By Jamie MacColl
In the second part of our series on the long-term implications of COVID-19 for the cyber threat landscape (part one here), Orpheus analysts examine the impact of the worsening US-China trade war on Chinese cyber espionage, as well as the potential proliferation of disruptive operations resulting from a shift towards localised and on-shored supply chains.
As outlined in our previous blog in this series, the pandemic has exacerbated existing geopolitical tensions. In this blog post, we conclude our analysis of the impact of these tensions on long-term cyber threats and explore two findings.
First, due to increased tensions with China, Western governments are facing calls to localise or on-shore supply chains, both to limit reliance on adversarial states and to create resilience against future shocks like COVID-19. We expect this trend towards localisation could lead to less restraint in the targeting of disruptive cyber operations, increasing the likelihood of unintended consequences, as seen in the NotPetya attack. Second, criticism of China’s initial handling of the COVID-19 outbreak has accelerated demands in Washington and other Western capitals to deny Beijing access to strategic technologies – particularly semiconductors – and to limit the role of some Chinese telecommunications companies in critical national infrastructure. As a result, we assess that Chinese state units and contractors will become more assertive in collecting intelligence on commercial and technical intellectual property from strategic industries.
The “retreat of globalisation”: global supply chains after COVID-19
To date, COVID-19 has caused considerable disruption to global supply chains. Significant shortages of personal protective equipment (PPE), in particular, have plagued hospitals and exposed many countries’ dependence on China for supplies. As such, political leaders, businesses and consumers are re-evaluating the value of globalised supply chains and the just-in-time manufacturing model (a strategy which aims to increase efficiency by receiving goods only as they are needed for the production process, thereby reducing inventory and storage costs).
In reality, this trend was already developing before the crisis broke, but the fragility of globalised supply chains in the face of COVID-19 is accelerating the desire to reduce reliance on China in particular. Business decisions about the future of supply chains are increasingly caught up in the geopolitical calculations of Western governments – particularly the US – about China, with downward pressure forming on strategic industries to reduce their dependencies.
This is a bottom-up as well as a top-down phenomenon. For some consumers, COVID-19 revealed the danger of relying on China for manufactured products, with one survey finding that 78% of US consumers would be willing to pay more for a product if the company moved manufacturing out of China. Businesses too have suffered from the lack of information from the Chinese government – according to the Institute for Supply Management, in March 53% of businesses reported difficulties in getting the information out of China necessary to maintain their supply chain. More broadly, as the survey results below illustrate, businesses anticipate that the growing unease with globalisation will lead to changes in supply chain management well after the pandemic has receded.
From supply-chain disruption to cyber sabotage operations
While there is a danger of both overstating these changes and underestimating how long localising supply chains may take, it is clear COVID-19 is intensifying debates around the merits of globalisation and reliance on China in particular. Although the full scope of on-shoring or localising supply chains after COVID-19 remains to be seen, this growing trend could have significant long-term implications for the cyber threat landscape.
One possible consequence of localising supply chains is less restraint on targeting, and greater risk of unintended consequences from nation-state cyber operations aimed at sabotaging critical functions and services. To date, Orpheus’s intelligence reporting database illustrates that sabotage attacks mostly intend to punish specific targets in a single country (see figure 2 below). Examples include Iran’s Shamoon wiper attack against Saudi Aramco in 2012, Russia’s disruption of the 2018 Winter Olympics opening ceremony, the Stuxnet operation against Iran’s nuclear weapons program, and APT28’s disruption of French TV channel TV5Monde in 2015.
At present, the interconnectedness of global supply chains arguably acts as a restraint on the further proliferation of the kind of disruptive cyber attacks against private and public organisations described above. A nation-state operation sabotaging a multi-national manufacturer or global financial institution is liable to cause disruption at home too, as the target is likely to have some form of operation in the country (or its allies) where the attack originated (with perhaps the exception of North Korea or, in some cases, Iran). For instance, Russia is still sufficiently integrated into Western financial institutions that a major disruptive attack on them would also cause problems for Russian organisations and individuals. Reducing supply chain and other business connections may therefore increase the threat posed to organisations by disruptive cyber-attacks motivated by geopolitics.
If nation-state disruptive operations do proliferate, organisations may be exposed to an additional threat: the unintended consequences of these attacks. Although most disruptive cyber-attacks do aim at specific targets, intentions do not always match the messy reality. Perhaps the most notable example of this is Russia’s NotPetya campaign. In June 2017, a Russian cyber unit linked to the Main Directorate of the Russian military (otherwise known as the GRU) targeted Ukraine with wiper malware aiming to cause widespread disruption. Though the attack was intended to target Ukrainian users specifically via a prior compromise of M.E.Doc accounting software widely used in the country, the malware’s worming capabilities quickly spread it to other countries, causing global disruption to the tune of USD 10 billion. That the attack even ended up causing disruption to Russian businesses (see the map below) illustrates how disruptive attacks can spread well beyond the scope intended by their operators.
If disruptive operations carry a smaller risk of this ‘blowback’, it follows logically that states will be less restrained in their future use. Moreover, many of the practices that enabled NotPetya to spread – such as lacklustre patching processes and shortcomings in network segmentation – are still prevalent, and arguably more so since the onset of the COVID-19 pandemic.
