Over just the last three years, Chinese cyber criminals have gone from relatively solitary players to adopting the same tactics favored by organized crime syndicates in Russia and other nations with lax cyber crime laws and enforcement.

These findings come from research conducted by Anne An, a senior security researcher in McAfee’s Advanced Programs Group, a lesser-known division of McAfee that conducts deep-dive, bespoke cybersecurity research and intelligence gathering to help companies counter threats before they become full-scale attacks.

SEE: Phishing and spearphishing: An IT pro’s guide (free PDF) (TechRepublic)

“I think the biggest take away from this research is that Chinese non-state actors; they’re no longer low-skill hackers trying to make extra money,” An said. “They have transformed from small local networks targeting mostly Chinese businesses and citizens to large well-organized criminal groups hacking international organizations.”

Just like their more-advanced counterparts in Russia, the motivation is simple: Money. The average income in China is around $8,000 per year, An said. Hackers can make $1,400 per day.

“China’s cybercrime enterprise is large, lucrative and expanding quickly,” An said in a blog post announcing her findings. “According to 2018 Internet Development Statistics, China’s cybercriminal underground was worth more than US $15 billion, nearly twice the size of its information security industry. The same Chinese-language source also shows that China’s cybercrime is growing at a rate of more than 30 percent a year. An estimated 400,000 people work in underground cybercriminal networks.”

SEE: The Dark Web: A guide for business professionals (free PDF) (TechRepublic)


As Chinese hacking becomes more organized, it is moving off of platforms like Tencent’s QQ, a Chinese chat platform that is used by hackers to connect with peers, sell stolen data, and collect money in a one-to-one fashion, toward Dark Web chat rooms and forums where they can reach a broader audience of customers looking for malware and buyers looking to buy pilfered data. Just a few tens or hundreds of dollars can buy all manner of illicit goods from physical counterfeits of US and Canadian driver’s licenses to bank login credentials.

“They have continuously evolved their tactics to become more sophisticated, and they are learning a lot of those techniques from a more sophisticated cybercriminal underground like the Russians,” An said.
This includes adopting the same market-based approaches of any legitimate business to expand their market share. Instead of doing the hard work themselves, bad actors buy ready-made or bespoke malware that comes complete with 24/7 customer support. Buyers looking on Chinese black markets can find distributed denial of service (DDoS) botnets, traffic sales, source code writing services, email/SMS spam and flooding services, An said.

SEE: Why password management is critical to mitigating data breaches (TechRepublic)

“With regard to hacking services, Chinese cybercriminals also offer modules for prospective clients to fill out their service requests, including types of attacks, target IP addresses, desirable malware or exploit toolkits and online payment processing,” An said. “Through establishing a standardized model of sale, Chinese cybercriminals can expand their activity quickly without incurring additional overhead costs.”

One product for sale is a business dossier, An said. “It costs around $5,000 to $10,000, depending on how difficult the hack is. And, basically, the hackers would take whatever requests to hack into like places like top-50, high-profile Chinese companies, or even Fortune 500 US businesses. I’ve seen online the entire employee directory being sold on the dark market.”

Because of a very strictly controlled internet in China (access to the anonymous Tor browser network is completely blocked, for example), Chinese hackers are physically moving to find more favorable locations for their activities. Specifically, they are moving into Malaysia, Indonesia, Cambodia, and the Philippines. They also are using layered virtual private networks (VPNs) from inside China to access Tor via another country where Tor is available.

SEE: Disaster recovery: How to prepare for the worst (free PDF) (TechRepublic)

Cyber crime meets cyber espionage

The lines between criminal activity and more traditional espionage are blurring, An said. She has seen where Chinese cyber criminals are selling full business dossiers of business and government agencies. An has seen internal employee directories and intellectual property (IP), CEO contact information, company bank account credentials, marketing strategy documents, tax ID numbers, and funding histories all available for sale on the black market. To get this information, cyber criminals often recruit insiders or plant moles inside of organizations masquerading as new hires.

“As China’s cybercrime continues to evolve and advance, international organizations operating in the Asia Pacific region are facing an expanding threat landscape from cybercriminal activity targeting high-value business assets,” An said.

Also see

Image: ValeryBrozhinsky, Getty Images/iStockphoto

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays