The war in Ukraine and its impact on how China views Taiwan

Leading up to the most recent Russian invasion of Ukraine in February 2022, analysts and military experts alike feared a superior Russian army would overwhelm Ukrainian forces. As the invasion began, it became clear that Russian military leaders had greatly underestimated both the capabilities of the Ukrainian military and the global support Ukraine would receive. Ukraine received support through NATO in the form of governmental sanctions and military aid, as well as from individuals leveraging social media to share accurate information about the invasion by providing Open-Source Intelligence (OSINT) to the government of Ukraine.

As the invasion continues, U.S. intelligence officials noted that China has been closely observing, and potentially changing its own strategy on a possible conflict with Taiwan. Lu Shaye, Chinese Ambassador to France, recently stated that the Chinese Communist Party does not believe the invasion between Russia and Ukraine is comparable to their situation with Taiwan, because China does not recognize Taiwan as a sovereign country. On the contrary, senior Taiwanese officials believe that Russia’s assault has highlighted the threat they face, and that the growing similarities between Putin and Jinping’s leadership are of concern. The backlash Putin has received supports the view that he is making decisions on his own and that the invasion of Ukraine is a “man’s mission” disguised as a “national mission.” With Jinping surpassing his two-term limit, he is consolidating personal power to a degree that China has not seen in decades. This is not only causing discontent within Jinping’s party, but also may enable him to make the same misjudgment as Putin.

Staggering improvements in Chinese military capabilities and capacities, and the possibility of a Democratic Progressive Party being elected in Taiwan, suggest that the present through 2027 is a period of concern. As the war in Ukraine continues, China will be using the lessons from the West’s response to Russian aggression as it shapes its strategy to impose control over Taiwan. The Russian military was thought to be superior to Ukraine’s, just as the Chinese military is widely believed to be superior to Taiwan’s. Additionally, China should expect to receive Ukraine-like resistance from Taiwan. With China fully aware of the sub-par performance of the Russian military, a Chinese approach through cyber means could be on the horizon.

Taiwan China Relations Background

Taiwan is about 100 miles off the coast of mainland China. In 1945, following a Japanese defeat during World War 2, China regained control of Taiwan for the first time since 1895. However, a civil war erupted between Chiang Kai-shek’s nationalist government (also known as the Kuomintang) and Mao Zedong’s communist party. With their victory in 1949, the communists took control of Beijing while the Kuomintang fled to Taiwan. China looks at this history to say that Taiwan is and always was a Chinese province. On the contrary, the Taiwanese argue that Taiwan was never a part of the modern Chinese state that was formed after Mao established the People’s Republic of China. The Kuomintang has been a prominent political party and has ruled Taiwan for a large portion of its history. Only the Vatican and 13 countries recognize Taiwan as a sovereign country.

U.S. Leaders Comment on China and Taiwan

FBI director Christopher Wray spoke with business leaders in London in early July to discuss the growing threat of China and industrial espionage. Director Wray was straightforward about the issue stating “The Chinese government is set on stealing your technology—whatever it is that makes your industry tick—and using it to undercut your business and dominate your market. And they’re set on using every tool at their disposal to do it.” Director Wray said that China sees cyber espionage as a shortcut to cheat their way to economic dominance.

Director Wray went on to discuss what a Chinese invasion of Taiwan would look like for western business leaders.

“I’m confident in saying that China is drawing all sorts of lessons from what’s happening with Russia and its invasion of Ukraine—and you should, too.

We’ve seen China looking for ways to insulate their economy against potential sanctions, trying to cushion themselves from harm if they do anything to draw the ire of the international community. In our world, we call that kind of behavior a clue. But it’s not just Russia that’s hurt by what’s happened to their economy today because of sanctions and disruptions. There were a lot of Western companies that had their fingers still in that door when it slammed shut.”

Director Wray went on to explain that western organizations tied to Russia are estimated to have lost $59 billion as a result of the invasion and a Chinese invasion of Taiwan could be significantly more costly. Already agreed-upon contracts and long-standing relationships between Chinese and Western businesses would be held hostage should a conflict arise.

Following the comments from Wray, several Chinese political leaders condemned the statements. Some accused the leaders of tarnishing China’s reputation, and said they are only making China look like a threat so the west can justify its own cyber-attacks on China.

