In this captivating interview, Sherrod DeGrippo, a seasoned threat intelligence expert with over 19 years of experience, conducts a deep dive into the realm of cyber espionage. Joined by Judy Ng and Sarah Jones, two formidable specialists dedicated to untangling the intricate web of cyber threats originating from China, they bring into focus the covert activities within the modern threat landscape. Together, they discuss the challenges faced by those who safeguard our interconnected world. Prepare to be immersed in the untold tales and extraordinary expertise of these digital detectives as they navigate the hidden realm of China’s cyber battlefield.
On the frontlines: Decoding Chinese threat actor tactics and techniques
Sarah Jones
As a senior threat analyst, I research APT (advanced persistent threat) groups that originate from China and work on behalf of the Chinese government. I track their malware development over time and research their methods for creating infrastructure and compromising victim networks. Before joining Microsoft Threat Intelligence, I primarily focused on China, but I have also worked on Iranian and Russian groups.
Most of my background, especially early in my career, I worked in Security Operations Centers and focused on internal security for government and corporate networks.
One of the great things about studying China threat actor groups is the ability to track them over such long periods of time. It’s very interesting to be able to research groups that I remember from 10 years ago and watch their evolution over time.
Judy Ng
Like Sarah, I’m also a senior threat analyst, leveraging geopolitical analysis on top of cyber threat analysis. I’ve followed China-based actors from different perspectives for the past 15 years of my career— including roles supporting the US government, startup positions, different places in corporate America, and of course at Microsoft, where I have been since 2020.
I got started with a focus on China because I’ve always had an interest in it. Early in my career, that interest helped me provide context that eluded colleagues who may not have understood some of the nuance of Chinese language or culture.
I think one of my first questions was, “Judy, what is ‘meat chicken’? What does ‘meat chicken’ mean in Chinese?”
The answer was “botnet.” “Meat chicken” was the Chinese slang that threat actors were using on online forums to describe zombie botnets
Judy Ng
In this work, you just don’t do the same thing every day. It’s exhilarating. You can harness all the powerful signals Microsoft gets, and just let that data guide you.
You’ll never get bored of the data set here. You’ll never say, “Oh, there’s nothing to hunt”. There’s always going to be something of interest, and it helps that most of our teammates on the China team are just a curious bunch.
Whether it’s self-guided hunting or a group effort at looking at a subject, it’s just great that we’re all curious and can run down different avenues.
Sarah Jones
I have to agree with Judy. Every day is a new and different problem set. Every day I’m learning about a new piece of technology or new software that an actor is trying to exploit. I have to then go back and read the documentation if it’s a technology or software program that I’ve never heard of. Sometimes I’ll have to read the RFC (request for comments) for a protocol because the threat actors are manipulating or abusing some aspect of it, and that requires going back to the original documentation and reading it.
These things are really exciting for me, and I get to work on them every day. Every day I get to learn about a new aspect of the internet I’ve never heard of and then race to catch up with the threat actors so I can become an expert in the thing that they have decided to exploit.
Sarah Jones
With COVID, we saw a lot of changes. For customers, the world has changed. Overnight, everyone went home and tried to keep doing their work. We saw a lot of companies having to completely reconfigure their networks and we saw employees changing the way they worked, and, of course, we saw our threat actors responding to all of that.
For example, when work-from-home policies were first rolling out, many organizations were having to enable access from many different locations to some very sensitive systems and resources that weren’t usually available outside corporate offices. We saw threat actors then attempting to blend in with the noise, pretending to be remote workers, and accessing these resources.
When COVID first happened, access policies for enterprise environments had to be established quickly, and sometimes they were done without time to research and review best practices. Because so many organizations haven’t revisited those policies since that initial rollout, we see threat actors today trying to discover and exploit misconfigurations and vulnerabilities.
Putting malware on desktops isn’t as valuable anymore. Now it’s about getting passwords and tokens that enable access to sensitive systems in the same way remote workers are doing.
Judy Ng
I don’t know if the threat actors got to work from home, but we do have data that provides some insights into how COVID shutdowns impacted their activity in the cities where they lived. No matter where they did their work, their lives were impacted—just like everyone’s.
Sometimes we could see the effect of citywide shutdowns from the lack of activity on their computers. It was so interesting to see the impact of all those district-wide rolling shutdowns in our data.
Judy Ng
I have a great example—one of the threat actors we track, Nylon Typhoon. Microsoft took action against this group in December 2021 and disrupted infrastructure used to target Europe, Latin America, and Central America.
In our assessment, some victim activity likely involved intelligence collection operations intended to provide insight into partners involved in China’s Belt and Road Initiative (BRI) for Chinese government-run infrastructure projects around the globe. We know Chinese state-sponsored threat actors conduct traditional espionage and economic espionage, and our assessment is that this activity likely straddled both.
We’re not 100% sure because we don’t have a smoking gun. After 15 years, I can tell you that finding the smoking gun is really hard. What we can do, though, is analyze information, bring in context, and say, “We assess with this confidence level that we think it’s likely for this reason.”
Sarah Jones
One of the biggest trends involves shifting focus from user endpoints and custom malware to actors really living on the edge—concentrating resources on the exploitation of edge devices and maintaining persistence. These devices are interesting, because if someone gains access, they could reside there a very long time.
Some groups have done impressive deep dives into these devices. They know how their firmware works. They know the vulnerabilities each device has, and they know that many devices don’t support antivirus or granular logging.
