McAfee Confidentiality Language
Is China the new Russia?
Analyzing the Similarities and Differences of Chinese Threat Actors from their Russian Counterparts
Dave Marcus, Principal Engineer and Consigliere
Advanced Programs Group, OCTO
Agenda
01 History
02 Key Similarities and Differences between the Chinese and Russian Cybercrime Underground
03 The Current State of the Chinese Cybercriminal Underground
04 Growth of Chinese Cybercrime with Global Operations
05 Why It is Increasingly Difficult to Isolate Cybercrime from Cyber Espionage Activity
06 Conclusion
History: China and Russia
1994 (China): Chinese Academy of Sciences built the first cable connection to the World Wide Web
1994 (Russia): One of the first!! $10 million attack against Citibank
2006: First cybercrime arrests
2011 (Russia): Russian cybercriminal underground was worth between $2.5 and $3.7 billion, accounting for 35% of the global cybercrime revenue (total $8 to 10 billion in 2011). Source: Infosec Island
2018 (China): The Chinese cybercriminal underground was worth $15 billion, roughly 1% of the global cybercrime revenue (total $1.5 trillion in 2018). Sources: Xinhua News and Dark Reading
The Chinese Cybercrime Underground: The Market
400,000: Estimated number of cybercriminals making up China's thriving cybercrime underground
30%: The annual growth rate of China's cybercrime
$15 billion: The worth of China's cybercrime in 2018, nearly twice the size of its information security industry
$43,590: Estimated monthly earning of a skilled organized phishing scam group
Sources: Xinhua News, sec-un.org
Similarities Between the Chinese and Russian Cybercrime Underground
Tactics, Techniques and Procedures
Baidu Tieba, QQ groups, Sina Weibo
Screenshots of Chinese underground hacker groups:
Guarantee DDoS service group
Data exfiltration group
Magic sword phishing group
Screenshot of online engagement with Chinese cybercriminals via QQ instant messenger
Attack-as-a-Service
Screenshot of pen-testing software offered by an underground hacker
Screenshot of an online advertisement titled "the most up-to-date and dangerous cyber-attack software in 2013"
Geographical Operations
The Philippines, Malaysia, Cambodia, Indonesia, China
Phishers, Marketers, Blackmailers, Infiltrators
Malware writers, QQ hacking group masters
Malware wholesalers
Money launderers, Antivirus detection evasion experts
Prawns 大虾 or Car masters 车主
拉单人 (Ladanren), 免杀人员 (Miansharenyuan)
Middleman (aka pack mule 包马人)
China vs Russia
Motivation
  China: Financial
  Russia: Financial
Communication and advertising tactics
  China: One-on-one engagement, but slowly changing
  Russia: Centralized/standard service process
Geographical operation
  China: Global, but mainly focused on Asia
  Russia: Global
High demand products
  Hacking tutorial or training services, DDoS botnet, DDoS tools, Remote access trojan, Pen-testing services
Preferred payment method
  China: Alipay, bank transfer and bitcoin
  Russia: Bitcoin and Monero
Recruiting strategy
  China: Master-apprentice mechanism
  Russia: Social media
QQ hacking group: Master and Apprentices
Roles: Phishers, Marketers, Blackmailers, Infiltrators, Malware writers, QQ hacking group masters, Malware wholesalers, Money launderers, Antivirus evasion experts
Products and Services Offering in the Chinese Cybercrime Underground
Regional Specializations Within Chinese Cybercrime
United States
• Scans of counterfeit US driver's licenses
• Physical counterfeit US driver's licenses
• Hacked US cell phone numbers
• Counterfeit US social security cards
• US citizens PII
• Hacked email accounts (gmail, hotmail, yahoo)
• Stolen US social media accounts
Canada
• Scans of counterfeit Canadian driver's licenses
• Physical counterfeit Canadian driver's licenses
Taiwan
• Counterfeit Taiwan identification cards
• Hacked email accounts
South Korea
• Scans of South Korean passports
• Social security cards
• Stolen email accounts
China
• Physical counterfeit Chinese identification cards
• Social security number
• Baidu internal employee directory
• Huawei internal employee directory
• Tencent internal employee directory
• Alibaba company data
• Verified Chinese bank accounts with large balances
• Chinese airline customer data
Singapore
• Singapore citizens PII
Japan
• Hacked email accounts
Training and Educational Services
PII and Credential Sales by Region and Sector
1 million stolen US email accounts for sale
Counterfeit US and Canadian driver's licenses for sale
15 million hacked Experian accounts for sale
Large scale, global breaches have made data a buyer’s market
It will be increasingly difficult to separate cybercrime from cyber espionage activity.
Cybercrime vs. cyber espionage
Huawei internal employee directory
China's billionaire club: names, telephone numbers, cars, philanthropy, personal assets, and residences
Internal documents detailing high-level CCP officials' personal information
Conclusion
McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries.
Other names and brands may be claimed as the property of others.
Copyright © 2017 McAfee LLC.