A "cyber espionage" group probably linked to the Chinese state has targeted human rights activists working on issues about the country for up to five years, a new report says.
The spy group, nicknamed Bronze President, has deployed malware against its alleged victims to monitor their activities and steal documents, according to the assessment released on Sunday by Secureworks, a US-based cyber security company.
One of the alleged targets is understood to be a human rights group that raised concerns about the treatment of hundreds of thousands of Uighurs and other Muslim minorities in China. It also wrote about pro-democracy activists in Hong Kong.
There have been allegations of mass arrests of Uighur Muslims in China – long denied by the state
The non-governmental organization (NGO) asked not to be identified in relation to the report.
Secureworks said it was aware of a "handful" of NGOs it believed were targeted, but the number could be higher. The security company has helped some of the alleged targets deal with and understand more about the cyber attack.
"The motivation for releasing this particular report is that the nature of the victims has a real human element," said Mike McLellan, a Secureworks threat intelligence expert.
Mike McLellan believes Bronze President is based or tolerated in China
"Many of these organizations are working in very dangerous environments, talking to individuals on the ground, having to take personal information about them and protect them," he said.
"We really wanted to make sure that other organizations in the NGO sphere were aware of the campaign (cyber espionage) and could check and see if they too were affected. The impact of this going unnoticed can be very significant for these organizations and the people they work with."
In addition to NGOs, the cyber spies also targeted law enforcement agencies and political entities operating in countries neighboring China, including India and Mongolia, according to the report.
Secureworks said its researchers have been watching the cyber intelligence group's activities since mid-2018, but the campaign could have started as early as 2014.
"It is highly likely that Bronze President is based in the People's Republic of China (PRC)," the report said.
That conclusion was based on the fact that the NGOs allegedly targeted all conduct "research on relevant issues" to Beijing, as well as "strong evidence" linking the spy group's infrastructure to Chinese entities, the document said.
Another factor was "connections between a subset of the group's operating infrastructure and PRC-based Internet service providers," it said.
One of Bronze President's apparent targets was a human rights group that asked not to be identified
In addition, Secureworks said the tools used in the cyber attacks "have historically been harnessed by threat groups operating in the PRC."
The report concluded: "Bronze President is likely to be sponsored or at least tolerated by the PRC government. The threat group's long-term systemic targeting of NGOs and political networks does not align with patriotic or criminal threat groups."
McLellan, director of the cyber intelligence cell at Secureworks' counter-threat unit, said the company was "as confident as possible that China is responsible for this campaign and these attacks."
He said a possible factor in the decision to attack the NGOs could have been the work they were doing on issues related to Hong Kong – consumed by protests against the government – as well as China's Uighur Muslim minority.
"I think the Chinese government will try to gather information about this kind of event," McLellan said. "It'll want to understand how opponents are thinking, how regional partners might be thinking, and one of the ways they will do that is to go out and try to gather information through means such as cyber attacks. I think there is every chance those kinds of real world events are all linked to the same campaign we saw here."
Secureworks said its researchers found malware they had never seen before while investigating the alleged actions of the cyber espionage group.
This suggests that the group can develop its own capabilities rather than just relying on widely available malware, according to the report. The attackers allegedly used a combination of widely available cyber tools, as well as what appears to have been their own kit, to gain access to their alleged victims' networks.
After compromising a computer network, "what they are doing is stealing information," McLellan said.
"They have been looking for specific documents – so PowerPoint presentations, Word documents, that sort of thing – that would give us an insight into their work, particularly in relation to China," he said.
"The intention here was information theft."
Sky News contacted the Chinese embassy in London and the Chinese Ministry of Foreign Affairs for a response to Secureworks' allegations.