Top engineer discloses how China deals with foreign intelligence-backed cyberattacks
Global Times
December 9, 2018

Staff monitor developments at their work stations at the National Cybersecurity and Communications Integration Center in Arlington, Virginia, Tuesday. (Photo: AFP)

In recent years, some Western countries have accused Chinese individuals or groups, without factual basis, of conducting cyberattacks in an attempt to steal commercial and military secrets from other countries.
The most recent example is the Marriott data breach that affected 500 million guests' information. In a recent article, Reuters cited unnamed sources as saying that China is the lead suspect in the case.
In reality, China has always been a victim of cyberattacks. The Global Times (GT) interviewed Xiao Xinguang (Xiao), the chief technical architect of Beijing-based Antiy Labs, on the cyber threats China has been facing in recent years.
Antiy Labs provides antivirus solutions to clients with high security needs such as China's cyberspace affairs authorities, the military, State secrets protection departments and other government authorities.

Foreign intelligence agency background

GT: Since the beginning of the 21st Century, the development of network-based applications has been in full swing. What are the characteristics of cyberattacks that pose a security risk to China in different phases?

Xiao: From 2000 to 2005, worms and Distributed Denial of Service (DDoS) attacks, which had a major impact on the internet experience, attracted the most attention. After 2005, as the internet had deeper ties with users' property and privacy, profit-driven cyberattacks such as Trojan attacks grew explosively.
With the rapid development of information technology, the value of information assets changed dramatically. Information systems, whether or not they are connected to the internet, became pivotal to national security, people's livelihood and social operation.
The main consequences of cyber threats are no longer the impact on public internet efficiency or online experience, but impacts on fields including politics, the economy, the military, science, technology and the environment. Most of these attacks are from advanced cyber threat actors.
This is not to say that advanced cyber threat actors have only appeared in recent years. According to public information, since at least 2000, the Equation Group, a hacking group under the US National Security Agency, has invaded important targets of the global internet. Due to its high level of stealth, its threat was revealed only gradually.

GT: Which areas of China are most subject to cyber attacks?
Xiao: China has encountered advanced cyber threats mainly focusing on high-value targets in the political, economic, military and scientific fields. For example, the threat actor DroppingElephant mainly targets the Chinese government, the military, industries, colleges and universities. GreenSpot is mainly aimed at the government, aviation, military, scientific research and other targets. 
OceanLotus carries out intrusions into Chinese maritime institutions, research institutes and shipping companies.
Rather than mounting intensive attacks, they act in small, hidden ways that are hard to detect.

GT: Can you give an example of how advanced cyberthreat actors conduct cyberattacks?
Xiao: Take DroppingElephant as an example. The hacker group sends our scientific research staff an email disguised as news and containing a malicious link. Clicking it downloads Office files containing exploit code, which drops the Trojan and takes control of the computer.
Email servers and even network firewalls and other security devices are all preferred targets for advanced cyberthreat actors. For example, the NSA once attacked the largest financial service institution in the Middle East by controlling two layers of firewalls through undisclosed vulnerabilities and penetrating into the intranet.
In some cases, the hacker group will bring the Trojan and other weapons to its target by hijacking computer equipment in transit to the target, buying off employees working at the target institution, or sending an agent to go undercover in the target institution.
Once the attacker is inside the intranet, it will "move laterally" by exploiting vulnerabilities, launching the Trojan to gain control of more nodes, reach higher-value nodes and obtain high-value sensitive information. At the same time, the attacker will persist in the compromised network by hiding in the system firmware.

GT: Are the highly organized and professional overseas hacker organizations such as OceanLotus increasing the number of attacks on China?
Xiao: With rising big-power and geopolitical competition, China is bound to face an increasingly stern cybersecurity challenge. The advanced cyberthreat actors we face often have a foreign intelligence agency background. They have a firm will to attack and can withstand the high cost of the attacks. With the support of an advanced engineering team, a high-level team of personnel selects the appropriate equipment from the attack arsenal for a combined attack.

Detect, analyze and trace

GT: Using DroppingElephant as an example, could you explain how an Advanced Persistent Threat (APT) attack is detected, analyzed and traced?

Xiao: First of all, it relies on the situational awareness platforms and advanced threat protection products deployed on the user side to help users detect attacks and intercept them. At the same time, Antiy deployed a large number of monitoring sessions to conduct active threat capture and automated analysis, and to share threat information with companies and organizations in the industry. The Antiy analysis team combined public information with its analysis results to profile the DroppingElephant hacker group and pinpointed a natural person.
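The interview describes an intruder that, once inside the intranet, moves laterally to control more nodes, and says that detection starts with monitoring platforms deployed on the user side. As an added illustration of what one such detection looks like in practice (this is example code written for this page, not Antiy's product and not a DroppingElephant-specific signature), the script below scans authentication logs for a single source host that reaches an unusually large number of distinct internal hosts within a short window. The log format, hostnames, window and threshold are all assumptions chosen for the example; the sample lines are constructed.

```python
"""Minimal lateral-movement "fan-out" detector over authentication logs.

Added example, not code from Antiy Labs or from the interview. The log
format, host names, time window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Assumed format:
#   "<ISO time> auth ok src=<host> dst=<host> user=<name>"
# ws-017 reaches five servers in two minutes (the quiet signal of an
# attacker pivoting from a compromised workstation); ws-042 is normal.
SAMPLE_LOG = """\
2018-12-03T09:00:01 auth ok src=ws-017 dst=fs-01 user=lin
2018-12-03T09:00:40 auth ok src=ws-017 dst=fs-02 user=lin
2018-12-03T09:01:05 auth ok src=ws-017 dst=db-03 user=lin
2018-12-03T09:01:30 auth ok src=ws-017 dst=mail-01 user=lin
2018-12-03T09:02:10 auth ok src=ws-017 dst=dc-01 user=lin
2018-12-03T09:05:00 auth ok src=ws-042 dst=fs-01 user=zhang
2018-12-03T13:30:00 auth ok src=ws-042 dst=fs-02 user=zhang
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) auth ok src=(\S+) dst=(\S+) user=(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, src, dst, user); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Flag sources that authenticate to >= threshold distinct hosts inside one window.

    Returns {src: sorted list of destination hosts in the widest offending window}.
    The threshold and window are assumptions; tune them to the environment.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _user in sorted(events):
        by_src[src].append((ts, dst))

    alerts = {}
    for src, hits in by_src.items():
        start = 0
        # Sliding window over this source's logins, oldest to newest.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            dsts = {d for _, d in hits[start:end + 1]}
            if len(dsts) >= threshold and len(dsts) > len(alerts.get(src, ())):
                alerts[src] = sorted(dsts)
    return alerts


if __name__ == "__main__":
    for src, dsts in detect_fan_out(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT possible lateral movement from {src}: {', '.join(dsts)}")
```

On the constructed input the detector flags only ws-017. A real deployment would feed it from the situational awareness platform's log pipeline and pair it with the firmware-persistence checks the interview mentions; the heuristic alone catches noisy pivoting, not an actor that deliberately spaces logins out beyond the window.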

GT: Maintaining cybersecurity is like doctors treating people and saving lives. Can the development of medical skills keep up with the growth of diseases?
Xiao: The essence of cybersecurity is confrontation. The essence of confrontation is the ability of both sides to attack and defend. This confrontation is long-term and dynamic, and whoever takes the initiative in a confrontation depends on many factors.
In various confrontations, the attacker has a certain initiative, but the defender can also meet a systematic attack with a systematic defense. They can minimize the attack surface, drain the attacker's resources, and weaken and block the attack.

The enemy has penetrated us

GT: Cybersecurity has become a normal point of conflict in big-power and geopolitical confrontation. What is China's weakness in cybersecurity?
Xiao: According to what we have seen, the lack of situational awareness and lack of defense of important information systems and key information infrastructure is a very urgent problem we are facing now. We are vulnerable to low-level attacks such as ransomware, to say nothing of attacks by advanced cyberthreat actors. Cyberdefense capabilities have become a key capability for big countries.
We must comprehensively improve the security and defense capability of China's information infrastructure. In every important information system and key information infrastructure, we need to achieve all-day all-round awareness and effective defense.
To master network security defense, we need to objectively assess what the enemy is like. This is a comprehensive analysis of the intentions, systems, capabilities, resources, and plans of the cyberthreat actors. For scenarios with a high information value, high defense level, and high threat confrontation, it is unrealistic to physically isolate the enemy.
We must adopt the mentality, "The enemy has penetrated us, and the enemy will penetrate us."

GT: What is your assessment of the capability of the US in cyberattacks and defense? Is the gap between China and the US large? Is international cooperation required in the field of cybersecurity?
Xiao: The United States has the largest engineering system in the world that supports signal intelligence and cyberattack operations. It has the largest and most complex organizations and personnel. It also has the world's largest cyberspace attack arsenal, including advanced malicious code covering all system platforms, a large number of exploit tools, attack platforms and devices for undisclosed vulnerabilities.
The US has not only built a large number of intelligence and attack operations engineering systems, but also spared no effort to carry out various battlefield predictions. From the perspective of defense capability, the US gradually moved from a threat-oriented construction model to a capacity-oriented construction model at the beginning of this century, and carried out systematic and comprehensive security investment. In terms of network security planning, construction and operation, the US has accumulated a large number of methods, frameworks, standards, etc., and has a lot of successful practical experience.
Dealing with advanced cyberthreat actors is a very serious challenge for China's important information systems and key information infrastructure. This requires solid construction and investment. It can be said that the level of defense of important information systems and critical infrastructure will determine how much initiative China has at critical moments.
Although each country has a different national situation and different interests, they also face common threats and challenges. For example, in response to major network virus outbreaks and serious vulnerabilities that threaten critical information infrastructure, they need corresponding emergency mechanisms to maintain cyberspace security together.