While Director Wray discussed the industrial espionage and cyber aspects China is focusing on, CIA Director William Burns feels China may be learning other lessons from Russia’s underestimation of Ukraine. Speaking at the Aspen Security Forum, Burns said, “I suspect the lesson that the Chinese leadership and military are drawing is that you’ve got to amass overwhelming force if you’re going to contemplate that in the future.” Burns believes a more forceful approach may be viewed as more appropriate by the Chinese government after watching what has been called a strategic failure by Vladimir Putin in Ukraine. Either way, both Wray and Burns believe the threat of China imposing control on Taiwan grows each day. The two intelligence professionals also undoubtedly believe China is using the Ukraine invasion as a playbook for their own strategy in Taiwan.

Despite heavy warnings from Beijing, on August 2, 2022, Speaker of the United States House of Representatives, Nancy Pelosi, arrived in Taiwan on a trip not supported by the White House. Following rising Chinese anger, four United States warships and an aircraft carrier were positioned in waters east of Taiwan. Pelosi, along with supporters of the visit, believes that it is critical for US representatives to show support for Taiwan and to demonstrate Washington’s legal commitment to offer the island the means of its self-defense.

Foreign ministry spokeswoman Hua Chunying spoke on China’s behalf about the matter.

“The US side will bear the responsibility and pay the price for undermining China’s sovereign security interests.”

In response, China sent warplanes up to the median line in the Taiwan Strait and began holding live-fire military exercises in areas encircling Taiwan. Taiwan’s defense ministry reassured that it had a full understanding of the military exercises near the island and was determined to defend itself from any Chinese threats.

President Joe Biden has recently reduced ambiguity on how the US would respond to a Chinese attack against Taiwan. He acknowledged the commitment they made and reassured that the US will continue to keep that promise. This promise extends to any form of a Chinese attack. In the event of a Chinese pursuit for Taiwan, how they will attack is up for debate, but preparing for a cyber approach rather than a military one could potentially be difficult for the US.

Former Defense Secretary Robert Gates firmly believes that China will not invade Taiwan as they can bring them “to their knees” through cyber measures. China’s state-sponsored hacking program is bigger than that of every other major country combined. Their relentlessness in searching for new ways to exploit network devices and infrastructure is increasing as they continue to get stronger. It is likely that we will see these new techniques present in the wake of a Chinese attack against Taiwan.

According to James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies, 600,000 cybersecurity positions remain unfilled in the US. He also went on to call the US federal workforce “aging.” In response, Kirsten Gillibrand suggests that the US place a priority on developing cyber programs. She believes that one of the greatest threats the US has in its future is the possibility of a large-scale cyber-attack or cyber war. To be able to effectively respond to this type of threat, she wants the youth to be able to serve the US in a cyber capacity by creating a national cyber education academy. It would provide young Americans the opportunity to get an education debt-free with a 5-year commitment to serve the US government.

Hacktivism

Hacktivism was and will continue to be seen in the Russia-Ukraine invasion and could play a similar role in light of a conflict between China and Taiwan. Despite hacktivism being praised in the media, it brings a difficult task for analysts to verify and attribute hacktivist actions to specific groups. Additionally, the results of so-called “hacktivists” or private actors, are routinely exaggerated.

According to the Center for Strategic and International Studies, cyber campaigns against Russian websites had little to no effect on Putin’s strategic calculations. Although they may not have directly changed Putin’s strategy, it is too soon to properly assess the true effects hacktivists have had on Russian strategy in the Ukraine invasion.

Global awareness of the invasion was greatly magnified by hacktivism. The atrocities of war were projected across social media creating a huge outcry against Russian forces and helped garner global aid to Ukrainian forces. This will absolutely change the way China views direct conflict with Taiwan. They know an invasion will come with extreme financial sanctions from the West and will likely generate unanimous global support for the people of Taiwan.

The most challenging problems with an army of civilian volunteers aiming to be hacktivists are coordination and strategic restraint. Advanced preparation is required for these groups to have any effect at all. A perfect example would be Estonia’s Cyber Defense Unit who assisted Ukraine prior to the Russian invasion. The way Estonian volunteers were organized avoided duplication of efforts and identified gaps – making them a reliable cyber ally. Lessons that other countries (i.e., Taiwan and its allies) could learn from this is that volunteers can provide valuable assistance but coordination between them and government agencies must be developed in advance of conflict.

The success of hacktivism is dependent on the political situation of the country. Hacktivism is a bigger threat to a country that has an upset population. To a weak government that feels vulnerable, hacktivism is typically seen as a precursor to something more drastic. On the contrary, an authoritarian country with a suppressed population will not see it as a serious threat. These countries have well-developed propaganda and social control tools to suppress any opposition. It is not unusual for the media to underestimate the capabilities of Russian and Chinese media control and propaganda.

