East Asia

(Extract of Thales’ CTI data)

Countries List:

Colombia, Indonesia, Lao People's Democratic Republic, Malaysia, Philippines, Singapore, Thailand, Viet Nam, Vietnam, China, Japan, Korea, Democratic People's Republic of, Korea, Republic of, North Korea, South Korea, Mongolia, Hong Kong, Brunei Darussalam, Burma, Timor-Leste

Contextual analysis of CIS and Geocyber risks

The Far East is a vast area that comprises two naturally connected sub-areas: East Asia and Southeast Asia.

Main types of Attackers

State Sponsored
Cyber Criminal
Cyber Terrorist

Adversary types

Top 3 Attacked sectors

  1. Aviation
  2. Transportation
  3. Communication


Over the last decade, the cyberthreat landscape in this region has been greatly impacted by the growing influence of China as an economic, political and cultural player. China has sought to structure its presence by creating international organisations in the region and using them to exert its influence. Furthermore, the New Silk Roads project launched by Chinese President Xi Jinping in 2013 directly serves Chinese foreign policy. This project is supported by organisations with significant funds, such as the Asian Infrastructure Investment Bank (AIIB). Today, China is a key player in the region and has been competing with the Western powers for the last decade. The growth of China as a focal point has prompted the other Far Eastern countries to adopt a cautious posture with respect to Beijing. For the main countries of the zone, two objectives are emerging: creating counterweights to Chinese influence with the aim of strategic rebalancing, and maintaining a peaceful relationship with Beijing in order to preserve economic ties. Within the Association of Southeast Asian Nations (ASEAN), for example, trade between China and its southern interface has created a strong interdependence, so much so that China has become the largest trading partner in the zone.

In turn, Japan has established trade with the various countries in the region and has maintained relations with China, despite a difficult shared history and China’s claim to certain islands in the archipelago. Tensions between the two countries are ongoing in the East China Sea over the delimitation of their exclusive economic zones (EEZs).

North Korea is heavily reliant on China, which accounted for 90% of its trade before the Covid-19 crisis. In addition, North Korea remains the only country with which China has signed a defence treaty.

Seoul remains relatively close to Beijing, with regular bilateral talks, which began to normalise in late 2019. Trade between the two countries has been extremely limited, however, since China introduced economic sanctions against South Korea in 2017. These sanctions followed South Korea’s agreement to host America’s Terminal High Altitude Area Defense (THAAD) anti-ballistic missile defence system. On the other hand, relations between ASEAN, Japan and the two Koreas remain cordial. The Far East appears to be a breeding ground for cyber threats. At the regional level, a decisively important game is clearly being played out, fuelled by China’s desire to influence the zone and the responses of the other countries. Agendas are also being played out in smaller arenas, as we will see with the Korean question.

From a geostrategic viewpoint, Chinese domination is often presented as overwhelming and hard to contest. Yet the cyber tool creates a discrepancy in this logic of seemingly one-way domination. Indeed, the level of discretion and military effectiveness of this weapon allows for a strategic rebalancing. This creates opportunities for other players to assert themselves in the region. This is evidenced by the activity of several APT groups seeking to be counterweights to Chinese influence.


_SIGNIFICANT ACTIVITY BY GROUPS OF CHINESE ORIGIN

There are no less than 45 ATK groups, known under more than 200 aliases, which appear to originate in China.


_THESE GROUPS SHARE A LOT OF TOOLS AND MALWARE WITH EACH OTHER, WHICH MAKES IT DIFFICULT TO DELINEATE THEIR ACTIVITIES

In 2014, the ATK34 group (Goblin Panda), aided by the 1937CN group, launched cyber-espionage operations against Vietnam’s oil sector. In 2016, the same two groups carried out sabotage operations against the country’s transportation sector, then in August 2017 attacked its political institutions. This attack came a few days after the re-emergence of tensions between China and Vietnam over control of the South China Sea, set against the backdrop of historic discord over the Paracel Islands. On 5 August 2017, the meeting of foreign ministers of ASEAN countries in Manila had resulted in a resurgence of tensions provoked by Vietnam against China.

In addition to the ATK34 group, of which Goblin Panda is a part, the ATK1 group (Lotus Blossom) regularly attacks the region. Before 2013, one of the group’s hackers, called Elise, installed backdoors on Southeast Asian networks, focusing especially on electronics manufacturers and telecommunication companies, which enabled attackers to penetrate the systems. In 2015, ATK1 conducted massive espionage campaigns aimed at government and military organisations across Southeast Asia. These campaigns, whose objective was to weaken political organisations and spy on their members, are still ongoing. The most prominent example is ASEAN, which suffered a cyber-espionage attack operated by ATK1 in January 2018.

Other groups, considered less prolific, appear to be more responsive to a political agenda. ATK34’s campaign of attacks on Vietnamese institutions in August 2017, for one, reflects intensifying tensions with China. The ATK29 (TEMP.Periscope) group has also demonstrated its ability to exploit local contexts and leverage them into cyber-attack opportunities. ATK29’s campaign in Cambodia in July 2018, during the legislative elections, is indicative of this trend. The ATK29 group is interesting because the first evidence of its activity dates from the start of the Silk Roads project in 2013.