Of course, actors know devices like VPNs are now like keys to the kingdom. As organizations add layers of security like tokens, multifactor authentication (MFA), and access policies, actors are getting smart about circumvention and slipping through defenses.
I think a lot of actors have realized that if they’re able to maintain long term persistence through a device like a VPN, they don’t really need to deploy malware anywhere. They can just grant themselves access that lets them log in as any user.
They essentially give themselves “god-mode” on the network by compromising these edge devices.
We also see a trend where actors are using Shodan, Fofa, or any sort of database that scans the internet, catalogs devices, and identifies different patch levels.
We also see actors conducting their own scans of large swaths of the internet—sometimes from pre-existing target lists—in search of things that are exploitable. When they find something, they’ll do another scan to actually exploit the device and then come back later to access the network.
Sarah Jones
It’s both. It depends on the actor. Some actors are responsible for a given country. That’s their target set, so all they care about are devices in that country. But other actors have functional target sets—so they will focus on specific sectors like finance, energy, or manufacturing. They will have built a target list over several years of companies that they care about and these actors know exactly what devices and software their targets are running. So we observe some actors scanning a predefined target list to see whether targets have patched for a particular vulnerability.
Judy Ng
Actors can be very targeted and methodical and precise, but they also luck out sometimes. We have to remember they’re human. When they run their scans or grab data with a commercial product, sometimes they just get lucky and get the right set of information right from the start, to help initiate their operation.
Sarah Jones
That’s definitely it. But the right defense is more than just patching. The most effective solution sounds simple but is very difficult in practice. Organizations have to understand and inventory their devices that are exposed to the internet. They have to know what their network perimeters look like, and we know that that is especially hard to do in hybrid environments with both cloud and on-premises devices.
Device management is not easy, and I don’t want to pretend it is, but knowing about the devices on your network—and the patch levels for each of them—is the first step you can take.
Once you know what you have, you can increase the logging capability and the telemetry from those devices. Strive for granularity in the logs. These devices are difficult to defend. A network defender’s best bet for defending these devices is logging and looking for anomalies
Judy Ng
I wish I had a crystal ball into what China’s government plans are. Unfortunately, I don’t. But what we can see is probably an appetite for access to information.
Every nation has that appetite.
We like our information too. We like our data.
Sarah Jones
Judy is our Belt and Road Initiative (BRI) expert and geopolitical expert. We rely on her insights when we’re looking at trends, especially in targeting. Sometimes we’ll see a new target come up and it doesn’t really make any sense. It doesn’t fit with what they’ve previously done, and so we’ll take it to Judy, who will tell us, “Oh, there’s an important economic meeting happening in this country, or there are negotiations around the construction of a new factory in this location.”
Judy gives us valuable context—essential context—about why threat actors do what they do. We all know how to use Bing Translate, and we all know how to look up news stories, but when something doesn’t make sense, Judy can tell us, “Well, that translation actually means this,” and that can be all the difference.
Tracking Chinese threat actors requires cultural knowledge about how their government is structured and how their companies and institutions operate. Judy’s work helps untangle the structure of these organizations and lets us know how they function—how they make money and interact with the Chinese government.
Judy Ng
Like Sarah said, it’s communication. We’re always on Teams Chat. We’re always sharing the insights we may have seen from telemetry that helped us work towards a possible conclusion.
Judy Ng
What’s my trick? Lots of hanging-out time on the internet and reading. Seriously, though, I think one of the most valuable things is simply knowing how to use different search engines.
I’m comfortable in Bing, but also with Baidu, and Yandex.
And that’s because different search engines deliver different results. I’m not doing anything special, but I do know to look for different results from different sources so I can analyze the data from there.
Everybody on the team is very knowledgeable. Everyone has superpowers—it’s just knowing whom to ask. And it’s great that we work on a team where everyone’s comfortable asking one another questions, right? We always say there’s no silly questions.
Sarah Jones
This place is powered by silly questions.
Sarah Jones
Now is the perfect time to get into IT security. When I first started, there weren’t a lot of classes or resources or ways to explore. Now there are undergraduate and masters programs! Now there are many ways to get into the profession. Yes, there are paths that can cost lots of money, but there are lower-cost and free paths too.
One free security training resource was developed by Simeon Kakpovi and Greg Schloemer, our colleagues at Microsoft Threat Intelligence. This tool, called KC7, makes getting into IT security, understanding network and host events, and hunting for actors accessible to anyone.
Now it’s possible to get exposure to all kinds of different topics, too. When I first started out, you needed to work at a company that had a multi-million-dollar budget to afford these tools. For many, that was a barrier to entry. But now, anyone can analyze malware samples. It used to be hard to find malware samples and packet captures. But those barriers are coming down. Today, there are so many free and online tools and resources where you can learn on your own at your own pace.
My advice is to figure out the niche that drives your interest. Want to do malware research? Digital forensics? Threat intelligence? Zero-in on your favorite topics and take advantage of publicly available resources and learn as much as you can with those.
Judy Ng
The most important thing is to be curious, right? Along with curiosity, you have to work well with others. You have to remember this is a team sport—no one can do cyber security alone.
It’s important to be able to work in a team. It’s important to be curious and open to learning. You have to be comfortable asking questions and finding ways to work with your teammates.
Sarah Jones
That’s definitely, definitely true. I’d want to emphasize that Microsoft Threat Intelligence works with a lot of partner teams at Microsoft. We rely heavily on the expertise of our colleagues to help us understand what actors are doing and why they’re doing it. We couldn’t do our work without them.
Follow Microsoft Security