With the low awareness of China’s advanced media control, it is likely they will still be targeted by hacktivists. Recently, China has further tightened its grip over its internet users. The Cyberspace Administration of China has required that users use their real full name when registering for online services or they will not be provided service. If an online service finds a user violating the law, they are required to close the current account, ban the user from making new accounts, and report the case to authorities. China also enacted rules that allow the government to delete or close social media accounts or posts that could harm national security and social order. These obvious moves to strengthen its control over the internet could make hacktivism completely ineffective.

China, Russia, and Dark Web Criminal Forums

Russian threat actors have always maintained a large presence on dark web forums. Although Chinese speaking dark web forums exist, they are far less popular than Russian and English-speaking forums. Russian forums have largely been a place to learn cyber-attack techniques, purchase malware, recruit threat actors, and buy and sell stolen sensitive data from individuals and organizations. The same goes for English-speaking forums, although they are likely to have more database leaks than sophisticated malware for sale.

Following a dramatic falling out of prominent ransomware threat actors in the fall of 2021, RAMP forum was created. The forum was created with the intention of creating a place for ransomware operators to gather. Most dark web forums banned the discussion of ransomware after the infamous Colonial Pipeline attack, fearing it would bring too much attention from law enforcement. RAMP forum was one of the first to welcome Chinese speaking threat actors and openly use Mandarin as well as English and Russian. Although the forum has grown somewhat in popularity, it is still not nearly as popular as other Russian criminal forums.

After the invasion of Ukraine, English speaking dark web forums became a haven for hacktivists supporting Ukraine. Data from Russian organizations became increasingly available on forums such as Raid Forums, a popular English speaking dark web forum and marketplace. In April of 2022, Raid Forums was seized and taken down by U.S. law enforcement agencies. In typical dark web fashion, a new forum, dubbed Breached, was created to take the place of Raid. Not long after its inception, a database from the Shanghai Police Department was advertised for sale on Breached, gaining an immense amount of attention. The excessive amount of attention led to Breached administrators removing the advertisement from the forum.

Following the removal of the advertisement, an administrator released a letter to Chinese users and went on to discuss the future of the forum.

“Dear Chinese users, welcome to our forum. You most likely came here because of the Shanghai police database leak. The data is no longer being sold, and posts related to this topic have been deleted. But we also have many similar and high-quality Chinese databases for sale, if you want to use our forum, please understand, and abide by the following:

-Our forum is only for communication in English, please do not send Chinese characters. If you don’t speak English, use translation software to talk to others

-Relevant content on our website can be obtained by unlocking points. Points can be earned by providing valuable content or purchasing from the following links: https://payments.breached.to/

-If you need a transaction guarantor, please contact our staff.

-We are not in China, and we are not Chinese, so we do not have to obey Chinese laws.

-If you have any questions, please contact me or another staff member.”

Due to the strict internet restrictions imposed by their government, the Chinese cybercriminal underground exists on the clear web and Chinese-language dark web platforms. Reassurance that Chinese threat actors can move freely without Chinese government interference on Breached could play a large role in the future of the forum. Currently, there are still multiple Chinese databases for sale on Breached. These come from multiple entities including companies and organizations as well as software developer networks, IT information, citizen data, and passport data. University and student information has also made its way onto the platform. The amount of activity from Chinese threat actors is something that should continue to be monitored.

Conclusion

China’s strategy in Taiwan undoubtedly will be affected by lessons learned from the Russian invasion of Ukraine. From a tactical standpoint, there are several obvious strategic differences between Taiwan and Ukraine. The use of technology, social media, hacktivist support, and global sanctions would all likely mirror the Russian/Ukraine war, should China choose to invade Taiwan. This may force China to focus on a more business-focused cyber espionage campaign to dominate Taiwan. Analysts have already seen a shift in dark web forums providing more and more stolen data from Chinese organizations. It is clear which forums would show support for Taiwan, should a conflict erupt. With more robust cyber capabilities, China may view the issues Russia encountered as minor hurdles.

China is not the only country whose strategy will be altered by the lessons learned from the Russian invasion of Ukraine. All who will be affected by a possible invasion are watching closely, including the US. As tensions continue to rise, US leaders will continue to monitor the situation to make sure they can fully respond to a Chinese invasion regardless of the approach taken. This situation is extremely fluid and Binary Defense analysts will continue to monitor current events to best understand how a conflict could impact US private organizations.   

By Anthony Zampino