Deception Unveiled: How the PRC Outsmarted the West for Cyber Tech

Western organizations may have been unwittingly supporting Chinese hackers for years, by collaborating with and selling technology to a shady research institution tied to state security.

Have you ever wondered how the most sophisticated hackers on the planet develop their best tricks? For example, steganography: the practice of concealing malware within a totally unalike medium, like an image or audio file. Chinese advanced persistent threats (APTs) have been weaponizing steganography for decades, giving them a distinct advantage in covert malware delivery.

That expertise doesn’t come from nowhere. For China’s primary civilian intelligence body — the Ministry of State Security (MSS) — it might be coming from just down the street.

Prior to Recorded Future’s new report on it, you would’ve been hard pressed to find any reference to the Beijing Institute of Electronics Technology and Application (BIETA) on the English language internet. Its subsidiary corporation, Beijing Sanxin Times Technology Co., Ltd. (CIII), is similarly shrouded. For decades, though, the MSS has been using BEITA, CIII, and its better-known university affiliate — the University of International Relations (UIR) — to recruit talent, develop cutting-edge information processing techniques, and develop or otherwise acquire from the West specialized military, intelligence, and cyber technologies. MSS-linked APTs might have also benefitted from this arrangement, though this link is as yet unconfirmed.

Related:‘Confucius’ Cyberspy Evolves From Stealers to Backdoors in Pakistan

For Devin Thorne, principal threat intelligence analyst at Recorded Future, “the existence of BIETA and other Ministry of State Security (MSS) domestic front organizations highlights the intelligence service’s use of ostensibly non-intelligence (in some cases, non-governmental) channels to engage with foreign businesses and influential people with the goal of obtaining some benefit for China (such as access to foreign technology) or disseminating China’s influence.”

Behind the Scenes at Chinese State Intelligence

In northwest Beijing, situated between two large parks, lies the gated compound “Yidongyuan.” Thousands of intelligence personnel and their families live in row buildings on one half of the sprawling facility and, in the other half, the MSS headquarters is a mere stone’s throw from BEITA.

Source: Recorded Future

Besides sharing real estate, the MSS and BEITA share high-level officers. In its report, Recorded Future highlights officers and researchers who have served in both organizations concurrently. BEITA personnel have also worked at the MSS-linked UIR. UIR’s science and engineering school appears to serve as a talent pipeline for BEITA.

Related:Google Sheds Light on ShinyHunters’ Salesforce Tactics

BEITA might simply be considered a government agency except, whenever it does pop up out of its hole, it presents as if it were an independent institution. Since 2012, its researchers have presented papers at international conferences, on topics relating to communications and cybersecurity. Not expressly associating with the Chinese government may be allowing them entry into research circles where they would otherwise be unwelcome, and they may have received feedback from researchers who didn’t realize they were in effect aiding an authoritarian state. BEITA researchers have even collaborated on articles with individuals from Western institutions, including Deakin University in Melbourne and the State University of New York (SUNY) in Buffalo.

Overall, BEITA’s research specializes in communications — satellite, microwave, spread spectrum, wireless — and information security technologies — signal positioning and jamming, information processing, computer vulnerabilities, etc.

A particular area of focus has been steganography. Just shy of half of all public research papers credited to one or more BEITA researchers have concerned steganography in one form or another: images, audio, video, text, etc. It may be no coincidence, then, that threat actors linked to the MSS have found success using steganographic techniques. Recorded Future cited examples such as APT40 — which used image files to transmit stolen trade secrets — APT15 — which hid malware inside of image files — and APT1 — tied not to the MSS, but the People’s Liberation Army (PLA), which is also suspected to have used steganographic techniques.

Related:‘Klopatra’ Trojan Makes Bank Transfers While You Sleep

Thorne warns against drawing clear lines, though. “BIETA is a research organization at the national level while most of China’s cyber operations against foreign targets have been conducted at the provincial level. There is no direct line we are comfortable drawing from BIETA to the activities or capabilities of specific APTs, or the tactics used by APTs.”

He clarifies that “there is almost certainly a pipeline through which BIETA’s research output gets incorporated (alongside other inputs) into product development for the MSS’s operational solutions, which ‘likely’ (meaning a 55-80% chance, and for this specifically we’d err on the lower end of the range) include those for covert communications and malware deployment. Ultimately, this is an assessment, not something seen directly in available information. Moreover, BIETA’s focus on steganography does not imply a particular interest in using steganography for cyber operations.”

Global Technology Theft

It would be one thing if the MSS was merely researching avant garde cyber techniques and technologies. Even more wily is how it obtains them from its adversaries.

CIII is a state-owned subsidiary of BEITA, with locations in three or four major Chinese cities. Like BEITA and the MSS, BEITA and CIII have historically shared select employees. CIII’s remit is different, though. It claims to have business in a variety of technical areas — developing Windows and mobile applications, penetration testing, running a data center, supplying technology to policy and campus security organizations. Recorded Future suspects that the company could be fundraising for BEITA, or generally supporting state initiatives. Or, perhaps, all of these unrelated activities are just cover for its primary mission.

CIII claims to be an “agent” for companies in the United States and Europe. A middleman, in other words, helping either manufacturers or distributors sell their wares in China. Its wares include penetration testing tools, steganography software, military technologies used for wargaming, and James Bond-level spy gear. Some of the cooler trinkets: a portable X-ray inspection device, a briefcase designed to interfere with recording devices, and a system for identifying, monitoring, positioning, blocking, and stealing calls and text messages from mobile phones in one’s vicinity.

Recorded Future couldn’t verify whether CIII’s website is up-to-date, and therefore whether it still actively functions as an agent, but it assessed that the MSS and PLA have “almost certainly” enjoyed access to whatever international high technologies have moved through the company. It’s also unclear whether manufacturers have had any idea of the implications of contracting with CIII, or if CIII instead works through third-party distributors. Either way, Thorne notes that it is likely just a common, conventional business practice for international companies to have such relationships.

It may seem surprising that Western governments don’t more closely police Chinese technology transfers. Thorne points out that “the US government’s approach to limiting exports has generally focused on specific technologies, not sales methods. Moreover, as long as the products are not designated for export controls, there is likely no legal requirement to monitor who the end user might be (not that this would necessarily preclude the use of agents).”

“This further highlights the importance of due diligence in gauging the possible risks of engagement related to potentially sensitive technologies. In international focus on China and technology transfer, a lot of the emphasis has been on military-civil fusion, which similarly blurs the line between civilian and military engagement. With BIETA and other MSS fronts, we see that blurriness in the realm of espionage, counterespionage, and intelligence,” Thorne says.