Exclusive: Hackers behind cyberattack on Wuhan Earthquake Monitoring Center aim at stealing geological data: top cybersecurity expert
Published: Aug 02, 2023 09:30 AM
cyber attack Photo:VCG

In an exclusive report the Global Times published on July 26, it was revealed that the Wuhan Earthquake Monitoring Center under the Wuhan Municipal Emergency Management Bureau found that some seismic early warning data collection network devices at its front-end stations had been implanted with backdoor programs. Local public security authorities have launched an investigation, and preliminary evidence suggests the cyberattack was initiated by a hacker group and lawbreakers with governmental backgrounds from outside the country.

What is the purpose of this cyberattack, and what new developments have emerged? What kind of information has been released by the attacked organization in its transition from a "passive" to an "active" mode of disclosure? In an exclusive interview with the Global Times (GT), Zhou Hongyi (Zhou), co-founder of 360 Security Technology, said that both Northwestern Polytechnical University (NWPU), which suffered a cyberattack from outside the country in June 2022, and the Wuhan Municipal Emergency Management Bureau dared to face up to national-level cyberattacks, which has created important opportunities for detecting and preventing large-scale national-level cyberattacks. This is of great significance and deserves recognition.

GT: Has the joint investigation team composed of the National Computer Virus Emergency Response Center (CVERC) and the internet security company 360 made any new discoveries regarding the cyberattack on the Wuhan Earthquake Monitoring Center?

Zhou: Currently, experts from CVERC and the company 360 have arrived in Wuhan to conduct investigation and collection work. Preliminary evidence suggests that the purpose of the cyberattack on the Wuhan Earthquake Monitoring Center was to steal geological data. Geological information is closely related to battlefield terrain, and once stolen and associated with military activities, it will have severe consequences.

GT: We have also noticed that both NWPU and Wuhan Earthquake Monitoring Center have proactively issued public statements stating that they have been subjected to cyberattacks initiated from overseas and have reported the incidents to the public security bureau. How do you comment on this "proactive" approach taken by the attacked organizations in disclosing the information?

Zhou: There is no doubt that this behavior deserves high recognition. Facing attacks from national-level Advanced Persistent Threats (APTs) requires the collaboration of multiple parties, including the government, enterprises, internet security companies, and organizations, to form a strong collective force to jointly respond. However, in reality, many involved units fear taking responsibility, which leads to significant resistance in APT investigations. This results in incomplete and inadequate analysis in APT investigations, which is extremely detrimental to the country's response to APT attacks.

Therefore, both NWPU and the Wuhan Municipal Emergency Management Bureau dared to face up to national-level cyberattacks, which has created important opportunities for us to detect and prevent large-scale national-level cyberattacks. This is of great significance and deserves recognition. Fully exposing cyberattacks from overseas is of great significance from the perspective of safeguarding the national interests of our own cyberspace, as well as ensuring peace and security in the global cyberspace. This deserves recognition and reference.

GT: When involved units fear taking responsibility, what obstacles does this bring?

Zhou: Firstly, there is the issue of "difficult access". Company 360 can use comprehensive security data to locate specific victims of APT attacks, but we are often denied access due to "lack of official authorization". Secondly, there is a lack of cooperation, as the victims refuse to provide the necessary security logs and network data for investigation, citing various reasons. Thirdly, there is a denial of the attack, as the victims refuse to acknowledge the fact of being subjected to APT attacks and may even delete relevant log records, leading to the loss of crucial evidence for APT attack analysis.

GT: What are the characteristics of the cyberattacks launched by national-level APT organizations against China's critical infrastructure at present?

Zhou: National-level APT organizations often target the Chinese government, leading companies in certain industries, universities, medical institutions, research units, and so on, to launch cyberattacks, aiming to steal data and intelligence and cause damage. Their biggest challenge is being "invisible".

APT attacks have six main characteristics. First, the attackers are usually professional hacker organizations or state-sponsored cyber armies, possessing national-level capabilities and resources. Second, they commonly exploit unknown security vulnerabilities, making it difficult to defend against them. Third, the attacks are continuous processes, using multiple nodes on the network as stepping stones to penetrate deeper, forming a long chain of attacks. Fourth, they involve long-term infiltration, with the attackers remaining hidden for perhaps over a decade, displaying high levels of stealth.

Fifth, attack tools are weaponized, as seen in the company 360's investigation of the cyberattacks on NWPU, where the NSA of the US utilized 41 specialized cyberattack weapons. Sixth, the attacks exhibit characteristics of automation, systemization, and intelligence, with various attack techniques interconnected and interdependent.

GT: Cyberspace is evolving into the main battlefield of the international game, especially in the Russia-Ukraine conflict, where cyber warfare has moved from the shadows to the forefront. Both Russia and Ukraine have been subjected to sustained and systematic cyberattacks. What are the characteristics of cyber warfare?