The re-orienting of supply chains towards on-shoring or localisation may, therefore, increase the risks to organisations from disruptive attacks, even if they are not directly targeted. Put another way, the desire to increase the resilience of supply chains against major shocks may expose them to new and unforeseen cyber threats. While we do not predict a significant uptick in sabotage or disruptive operations, the rollback of globalisation will remove at least one restraint on them.
Strategic technologies in the “New Cold War”
As we outlined in our previous blog, China’s handling of the COVID-19 outbreak has turbo-charged debates about the West’s relations with Beijing. As a result, the movement to deny China access to strategic technology and to remove Chinese technology from Western critical national infrastructure has strengthened.
In 2020, semiconductors and communications technology, in particular, have become the focal point of tensions over trade and intellectual property. While concerns in the US over China’s access to strategic technologies preceded the pandemic, bitterness over China’s initial cover-up has legitimised hawkish sentiments. In May, the US Commerce Department announced that any company selling semiconductor chips to Huawei will require a licence if the design and production process uses US intellectual property, software or equipment. Within three days, TSMC, a major Taiwanese manufacturer of semiconductors, announced it would stop taking orders from Huawei.
Such measures are not limited to US policymakers – in the UK, an attempt in May to take control of the board of British semiconductor intellectual property company Imagination Technologies by an investor linked to the Chinese Communist Party was blocked by the British government. Geopolitical, supply-chain and cyber security considerations all weigh more heavily on these decisions than they did in January before the outbreak of the COVID-19 pandemic.
In response, China has increased support for SMIC, a Chinese chip manufacturer, and sought to bolster domestic design and production of semiconductors. More pertinently, Chinese cyber espionage units are also likely to accelerate their support of their government’s strategic goal of reducing its reliance on foreign suppliers of critical technologies, as characterised by its Made in China 2025 policy.
Chinese cyber espionage accelerates
As a consequence, we expect to see a re-tasking of resources by Chinese state units and contractors to double-down on collecting commercial and technical intellectual property related to strategic technologies such as semiconductors and artificial intelligence.
These operations will likely target semiconductor manufacturers in the US and Taiwan, as Chinese groups such as BlackTech have frequently preyed on this industry. With China’s options increasingly limited, Taiwan’s technology sector, which manufactures more than two-thirds of the world’s semiconductors, presents a vulnerable and accessible target for operations aimed at intellectual property. This targeting is likely to become more assertive as Taiwanese companies such as TSMC are seen to fall into line with US policy.
This type of activity does and will extend well beyond Taiwan: countries with strong technology and manufacturing sectors, such as the US or the UK, are also likely to see an increase in Chinese cyber espionage as they escalate efforts to deny strategic technologies to Chinese companies such as Huawei or ZTE.
At the same time, it is important to emphasise this does not indicate a dramatic shift for Chinese nation-state cyber threats. Although the 2015 agreement between China and the US is believed by some to have stymied Chinese cyber espionage against strategic industries, Orpheus’ intelligence reporting indicates such activity has not abated (see graph below). Recent examples include the Chinese group AVIVORE targeting the aerospace industry, and extensive activity by APT10 against a variety of sectors related to China’s strategic goals.
Far from reducing operations, Chinese state units and contractors – now under the direction of the Ministry of State Security rather than the People’s Liberation Army – have merely become more sophisticated and disciplined in their efforts to evade detection and avoid international censure. As a consequence, we assess that the geopolitical impact of COVID-19 in this case is serving to reinforce China’s intent to collect intelligence and steal IP related to strategic technologies, rather than fundamentally reshaping it.
Finally, COVID-19 is also shaping Chinese groups’ capability to conduct this type of cyber espionage. Over the last several months, numerous Chinese groups have increasingly targeted known vulnerabilities in public-facing infrastructure, such as CVE-2019-19781, which affects Citrix NetScaler servers. For instance, the recent cyber espionage campaign against Australian government bodies and private companies, which we assess to have been carried out by Chinese state actors or contractors, largely relied on exploiting known vulnerabilities to achieve remote code execution, rather than on custom malware. Despite numerous instances of these types of vulnerabilities being exploited in the wild, organisations have been slow to patch them. As we outlined in a previous blog post with regard to CVE-2019-19781, this is in part due to the effects of COVID-19, which is delaying the patching process in many organisations – thus providing ample opportunities for exploitation by China and other adversaries.
As we have outlined in the first two parts of this blog series, COVID-19 has significant geopolitical consequences. The international tensions that the pandemic is reinforcing, particularly those now seemingly inherent to the US-China relationship, will influence the tasking and prioritisation of nation-state activity long after COVID-19 has passed. This will extend beyond the kind of cyber espionage operations we expect to see as China is denied access to strategic technologies and patents made in the West. The shift towards localising supply chains and rejecting some of the key tenets of globalisation may inadvertently increase the risks to public and private organisations from cyber attacks aimed at sabotage or disruption.
A threat-led intelligence approach is essential for understanding how sophisticated nation-state groups will continue to adapt their targeting and tactics, techniques and procedures. To better understand cyber threats to your own organisation, click here.
Jamie MacColl is an Orpheus researcher.