China’s Offensive Cyber Operations In The Spotlight: What Does This Mean For Our Companies?

5–30–2023 (Tuesday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.

Today is Tuesday May 30th, and we are back from the Memorial Day holiday here in the US, which is also the unofficial start of summer. It doesn’t quite feel like summer, temperature-wise, here in the Pacific Northwest, but the forecast has nothing but sun, so we’ll take it.

China’s Cyber Offensives & What It Might Mean

The past week put China’s offensive cyber operations front and center, starting with an assertion from Microsoft that a China-sponsored threat actor has targeted infrastructure in Guam and the US since mid-2021.

“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

David Sanger from the New York Times asked the question Microsoft was dancing around: Is Taiwan the Real Target?

“So far, Microsoft says, there is no evidence that the Chinese group has used the access for any offensive attacks. Unlike Russian groups, the Chinese intelligence and military hackers usually prioritize espionage.

In interviews, administration officials said they believed the code was part of a vast Chinese intelligence collection effort that spans cyberspace, outer space and, as Americans discovered with the balloon incident, the lower atmosphere.”

At the same time, Reuters reports that “Chinese hackers targeted Kenya's government in a widespread, years-long series of digital intrusions against key ministries and state institutions” […] “aimed, at least in part, at gaining information on debt owed to Beijing by the East African nation.”

“The hacks constitute a three-year campaign that targeted eight of Kenya's ministries and government departments, including the presidential office” […] “the foreign, and finance ministries.”

This aligns exactly with a point made in a Forbes piece from this week, noting “China’s ‘peacetime’ targeting of critical infrastructure that is used by both civilians and the US military erodes the principles of the law of war. The principle of distinction ordinarily forbids targeting civilian objects, such as civilian property and infrastructure. However, many computer networks are used for both civilian and military purposes. Such ‘dual use’ objects may be targetable based on their nature, purpose, and use. However, combatants must still comply with the other principles of the law of war: military necessity, proportionality, and avoiding unnecessary suffering.”

The Joint Advisory expanded the cast of characters to include agencies from the Five Eyes countries (US, UK, Canada, Australia, and New Zealand). It included a significant amount of technical detail for this threat actor, including what to look for within your own systems as potential Indicators of Compromise, which brings us to the real takeaway for PE firms and their portcos.

I realize that it’s easy to throw your hands up - you’re not the US Government, you can’t defeat the Chinese cyber threat, what could you possibly do to help?

But I think that’s missing the point. The point is that we have an opportunity to test our defenses, awareness, and response capabilities here.

For example, the Microsoft advisory and the Five Eyes writeup both include details on which edge devices this threat actor is compromising. Ask yourself:

  • Do we have any of those devices in our environment?

  • Are they on the edge and exposed to the Internet?

  • Are we capturing logs from these devices?

  • Can I search those logs for these Indicators of Compromise?

  • Does my IT team have the capacity and capability to respond to something like this?

The next threat may not be such a good learning opportunity - it may just be the real thing.

The Sydney Morning Herald reminds us that we must reframe how we think about these hacking activities as something they’re calling “cyber persistence theory” - whereby “the winners effectively exploit their adversaries’ computer networks and determine the conditions those adversaries must compete in.”

As one of these articles concludes, “As tensions with China rise, continued cooperation between corporations and the government will be critical to protecting civilians. The Five Eyes reports noted the private sector’s close cooperation in discovering and exposing the cyberattacks. Such cooperation must tighten and continue. […] However, the corporate goal of de-risking from China is aligned with the government’s goal of protecting its citizens from harm in peacetime and wartime. Public-private partnerships have never been so critical for national security—and for protecting Americans from unnecessary suffering.”

By becoming more resilient, and more vigilant, you can both protect the businesses you’ve invested in and the systems that allow them to thrive.

Fundraising

Strong week of fundraising, with nearly $16.5B of newly committed capital. Worth noting a couple of points - one being the $11.5B raised by Chicago’s GTCR for their 14th flagship buyout fund, but also the $175M raised by OpenAI (themselves venture-backed) for their own venture capital fund.

This brings us to a monthly total of $72.25B, and a quarterly run of $169B and change - with a month left to go. Very possible to hit that quarter trillion number for Q2 2023.

You can find all the links to the stories we covered in the comments section below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

https://www.nytimes.com/2023/05/24/us/politics/china-guam-malware-cyber-microsoft.html

https://www.reuters.com/world/africa/chinese-hackers-attacked-kenyan-government-debt-strains-grew-2023-05-24/

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

https://www.forbes.com/sites/jillgoldenziel/2023/05/29/china-cyberattacked-the-us-corporations-are-on-the-front-lines/?sh=17be09120ddb

https://www.smh.com.au/world/north-america/persistence-theory-claims-cyberspace-operates-by-unique-rules-20230525-p5db84.html
