Understanding Chinese threat actors, TTPs and operational priorities – Part one

Prayukth KV

November 17, 2025


Chinese APT groups operate with a very high degree of financial autonomy. This means that unlike their North Korean, Russian or even Iranian counterparts, Chinese APT groups do not always have to raise budgetary allocation requests to their parent ministries or departments. This should give you an idea of how unique a threat these groups have become in the last decade.

They are everywhere and their operational depth may shock even a seasoned threat researcher. However, it is the degree to which these APTs are integrated with technology and with the strategic goals of the Chinese state that places these groups in a separate league altogether. Without intending to, Chinese APT groups are already playing a key role in shaping the cyber defense approaches being developed by governments and enterprises alike: their playbooks and tactics are studied in order to design network architectures and SOPs that can actually be defended.

In today’s post, we will take a high-level look at the Chinese state-backed threat actors APT1, APT41, APT10, APT40 and APT31, understand their operational strategies and priorities, and look at how these groups are leveraging AI to breach their targets and to make sense of the huge volume of stolen data.

This is the first article in a series on Chinese state-backed threat actors.

Characteristics of Chinese APT groups

| Parameter | Characteristic(s) |
|---|---|
| Functional autonomy | Low: all groups are strictly controlled by the Ministry of State Security (MSS). The 14th Bureau, responsible for technical reconnaissance, is the primary designated body of control. While operations are broadly assigned by (or through) the 14th Bureau, some reporting teams are allowed a little wriggle room to try out new tactics against designated targets. The functional autonomy granted depends purely on the success the APT group has logged in the past. |
| Use of AI | China has been using AI for domestic surveillance for some time, and a natural consequence was the need for automated data crunching to identify patterns of interest. In the last decade China linked its domestic surveillance data to “naturalized” LLMs and, in the process, advanced by leaps and bounds in AI-driven data processing. Since the pandemic, China has shifted its attention to using AI to run initial probes on target networks: automated pinging, collecting stolen credentials belonging to key employees of target enterprises, developing and manipulating malware, and phishing. Since 2023, attacks, data exfiltration and data crunching have all been automated through AI. Teams within the MSS are now experimenting with AI to inject fake data packets in order to poison data sets within breached environments. |
| Hierarchy | APT1, APT41 and APT10 are considered relatively senior and are used for high-end projects, while other APT groups and sub-groups are used to open, or create, an opening against strategic targets. The MSS also uses APT41 to create breach chains that go upstream and downstream. Sub-groups that can manage projects on their own may be upgraded for certain projects. Senior groups such as APT41, APT1 and APT10 are also tasked with mentoring sub-groups. |
| Travel | Employees of these groups are not allowed to travel to other countries except under Chinese diplomatic cover (a rare occurrence too). APT1 and APT10 are known to run active knowledge and information exchange programs with their counterparts in North Korea. We have reason to believe that the North Korean threat actor Lazarus (APT38) maintains a small presence within China. That presence may indicate a high level of collaboration and joint targeting, including payment of a royalty or equivalent by Lazarus to an unknown Chinese entity. |
| Targets | Broadly divided into two categories, commercial and strategic. The former is about mopping up revenue, the latter about mopping up intelligence and IP. Both are important, and groups such as APT41 in fact straddle both worlds. There have been at least two instances of APT41 monetizing stolen data both internally and externally. |
| Integration with Chinese foreign policy objectives | Complete. This is one area where there is zero ambiguity. From a classification perspective, nations and targets are classified according to advisories issued by the Chinese government. An active feedback loop also exists, with information stolen from targets being used to shape foreign policy interventions and methods. |
| Handlers | Each group, while reporting into the 14th Bureau, also has an MSS-designated handler or manager who is primarily responsible for supervising operations, holding briefings and reporting on projects to the Central Political and Legal Affairs Commission (CPLC) of the Chinese Communist Party. There is also a reporting line that includes local MSS entities, but this relationship is not yet clear. The handlers are accountable for the operational aspects and are personally held responsible for the threat actors attaining their targets. Interestingly, the CPLC also has a proxy or shadow supervisor embedded in the chain to keep an eye on the group’s activities and to validate the information shared by the handler. |
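The “Use of AI” row above states that initial probing and credential collection against target networks are now automated. One observable consequence on the defender’s side is authentication activity with a machine-like cadence: many distinct usernames tried from one source, mostly failing, at evenly spaced intervals. The following Python is an added, defender-side illustration and is not code from this post or from Shieldworkz; the syslog-style line format, the sample log lines and the thresholds are all constructed assumptions and should be tuned against your own baseline.

```python
"""Flag authentication sources whose activity looks machine-paced.

Added example (not from the original post). Heuristic: a source that tries
many distinct usernames, mostly fails, and spaces its attempts with near-zero
jitter is more likely an automated probe than a human. All thresholds and the
log format below are assumptions for the purpose of the example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (sshd-like, fake addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
2025-11-17T08:00:00Z sshd: Failed password for alice from 203.0.113.7
2025-11-17T08:00:02Z sshd: Failed password for bob from 203.0.113.7
2025-11-17T08:00:04Z sshd: Failed password for carol from 203.0.113.7
2025-11-17T08:00:06Z sshd: Failed password for dave from 203.0.113.7
2025-11-17T08:00:08Z sshd: Failed password for erin from 203.0.113.7
2025-11-17T08:00:10Z sshd: Accepted password for frank from 203.0.113.7
2025-11-17T08:01:13Z sshd: Failed password for alice from 198.51.100.20
2025-11-17T08:03:41Z sshd: Accepted password for alice from 198.51.100.20
"""

# Assumed line format: "<iso-timestamp> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

# Assumed detection thresholds; tune them against your environment's baseline.
MIN_ATTEMPTS = 5
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.6
MAX_CADENCE_CV = 0.2  # coefficient of variation of inter-arrival times


def parse_log(text):
    """Return (timestamp, accepted, user, source) tuples; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["result"] == "Accepted", m["user"], m["src"]))
    return events


def summarize_sources(events):
    """Per-source counts plus the jitter (CV) of the gaps between attempts."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_src[ev[3]].append(ev)
    summary = {}
    for src, evs in by_src.items():
        users = {user for _, _, user, _ in evs}
        failures = sum(1 for _, ok, _, _ in evs if not ok)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        # CV needs at least two gaps and a non-zero mean; otherwise it is undefined.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        summary[src] = {
            "attempts": len(evs),
            "distinct_users": len(users),
            "failure_ratio": failures / len(evs),
            "cadence_cv": cv,
        }
    return summary


def is_machine_paced(stats):
    """True when volume, user spread, failure rate and regularity all exceed thresholds."""
    return (
        stats["attempts"] >= MIN_ATTEMPTS
        and stats["distinct_users"] >= MIN_DISTINCT_USERS
        and stats["failure_ratio"] >= MIN_FAILURE_RATIO
        and stats["cadence_cv"] is not None
        and stats["cadence_cv"] <= MAX_CADENCE_CV
    )


def flag_sources(text):
    """Sorted list of source addresses whose activity matches the heuristic."""
    summary = summarize_sources(parse_log(text))
    return sorted(src for src, st in summary.items() if is_machine_paced(st))


if __name__ == "__main__":
    for src, st in summarize_sources(parse_log(SAMPLE_LOG)).items():
        print(src, st, "FLAGGED" if is_machine_paced(st) else "ok")
```

In the constructed sample, 203.0.113.7 tries six different accounts two seconds apart with five failures, so it is flagged; 198.51.100.20 is one user retrying once and is left alone. The point of combining the four signals is that each alone is noisy (a help desk generates failures, a batch job has a regular cadence), whereas their conjunction is what the post's description of automated probing would produce.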

What do these groups do with stolen data?

Part of this question has already been answered. Here is the other part:

- All data is first crunched and analyzed using AI algorithms, primarily machine learning and deep learning, which process large data sets by learning from the data. These algorithms, whether built in-house or otherwise obtained, are able to handle unstructured data such as text and images as well as structured data such as numbers and statistics. The refined data is highlighted and marked for the attention of a human analyst.

- Data of financial importance or containing industrial IP is marked for commercial action or for negotiation with the victim.

- Any data of strategic importance is classified, filed and tagged for the attention of a senior analyst.

- Data that can be weaponized to create further breaches or to maintain access to a target environment is handed over to the specific team within the threat actor that handles that account.

- The residual data is sent to a common pool accessible to all groups for training.

- The average data cycle lasts about 28 days.

[Image: logos of the Ministry of Public Security and the Ministry of State Security (source: prcleader.org)]


Learn more about Chinese threat actors in our Threat Landscape Report 2025.
