China vs. Russia: A Who’s Who in Technology Supply Chain Attacks

The recent SolarWinds campaign has heightened interest in supply chain attacks, particularly via compromised technology products and services. The U.S. Government attributed this technology supply chain attack campaign to the state-sponsored Russian cyber espionage group APT29, which is believed to be operating under the authority of the SVR, Russia's foreign intelligence service. The attribution to the SVR cited the similarities in tradecraft between attacks previously attributed to the SVR and subsequent stages of individual breaches resulting from the SolarWinds supply chain compromise. The statement nonetheless noted that technology supply chain attacks are not typical of SVR cyber espionage: “The SVR's modification and use of trusted SolarWinds products as an intrusion vector is also a notable departure from the SVR's historic tradecraft.”

IntSights concurs with this observation and further notes that technology supply chain attacks are not typical of state-sponsored Russian cyber espionage in general. On the contrary, state-sponsored Chinese cyber espionage groups have been the leading practitioners of technology supply chain attacks for years, long before the SolarWinds attack. Indeed, it is possible that state-sponsored Russian actors observed the significant impact of technology supply chain attacks by Chinese actors and decided to emulate this tactic. Many threat actors, including both criminals and state-sponsored attackers, read the same security news and research as security professionals. It is difficult to estimate the degree to which such publications may inspire threat actors to emulate their counterparts and competitors.

Why China?

Reasons for the greater involvement of Chinese actors in technology supply chain attacks include China's huge manufacturing market share, particularly in the technology sector, as well as its extensive targeting of foreign technology companies for additional reasons other than enabling supply chain attacks, such as to give its own technology companies advantages over foreign competitors by stealing intellectual property or collecting competitive intelligence. These factors are less applicable to Russia, where the technology sector is a less significant segment of the economy. Sectors other than technology, such as energy and defense, have historically been more important targets for state-sponsored Russian actors, due in part to their greater relevance to the Russian economy and Russian geopolitical strategy.

Who Is Behind the Chinese Supply Chain Attacks?

Three specific Chinese cyber espionage groups stand out as the most significant perpetrators of technology supply chain attacks: APT10, APT17, and APT41.

APT10

• APT10 specializes in the use of compromised MSPs as an attack vector against MSP customers in other industries. The impact of APT10, which has been active since 2006, and its attacks were such that the U.S. Department of Justice indicted APT10 members in 2018.

• APT10 also targeted cloud service providers in its “Cloud Hopper” campaign, in order to gain access to their customers.

APT17

• APT17 conducted at least two supply chain attacks via compromised software from technology companies to deliver ShadowPad malware in 2017. In the first campaign, APT17 infected enterprise networks via compromised versions of software from Netsarang, which specializes in server management and security connectivity software. Later that year, APT17 also used compromised versions of the CCleaner computer optimization software to infect targets – specifically, users at other technology companies.

• APT17's earlier “Operation Aurora" campaign that targeted Google, Adobe, and other technology companies went further in targeting those companies' source code management systems, which would have enabled the attackers to alter source code so as to enable supply chain compromises.

APT41

• APT41 used a malicious version of the ASUS Live Update utility on computers from Taiwan-based ASUS to infect ASUS computer users. APT41 signed those malicious payloads with compromised code signing certificates. APT41 has also targeted video game companies and used its unauthorized access to their production environments to deliver malicious code via updates to gaming software.

• The code signing certificates of software companies are another valuable target within the technology industry, particularly for state-sponsored threat actors, including APT41. They can add stolen code signing certificates to their malware payloads in order to increase their ability to evade detection, as the malware will appear to have come from the legitimate issuer of the compromised certificate. The use of stolen code signing certificates is more typical of state-sponsored cyber espionage groups, which generally go to greater lengths than criminals to prevent the detection and attribution of their attacks.

How Should Technology Companies Respond?

One of the key challenges of any cyber threat intelligence program is to formulate priority intelligence requirements (PIRs) and manage the flow of incoming reports to ensure coverage of the most relevant topics. In the case of the technology industry, Chinese cyber espionage groups stand out as the single most significant threat. They target technology companies both as primary targets in their own right and also as infection vectors for supply chain attacks on those technology companies' customers. Accordingly, technology companies should make Chinese APTs – specifically APT10, APT17, and APT41 – high-priority topics for coverage in their cyber threat intelligence programs.

Learn more about the threats facing the information technology industry and how you should respond in our new “2021 Technology Industry Cyber Threat Landscape Report.”