and patriotism
Groups Resisting the Communist Party
The first community is composed of individuals and groups who are against the Chinese Communist Party. Their method for protesting and resisting the Communist Party is through cyberattacks against national targets, such as government websites and TV stations. They usually conduct defacement attacks, in which they “push” their messages denouncing the ruling Communist Party. Fangongheike (反共黑客) is one example of these groups. They have a webpage and a Twitter account, which has over 14.5K followers. They update their website and Twitter account regularly to show their successful defacement campaigns. Another example took place In 2015, where a software engineer was sentenced to 12 years for committing a defacement attack on one of the popular TV stations in China. As part of the attack, he managed to inject anti-Communist slogans on screen during the famous TV show “The Voice of China”.
Groups Supporting Chinese Nationalism
The Nationalism community has become one of the most significant influences behind many Chinese cyber groups’ actions. In 1998, riots in Jakarta, Indonesia erupted and targeted the ethnic-Chinese community. For 3 days, the Indonesian mob assaulted, raped and killed people from the Indonesian Sino-community, as they were seen as responsible for the country’s inflation. Chinese hackers were outraged by the events in Jakarta and started gathering in IRC chat rooms. This led to the formation of the first Chinese hacktivist groups. These groups conducted many cyberattacks against the Indonesian government’s websites.
Before the riots in Indonesia, there was only one hacking group in China, called the Green Army. This group, which was formed in 1997 by a hacker named Goodwell, had 3000 members. The riots led to the formation of the term “Red Hacker” (Hongke 红客, which literally means “red visitor”), as compared to the usual Chinese transliteration of hacker (hēikè 黑客, which literally means “Black Guest”, as in black hat). The riots have also led to the formation of the Red Hacker Alliance (Zhongguo Hongke Lianmeng 中国红客联盟). This alliance was a large coalition of smaller groups that combined and had over 80,000 members. Before the formation of this group, there were only individual hackers and very small cyber groups that were operating in China.
In 1999, during the Kosovo conflict, the U.S. accidentally bombed the Chinese embassy in Belgrade, killing 3 Chinese reporters. In response to the attack, members of the Red Hacker Alliance hacked U.S government websites and planted messages against “NATO’s brutal action”.
Knowing the motivations behind your adversaries is a key component of an effective threat intelligence program. For example, someone hacking for financial profit versus hacking for national pride have very different interests, and therefore will target your company through different attack vectors. Understanding motives can help you make the right strategic decisions and take the appropriate steps to mitigate the threats that pose the largest risk.
To learn more about the growing underground Asian Internet, download our Dark Side of Asia report.