Zhou: Currently, the international situation is complex and turbulent, accompanied by the intensification of the great power game. The militarization of cyberspace is also accelerating, and cyber warfare is increasingly being used by countries or forces as a "weapon" to attack other countries. The security threats in cyberspace are more lethal and destructive. In our years of tracking and researching cyber warfare, we have found that, unlike other modes of warfare, cyber warfare does not distinguish between wartime and peacetime. Attacks can be launched at any time, and it has become the preferred choice for warfare due to its low cost, effectiveness, controllable intensity, and the difficulty of identifying the attacker for counterattacks.

GT: Is the self-defense capability of Chinese government and enterprise units sufficient in light of the characteristics of cyber warfare?

Zhou: Cities, enterprises, and governments, as the core scenes of digitization, face dual challenges from both internal and external sources, with risks permeating all digital scenarios. Due to the difficulty in detecting APT attacks, traditional cybersecurity measures that focus on product accumulation, neglect operations, and lack expertise are unable to effectively intercept these attacks. This has resulted in the reality of "no network that cannot be breached" and "the enemy is already within," but it cannot be seen, prevented, or managed.

GT: Facing powerful attacks but ineffective methods, how should we efficiently build a practical security defense system and quickly acquire security capabilities?

Zhou: Firstly, we need to build a secure big data infrastructure and establish a comprehensive database of security incidents across the network to help users defend against threats and attacks. Secure big data, intelligence, and knowledge are the foundation and key to identify and capture traces of cyberattacks. Government and enterprises need to establish a dynamic database of security incidents across the network to "see" threats to the industry with a broader perspective and understand the overall security situation. Among these, endpoint data is particularly important as 80 percent of APT attacks target the endpoint environment. Endpoints are the eyes that can see the threats.

Next, it is necessary to deploy defenses in advance, detect security clues quickly and in a timely manner, and achieve early detection, early disposal, and early loss prevention.

Third, there is a need for AI technology to enhance the level of automation and intelligence. In order to further improve efficiency, we need to apply artificial intelligence technology to enhance the level of automated analysis, screening, and correlation of massive security events. This will enable us to quickly discover cyberattack clues and take automatic responses, thereby enhancing the efficiency of security defense.

Fourth, we need experts with extensive experience in real cybersecurity battles. We need to form a multi-level expert team composed of professionals in vulnerability discovery, threat detection, and intelligence analysis. This team should have years of experience in continuous detection, analysis, response, and disposal, and should be able to engage in 24/7 uninterrupted operations against cyber armies and hacking groups from various countries.

Fifth, to achieve big data analysis, command and control, and collaborative operation by experts, a powerful security operation platform is needed to support the entire lifecycle of security operations. By combining automated response and expert judgment, it establishes the capability for rapid response and disposal, builds a response and disposal platform, integrates security analysis results, and coordinates with security devices. It enables timely control of the situations and restoration of damaged systems after security incidents occur, thus achieving rapid response.

GT: On one hand, cyberspace has become the main battlefield for competition and geopolitical conflicts among major powers, and cybersecurity has evolved from a specific field issue to a major global concern. On the other hand, there are some outdated concepts within government and corporate entities in China; for example, the attacked company did not cooperate or admit to the attack, as you have mentioned. In the face of such contradictions, do you have any suggestions?

Zhou: First, relevant government departments should establish an APT attack exemption mechanism and reward those who proactively report important clues. APT attacks are different from general cybersecurity incidents and have exceeded the security capabilities of government and enterprises. Therefore, government and enterprises should not be seen as responsible parties but as victims. It is recommended that relevant departments clearly stipulate that, under the premise of government and enterprises meeting the requirements of national cybersecurity laws and regulations, they will not be held accountable for APT attacks on their network security. At the same time, they should reward units that timely report APT attack clues, transforming the accountability into positive guidance.

Secondly, it is suggested that relevant departments establish a mechanism for APT investigation, guiding key infrastructure units and important sensitive units (Party and government, national defense, military industry, cutting-edge scientific research units, etc.) to actively cooperate with capable cybersecurity companies to investigate their own APT attack clues and hidden security risks. Any discovered APT attack clues should be promptly reported to relevant authorities for analysis and judgment, and a comprehensive network-wide investigation should be conducted to ensure that any APT that has infiltrated is promptly, comprehensively, and thoroughly eliminated, thereby reversing the passive situation of "the enemy is already within us".

The third is to concentrate the civil defense forces and establish a community of white-hat hackers to attract security talents. The essence of cybersecurity is the confrontation between people, and it cannot be solved simply by purchasing and deploying a batch of cybersecurity devices or installing software. The confrontation cannot rely entirely on automation. Only security experts can systematically absorb, understand, and transform attack knowledge into targeted countermeasures. Therefore, it is recommended that relevant organizations take the lead in establishing a large security community, calling on capable security experts to exchange technical experiences, share knowledge, conduct practical exercises, and jointly improve their capabilities. This will help fill the talent gap in our country and prepare for the shortage of talents in the event of a "cyberspace hot war". In addition, it is also recommended that relevant government departments support security companies in expanding their business ecology, such as security services, to expand the employment scale of the cybersecurity industry and attract and retain more talent.