Initially focusing on the maritime domain, its range of targets was later extended to the defence, transportation, engineering and space sectors. In recent campaigns, it has directed its attacks at the countries involved in the Silk Roads project, reflecting a shift in targets and paradigm. Its activities have turned more particularly to industrial espionage and destabilisation. It was to this end that ATK29 targeted Cambodia in July 2018. From September 2017, the country had been plunged into significant political stagnation, making the attack all the easier. The leader of the Cambodia National Rescue Party (CNRP) had been charged with treason and spying by Prime Minister Hun Sen, who had also dissolved the CNRP, the only opposition party, ahead of the July 2018 legislative elections, which is when the attack occurred. This created an opportunity for the Chinese actor to leverage its cyber arsenal to gain high visibility into Cambodian politics and the actions under consideration by the government.

A similar scenario happened in the Philippines in 2015. China refused to take part in an arbitration procedure with the Philippines at the Permanent Court of Arbitration (PCA) in The Hague to settle territorial issues in the Philippine Sea. In the same year, Barack Obama raised the issue of control of the South China Sea at the Asia Pacific Economic Cooperation (APEC) Summit, which was endorsed by the host country, the Philippines. Shortly after, ATK29 (NanHaiShu) attacked the Philippine Department of Justice.


_VIETNAM AND THE ATK17 GROUP (APT32)

VIETNAM ALSO MAINTAINS THIS STANCE OF NON-SUBMISSION TO ITS GIANT NORTHERLY NEIGHBOUR.

Relying on a highly successful group called ATK17 (APT32), Vietnam conducts almost continuous espionage campaigns against diverse but well-defined targets. The techniques implemented by ATK17 include the use of decoy documents that allow for initial access to multiple platforms (Windows and MacOS in particular). The group was thus able to achieve its objectives by carrying out numerous attacks against Chinese interests.

SOUTH KOREA IS ALSO RESPONDING TO CHINESE PRESSURE. KOREAN-SPEAKING GROUP ATK52 (DARKHOTEL) IS VERY ACTIVE AGAINST CHINA

While some experts link this threat actor to North Korea, especially given the overlap between it and ATK4 (APT37), the consensus is that it is actually linked to South Korea. It targets government entities, especially in the areas of diplomacy, defence and justice. Its activity is focused in particular around the Sea of Japan and the East China Sea. Its purpose is to spy on specific people, especially Chinese individuals. The group leverages its cryptographic skills to produce fake certificates and uses zero-days. It also has access to an extensive and reliable network infrastructure, which enables it to maintain long-term access to its targets.


_THE PHILIPPINES AND THE NATIONAL BRANCH OF THE LULZSEC MOVEMENT

ATK129 (Pinoy LulzSec) is the Philippine branch of the international LulzSec movement, embracing its anarchist ideology. According to statements by its members, ATK129 has been active since 2012, with a surge in its activity in 2017 and 2018. In April 2019, the Philippine government and its defence institutions and industry were the victims of a targeted April Fools’ campaign. The hackers conducted dozens of attacks during these campaigns, mainly website defacement and theft of data, which was then leaked on online file-sharing platforms. The hackers primarily attacked government-related targets, but they also targeted the education sector. These campaigns against the Philippine government came after President Duterte signalled a rapprochement with China. More recently, the group’s attacks have directly targeted the People’s Republic, with the stated aim of defending the country’s sovereignty against Chinese influence.


_TAIWAN AND THE ATK153 GROUP (APT-C-01)

Taiwan, with Hong Kong, is one of the states most subject to Chinese pressure and to cyberattacks by groups believed to be based in China. However, the island state is supported by ATK153 (APT-C-01), an APT group that has been conducting cyber-espionage campaigns for 11 years against key Chinese units and departments such as government, national defence, science and technology, education and maritime agencies. The group mainly targets the defence industry in connection with strategic issues such as Chinese-US relations, Cross-Strait relations and maritime-related issues. This 11-year series of cyber-espionage campaigns in China includes no less than 15 major attacks on Chinese strategic interests.


_THE KOREAN CHESSBOARD

Contrary to appearances, the Asian chessboard is not only structured around China as the focal point. The Korean conflict is ongoing and is guided and shaped independently according to its own logic. On July 27, 2021, the two Koreas decided to re-establish communication channels, signalling a rapprochement. Diplomatic ties had been cut a year earlier, as a result of stalled discussions. This resumption of dialogue comes at a time when North Korea is going through a crisis related to the decline of its agricultural production, causing food shortages in the country.

The history between the two countries is complex, and periods of escalation have followed periods of relaxation. The rapprochement, initiated in the late 1990s around economic assistance, ended in 2008 with the arrival in power of the conservative Lee Myung-bak. The dispute over the contested maritime zone regularly results in deaths on both sides, and the escalation of tensions often leads to surges in cyber-activity from both sides.


_THE MANY KNOWN ATTACKS TO DATE ARE STRUCTURED AROUND TWO EMBLEMATIC GROUPS

On the South side, ATK52 (DarkHotel) regularly targets North Korean interests, reinforcing the hypothesis of a South Korean origin. In the North, the People’s Democratic Republic relies on the Lazarus nebula to carry out espionage and destabilisation missions against its southern neighbour and to attack it. Lazarus comprises several known entities. ATK117 (APT38, Bluenoroff) specialises in recovering funds for the country and is believed to be the source of the WannaCry attack in 2017. ATK4 (APT37) appears to be a more independent group, specialising in cyber espionage of foreign interests, especially in South Korea.

Contextually, the cyberthreat in the Far East is primarily driven by the rise of Chinese influence. For over a decade, this geopolitical focal point has prompted threat groups in the region to step up their activities in support of the national interests of their respective countries. However, the cyberthreat is not only driven by these regional factors. Certain geopolitical spaces have specific features linked to their historic context, as is the case with the Korean peninsula.