Cyber groups within China are targeting Japanese companies involved in heavy industry and national infrastructure as part of a multifaceted effort to create the Chinese strategic playbook.

If you are a Japanese conglomerate, you've no doubt been made aware of the threat of cyber espionage and the level of effort being expended to compromise your company's trade secrets and intellectual property. This multifaceted effort is being launched from within China and is part of a far larger dynamic: China's projection of power within the Indo-Pacific region.

In 2017, the Rand Corporation issued a comprehensive report on China's efforts to adjust the status quo in the region (pdf) without firing a shot, through the use of "gray zone" coercion focused on three domains: maritime, cyber and space. It asked two hard questions:

"How can Washington and Tokyo counteract a determined adversary, such as China, when it is seeking to undermine Japanese control over the Senkakus, intrude into computer networks for the purposes of industrial espionage and national security, and potentially cripple allied space assets in a time of crisis?"

"How can the allies deter China's gray zone coercion in situations where tit-for-tat strategies are either unavailable or unappealing due to the medium (such as a counterstrike in space)?"

The report notes how the attribution problem enables China to operate within the gray zone, which makes deterrence challenging. The Japanese government recognizes that cyber groups within China — acting independently or with the covert support of China — are working on an "as needed basis at the behest of the Chinese government" to attack Japanese websites and conglomerates. As long as these efforts do not create a national emergency, they will continue to fall within the area of criminal activity. Japanese media note how China, using its long-range planning, is driving toward being the global superpower by the year 2050. To achieve that, it must continue to adopt "transformative technologies." One way to acquire such knowledge is through espionage, including cyber espionage.

Tracking Chinese cyber espionage

To that end, security researchers at Secureworks have conducted a deep dive into the Bronze Butler threat group, which they assess has been operating out of China since at least 2012. The group's primary focus has been attacking Japanese companies and stealing their intellectual property and any other confidential data of interest. Its targets appear to be chiefly companies involved in the support or supply of critical infrastructure.

How Japanese firms are being infiltrated

The Bronze Butler team uses all the arrows in its quiver to gain access to Japanese intellectual property, not relying on just one avenue of approach. It has been successful in the use of spearphishing, website compromises and exploitation of zero-day vulnerabilities. Interestingly, the group used steganography to mask malware payload delivery by embedding the payload within animated images.

These efforts place the results of the Bronze Butler campaign firmly within the gray zone discussed by Rand, as the information being collected and exfiltrated is germane to national infrastructure, policy, planning and the sustainability of industry. The group is not specifically targeting the national infrastructure itself. One might say the Chinese are collecting this information to create their playbook for when they do wish to attack Japan's national infrastructure.

The takeaway for those engaged in industry supporting national infrastructure in any nation: Protect your intellectual property and your customers' data, because the Chinese and others want to collect that information for their strategic playbook.
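As an added defensive illustration (not code from the Secureworks report or from this article), the check below looks for one common way a payload is hidden in an image file: bytes appended after the format's end marker (the GIF trailer byte 0x3B or the PNG IEND chunk). Image viewers stop reading at that marker, so the file still renders normally while carrying extra data. The article does not say which embedding method Bronze Butler used, so treating "data appended past the terminator" as the technique is an assumption; the sample images and the placeholder payload are constructed inline, and the check will not detect data hidden inside pixel values.

```python
import zlib

# --- constructed sample images (not real samples from any campaign) -------------

GIF_CLEAN = (
    b"GIF89a"                                      # header
    + b"\x01\x00\x01\x00"                          # logical screen 1x1
    + b"\x80\x00\x00"                              # packed byte: global colour table present, 2 entries
    + b"\x00\x00\x00\xff\xff\xff"                  # 2-entry global colour table
    + b"\x21\xf9\x04\x00\x00\x00\x00\x00"          # graphic control extension + block terminator
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local colour table
    + b"\x02\x02\x44\x01\x00"                      # LZW min code size, one 2-byte sub-block, terminator
    + b"\x3b"                                      # trailer: where a well-formed GIF ends
)

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return len(body).to_bytes(4, "big") + ctype + body + crc.to_bytes(4, "big")


PNG_CLEAN = (
    PNG_SIGNATURE
    + _png_chunk(b"IHDR", b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x00\x00\x00\x00")  # 1x1, 8-bit grey
    + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    + _png_chunk(b"IEND", b"")
)

# Constructed placeholder standing in for appended data; any trailing bytes are suspicious.
FAKE_PAYLOAD = b"CONSTRUCTED-PLACEHOLDER-NOT-REAL-MALWARE " * 3


# --- format walkers: return the offset just past the format's end marker -------

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a GIF data sub-block chain (length-prefixed blocks ending with a 0 byte)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF: sub-block chain runs past end of file")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_end_offset(data: bytes) -> int:
    """Walk GIF blocks (works for animated GIFs too) and return the offset after the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                      # logical screen descriptor packed byte
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                  # trailer
            return pos
        if block == 0x21:                  # extension: label byte, then sub-blocks
            pos += 1
        elif block == 0x2C:                # image descriptor: 9 bytes, optional local table, LZW size
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:
                pos += 3 * (2 ** ((lpacked & 0x07) + 1))
            pos += 1
        else:
            raise ValueError(f"unexpected GIF block 0x{block:02x} at offset {pos - 1}")
        pos = _skip_sub_blocks(data, pos)
    raise ValueError("truncated GIF: no trailer found")


def png_end_offset(data: bytes) -> int:
    """Walk PNG chunks, verifying each CRC, and return the offset after the IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        stored_crc = int.from_bytes(data[pos + 8 + length:pos + 12 + length], "big")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            raise ValueError(f"bad CRC on chunk {ctype!r} at offset {pos}")
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk found")


def scan_image(data: bytes) -> tuple:
    """Return (format, trailing_byte_count); a non-zero count means data hides past the end marker."""
    if data.startswith(b"GIF8"):
        return ("GIF", len(data) - gif_end_offset(data))
    if data.startswith(PNG_SIGNATURE):
        return ("PNG", len(data) - png_end_offset(data))
    raise ValueError("unsupported image format")


if __name__ == "__main__":
    for label, blob in [("clean GIF", GIF_CLEAN), ("GIF + trailing data", GIF_CLEAN + FAKE_PAYLOAD),
                        ("clean PNG", PNG_CLEAN), ("PNG + trailing data", PNG_CLEAN + FAKE_PAYLOAD)]:
        fmt, extra = scan_image(blob)
        print(f"{label:22s} {fmt}: {extra} bytes after end marker")
```

In practice this check belongs in a mail gateway or web proxy content scanner, and a non-zero count should be treated as a detection lead rather than proof: some legitimate tools write metadata after the terminator, so verify what the trailing bytes are before acting.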